Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
This chapter walked you through the tradition of counterintelligence and its benefits, and then addressed converting these age-old, tested, and true methods to the cyber world. You should have a better understanding of some basic metrics that you can use to gauge each threat. We covered how to use the collected information against threats in ways they use against us every day (payback time, anyone?). Each contributor to this book is interested in proactive security (an offensive-based defense, where we pursue threats versus waiting for them), attribution, and counterintelligence against active threats, or we wouldn’t be writing this manual of best practices for you in one concise edition.
In the next chapters, you’ll learn more about profiling a threat and methods that will be useful to your legal team and/or law enforcement. But you need to maintain the edge while doing so—collecting, recording, logging, and so on. In order to look forward, you need to know what’s occurred and what is occurring. Never forget that. Attempting to better understand threats can increase your awareness of your enterprise’s protection needs. One way to do this is to study both cyber- and noncyber-based criminal case studies that illustrate habitual or serial-based offenders and their personalities. You can find such case studies at www.cyberlawclinic.org/casestudy.asp.
CHAPTER 4
Profiling Fundamentals
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
—Sun Tzu, The Art of War
It is difficult to overstate the value of understanding your adversary. Every facet of the existence of your opponent has some nonzero probability of having an effect on the magnitude of the success of your mission. Whether you use evidence of specific personality types, apply norms of small group interaction, assign specific social psychological motivations, or integrate larger macroeconomic forces into the analysis, the more rigorous and complete picture of your opponent you can construct, the better the odds that a positive outcome will result from those efforts.
One of the challenges in the area of profiling is that human beings are complex social organisms who often think and act in ways that appear to be contradictory or unpredictable. However, if humans exhibited no coherent or coordinated behavioral patterns, we would live in a chaotic world of unimaginable pandemonium. Social order has been a question of importance to social scientists since at least the time of Thomas Hobbes’s inquiries, and there are a number of ways in which the question of social order has been addressed.[1]
Fortunately for us as human beings (and especially providential for profilers), people tend to operate in both the real and virtual worlds in ways that have some fundamental qualities of coherence and predictability. Additionally, living in a social world means that there are social norms and expectations generated by societal forces that shape and direct our behaviors. If these cultural norms and expectations were not present, it would be very difficult to manage social interaction beyond those individuals who we already personally know well.
One key beneficial factor in the area of forensics is that every human action leaves an evidence trail of some sort. Some evidence trails are littered with significant, information-rich clues that allow investigators to quickly speed along their path toward their final objective. Other evidence trails hardly seem like trails at all, lacking all but the most inconsequential clues that appear to lead nowhere. Sometimes evidence comes in a concrete form, such as an IP address that is useful for further investigation through Whois records or actual surveillance of the machine to which the address is assigned. Other times, evidence is much more ethereal, such as the case where you learn that it is possible that members of an adversarial group have been ostracized by another, unknown group of individuals. Whatever the case, it is the profiler’s job to gather as much evidence as possible, connect the evidence through logic and theory, and use the profile that emerges to help ensure the most positive mission outcome possible.
This chapter introduces some of the basic principles and fundamentals of profiling. The first part of the chapter includes brief summaries of the history of traditional criminal profiling and the emergence of cyber profiling to provide some background on the birth and development of these areas. During the course of the discussion, comparisons will be made between classic profiling strategies used by various organizations (including the Federal Bureau of Investigation) and adaptations, additions, enhancements, and departures from these techniques necessitated by the nature of the cyber environment, as well as the unique characteristics of the malicious actors who inhabit that virtual world.
The objective of this chapter is to make you aware of the challenges, limitations, and benefits of knowing your enemy, as well as to provide some basic analytical structure that can be beneficial in the course of defending your digital systems from attack. Chapter 10, which is about attribution, will build on a subset of information vectors, as well as put the foundational knowledge gained in this chapter to work.
