Industry Thought Leadership

Weaponizing Dewey’s Decimal System

July, 2018
Elad Yoran
Executive Chairman


Newton’s Third Law of Motion, which states that “For every action, there is an equal and opposite reaction,” can be used to describe today’s focus on metadata. Social network operators, telecom carriers, and others are increasingly turning to metadata as they search for new and lucrative monetization opportunities in data analytics. However, at the same time, bad actors are innovating new ways to exploit and weaponize metadata. Analytics and Big Data are just beginning to bring within reach the potential to extract value from metadata - yet the struggle for competitive advantage and commercial gain is already at a fever pitch.

Metadata, or “data about data,” is used to describe data, identify trends, administer algorithms and for scenario-modelling. Traditionally used in library card catalogs, today, it can be categorized as:

  • Descriptive - describes a resource for discovery and identification;
  • Structural - describes the types, versions, relationships and other characteristics of digital materials; and,
  • Administrative - describes when and how something was created, file type and other technical information, along with who can access it.

Examples of metadata include users’ IP addresses, Internet search history, when a user is online, for how long, the time between clicks and visit duration, among other things. These definitions may seem bland, but metadata has real-world ramifications. The National Security Agency’s General Counsel, Stewart Baker, described metadata by saying, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” General Michael Hayden, former director of the NSA and CIA, put it even more bluntly when he said, “We kill people based on metadata.”

Generally speaking, when networks sell data, what they are actually selling is targeting of a specific sub-segment of users on their platform. Social media and online networking services create psychographic profiles of users by linking profile information with activities, behaviors and other expressions that can then be used to psychologically influence them to absorb and trust sponsored content and/or to behave in certain ways. This is usually thought of in terms of influencing buying behaviors, but there is no reason why it can’t also be applied to inciting extremism, recruiting terrorists, or even influencing elections, in addition to run-of-the-mill online fraud and digital theft. The rising popularity of cryptocurrencies and digital wallets presents a prime opportunity for bad actors to deploy these methods for illicit financial gain.

However, ISPs cannot adopt the same business model because, by and large, they don’t have a platform to deliver tailored ads to targeted consumers and must sell and convey data sets to leverage potential commercial opportunities.

Recent legislative activity in many countries, including the United States, has resulted in mass-surveillance and data sale bills that increase the risk that metadata poses to Internet users by permitting or requiring private entities, such as ISPs, to exchange consumer-centric information with unknown and unregulated third parties. This - along with data leakage, insecure ISP servers and increasing commercial viability and interest in consumer data sets - almost certainly means that it’s only a matter of time before Internet users are harmed by exploitation tailored to their online activities. This can happen in unexpected ways. For example, potential employers or health insurance providers, when determining hiring or insurability, might rely on metadata generated by a user who is searching for health-related information for themselves or a family member.

Today, the rate of cyber-attacks continues to grow along with the sophistication of bad actors. Rather than focus on rare zero-day exploits, the focus has shifted to metadata and for an alarming reason: no matter how much is invested in personnel and training, it is impossible to avoid relying on people, and people’s characteristics are difficult or impossible to change.

The risks associated with metadata are difficult to overstate. Metadata enables the success of direct and indirect exploits in all critical infrastructure segments in every nation because it exposes systemic vulnerabilities and simplifies the avoidance of embedded behaviors for cyber defense. For a bad actor who understands seemingly random metadata and how to combine it with other data sources that further weaponize the psychographic and demographic outputs of Big Data analytics, the possibilities for social engineering and cyber exploitation are – to put it mildly – endless.