Reverse Deception: Organized Cyber Threat Counter-Exploitation

Authors: Sean Bodmer

However, the effectiveness of a predictive statistical model depends on the quality of the data being used as predictors in the model itself. Inherently, statistical models produce both false positives and false negatives, and the quality of the data present in the statistical model has a significant bearing on the magnitude with which those errors are made. The old adage “garbage in, garbage out” is certainly true in the case where a statistical model depends on data of dubious quality.

Errors in statistical models can come from both systematic and random sources. Systematic errors are problematic in that they influence the outcome of the model in a specific and nonrandom manner. These types of errors are more likely to cause the investigator to draw the incorrect conclusion. For example, an error in the way in which IP addresses are recorded from a computer network tap might nonrandomly link the wrong IP device to incriminating content contained within the data packets that are also captured.

Random error, while less problematic in steering the investigator to make the wrong decision, impedes the ability of the investigator to make a decision because it raises the noise-to-signal ratio of the data to the point where it may be difficult to draw a conclusion. If a small but valuable piece of data is hidden within a much larger data set that contains random data elements, it may be difficult to detect the critical piece of information, and the investigator may incorrectly conclude that the model did not find any elements of interest.

Statistical models are not deterministic in nature. While you can apply decision criteria to a predictive statistical model and make a discrete prediction from the model, there is always error present in this prediction; that is, there is some chance that the prediction is incorrect. That being said, predictive statistical models can and do play a role in prospective, as well as retrospective, profiling. It is up to the user of the statistical model to keep in mind all of the assumptions and constraints that predictive statistical models bring to the profiling environment.
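The systematic-versus-random error distinction above can be made concrete with a small simulation. This is an added example, not code from the book: it builds a constructed set of tap-style flow records, runs a toy attribution model over them, and then injects the two kinds of error the text describes, a tap bug that records every source IP off by one (systematic) and a flood of benign flows from random hosts (random), reporting the false positives and false negatives each one causes. All host addresses, labels and thresholds are assumptions made for the illustration.

```python
import random
from collections import Counter

# Constructed sample: flow records from a hypothetical network tap, each a
# (recorded source IP, content label) pair. Ground truth: only 10.0.0.10 sent
# incriminating content; every other host sent benign traffic.
HOSTS = [f"10.0.0.{i}" for i in range(1, 21)]
TRUE_OFFENDER = "10.0.0.10"

def generate_flows(n_per_host=20):
    return [(h, "incriminating" if h == TRUE_OFFENDER else "benign")
            for h in HOSTS for _ in range(n_per_host)]

def systematic_error(flows, offset=1):
    """Tap bug: every source IP is recorded with its last octet off by `offset`,
    so content is consistently attributed to the wrong host."""
    shifted = []
    for ip, label in flows:
        a, b, c, d = ip.split(".")
        shifted.append((f"{a}.{b}.{c}.{int(d) + offset}", label))
    return shifted

def random_error(flows, noise_ratio=20, seed=0):
    """Random error: the real flows are buried in `noise_ratio` times as many
    benign flows attributed to random hosts, raising the noise-to-signal ratio."""
    rng = random.Random(seed)
    noise = [(rng.choice(HOSTS), "benign") for _ in range(len(flows) * noise_ratio)]
    return flows + noise

def flagged_hosts(flows, threshold=0.5):
    """Toy predictive model: flag a host when more than `threshold` of the flows
    recorded under its IP carry incriminating content."""
    total, bad = Counter(), Counter()
    for ip, label in flows:
        total[ip] += 1
        if label == "incriminating":
            bad[ip] += 1
    return {ip for ip in total if bad[ip] / total[ip] > threshold}

def error_counts(flagged):
    """(false positives, false negatives) of a set of flagged hosts vs ground truth."""
    false_positives = len(flagged - {TRUE_OFFENDER})
    false_negatives = 0 if TRUE_OFFENDER in flagged else 1
    return false_positives, false_negatives

if __name__ == "__main__":
    clean = generate_flows()
    for name, data in [("clean", clean), ("systematic", systematic_error(clean)),
                       ("random", random_error(clean))]:
        flagged = flagged_hosts(data)
        print(f"{name:10s} flagged={sorted(flagged)} (FP, FN)={error_counts(flagged)}")
```

The systematic run confidently names the wrong host (one false positive plus one false negative), while the random run simply fails to flag anyone at the default threshold; lowering the threshold recovers the offender from the noise, which is the trade-off the text describes.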

Two Logical Approaches to Profiling: Inductive vs. Deductive

Two different types of logic often guide the profiling process: inductive and deductive. Inductive reasoning in criminal profiling involves gathering instances of some phenomenon or characteristic from other unrelated crimes, and then drawing a conclusion about a specific crime in question that involves the same phenomenon or characteristic. For example, in the 2009 FBI Uniform Crime Report, of the homicides where the sex of the offender was known, almost 90 percent of the offenders were male. So, by inductive reasoning, when investigating a murder, one could conclude that, ceteris paribus, it is likely that the offender for the specific crime in question was male. Note here that it cannot be said with certainty that the sex of the offender was male, only that it is more likely.

On the other hand, in deductive criminal profiling, only the evidence and characteristics of the specific crime are involved in the profile development. Deductive logic generally follows this pattern: a major premise based on some fact is combined with one or more minor premises associated with the crime, which establishes a specific instance of the major premise, which in turn allows the investigator to draw a logical deductive conclusion. Here is an example of deductive profiling in a criminal case:

Major premise: A half-smoked cigar was found at the hotel room crime scene.
Minor premise: A surveillance tape at the hotel showed only two people entered the room: the victim and the perpetrator.
Minor premise: The hotel records show the room had been cleaned just prior to the crime.
Minor premise: The victim’s wife and relatives report the victim never smoked.
Conclusion: The offender is a cigar smoker.

As Wayne Petherick notes, deductive reasoning in profiling is less adventurous and not as exciting as perhaps inductive profiling methods might be (Petherick, 2009). However, Petherick concludes:

To have 4 points about which one can be certain is better than having 40, the bases of which are questionable. It is also worth noting that the utility of a profile is largely a consequence of the surety of its conclusions. A profiler who is willing to venture into the unknown with his or her analysis runs the very real risk of leading investigations astray and wasting valuable time.


Petherick’s point is well taken, but there are sometimes circumstances, especially in the arena of cyber profiling, where there may not be sufficient evidence to employ a completely deductive profiling process. When a thorough analysis of the crime scene—whether it’s a violent crime with physical clues or a cyber crime where the clues are more ethereal—gives up all of the clues about the specific crime under investigation that it can, and the resulting deductive profile falls seriously short in providing effective guidance to the investigators of the crime, it then becomes time to call upon inductive reasoning to fill in as many of the holes in the profile as possible. It’s a bit like fishing on an ice-covered lake—some of the fishing spots are close to shore where the ice is thick, but the best spot to catch a fish happens to be out farther on the lake where the ice is much thinner.

There are risks and benefits to be evaluated when deciding whether to deploy a deductive, inductive, or hybrid approach to building the profile. It is up to profilers in concert with their fellow investigators to decide how best to proceed.

Information Vectors for Profiling

The preceding discussions have focused on providing a basic understanding of the nature and processes involved in profiling, as well as some of the more recent research work that has been done in the area of cyber profiling and the nature of the hacking community. The remainder of this chapter provides a brief summary of the major information/data vectors that feed into a profile: time, geolocation, skill, motivation, weapons and tactics, and socially meaningful communications and connections. Where relevant, we will compare traditional criminal profiling strategies for that information vector with that of cyber-profiling strategies for the same vector. This information should assist you in understanding the basic nature of each information vector and how these vectors relate to developing a profile.

Time

One of the simplest and yet more important information vectors is the temporal vector. Time is one of the essential organizing forces in human life and activity. Humans often follow reasonably regular schedules, and many major daily activities occur at the same time each day. These time-regulated activities also present windows of opportunity within which individuals may or may not have access to a victim and an environment conducive to perpetrating an attack—whether that attack is a traditional violent crime or a cyber attack.

Criminal profiling often has the profiler creating a timeline of the victim’s life in the 24 hours prior to and including the crime itself (Petherick and Turvey, 2008). The timeline is used to better understand very recent events that may be associated with the crime. What was the relationship of the victim to the events on the day of the crime? Who were the people who interacted with the victim that day? When did those interactions occur? What environments did the victim encounter that day? How might any of these factors be related to how the offender acquired the victim and committed the offense?
