An Exploratory Qualitative Study of Computer Network Attacker Cognition

Bibliographic details
Published in: Proceedings of the Human Factors and Ergonomics Society Annual Meeting 2004, Vol. 48 (3), p. 401-405
Main authors: Stanard, Terry; Lewis, W. Robert; Cox, Donald A.; Malek, David A.; Klein, John; Matz, Randy
Format: Review
Language: eng
Online access: Full text
Description
Summary: Many computer network defenders do not know how malicious hackers think and act during a network (McCloskey & Chrenka, 2001). To study attacker cognition, experienced hackers were recruited to attack a Windows 2000 network and pursue three goals: Deface the website, steal (faux) credit card numbers, and read email. Participants wrote a report of what they did, and a post-attack cognitive task analysis interview was conducted. Logs were also captured on the network including firewall, snort IDS, and Microsoft applications (IIS, SQL, Exchange). An Attacker Cognition Model based on data collected from five participants was created. The model has two basic properties: It describes the cognitive steps followed by an attacker, and describes several passes through these steps that the attacker follows as s/he penetrates several layers deep into a network. Future research using smaller sample sizes and multiple studies using the same participants is encouraged.
ISSN: 1541-9312, 1071-1813, 2169-5067
DOI: 10.1177/154193120404800327