ASSIGNMENT: WHO HACKED IT?Forensic psychology professionals can play a variety of roles within the field of cybercrime. From examining evidence to assisting as an expert witness, your experience and...

Proposed Methodology for Cyber Criminal Profiling Information Security Journal: A Global Perspective, 23:172–178, 2014 Copyright © Taylor & Francis Group, LLC ISSN: 1939-3555 print / 1939-3547 online DOI: 10.1080/19393555.2014.931491 Proposed Methodology for Cyber Criminal Profiling Arun Warikoo Jersey City, New Jersey, USA ABSTRACT Criminal profiling is an important tool employed by law enforce- ment agencies in their investigations. Criminal profiling is much more than an educated guess; it requires a scientific-based methodology. Cyber crimes are occur- ring at an alarming rate globally. Law enforcement agencies follow similar techniques to traditional crimes. As is the case in traditional criminal investigation, cyber criminal profiling is a key component in cyber crime investigations as well. This paper examines cyber criminal profiling techniques prevalent today, including induc- tive and deductive profiling, and the need for employing a hybrid technique that incorporates both inductive and deductive profiling. This paper proposes a cyber criminal profiling methodology based on the hybrid technique. Criminal behavior and characteristics are identified by analyzing the data against a predefined set of metrics. KEYWORDS cyber attacks, cyber criminal profiling, forensics, profiling framework Address correspondence to Arun Warikoo, 31 River Court, #2704, Jersey City, NJ 07310, USA. E-mail: [email protected] Color versions of one or more of the figures in the article can be found online at www.tandfonline. com/uiss. INTRODUCTION The growing reliance on the cyber space among government institutions and businesses alike has led to a tremendous surge in cybercrimes. The Internet Crime Reports published yearly by the Internet Crime Complaint Center (IC3) is testi- mony to the menace of cybercrime. IC3 received 289,874 consumer complaints with an adjusted dollar loss of $525,441,1101, an 8.3% increase in reported losses since 2011 (Annual Report, 2012). Before we dig deeper into cyber crime profiling, it is important to under- stand what cyber crime is. There is no official meaning of cyber crime written in any dictionary. Cyber crime is a subgroup of computer crime (Shinder & Tittel, 2002). Computer crime, as per the U.S. Department of Justice (DOJ), is defined as “any violation of criminal law that involves the knowledge of computer technology for its perpetration, investigation or prosecution” (Shinder et al., 2002). There are varying definitions on cyber crime as described by legis- lators and organizations. The United Nations (UN) defines cyber crime as “any illegal behavior committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession of and offering or dis- tributing information by means of a computer system or network” (Shinder et al., 172 mailto:[email protected] www.tandfonline.com/uiss www.tandfonline.com/uiss 2002). Symantec (n.d.) defines cyber crime as “any crime that is committed using a computer or network, or hard- ware device. The computer or device may be the agent of the crime, the facilitator of the crime, or the target of the crime.” There is a motive behind every crime, and cyber crimes are no different. Cyber crimes are performed for the var- ious motives such as financial gain, intellectual property (IP) theft, espionage, terrorism, and for thrill. A UN study (Malby et al., 2013) on cyber crime states that “upwards of 80% of cybercrime acts are estimated to originate in some form of organized activity, with cybercrime black mar- kets established on a cycle of malware creation, computer infection, botnet management, harvesting of personal and financial data, data sale, and ‘cashing out’ of financial information.” PROFILING Criminal profiling is a key tool available to investigators used to narrow the range of suspects and evaluate the like- lihood of a suspect committing a crime. Criminal profiling is a scientific technique to assess and analyze the scene of a crime and deduce behavioral characteristics of the indi- vidual committing the crime (Kirwan & Power, 2011). A profile consists of a set of characteristics likely to be shared by criminals who commit a particular type of crime (Shinder et al., 2002). Profiling methods are based on two assumptions (Kirwan et al., 2011) that are as follows: • consistency assumption, based on the premise that an offender will exhibit similar behavior throughout all their crimes; and • homology assumption, based on the premise that similar offense styles have to be associated with similar offender background characteristics. Two types of criminal profiling methods are prevalent today. These are inductive profiling and deductive profil- ing. Inductive profiling method (Figure 1) employs a database that contains extensive data on criminals com- mitting a type of crime. The profiler analyzes the data, establishes correlations, and deduces the character- istics common to statistically large number of offend- ers committing a specific type of crime (Shinder et al., 2002). Deductive profiling (Figure 2) involves analysis of foren- sic evidence and victim profiling to determine the motive Profiler Analyze data from the profile database Profile DB Correlate and identify patterns Deduce characteristics Map to a profile FIGURE 1 Inductive profiling methodology. Profiler Collect data at the crime scene, gather information from the victim Analyze forensic evidence Perform analysis based on experience, knowledge