A Brief History of Traditional Criminal Profiling
Some of the early attempts at criminal profiling involved creating taxonomies of physical characteristics of criminals. In 1876, the early Italian physician and criminologist Cesare Lombroso described criminals as being taller and heavier than the average person, and more likely to have brown or dark eyes, darker hair, ears of unusual size, and eye defects (Lombroso, 2006). He felt that criminals were something of an evolutionary throwback to earlier man. In a similar vein, Ernst Kretschmer, a German criminologist and anthropologist, wrote the book Physique and Character (1925), where he linked certain body types to personality characteristics and criminal tendencies.
One of the earlier instances where behavioral sciences began to be applied in the area of profiling was when the City of New York experienced a series of explosions over the years 1940 to 1956. This came to be known as the “Mad Bomber of New York City” case. A psychiatrist named James Brussel was asked to assist in the case. In 1956, after examining some of the letters that the perpetrator had written, Brussel provided some simple descriptive details about the bomber, including that he was probably a former employee of Con Edison, between the ages of 40 and 50, and likely a loner. He based his profile on simple probabilities as well as his own clinical experience.
It wasn’t Brussel’s physical description of the Mad Bomber that eventually led to his arrest, but rather Brussel’s accurate observation that the perpetrator was seeking publicity through articles in the newspaper. Brussel suspected that if the bomber’s profile were printed in the newspaper, the perpetrator would respond in writing. Brussel was capitalizing on the natural tension that exists between the hunter and the hunted. Understanding the personality and motivations of the opponent allows the profiler to take a proactive approach to the identification and apprehension of the offender.
Brussel did publish his profile, and the perpetrator did indeed respond. When that response was analyzed, someone recognized a particular phrase used by a former employee of Con Edison, and the perpetrator was located and arrested. When the bomber was finally caught, it turned out that many of the physical and personality characteristics Brussel had described were true.[2]
Howard Teten was a law enforcement officer in the San Francisco Bay Area during the 1960s. He had a keen interest in the reasons behind criminal behavior during his years at the University of California at Berkeley’s School of Criminology. Teten eventually transitioned to the Federal Bureau of Investigation (FBI) and began teaching criminal profiling techniques during the early 1970s. Teten joined the newly created Behavioral Science Unit at the FBI Academy in 1972, and together with some of his agent colleagues, continued to develop and refine profiling ideas and strategies. A set of more applied units in the FBI, christened Behavioral Analysis Units, also emerged to deal with the increasing demand for criminal profiling.
During the following years, veteran agents John Douglas, Robert Ressler, and Roy Hazelwood led most of the profiling efforts at the Academy. During the early 1980s, Hazelwood and Douglas formulated a bifurcated taxonomy of murderers, classifying them into either organized or disorganized offenders. Organized offenders typically picked victims unknown to them, planned their offenses carefully, and often used restraints on their victims. Disorganized offenders tended to know their victims, acted spontaneously, and rarely used restraints on their victims.
The archetypal organized offender was of average or above average intelligence, was socially competent, and often lived with a spouse or partner. The typical disorganized offender was characterized as below average intelligence, less socially competent, and often living alone (Ressler and Burgess, 1985). The set of characteristics in each of the two classes of offenders was used by profilers in conjunction with other physical evidence and investigative techniques to help narrow down the potential pool of suspects. In later years, the taxonomy was broadened to include the possibility of offenders who were a hybrid of the organized and disorganized archetypes.
In more recent years, the term profiling has been replaced at the FBI by the more descriptive name criminal investigative analysis (CIA). This analytical paradigm has been enlarged beyond the traditional, historical roots of profiling to include areas such as indirect personality assessment and equivocal death analysis. Indirect personality assessment is the technique by which investigators attempt to develop a psychological profile of a known suspect through questions directed to individuals who know the individual in question. Equivocal death analysis synthesizes actual crime scene evidence with a psychological profile to determine the nature of a death—by homicide, accident, natural causes, suicide, or some other means.