Criminal activity, whose roots go back to time immemorial, has always been part of a cat-and-mouse game with Justice. In the last decades, we have seen this game gradually transposed to the cyber domain as well, where crime discovered a new and broad field for its perpetration. Never was it so easy to find a new victim or a group of victims – they are within reach of a criminal’s fingers – and never was it so easy for criminals to hide their whereabouts and identities.
Though in this cat-and-mouse game our investigative techniques and tools have evolved with time, so have the modus operandi of cyber criminals. We need to admit that we are facing some interesting challenges. No, we are not talking about the classic “It wasn’t me, it was a Trojan in my computer!” argument. We are talking about a wealth of hiding mechanisms like anonymous proxies, compromised computers, public internet cafes (virtually, we have internet access everywhere!) and anonymity networks like Tor, i2p and Freenet, all of them being misused and making life harder for law enforcement. Criminals are enjoying all these means with a unique sense of freedom and impunity to run black markets that sell drugs, guns, criminal services and trafficked organs, and to share child pornography.
Actually, these mechanisms are being used by a broader group, classified as “cyber offenders” in this article and related literature. This group of individuals includes not only typical cyber criminals, but also state-sponsored actors who engage in attacks against foreign critical infrastructures, as well as hacktivists spreading their word and launching DDoS attacks against their target of choice. It does not matter which class of individual we are dealing with: when we need to figure out who is behind that masked IP address in our log files or who is behind that fake Twitter account, the “attribution problem” arises.
While dealing with such a challenge, maybe we should think about whether we are overlooking all those roots of criminal activity – offender activity here – and how they usually manifest themselves in a crime scene. The cyber offender is clearly enjoying some advantages, so we need to adapt ourselves. As said by Collin Willians in the welcome message of this magazine’s first issue, “we must re-think our approach to the pursuit of the safety and security of the human experience in the cyber domain.” It makes sense here.
A digital crime scene is still a crime scene, and a digital crime (or digital offence, in broad terms) is still an act that involves at least a minimum of planning, counts on at least a minimum of resources and is committed by an individual or a group of individuals with specific motivations. We should agree that most methods and tools are new in cybercrimes, but when we are talking about revenge, activism, challenge, profit… hmm… these motivations don’t seem to be so new… they are inherent to the human being. Risk appetite, attack inhibitors? They are too.
Since technology is therefore just a means to commit a crime, we should revisit some useful approaches to dealing with traditional crimes and analyse whether they could be of help while dealing with cybercrimes as well. Since all types of crime or offence share some features – like human motivations, human traits expressed through behavioural evidence in a crime scene, signature aspects (just to name a few) – we must certainly mention the scientific discipline of Criminal Profiling. The study of criminal behaviour and its manifestation in a crime scene has been explored for more than a century by this discipline, which infers a set of traits of the perpetrator or group of perpetrators of a crime from the examination of the criminal evidence available.
This set of traits – a “profile” – can be built up from features like skills, resources available, knowledge, motivations, whereabouts and so on, depending on the evidence available and on which conclusions we can reach about them. This profile then becomes a valuable additional tool to assist investigations – with at least a 77% rate of success according to research done in the 90’s (Theodore H. Blau). With these encouraging numbers, and knowing that cybercrimes share some roots with traditional crimes, the idea is to apply the same concepts to digital investigations. According to the literature, the main objectives that can be achieved by applying profiling to investigations are:
- Narrowing down the number of suspects
- Linking cases that seem to be distinct
- Helping define strategies of interrogation
- Optimizing investigative resources (e.g., “let’s focus on where we have more chances to find evidence”)
- Helping develop investigative leads for unsolved cases
Actually, the advantages are not restricted to digital investigations. When we have a profile of a cyber offender in hand, we are able to develop better countermeasures against their attacks. This is especially important when we are dealing with advanced offenders, like APTs.
The good news, when we talk about how broad the options are for cyber offenders to hide themselves behind computer attacks, is that profiling can be a broad tool as well. Recalling the Locard Exchange Principle, the offender always leaves traces in the crime scene, and some of them can be of a behavioural nature. Depending on the level of interaction an attacker has in a digital offence (e.g. a manual attack vs. an automated attack, or a single web defacement vs. an attack that involves a huge team of skilled offenders and many interactions with the target), we could have different levels of traces left in log files, network traffic, social networks, chat networks, file systems of compromised machines, e-mail messages, defaced websites, instant messaging… Therefore the mindmap below is just a non-exhaustive set of features that we can explore and work on:
Going deep, the following list is a very small set of examples that we can search for during the investigation to help populate our mindmap:
- Analysing the time between probes in a port scanning
- Identifying motivation [revenge, curiosity, challenge, profit, to be part of a group, usage of computer resources, platform to launch other attacks, dispute between individuals or hacking groups, cyber terror, hacktivism, cyber warfare…]
- Analysing victimology
- Performing authorship analysis on spear phishing e-mail content, social network posts or on software source code (looking for patterns, errors, preferred programming functions, sophistication…)
- Identifying the type of tools employed during an attack and evaluating their availability (public? commercial? restricted?) and the knowledge required to operate them (Tom Parker has very good research on this topic)…
- Analysing offender activities on social networks, ranging from their first followers/following, closest contacts, word frequency, periods of the day in which activities are more intense, evidence of planning actions etc…
- Analysing global or regional political/social/religious/economic events that could influence the commission of the offence
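As an added illustration of the first item in the list (probe timing as a behavioural trace), here is a small Python script that is not part of the original article. It reads constructed firewall drop lines (documentation addresses, invented timestamps; the log format and the regularity threshold are assumptions for the example), computes the gaps between consecutive probes from each source, and labels a machine-regular cadence as likely automated and an uneven one as possibly hand-driven. The same feature feeds the mindmap above: how much human interaction sits behind the traffic.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style drop log (not captured traffic). Two sources
# probe the same host: one at a fixed 250 ms cadence, the other at uneven,
# human-paced gaps. Addresses come from the RFC 5737 documentation ranges.
LOG_LINES = """
2024-03-01T10:00:00.000 DROP src=203.0.113.10 dst=192.0.2.5 dport=21 proto=tcp
2024-03-01T10:00:00.250 DROP src=203.0.113.10 dst=192.0.2.5 dport=22 proto=tcp
2024-03-01T10:00:00.500 DROP src=203.0.113.10 dst=192.0.2.5 dport=23 proto=tcp
2024-03-01T10:00:00.750 DROP src=203.0.113.10 dst=192.0.2.5 dport=25 proto=tcp
2024-03-01T10:00:01.000 DROP src=203.0.113.10 dst=192.0.2.5 dport=80 proto=tcp
2024-03-01T10:00:01.250 DROP src=203.0.113.10 dst=192.0.2.5 dport=443 proto=tcp
2024-03-01T10:05:02.000 DROP src=198.51.100.7 dst=192.0.2.5 dport=22 proto=tcp
2024-03-01T10:05:19.000 DROP src=198.51.100.7 dst=192.0.2.5 dport=80 proto=tcp
2024-03-01T10:05:23.000 DROP src=198.51.100.7 dst=192.0.2.5 dport=443 proto=tcp
2024-03-01T10:06:40.000 DROP src=198.51.100.7 dst=192.0.2.5 dport=8080 proto=tcp
2024-03-01T10:06:58.000 DROP src=198.51.100.7 dst=192.0.2.5 dport=3306 proto=tcp
""".strip().splitlines()

# Assumed log layout for this example; adapt the pattern to your own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) proto=\S+$"
)

# Below this coefficient of variation (stddev / mean of the gaps) the cadence
# is treated as machine-regular. The value is an assumed tuning knob.
CV_REGULAR_THRESHOLD = 0.2


def parse_line(line):
    """Return (src, dport, timestamp) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["dport"]), datetime.fromisoformat(m["ts"])


def probes_by_source(lines):
    """Group parsed probes per source address, sorted by arrival time."""
    groups = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected layout
        src, dport, ts = parsed
        groups.setdefault(src, []).append((ts, dport))
    for probes in groups.values():
        probes.sort(key=lambda p: p[0])
    return groups


def inter_arrival_gaps(probes):
    """Seconds between consecutive probes from a single source."""
    times = [ts for ts, _ in probes]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def describe_cadence(gaps):
    """Summarise the timing pattern: mean gap, dispersion and a label."""
    if len(gaps) < 2:
        return {"mean_gap": None, "cv": None, "label": "insufficient"}
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    label = "regular" if cv < CV_REGULAR_THRESHOLD else "irregular"
    return {"mean_gap": avg, "cv": cv, "label": label}


def profile_sources(lines):
    """Per-source timing profile plus probe count and distinct ports touched."""
    report = {}
    for src, probes in probes_by_source(lines).items():
        summary = describe_cadence(inter_arrival_gaps(probes))
        summary["probes"] = len(probes)
        summary["distinct_ports"] = len({dport for _, dport in probes})
        report[src] = summary
    return report


if __name__ == "__main__":
    for src, summary in profile_sources(LOG_LINES).items():
        print(src, summary)
```

A regular cadence is only one signal: scanners can deliberately randomise delays, and a human can be fast on a familiar target, so the label is a lead to weigh against the other features on the mindmap, not a conclusion on its own.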
The topic is vast and encouraging, and we can go much further. But the final message here is this: we know that there is a multitude of means and technologies that are being (and will be) used by offenders in the perpetration of their actions. But we need to know that there is a multitude of means to catch them as well.
Author: Lucas Donato
Lucas Donato, CISSP, CRISC, is an information security consultant who currently works at a Brazilian bank. In the last ten years he has been involved with penetration testing, vulnerability assessments, incident response and digital investigations for some of the biggest Brazilian companies. Nowadays, he is pursuing his PhD degree at the Cyber Security Centre of De Montfort University, exploring the ins and outs of criminal profiling applied to digital investigations.