Part I: Cybercrime Profiling


Most everyone has seen the movie The Silence of the Lambs or the more recently released Hannibal. Each of these popular movies familiarized the public with the established discipline of criminal profiling. The methodology of psychological or criminal profiling has been used for more than two decades to assist investigators and forensic analysts in incident investigation. In the early 1970s, several now well-known FBI special agents (for example, John Douglas, Leo Hazelwood, and Robert Ressler) created and developed conventional crime-profiling techniques. They focused on the psychological profiling of serial killers, serial rapists, and serial arsonists. Their techniques have been validated and expanded over the years to include the profiling of kidnapping cases, single or unrelated homicides, and other conventional (or nontechnical) crimes.

The various social scientific and profiling techniques used to assess people have been widely accepted in the conventional investigative world. Psychological profiling has been utilized in law enforcement and in the intelligence community for assessing individuals, groups, and cultures and for solving crimes. The behavioral information and profiles provided to investigators have supplemented forensic data, hard scientific data, and otherwise technically gathered data. Hard scientific information gathered by medical examiners, ballistics experts, demolitions specialists, DNA experts, and other laboratory analysts is both used by and supplemented by profilers. The profilers provide that extra tool in the box that looks at the crime, the crime scene, the victim, and the perpetrator from a behavioral or psychological perspective. This profiling tool can be utilized during all six stages of incident response, depending on who or what is being assessed.

The very basic concept behind profiling is that people are creatures of habit and form behavioral patterns. Individuals might not even be aware of some of their own patterns. Behind each pattern is also a motive, a reason why, or a catalyst that spurs on the behavior. Uncovering and understanding these patterns is critical to forming a useful criminal profile.

There are two simple ways to define profiling:

Definition #1:

Profiling is the process by which an incident is evaluated and assessed from a behavioral perspective to provide social scientific insight into the individual or individuals who might have committed the specific act(s) or offense(s).

Definition #2:

Profiling is the process by which a crime scene is observed, evaluated, and assessed from behavioral, criminological, anthropological, victimological, and psychological perspectives to provide social scientific insight into the individual or individuals who might have committed the specific offense or offenses.

The concept behind profiling is that weapons do not commit crimes, people do. Thus, those individuals who commit cybercrimes are the roots of the problem, not the advancing technologies. If the problem is primarily human driven, the solution must include, in part, a human solution. As criminal profiling increases the size of the conventional investigative toolbox, similar behavior-based methodologies can be used to enhance the number of tools used to combat breaches of information security. Human-based data gathering, assessment, and cybercrime profiling need to be synthesized and incorporated in conjunction with the information security techniques applied by incident response teams.

What is Cybercrime Profiling (CCP)?

CCP, in its purest form, is simply an extension or adaptation of conventional criminal profiling applied to the cybercrime scene. CCP uses all the same data-gathering techniques as conventional criminal profiling, but it has applied the methodology to the technical incident. In conventional crime profiling, the profiler would look to the forensics experts, the medical examiner, the detectives, and the crime victim to collect information about a case. The strategy of the cybercrime profiler is much the same. The cybercrime profiler turns to the system administrator, the incident response team members, the firewall expert, and perhaps the virus expert for the same type of input and information. The cybercrime profiler is searching for those same patterns that the perpetrator left behind that could assist the technical incident responders in mitigating the incident, predicting the attacker's next move, or even identifying the attacker. In these examples, cybercrime profiling would be an integral part of Stage 2, detection. CCP can be broadly defined as follows:

The investigation, analysis, assessment, and reconstruction of data (from behavioral, psychological, criminological, anthropological, and victimological perspectives) that has been extracted from computer systems, networks, media (such as tape, discs, digital, and audio), and physical security logs (such as badge readers, cameras, and biometric devices) as well as from human-based systems (such as corporate policies, organizational procedures, and organizational culture/climate).

Why Is CCP Used as Part of Incident Response?

As previously stated, CCP works in conjunction with and supplements incident response and technical cyberforensics. CCP is recommended as an added aspect of the incident response team for the following reasons:

  1. The combination of technical science and social science is a powerful one.

  2. The problems associated with information security and incident response are based in human behavior. The integration of technical and behavioral science is necessary; you cannot forget about half of the problem.

  3. Profiling provides a distinct investigative perspective.

  4. CCP creates an effective multilayered approach to cybercrime investigation and mitigation.

There are many times when an incident, surprisingly enough, will not have a great deal of technical data on which to base an investigation. When email threats are sent or postings are made to message boards, anonymizers and other techniques are typically used to cloak the identity and the technical trail of an attacker. These are the types of cases in which it is certainly appropriate for a profiler to be engaged.

Cybercrime profilers might also look for data in places where the technical team typically does not, or they might provide information to the victim of the incident that the technical team frequently overlooks. Important data might be available through a human resources department of an organization. For example, most HR departments house all employee and former employee records, including complaints, disciplinary actions, and resumes. HR departments are also typically well versed in the corporate culture and climate. They know when layoffs have taken place, when management changes have occurred, and when other things relating to employees have taken place within the organization. Understanding and having access to this type of information about a company might provide leads or clues as to why an incident occurred and who might be responsible. Public relations departments, physical security departments, and finance departments also might be relevant and hold critical information pertinent to the case.

When Is CCP Used?

Although CCP is mostly seen as an aspect of incident response to profile "who done it," there are a few other applications. Overall in the scheme of information security, CCP is used in three basic ways, fitting into all six stages of incident response as described in Chapter 3:

  1. As a cybercrime prevention tool (Stage 1)

  2. As a postincident or postmortem assessment tool (Stage 6)

  3. As an Incident Response tool (Stages 2 through 5)

Preparation and Prevention

As a cybercrime preparation or prevention tool, CCP is used to identify vulnerabilities within an organization and hopefully to prevent an incident from happening. CCP can be used in various ways to add to the existing technical methods used to prevent attacks. The focus of profiling, preattack, is to basically think like or assess the motivations of a would-be attacker. White hat hackers or ethical hackers do this from a technical perspective. Profiling can be used as a precursor to or as preparation for conducting ethical social engineering tests. Constructing scenarios to run against call centers, organizations, and other critical parts of a company using emotional or psychological strategies is effective in uncovering potential human-based vulnerabilities. Of course, the information gained from an effective psychologically based social engineering task (for example, account data, passwords, user IDs) can be passed to the ethical hacking team for further exploitation.

CCP can also be used to construct an organizational profile of a company, corporation, or agency. To conduct "preventative profiling," information about an organization and its employees, policies, structure, size, departments, industry, and internal workings needs to be assessed. Due to the interdependence of individuals, organizations, departments within organizations, and the trends that occur in society, the relationships and connections between those elements must be analyzed because they are all synthesized and linked via computers, networks, the Internet, and intranets.

Every organization goes through difficult times, and every organization has a distinct culture. Understanding and profiling the corporate culture and climate can provide the organization with an understanding of when the probability of attack might be higher or lower. One method of identifying the more probable times of attack is to identify the hot spots within the organization. The hot spots are those times during the year when the organization experiences the most stress, anxiety, or change, the times of the year when the employees, the stockholders, the investors, or the customers might become uneasy, disgruntled, tense, or on the flipside, more successful or more public. For example, in some organizations, the hot spots might include the timeframe when performance evaluations and bonuses are conducted; in other organizations, it might be during the annual or quarterly reports. Some organizations report the most unrest during times of downsizing or critical management change; other organizations experience stress during acquisitions, mergers, or physical location changes. These times of stress typically correspond to increased incidents; about three to four months after a hot spot occurs, an organization is more likely to experience an attack, most likely from an insider.

Another hot spot catalyst is when the organization attains publicity or becomes prominent in the news. Organizations that have become household names or are otherwise well known are frequent targets for attack. When an organization's public relations department or marketing department prepares a big media spread or when a company is doing so well financially that it gets a lot of attention from Wall Street and is reported in the news, this publicity (positive or negative) heightens the probability of attack. If these hot spots are understood, they are predictable. Thus, enhanced security measures can be put in place during these times of higher incident probability.

CCP can likewise be applied to the preparation for and prevention of incidents by assisting in the candidate screening or hiring process. No organization wants to hire people who will steal, cheat, conduct industrial espionage, or otherwise sabotage the company. Specifically, companies are very aware of the damage that highly technical people can do to their organization with skill, access, and in some cases, even authorization. There are many theories and many approaches to employee screening, including background investigations, polygraph tests, and interviews that seem like interrogations. Some organizations have no hiring process and seem to hire anyone who appears to be breathing and have a pulse. Most companies do not want to hire hackers or crackers; however, they are not sure how to weed out people who are capable of doing damage but won't from those who are capable of doing damage and would, either for money, kicks, or revenge. Just as CCP can assist a company in profiling an organization for vulnerabilities, the methodologies of profiling can be used to assist organizations in developing interview strategies and techniques to weed out those who might do an organization damage.

Postmortem or Follow-Up

Just as CCP can be applied to incident preparation and prevention, profiling or assessing an incident from a human perspective can provide both the incident response team and the client with useful postincident recommendations. This postmortem assessment is part of Stage 6, follow-up. The three applications of human-based assessment techniques for postmortem assessment are as follows:

  1. Continuing the process and flow of the incident response capability

  2. Evaluating the communication and behavior of the incident response team members as well as the communication with the client

  3. Contributing human-based recommendations to prevent the incident from reoccurring

Although the incident response team leader or manager is frequently responsible for maintaining the skill sets of the response team and managing the successful conclusion of an incident, this team leader is typically focusing on the successful technical solution of the incident. In some cases, even though the technical issues are resolved, human beings might have been adversely affected and might still feel victimized by the incident. Specifically in cyberstalking cases and cyberthreat cases, victims of these types of crimes don't usually go back to business as usual just because their stalker was identified and caught or because their system was restored. The victims have emotional and psychological issues that need postincident attention and perhaps counseling. This particular subject will be discussed in more detail in Part III of this chapter.

It is always recommended, but infrequent, that incident response teams sit down after an incident is closed to discuss what went well and what did not go so well. When teams walk through this process, again, the focus is primarily targeted to how well the team members used their technical prowess to go after the attacker, patch the holes, and locate other vulnerabilities, or how fast they were able to restore the system to functionality. One aspect that the human side of incident response can bring to the table is an assessment of the communication between team members as well as an assessment of how well team members communicated with the client or victim. Developing trusting and open interpersonal relationships with clients is an important, if not critical, part of incident response. During the course of an incident, it is highly likely that someone will be briefing a manager or someone within the attacked organization who is not highly technical but who needs to understand the incident and its implications. It is imperative that an incident response team be able to discuss the incident in highly technical terms as well as break it down in plain language so that a public relations specialist can prepare to answer questions from the media if needed.

Working an incident from the human perspective also provides an added dimension to the list of recommendations and suggestions provided to the client postincident. Human-based recommendations might include recommendations regarding employee policy changes, physical security observations, and social engineering prevention strategies. For example, if an insider committed an incident, there might be relevant suggestions to make regarding the organization's hiring procedures or termination processes.

Incident Response: Detection, Containment, Eradication, and Recovery

The most recognized time when CCP is used is during the heat of an ongoing incident. At this stage, profiling can assist in the identification, investigation, interrogation, and prosecution of the perpetrator. Cybercrime profiling can supplement Stage 2, detection, by trying to ascertain what is going on and who the perpetrator might be. Profiling can supplement Stage 3, containment, by helping to limit the extent of the attack damage or compromise committed by the perpetrator. Profiling and behavioral assessment might be able to assist in the isolation or eradication of the cause of the attack, assisting the technical team during Stage 4, eradication. Finally, by understanding the attack or incident from a psychological or behavioral perspective, profiling techniques might be able to supplement the recovery process, as described in Stage 5. The goals of the profiler during an incident, however, are driven by the needs of the client. Each client has distinct needs that could vary widely. The goals of CCP include the following:

  • Narrowing the suspect pool (insider or outsider)

  • Identifying the actual perpetrator

  • Identifying whether the incident was caused by a single attacker or multiple perpetrators

  • Assessing the organization and determining the attacker's motivation and additional vulnerabilities or attack targets

  • Assessing the scope of the incident and the impact on employees, customers, stockholders, managers, and public perception

  • Predicting the perpetrator's behavior or next move

  • Providing consultation to the victim(s)

  • Assisting in the sharing of information between organizational departments

  • Using the profile to generate more questions or answers about the incident and who might be involved

  • Supplementing the interview or interrogation process if suspects are revealed

  • Assisting in the evidence collection and prosecution process

  • Providing suggestions and follow-up advice postincident

The sooner CCP can be brought into an investigation the better. Again, just as in conventional crime cases, it is more difficult to assess a case when it's cold or when it has been ongoing for some time.

The Methodology of CCP

The assessment methodologies used in cyberprofiling are very similar to those used in conventional criminal profiling. The actual methodology of CCP, as in conventional criminal profiling, is a mix of science and art. CCP is grounded in behavioral science but utilizes the subjective experience of the profiler in addition to the art of interpretation. In general, there are four foundational steps or processes to work through when profiling a cybercrime case. The four foundational steps are as follows:

  1. Conducting a case overview

  2. Performing triage

  3. Analysis and profiling

  4. Conducting the technical interview

Case Overview

The basics of a CCP case overview include the following:

  1. The identification of modus operandi (MO).

  2. The determination and identification of a signature.

  3. A content analysis.

  4. Pattern recognition of the attack.

  5. An assessment of the technical aspects of the attack.

  6. Extension of research and search for related information.

  7. A victimological assessment.

  8. The determination of linkage. Each data set within a case and related to a case is independent until multiple cases can be linked together.

The goal of this first step, which is part of the detection stage, is to get a handle on what is going on, what has the attacker done, how has the attacker committed the offense, and what some of the patterns and details are that jump out at the beginning.

Modus Operandi

Modus operandi (MO) is the mechanism by which the perpetrator commits his or her crime. It is a learned behavior, and it can change over time as the individual changes, grows, and develops. The MO can be considered a pattern, allowing for some variance. It is important, however, to understand the basic behavioral pattern of the perpetrator. An example of an MO in conventional crime can be found in the case of the Boston Strangler. In that case, the MO included not only strangling all his victims but also selecting females living alone in apartment buildings as victims and using the ruse of "maintenance" as the mode of entry to his victims' apartments. An MO in cybercrime might include the use of email to launch extortion demands, after which the attacker consistently compromises systems by using known vulnerabilities in networks and assuming that most companies are not current on their patches. The attacker's MO also might include the use of a rootkit.

Assessing and constructing the MO of a computer attack is useful in determining not only who might have conducted the attack but also what the person's skill sets are, his or her attack preferences, and what some of the attacker's vulnerabilities might be. In the case of the extortion attempts, the MO indicates that the attacker's most likely vulnerability might be his next step, which is the voice or face-to-face communication with the company to collect the demanded payment. The MO in that case highlights the attacker's technical skills and abilities; the entire attack is extremely technical and, according to the technical members of the incident response team, very well executed. There is no indication of comfort or evidence of confidence in interpersonal communication.

Signature

Signature is what the perpetrator has to do to fulfill self-needs. It is an unnecessary addition to the completion of the actual crime. The signature of a crime or of the criminal typically does not change from one crime to the next. For example, in the case of the Boston Strangler, his signature was tying bows around the bodies made from the victims' clothing items (such as stockings or scarves) found in their apartments. The big, sometimes elaborate bows made by the Boston Strangler were not necessary to the actual completion of his crime. He could have strangled his victims without conducting this last behavior, but it was his signature. It was something he had to do for emotional or psychological reasons.

The signature is distinctive, and in most cases, there is some form of a signature. It might be difficult to detect or a bit obtuse, but there is some distinguishing factor in most behaviors, including the behavior of hackers! Various signatures found in cybercrimes include comment lines in virus code, email address names/aliases, screen names, stylistic components of emails and message board postings, and graphic characteristics in web defacements. The establishment and identification of a signature is one of the best ways to tie cases together or to establish linkage.

The Style of the Technical Attack

The style of the technical attack includes components that might relate directly to the MO and the signature. These stylistic components include the manner in which the perpetrator used the attack tools. In conventional crime, stylistic components of a crime might include things like what type of binding materials were used during an abduction (rope, duct tape, handcuffs) or in what style the ransom note was written (pen and ink, script versus printing, paragraph divisions, margins, typed, and so on). In cybercrime investigation and incident response, the stylistic components might be contained in captured virus code. Part of the style of a virus attack might include what the actual code looks like, how spaces are used in the program, how the logic of the code flows, and how elegant the code is. Understanding the style of the code might provide insight regarding who authored the code. In one case, virus code was captured, and the style of the programming was that all the lines of code were jammed together with no spaces and no indentation between lines. This style of programming was characteristic in the mid-to-late 1970s and early 1980s. Space was at a premium, and every available space was valuable. Thus, programmers who learned to program during this timeframe valued space, and many continued to program using this indicative style. Estimating the educational timeframe of the virus writer can provide an educated prediction of the virus writer's age. Assessing age on only the evidence of space is not recommended, but this is useful data and is a worthwhile observation to note.
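The layout comparison described in this section can be made repeatable rather than eyeballed. The Python below is an added example written for this edition, not code from the book or from any named project: it extracts a handful of whitespace and layout features (blank-line ratio, indentation, spacing around assignments, comment density) from two constructed C fragments and reports how far apart their layout habits are. The fragments, the feature set, and the distance measure are assumptions chosen for illustration; as the text cautions, such a measurement is one observation to note alongside the rest of the case data, not an identification on its own.

```python
"""Layout features of a code sample, used as one stylistic observation in a case.

Added example for illustration; not from the book. The two fragments below
are constructed, layout-only C snippets, not any real program.
"""
import re
from dataclasses import dataclass

# A lone '=' (assignment), excluding ==, !=, <=, >=, +=, -=, *=, /=.
ASSIGN_RE = re.compile(r'(?<![=!<>+\-*/])=(?!=)')


@dataclass
class StyleProfile:
    lines: int
    blank_ratio: float        # blank lines / all lines
    indent_ratio: float       # non-blank lines that start with whitespace
    spaces_around_ops: float  # assignments written as " = " rather than "="
    comment_ratio: float      # non-blank lines carrying a // or /* comment
    avg_line_len: float       # mean length of non-blank lines


def profile(source: str) -> StyleProfile:
    """Measure how the author of `source` uses space, indentation and comments."""
    lines = source.splitlines()
    nonblank = [ln for ln in lines if ln.strip()]
    blank = len(lines) - len(nonblank)
    indented = sum(1 for ln in nonblank if ln[0] in " \t")
    commented = sum(1 for ln in nonblank if "//" in ln or "/*" in ln)
    spaced = total = 0
    for ln in nonblank:
        for m in ASSIGN_RE.finditer(ln):
            total += 1
            i = m.start()
            if 0 < i < len(ln) - 1 and ln[i - 1] == " " and ln[i + 1] == " ":
                spaced += 1
    n_all, n_nb = len(lines), len(nonblank)
    return StyleProfile(
        lines=n_all,
        blank_ratio=blank / n_all if n_all else 0.0,
        indent_ratio=indented / n_nb if n_nb else 0.0,
        spaces_around_ops=spaced / total if total else 0.0,
        comment_ratio=commented / n_nb if n_nb else 0.0,
        avg_line_len=sum(len(ln) for ln in nonblank) / n_nb if n_nb else 0.0,
    )


def distance(a: StyleProfile, b: StyleProfile) -> float:
    """Mean absolute difference over the ratio features; 0.0 means identical habits."""
    feats = ("blank_ratio", "indent_ratio", "spaces_around_ops", "comment_ratio")
    return sum(abs(getattr(a, f) - getattr(b, f)) for f in feats) / len(feats)


# Constructed sample 1: everything jammed together, no indentation, no comments.
SAMPLE_DENSE = """int f(int a,int b){int c=a+b;if(c>10){c=c-1;}return c;}
int g(int x){int y=x*2;return y;}
"""

# Constructed sample 2: the same logic written with generous layout.
SAMPLE_SPACED = """// helper: clamp and return
int f(int a, int b)
{
    int c = a + b;
    if (c > 10) {
        c = c - 1;
    }
    return c;
}

int g(int x)
{
    int y = x * 2;
    return y;
}
"""

if __name__ == "__main__":
    dense, spaced_ = profile(SAMPLE_DENSE), profile(SAMPLE_SPACED)
    print(dense)
    print(spaced_)
    print("layout distance:", round(distance(dense, spaced_), 3))
```

Run against a captured sample and a sample of known authorship, a small distance supports (but never proves) a common author; a large one argues against it. The ratios are deliberately length-independent so that a short fragment can be compared with a long one.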

Victimology

Victimology is the study of the victim or the target. It is necessary and important when investigating an incident to understand why a particular victim was targeted. Studying the victim might provide clues as to who the attacker is by virtue of who was intended to receive harm. In cybercrime investigation, ascertaining who the victim is might include both human and inanimate objects (such as the systems, networks, web servers, laptops). It is possible that an incident might include the compromise of a system or an email account to send harassing or threatening messages to a human victim. In that case, there are two victims: the compromised system and account and the person receiving the threats. Understanding who the person is and why someone might have wanted to inflict fear or harm on him or her might become a very personal and disclosive process. Interviewing the victim must be conducted with the utmost confidentiality and respect. It is also recommended that the victim be interviewed more than once and with a variety of interviewing strategies.

Content Analysis

Content analysis as a social scientific tool has been around since the early 1900s. This interpretation and assessment technique primarily was used by anthropologists, rhetoricians, and literary scholars. Varied and early types of content analysis have been used in academic settings since Socrates and Aristotle. Used in profiling, content analysis is the assessment of the actual contents or matter of the evidence available in a crime scene. By conducting a cursory content analysis of a crime scene, the profiler begins to get a more robust picture of what actually took place. In conventional profiling, a content analysis would certainly be conducted on a ransom note, an extortion letter, or a bank robbery note. At this stage, the literal interpretation is important to understand. What does the note or letter actually say? What do the kidnappers want? How much money are the extortionists asking for? How does the bank robber want the money, in 20s, in 100s? In the case of cybercrime profiling, the same goal applies.

In cases of computer crime, a content analysis would be conducted on virus code, cyberstalking emails, threatening message board postings, files of compromised systems, and particularly in forensics cases in which entire drives are imaged. The same types of questions apply to computer crime as to conventional crime. What is the virus attempting to do to the OS? What does the cyberstalker want? Who specifically is the message board poster threatening, an individual or an organization? What are the names of the files that were compromised? What are the contents or categories of data on the imaged system?

Content analysis will be revisited later in the profiling process. At this stage, it is imperative to understand the plain presentation of the facts. At a later stage, more facets of content analysis will emerge that will include subjective interpretation.

Pattern Recognition

Pattern recognition is the search for and recognition of any repeating components of a crime that have occurred within the same crime or case. Identifying patterns within the same case could provide insight regarding the identity of the attacker, the motivation of the attacker, or when the attacker might strike next. When it becomes very apparent in the course of an investigation that the same attacker is responsible for the crime, looking for patterns within the individual's attack can assist investigators and incident responders. Pattern recognition is a useful tool to use in cases of stalking, both conventional stalking and cyberstalking. In most cases of stalking, it is apparent that there is one perpetrator and typically one victim. The stalker might behave in ways that reveal a pattern to his or her actions. A cyberstalker's pattern might be the time of day emails are sent to the victim, or a pattern might reveal that the stalker is more active on Wednesdays than on any other day of the week. In conventional cases, this type of information might be very important in the maintenance of victim safety. In cyberstalking cases, this information is likewise central to maintaining the safety and well-being of the victim, but this information might provide timeframes to set up sniffers, trace-backs, and other technical trap and trace methods.
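The weekday and time-of-day pattern described above falls out of the Date: headers of the messages themselves. The following is an added example written for this edition, not code from the book: it parses a set of constructed header values from a hypothetical harassment case, tallies activity by weekday and by hour, and reports the dominant weekday and the busiest two-hour window, which is the kind of timeframe the text says can be handed to the technical team for log capture. The header values are constructed, and the two-hour window width is an assumption.

```python
"""Weekday / hour-of-day activity profile from email Date: headers.

Added example; not from the book. The header values below are constructed
for a hypothetical cyberstalking case and do not come from real mail.
"""
from collections import Counter
from email.utils import parsedate_to_datetime

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Constructed Date: header values (RFC 2822 format) from the hypothetical case.
DATE_HEADERS = [
    "Wed, 06 Mar 2002 22:14:07 -0500",
    "Wed, 13 Mar 2002 23:02:41 -0500",
    "Sat, 16 Mar 2002 11:30:00 -0500",
    "Wed, 20 Mar 2002 22:48:19 -0500",
    "Wed, 27 Mar 2002 21:55:03 -0500",
    "Mon, 01 Apr 2002 09:12:30 -0500",
    "Wed, 03 Apr 2002 22:30:11 -0500",
    "Wed, 10 Apr 2002 23:20:55 -0500",
]


def activity_profile(headers):
    """Count messages per weekday name and per hour of the day.

    Hours are taken in the offset written in each header (the sender's own
    clock); if senders vary, convert to one zone with .astimezone() first.
    """
    stamps = [parsedate_to_datetime(h) for h in headers]
    weekdays = Counter(DAY_NAMES[d.weekday()] for d in stamps)
    hours = Counter(d.hour for d in stamps)
    return weekdays, hours


def busiest_window(hours, width=2):
    """Start hour and message count of the densest `width`-hour window (wraps past midnight)."""
    def count(start):
        return sum(hours[(start + i) % 24] for i in range(width))
    best = max(range(24), key=count)
    return best, count(best)


def summarize(headers, width=2):
    """Dominant weekday and busiest window, each with its share of all messages."""
    weekdays, hours = activity_profile(headers)
    day, day_n = weekdays.most_common(1)[0]
    start, n = busiest_window(hours, width)
    return {
        "weekday": day,
        "weekday_share": day_n / len(headers),
        "window_start": start,
        "window_end": (start + width) % 24,
        "window_share": n / len(headers),
    }


if __name__ == "__main__":
    s = summarize(DATE_HEADERS)
    print(f"{s['weekday_share']:.0%} of messages sent on {s['weekday']}; "
          f"{s['window_share']:.0%} between {s['window_start']:02d}:00 and {s['window_end']:02d}:00")
```

The share figures matter as much as the winners: a dominant weekday at 75 percent of traffic is a usable pattern, while one at 30 percent is noise, and the team should not schedule capture around it.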

Linkage

Linkage is the natural extension of pattern recognition. Linkage is the search for and recognition of any repeating components of a crime that might also have occurred in other crimes. Identifying links between different cases is historically a foundational part of linking and identifying serial crime cases. Similarities in MO, signature, stylistic components, victims, or the contents of attacks might indicate the presence of a recidivist criminal. On the other hand, extreme dissimilarities in attack patterns might indicate that there are multiple attackers or a group. Patterns can be found in any aspect of the incident. Patterns could include the time of day the compromises were conducted as well as who was targeted. In serial crime cases, the study of the victims as well as pattern recognition can uncover the victim MO of the killer. In the example of the infamous serial killer Ted Bundy, his pattern or preference was to target young, brunette, college women.

Using linkage as a profiling tool in incident response is only slightly different from its use in conventional crime investigation. Firewall logs, email headers, server logs, timestamps, and Internet histories are only a few places where patterns can be uncovered. Sometimes the link is discovered by looking outside of the obvious or outside the technical data and logs. For example, in one serial denial-of-service attack case, the victim company was being attacked multiple times over the course of six months. The company did not know whether the attacks were related. However, linkage identified that the company was being attacked only after the company received positive attention in the media. The company's public relations department provided the information for identifying the pattern. Specifically, the company was attacked every time its PR department issued a press release. The positive attention appeared to be the catalyst for the attacks. The next question, of course, was who would attack a company after good press? A disgruntled employee? An activist group? A competitor? In this case, it turned out to be a competitor.
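The press-release linkage in the case above can be checked numerically once the PR department hands over its dates. The Python below is an added example written for this edition, not code from the book or from the company described: it takes constructed attack dates and two candidate catalyst calendars (press releases and quarterly reports), measures for each attack the lag since the most recent preceding event, and scores each calendar by the fraction of attacks that fall within a short window after one of its events. All dates, the two calendars, and the three-day window are assumptions chosen for illustration.

```python
"""Linkage test: do attack dates cluster shortly after an external event series?

Added example; not from the book. All dates below are constructed for a
hypothetical serial denial-of-service case.
"""
from bisect import bisect_right
from datetime import date

# Constructed attack dates reported by the victim company's incident log.
ATTACKS = [date(2002, 1, 10), date(2002, 2, 20), date(2002, 4, 4),
           date(2002, 5, 15), date(2002, 6, 26)]

# Constructed candidate catalyst calendars supplied by PR and by finance.
CANDIDATES = {
    "press_release": [date(2002, 1, 8), date(2002, 2, 19), date(2002, 4, 2),
                      date(2002, 5, 14), date(2002, 6, 25)],
    "quarterly_report": [date(2002, 1, 31), date(2002, 4, 30), date(2002, 7, 31)],
}


def lag_days(attack, events):
    """Days from the latest event on or before `attack` to the attack; None if no prior event.

    `events` must be sorted ascending.
    """
    i = bisect_right(events, attack)
    return None if i == 0 else (attack - events[i - 1]).days


def linkage_score(attacks, events, window=3):
    """Fraction of attacks occurring within `window` days after some event, plus the raw lags."""
    events = sorted(events)
    lags = [lag_days(a, events) for a in attacks]
    hits = sum(1 for lag in lags if lag is not None and lag <= window)
    return hits / len(attacks), lags


def best_catalyst(attacks, candidates, window=3):
    """Name of the calendar whose events the attacks follow most consistently, and all scores."""
    scores = {name: linkage_score(attacks, ev, window)[0] for name, ev in candidates.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    for name, events in CANDIDATES.items():
        score, lags = linkage_score(ATTACKS, events)
        print(f"{name:17s} score={score:.2f} lags={lags}")
    print("most consistent catalyst:", best_catalyst(ATTACKS, CANDIDATES)[0])
```

A score near 1.0 against one calendar and near 0.0 against the others is what the text calls a link; it narrows the question to who watches that calendar (a disgruntled employee, an activist group, or a competitor), which is where the human-side inquiry takes over. With few attacks a single coincidence can inflate the score, so report the lag list alongside it rather than the score alone.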

Research

After completing the seven foundational information-gathering stages presented in the preceding sections (MO, signature, the style of the technical attack, victimological assessment, content analysis, pattern recognition, and linkage), the last step in this first phase of profiling is to take all the data and information collected from this cursory review and search for more data. Search for related information that might be relevant to the case. Related case research is most easily first conducted on the Internet. Using any pertinent information, an open-source collection on the Internet and World Wide Web can be conducted. Incident response case data might provide screen names, email addresses, IP addresses, names, places, and other pointers. It is surprising how many people (including perpetrators) use and reuse favorite addresses and names. People are known to choose one screen name and use the same name on several message boards. People use the same initials or a variation of their email address in other correspondence identifiers. An enormous amount of information is available online, and it is worthwhile to play sleuth and surf for additional information that might be very germane to a case.

Performing Triage

The next step in the profiling process is to conduct a full-scale triage on the case. After the case overview is completed, the incident response team and cybercrime profiler should have a good feel for the case. It is possible, however, that at this stage, the incident responders might have to clarify some findings and points to the client or the victim. Triage in the incident response arena can best be defined as the sorting and defining of critical incident components, and it is part of detection, containment, and eradication. Completing the triage process usually assists the cybercrime profiler and incident responder in accurately answering questions posed by the client or victim. There are six steps in the triage process:

  1. Validation of the incident category (threat, stalking, harassment, denial of service, compromise)

  2. Establishment of bona fides

  3. Assessment of the threat level

  4. Assessment of the level of potential violence

  5. Communication and establishment of goals with the victim

  6. Communication strategy with the attacker

Validation of the Incident Category

The first component of triage is to validate the type or category of incident. It is not infrequent or unusual for a client or victim to call an incident response team for assistance and start the conversation by saying, "I am being cyberstalked and I need help," or "I think a disgruntled employee has just launched an attack on us by taking down our firewalls." After conducting the case overview, the incident type should be fairly clear, and sometimes it does not match the original description provided by the client or victim. It is not remarkable for someone to call with the belief that he or she is being cyberstalked when the actual incident category is cyberharassment or even spam. Accurately labeling the incident at this point will assist the profiler and the incident responders in shaping the expectations of the client as well as educating the client or victim to the actual circumstances. One of the unfortunate situations is when a victim or a client misreads the incident. Inappropriate actions can be taken (sometimes by the client) that might negatively affect the case.

Establishment of Bona Fides

When everyone seems to agree with the incident category, one more variable must be validated. The establishment of bona fides means making sure that the information provided is accurate and that the information has come from accurate sources. This is a regrettable step to have to go through, but at this point, further responding to a bogus case would be a terrible waste of time, energy, and money. Just as people fabricate being the victim of all sorts of crimes, even sexual assault, some cybercrimes have likewise been fabricated by victims. Whether the motivation is to seek and attain attention or is a byproduct of severe manic depression, there are cases in which individuals have invented their own cyberharassers, cyberstalkers, and death threats. Validation of provided information is necessary. There have also been cases in which the perpetrator has actually been one of the information technology experts providing logs and incident data to the incident response team. Of course, not all the relevant data made it to the hands of the incident response team. Check, recheck, and question any anomalies in data acquisition.

Level of Threat

When the bona fides of an incident and a victim have been validated, the next most critical assessment to conduct is the level of threat. The victim must be given an indication of how threatening the attacker is and what can be done to minimize the threat. Again, in cases of incident response, the victim can be human (an individual or an organization) or inanimate. When the CCP is dealing with a human victim (whether that victim is an individual, a group of individuals, or all employees within an organization), the following might be some of the elements of threat:

  1. What is the geographic proximity of the attacker to the victim?

  2. Are the words or actions of the attacker becoming more aggressive?

  3. Is there any evidence that the attacker has committed this type of crime in the past?

  4. How many attackers do there appear to be?

  5. Are the attacks organized or disorganized?

  6. Are the attacks or actions of the attacker happening more frequently?

Depending on the level of threat assessed, the victims might need special assistance. For example, if an individual has received multiple threats that are increasing in veracity, enhanced physical security might be recommended. If an organization or its employees are threatened, the appropriate follow-up might be to involve local law enforcement, and likewise, an increase in physical security precautions might be recommended. On the technical side, the incident response team members might be simultaneously providing various methods of increasing information security.

Level of Violence

If the threat level is assessed as being high, there is potential for violence. The assessment of the type of violence likely and the level of violence probable should be reported and responded to as quickly as possible. Physical security departments should be contacted immediately, and private security and law enforcement might also be brought in at this juncture. Regardless of the system restoration process or any network damage related to the incident, the safety and well-being of employees should be the top priority of all organizations.

Communication and Establishment of Goals with the Victim

When both the threat and violence preventative measures have been implemented, ongoing communication with the victim is essential. The incident response team must understand the goals of the investigation. It is possible that the client will simply want the systems restored and the victims protected, with little to no actual investigation. The client might also choose to have the incident investigated to a level that determines whether the attack originated from the inside or the outside. It is also possible that the client will want a full investigation, including identifying the perpetrator. Regardless of what goal the client has, all aspects of the investigation must be conducted as if the case were going to court. Collection of evidence, documentation of records, and due diligence on the technical side as well as the human side must be conducted. It is always possible that the client will change his or her mind and later decide to prosecute or investigate to a fuller extent.

The client or the victim must also realize the potential consequences of the investigation. What happens if the incident response team actually identifies the perpetrator and the person is revealed to be a vice president in the company? How does the client want to deal with human resources issues such as termination or disciplinary action? How does the client want to deal with possible media attention? How does the client want to deal with the effect that the incident and the revelation of the perpetrator are going to have on employees and morale? Answers to these questions and a host of others must be answered before actions are taken.

Communication Strategy with the Attacker

One possibility is that the client will want the attacker to be identified. There are many ways to go about conducting the "who done it" part of the investigation. One potential suggestion is to commence communication with the attacker. Whether the attacker is attempting to extort money, harass an employee, or post intellectual property information on the Internet, it is possible to learn more about the perpetrator by actually attempting contact. Computer crimes units in law enforcement must be very careful when using this technique because it might be illegal and considered entrapment. Commercial incident response teams do have more legal room to maneuver in this manner, but the client must provide explicit permission. The following are some of the issues that must be discussed and decided before any incident responder attempts to communicate with a potential attacker:

  1. How is initial contact with the potential attacker going to be made?

  2. For what purpose is the attacker going to be contacted?

  3. Where is the attacker going to be contacted? On a message board? An IM session? Via email?

  4. When should the attacker be contacted?

  5. What is going to be communicated to the attacker?

  6. What is the overall goal of the communication?

This last question might be the most important. Is the purpose of contacting the attacker to attain additional information? Is it to attain a certain piece of information? Or is it to establish an electronic form of communication that can be traced?

In one case, contact with the attacker served several purposes. The case was originally called in as a cyberstalking case. However, after performing triage, it was assessed as a multiple harassment case. The victim was receiving repeated and numerous emails every day that were threatening and harassing. At first glance, the victim assumed one person was stalking her, but after completing the first few steps of the case overview process, it became apparent that the emails were originating from multiple people. Someone had posted the victim's email address on the web and encouraged others to harass her. The victim was barraged with emails. The contents of one repeat harasser were particularly disturbing. The client wanted to know where (geographically) this specific harasser was located. It was assessed that if this harasser was local to the victim, she would be in more imminent danger than if the harasser was geographically in another state. Caution had to be exercised; people are mobile. Thus, the level of threat would not decrease to zero just because the harasser is found to live hundreds of miles away. The threat probability would just decrease as compared to the level of threat if the harasser were local. At any rate, the goal was to find the location of the one harasser.

The victim provided permission to use all means possible to find this harasser's location. After conducting some research using the harasser's email address, contact was made via a message board with only one strategy in mind: to get him to discuss something local to his current geographic location. The secondary goal was to get him to disclose where his home was located. The entire communication process took three days. The harasser did end up being almost 800 miles away from the victim, but his actual identity was not ascertained. After this combination of technical incident response techniques and profiling techniques, the victim's online identity was altered, extra security measures were put in place, and the case was closed.

Profiling and Analysis

Although the processes of case overview and triage are important building blocks in establishing a profile, the real nuts and bolts of the CCP methodology are steeped in this next section. There is some overlap or expansion of ideas and components presented within the case overview and triage sections. However, the establishment of a good (and accurate) profile must incorporate much more than a surface-level assessment of a case. Profiling is a process that is context driven and is perhaps more ethnographic in nature than statistical. A profile that is accurate (and thus useful) is created from the specific crime scene and incorporates elements from the immediate surrounding context. Profiling is done on a case-by-case basis to deductively draw conclusions from the data as opposed to inductively force-fitting a new situation into a template created by prior cases.

To build, expand, and increase the accuracy of a profile, four cybercrime elements must be layered onto the data and information already compiled: the physical MO, the psychological MO, the addition of technical data assessment, and the actual profile.

The Physical MO

The physical MO characterizes tangible items that the attacker displays or reveals while committing the offense. These items are sensory apparent when assessing an incident (that is, they are heard, seen, spoken, felt). The code and comment lines in virus code can be seen; the words, grammar, and syntax of email text can be seen; the names of the compromised files also can be viewed, as can the contents of any logs. The language used in emails, postings, and files also can be interpreted as heard or spoken. Although in these examples the attacker chooses to verbalize in writing, the words can still be read out loud. When read aloud, the tempo, inflection, and emotive value of the written language can sometimes expose added meaning. The physical MO contains three major categories: frequency or time pattern analysis, in-depth content analysis, and linguistic analysis.

Frequency or Time Pattern Analysis

The physical MO includes an aspect of frequency or time pattern analysis. Earlier in the profiling process, components such as pattern recognition and linkage might have already started the foundation for the complete time pattern analysis. Time pattern analysis begins by cataloging or databasing time-relevant data. Logs, email headers, message board dates, forensics reports, and other timestamp records all provide the data to compile information for a time pattern analysis. All available time-related data should be recorded, such as month, year, date, day of the week, and time. When recording time, remember to record it consistently; some timestamps might use Eastern Standard Time, some Pacific Time, and some Greenwich Time. Other time- or frequency-related data found, for example, in the Internet cache might include the actual number of web sites visited, how many times they were visited, and over what time period. Collecting and analyzing this data can provide insight as to the behavioral habits and activity level of the attacker or the suspect.

In-Depth Content Analysis

The physical MO also includes a more in-depth aspect of content analysis. Although a cursory content analysis was conducted during the case overview (which focused on the literal and factual aspects of evidence), this more in-depth content analysis takes a closer look at those literal words. This content analysis is conducted, among many reasons, to establish a behavioral baseline of the attacker. This content analysis begins by taking the evidence apart word by word, phrase by phrase, and assessing the content for subjects, topics, names, categories, themes, or issues. The breadth and depth of topic or subject matter knowledge might be assessed as well. Although the obvious place to use this type of analysis is on written text (such as emails or postings), this technique can also be used to assess the content of imaged drives in a forensics case; the content of copied, stolen, or damaged files; the filenames of damaged sites; and any residual the attacker might leave behind such as the graffiti on a defaced web site. The content analysis should also include an assessment of the attacker's technical expertise or demonstrated expertise in any other field.

Linguistic Analysis

The final part of completing the physical MO is to conduct a linguistic analysis of the evidence. Once again, each word and each phrase must be picked apart and analyzed for any meaning. A linguistic assessment of the evidence would include the language used (such as English, Spanish, or Russian), the writing style, word choice, grammar, syntax, and punctuation. The emotive value of the words must be assessed as well as the emotive impact of phrases or sentences. For example, although the word "kill" might appear in an email, without context, the word might or might not have emotive power. Other linguistic elements might surface during this assessment such as the use of colloquialisms, shorthand, acronyms, regionalisms, and typos.

An enormous amount of information is contained in language, which reveals information about the author. One way to look at both content analysis and linguistic analysis is to ask, "Out of all the words in all the languages, why did this attacker choose these? And why are they combined in this fashion?" People also tend to be creatures of habit, and certain stylistic elements are invisible or unimportant to most people. Luckily, this includes the crackers, cyberstalkers, harassers, and other cyberdeviants.
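The in-depth content and linguistic analysis above can be made mechanical for the first pass: extract the stylistic habits of each message (word length, shorthand, punctuation, capitalization, pronoun use) and measure how far apart the messages are, which is how the barrage in the harassment case could be sorted into several writers. This is an added example, not the book's own method; the messages, the shorthand lexicon, and the distance threshold are all constructed assumptions.

```python
"""Stylistic profiling of constructed messages to judge whether they share
an author. Added example; the messages are invented, not case evidence."""
import math
import re

# Shorthand and colloquial tokens treated as one stylistic marker. The
# list is an assumption for this example, not a published lexicon.
SHORTHAND = {"u", "ur", "r", "lol", "gonna", "wanna", "cuz", "thx", "pls", "ppl"}
FIRST_PERSON = {"i", "me", "my", "mine"}

WORD_RE = re.compile(r"[A-Za-z']+")
TERMINATOR_RE = re.compile(r"[.!?]")
SENTENCE_SPLIT_RE = re.compile(r"[.!?]+")

# Five constructed messages: three in one careless, shorthand-heavy style
# and two in a formal style, the kind of mix seen when an address is posted
# publicly and several people respond.
MESSAGES = [
    "u think ur company is so great lol. ur site is garbage and everyone knows it!!!",
    "lol ur so called experts cant even keep the site up. u r a joke!!",
    "lol. i told u the site was garbage and u didnt listen. ur loss!!",
    "I would appreciate a response regarding the outage that affected my "
    "account on Tuesday. Your support staff has not acknowledged my ticket.",
    "Please confirm whether the affected records were restored; my previous "
    "correspondence remains unanswered.",
]


def profile(text):
    """Stylistic features of one message. All rates lie in [0, 1];
    mean_word_length is in characters."""
    words = WORD_RE.findall(text)
    lowered = [w.lower() for w in words]
    sentences = [s.strip() for s in SENTENCE_SPLIT_RE.split(text) if s.strip()]
    terminators = TERMINATOR_RE.findall(text)
    n = max(len(words), 1)
    return {
        "mean_word_length": sum(len(w) for w in words) / n,
        "type_token_ratio": len(set(lowered)) / n,
        "shorthand_rate": sum(w in SHORTHAND for w in lowered) / n,
        "first_person_rate": sum(w in FIRST_PERSON for w in lowered) / n,
        # Whole words in capitals: the written equivalent of shouting.
        "shout_rate": sum(len(w) > 1 and w.isupper() for w in words) / n,
        "exclamation_rate": terminators.count("!") / max(len(terminators), 1),
        "lowercase_start_rate": sum(s[0].islower() for s in sentences)
        / max(len(sentences), 1),
    }


def distance(a, b):
    """Euclidean distance between two profiles, word length scaled to [0, 1]."""
    total = 0.0
    for key in a:
        x, y = a[key], b[key]
        if key == "mean_word_length":
            x, y = min(x / 10, 1.0), min(y / 10, 1.0)
        total += (x - y) ** 2
    return math.sqrt(total)


def cluster(messages, threshold=0.5):
    """Greedy grouping: a message joins the first cluster whose seed lies
    within `threshold`, otherwise it seeds a new cluster. Returns index lists."""
    profiles = [profile(m) for m in messages]
    clusters = []
    for i, p in enumerate(profiles):
        for members in clusters:
            if distance(profiles[members[0]], p) < threshold:
                members.append(i)
                break
        else:
            clusters.append([i])
    return clusters


if __name__ == "__main__":
    for group in cluster(MESSAGES):
        print("likely same author:", group)
```

The grouping is only a lead for the human analyst; two people can share a style, and one person can change theirs, so it narrows the reading rather than replacing it.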

Psychological MO

The psychological MO might be the most difficult piece to assess and put together. The psychological MO focuses on the behavioral and psychological factors of the attacker. This piece of the profiling process is sometimes conducted last, after all data is collected and all other analyses have been conducted. The purpose of this part is to gain enough insight into the psychological or characterological structure of the attacker that predicting attacker behavior might be possible. The psychological MO is also an important addition to the threat level and violence level probabilities. This is also the time when the profiler gets the closest to climbing inside the head of the criminal. The assessments and conclusions drawn from this section must be done conservatively and carefully. In most cases, this psychological assessment is being conducted without any direct interaction with the attacker (unless communication was established with the attacker). Thus, the assessment is called a "remote" assessment and should be conducted with assiduousness.

The psychological MO has 12 variables; they are the attacker's predatory needs, target/victim MO, need to control, acceleration, escalation, level of success, self-needs fulfilled, level of premeditation, level of self-control, ability to relate to others, sociocultural issues, and environmental needs. Each variable is described in the following sections. To some extent, although these variables are defined and listed individually, there is a great deal of overlap and synthesis between the concepts. When dealing with human behavior and psychology, it is sometimes difficult to split out variables that are mutually exclusive or exhaustive.

Predatory Needs

The attacker's predatory needs include the level to which the person has to prey on someone or something to achieve the desired satisfaction. Predatory needs might include the desire to instill fear, incite rage, achieve emotional control over someone, or achieve technical control over something.

Target/Victim MO

The attacker's target/victim MO is a more in-depth assessment of the victimology of the targets. The attacker's choice of targets might also include both human and technical targets.

Need to Control

The attacker's need to control is analyzed. Assessment of the data might reveal insight into the attacker's psychological need to control the actual attack, the victim(s), and the consequences of the attack. The factor of control provides psychological insight regarding the stability of the attacker. A lack of control could indicate attacker vulnerability and perhaps even the potential to make mistakes in subsequent incidents.

Acceleration

The attacker's acceleration relates to the rate at or frequency with which he or she conducts the attacks. Time pattern analysis can provide the basic information to address this variable. Stalkers who increase the number of emails or communications to their victims over time would demonstrate an increase in acceleration.
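The time pattern analysis described under the physical MO, the acceleration variable just above, and the press-release linkage case at the start of this section all rest on the same step: bring every timestamp into one zone, then look at the distribution and the spacing. The following is an added example of that step, not code from the book; the records, the zone abbreviations, the catalyst dates, and the 24-hour linkage window are constructed assumptions.

```python
"""Time pattern and linkage analysis over a constructed incident catalogue.

Added example; none of the data below comes from a real case.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Fixed UTC offsets for the zone abbreviations found in the constructed
# records. Simplification: daylight-saving shifts are ignored; a real
# catalogue would record the full IANA zone of every source.
ZONE_OFFSETS = {"EST": -5, "PST": -8, "GMT": 0, "UTC": 0}

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([A-Z]{3}) ")

# Constructed records from three sources: mail headers (RFC 2822 Date:
# lines), a message-board log kept in Pacific time and a mail server log
# kept in Eastern time.
RECORDS = [
    "Date: Fri, 01 Mar 2002 17:10:00 -0500",
    "2002-03-08 14:40:00 PST board post by user 'constructed_handle'",
    "Date: Wed, 13 Mar 2002 22:05:00 +0000",
    "2002-03-15 17:30:00 EST inbound mail from harasser@invalid.example",
    "Date: Sat, 16 Mar 2002 22:15:00 +0000",
    "2002-03-17 14:50:00 PST board post by user 'constructed_handle'",
]

# Constructed catalyst events (for example the victim's press releases), UTC.
CATALYSTS = [
    datetime(2002, 3, 1, 14, 0, tzinfo=timezone.utc),
    datetime(2002, 3, 8, 15, 0, tzinfo=timezone.utc),
    datetime(2002, 3, 15, 13, 0, tzinfo=timezone.utc),
]


def parse_record(line):
    """Normalise one record to a timezone-aware UTC datetime."""
    if line.startswith("Date:"):
        return parsedate_to_datetime(line[5:].strip()).astimezone(timezone.utc)
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=ZONE_OFFSETS[m.group(2)]))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def catalogue(records):
    """Every timestamp in one zone, in chronological order."""
    return sorted(parse_record(r) for r in records)


def weekday_hour_histogram(times):
    """Counts by day of week and by UTC hour: the habit pattern."""
    return (Counter(t.strftime("%A") for t in times),
            Counter(t.hour for t in times))


def acceleration(times):
    """Mean gap between events in the first half divided by the mean gap
    in the second half. A ratio above 1 means the events are coming
    faster, which is the 'acceleration' variable of the psychological MO."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    half = len(gaps) // 2
    first = sum(gaps[:half]) / half
    second = sum(gaps[half:]) / (len(gaps) - half)
    return first / second


def link_to_catalysts(times, catalysts, window=timedelta(hours=24)):
    """Pair each event with the catalyst it followed within `window`, or
    None. A high linked fraction is the kind of pattern that tied the
    serial denial-of-service attacks to the victim's press releases."""
    return [(t, next((c for c in catalysts if c <= t <= c + window), None))
            for t in times]


def summarize(records=RECORDS, catalysts=CATALYSTS):
    """Weekday and hour habits, acceleration ratio and linked fraction."""
    times = catalogue(records)
    by_weekday, by_hour = weekday_hour_histogram(times)
    linked = [c for _, c in link_to_catalysts(times, catalysts) if c]
    return {
        "by_weekday": by_weekday,
        "by_hour": by_hour,
        "acceleration": acceleration(times),
        "linked_fraction": len(linked) / len(times),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the constructed data every event falls in the 22:00 UTC hour, the gaps shrink from a week to a day, and half the events follow a catalyst within a day; the same three readings on real logs are what the profiler checks before drawing the time pattern, acceleration, and linkage conclusions.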

Escalation

The attacker's escalation relates to the potency, power, or vigor with which the attacks are progressing. An example of escalation would be an attacker who starts out by simply posting complaints about a company on a message board and then over time escalates to posting threats to company officers. Typically, if the attacker is escalating, the probable threat and/or violence levels might increase.

Level of Success

The attacker's level of success is just that: how successful the attacker is. If the assessed goal of the attacker was to compromise a particular system and that goal was achieved, the attacker can be deemed to have a high level of success. There are many instances in which the attacker might not know his or her actual level of success. For example, if the goal is to frighten or scare an individual via death threats, unless the attacker actually sees the reaction of the victim, the attacker might not have an accurate grasp on the level of success. It may be possible, however, to assess what the attacker might believe.

Self-Needs Fulfilled

It might not be possible to assess the attacker's self-needs in every case. It is difficult to analyze what exactly anyone's needs are at any given time. However, if it can be ascertained that the attacker needs to feel important or feel power through committing criminal acts, the success level of the attack might be able to contribute to the assessment of this variable. If an attacker's self-needs are not met, more activity might be predicted for the attacker to achieve his or her needs.

Level of Premeditation

The attacker's level of premeditation reveals how organized and thoughtful the attacker was prior to the actual incident. A high level of premeditation might indicate a more controlled and sophisticated attacker. It might also indicate a certain experience level.

Level of Self-Control

The attacker's level of self-control reflects the attacker's ability to control his or her behaviors before, during, and after an incident. The level of self-control might also include the ability of the attacker to control his or her emotions and risk-taking ability. If an attacker gets to the point where he or she cannot exercise self-control, the ability to predict the attacker's behavior is diminished.

Ability to Relate to Others

The attacker's ability to relate to others indicates his or her level of social skills, social or interpersonal appropriateness, and ability to form "normal" relationships with others. Even though the attacker might be conducting a purely technical attack, there may be technical "fingerprints" left at the crime scene that would provide insight to the attacker's interactive capabilities.

Sociocultural Issues

The attacker's sociocultural issues correspond to how the attacker relates to society and to certain cultures. Depending on the data, language cues and linguistic elements might reveal from where geographically or culturally the attacker originates.

Environmental Needs

The attacker's environmental needs indicate the environment in which the attacker is comfortable and desires to operate. In some cases, the attacker is environmentally comfortable launching attacks from public places such as cybercafes; other attackers must be in the comfort of their own homes or spaces.

Adding the Technical Piece

In addition to synthesizing the profile data emerging from the physical MO and the psychological MO, CCP must include the technical assessment of the incident. The technical experts on the incident response team should be questioned throughout the profiling process. Information about the technical parts of the attack that contribute to the construction of a profile might include the following: How technically skilled is the attacker? How long did this attack take to complete from beginning to end? What security measures did the attacker have to circumvent? Are there more sophisticated ways to conduct the same type of attack? What are the unusual parts of the attack? Could the attack have been prevented? Did the attack take any inside knowledge? Does it appear that one person could have launched this attack alone? Literally, there are probably hundreds of questions to ask the technical experts; the specific case will drive the types of questions that are appropriate.

The Final Profile

Constructing the final profile of the attacker or attackers is done by synthesizing all the data and information collected through the stages of the profiling process. From this data, a profile of the attacker will emerge. The final profile contains as much demographic and psychological information as possible. There is no template, and the depth of each profile as well as the type of information contained therein will differ from case to case. See Figure 11.1 for a chart with the types of information that make up the profile.

Figure 11.1. Final profile information.

As part of the incident response report, the profile should be presented as additional investigative information and should not be considered fact. The final profile, although generated using both qualitative and quantitative methods, is subjective in nature, and if the behavioral profiler is provided additional information or different information, it is possible that the final profile could change. Additional information collected via profiling might also enhance the methods chosen to question individuals, search for suspects, predict possible future behavior of the attacker(s), and question and assess the perpetrators when identified.

Profile Validation

When possible, it is important to validate the accuracy of the profiles. In instances in which the perpetrator is identified, a postincident assessment should take place to evaluate the validity of the profile provided before the final identification of the perpetrator. A great deal can be learned and gained from reviewing why a profile matched the actual attacker or why a profile did not match. Although the science of psychological profiling has been around for decades and has been validated over the years, cybercrime profiling is still in its infancy. The heuristic value gained from a postincident analysis of profiling accuracy is crucial to the development and advancement of the discipline of cybercrime profiling.

Psychological Profiling: Myths and Legends

For the discipline of cybercrime profiling to gain momentum and credibility, some common myths and legends must be dismissed. As demonstrated in the previous pages, profiling is not done through some type of psychic ability nor are tarot cards or crystal balls used. Developing a profile is not conducted as depicted in the movie The Silence of the Lambs or on the TV show Profiler.

Another popular myth is that psychological profiling or criminal profiling is conducted by giving subjects psychological tests. The art and science of profiling does not include the clinical aspects of diagnosis. Quite honestly, a cybercrime profiler should not focus on nor care whether the attacker is clinically depressed, is bipolar, or has any other psychological disorders. The cybercrime profiler must concentrate on the behavior of the attacker, regardless what or how the attacker might be feeling. The attacker him- or herself might not even know how he or she is feeling.

The most popular myth is that there is some type of hacker or attacker profile that describes what attackers look like and who they are. It would be extremely beneficial for companies and organizations to have a quick answer to their problems with threats and hackers. The development of a criminal profile of a hacker using psychological assessment tools and demographics (that is, he's a white male, 25 to 42 years old, middle management level, divorced, egocentric, and wears green tennis shoes) could be that quick fix. However, there is no profile of a hacker, there is no profile of an insider who intrudes or damages a company's system, there is no profile to help establish preventative measures against cybercrimes, and there never will be a single "silver bullet" profile or simple answer to the question, "What type of person commits computer crime?" Nor is a profile derived by collecting data from prior cases, as in a compilation of psychological testing data and demographic data.

Profiles are created on an individual, case-by-case basis. Thus, there are many reasons why a single profile cannot and should not be developed from psychological testing data or prior case data. First and foremost, human beings are far too complex. If a profile template is generated from prior data (such as jailhouse interviews, psychological testing data, demographics of convicted criminals), the conclusion is not a true profile but a review of characteristics from a subset of individuals (those who were there and those who agreed to participate in interviews and tests). As an aside, the reliability of self-reports also needs to be questioned.

Finally, "profiling is not studying data and taking a generalization and applying it to a specific offense" (Turvey, 1997, p. 3). Using generalizations is dangerous. For example, a researcher might interview and test disgruntled employees and discover that a statistical majority were divorced and/or clinically depressed at the time of the offense. To then generalize and draw the conclusion that divorced, depressed people are more likely to be disgruntled and do damage is not valid. The lack of face validity, criterion validity, predictive validity, and common sense will indicate that many, many people in this country are divorced and are probably depressed over the divorce, but these variables do not make them disgruntled employees who might constitute an insider threat. People are dynamic and life is dynamic, thus incentives, motivations, beliefs, methods of attack, and circumstances change over time as well. Each incident is a case to be worked in context.

Understanding the Attackers

So, what does an attacker look like? Popular media and culture want us to believe that hackers are all under 20 years old with blue hair, too many earrings, and droopy pants. Psychiatrists want us to believe that hackers are disgruntled, depressed, disloyal employees. Other scientists want us to believe that hackers have a disorder called Asperger's syndrome, a light form of autism. That's just not the case. Perpetrators of computer crime come in all shapes and sizes and with all disorders or no disorders. As previously discussed, there are no demographics that provide a "profile" of a hacker. Don't buy into the stereotype of what a hacker looks like and who it must be. It is crucial for the incident response team not to have any preconceived notions or to cave in to management's belief that the "weird sys admin guy" is probably the insider who hacked the system. There are three major reasons why a single hacker or attacker profile will not be generated: incident variance, motivational variance, and perpetrator variance.

Incident Variance

There are many different types of cybercrimes. Even within the categories of cybercrime, there is no evidence to support the theory that all cyberstalkers fit a certain demographic or psychological profile, nor do all data saboteurs look, act, or think a certain way. The following is an abbreviated list of distinct types of cybercrime:

  • Cyberstalking

  • Child pornography

  • Industrial espionage

  • Extortion

  • Illegal gambling

  • Theft of proprietary information

  • Insider trading

  • Cyberthreats

  • Malicious code/virus

  • Discrimination and harassment

  • Sabotage of data and/or networks

  • Copyright violations

  • Financial fraud

  • Denial of service

  • Pirating software

  • System penetration

  • Insider attacks

Motivational Variance

Differing motivations is the second reason why a single profile cannot be developed by psychological testing or by creating a profiling template. The motivations to commit these offenses are broad in scope and different for each individual. Motivating factors might include revenge, financial instability, thrill seeking, fun, intellectual challenge, goal fulfillment, greed, fear, stress, rebellion, protest, believed justification, extortion, blackmail, and the list goes on. Those who commit computer crimes are hackers, crackers, individuals, groups, terrorists, disgruntled employees, former employees, terminated employees, industrial spies, government spies, contractors, competitor informants, members of organized crime, and those who have a cause or reason to protest.

Perpetrator Variance

The third reason why a single hacker profile cannot be generated is due to the variance of individuals: emotionally, intellectually, psychologically, and culturally. People are dynamic and life is dynamic, thus incentives, motivations, beliefs, methods of attack, and circumstances change over time as well. Cybercrimes have been committed by all types of people from all around the world. The only general statement that can be made accurately at this juncture is that the majority of cybercrimes are committed by males. Types of perpetrator variance include gender, ethnicity, race, level of technical ability, level of social skill, and cross-cultural variance. Perpetrators might be working alone or with others, they could be insiders or outsiders, and their ages have also varied.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002