and critical thinking Map to a profileDeduce characteristics FIGURE 2 Deductive profiling methodology. and attacker characteristics (Tennakoon, 2011). The pro- filer analyzes the forensic evidence, employs the principles of victimology, and utilizes his/or her experience to deduce criminal characteristics (Shinder et al., 2002). CYBER CRIMINAL PROFILING Criminal profiling plays a key role in investigations. This paper uses the definition provided in “Examination of Cyber-criminal Behavior” (Jahankhani & Al-Nemrat, 2010), which is as follows: “An educated attempt to pro- vide specific information as to the type of individual who committed a certain crime. A profile based on character- istics patterns or factors of uniqueness that distinguishes certain individuals from the general population.” As is the case with a crime, cyber criminal profiling must be used as a tool for cyber crime investigations. Cyber criminal profiling is effective as a law enforcement tool only when a standard methodology is used in developing profiles and is not based on an educated guess. Cyber criminal profiling is garnering tremendous atten- tion due to the rise in cyber crimes. Although it is similar to traditional criminal profiling, it presents numerous Methodology for Cyber Criminal Profiling 173 challenges to investigators. The perpetrators of the crime are remote and may be residing on different continents (Jahankhani et al., 2010). An interdisciplinary approach is required that applies not only psychology, criminology, and law but also a technological understanding on the subject of cyber crime (Tennakoon, 2011). Profiling is still based on educated guesses wherein investigators try to identify patterns by comparing with recorded cyber crimes that may lead to results that are inac- curate. Without a proper use of a scientific methodology and empirical analysis, profilers may come to different con- clusions and recommendations (Broucek & Turner, 2006). Therefore, a standard methodology is required for cyber criminal profiling to be a credible and effective tool for law enforcement agencies. Forensic psychology offender profiling techniques are being used in cyber crime investigations as well. Inductive profiling involves a statistical analysis and is a method frequently used by the Federal Bureau of Investigation (Jahankhani et al., 2010). The inductive profiling method utilizes data mining techniques to develop models for pattern detection and involves the examination of data to identify patterns that match known fraud profiles (Wheelbarger, 2009). Much academic work has been done on building a database of cyber criminal profiles. One of the projects known as the Hackers Profiling Project revolved around building a huge database on existing hacker profiles that included demographics, socioeconomic background, social relationships, and psychological traits (Kirwan et al., 2011). However, profiling was based on data obtained from self-reporting questionnaires rather than hacker activ- ities and offenses (Kirwan et al., 2011). Donato (2009) in his paper on criminal profiling proposes a methodol- ogy on how to use criminal profiling to improve digital forensics and cybercrime investigations. Donato’s method- ology focuses on finding the capability of the attacker in terms of skill level and deducing psychological charac- teristics on basis of the evidence (Kirwan et al., 2011). Donato’s methodology does not look at empirical analy- sis to establish patterns, nor does it look at demographic characteristics of previous offenders (Kirwan et al., 2011). In the cyber world, technology keeps on changing and hackers develop and employ new techniques known as zero day attacks. Their behavior is dynamic and may change over time with the acquisition of new skills (Jahankhani et al., 2010). The other issue is that the data are based on generalizations, and the sampling leaves out a dataset of skillful people who avoid detection over a period of time, thereby introducing inaccuracies in the results (Benny, 2007). Therefore, relying on inductive profiling only is not suitable for cyber criminal profiling. On the other hand, relying just on deductive profiling will leave investi- gators oblivious to the current trends such as popular attack methods, likely targets and victims (Tennakoon, 2011). Therefore, a hybrid methodology must be employed for cyber criminal profiling. PROPOSED METHODOLOGY The proposed methodology is based on a hybrid pro- filing model wherein the initial processes are deductive in nature and statistical analysis is performed to identify com- mon patterns and characteristics. Digital forensics data can provide vital clues about the attacker such as sophistica- tion of attack, motivation, tools used, and vulnerabilities exposed (Kwan, Ray, & Stephens, 2008). Cyber criminals, like traditional offenders, have their modus operandi that they tend to repeat at each crime (Shinder et al., 2002). The proposed methodology employs six Profile Identification Metrics to determine the offender’s modus operandi, psychology, and behavior characteristics: 1. Attack Signature. This refers to the tools that were used for the attack. Analysis of the digital forensic evidence will provide information on the nature of attack sig- nature. For example, if forensic evidence points to a zero day attack, it implies that a customized code was created for the attack. On the other hand, attacks that expose known vulnerabilities employ ready to use tools or known codes. 2. Attack Method. This refers to the method used for the attack. Social engineering, malware, distributed denial of service (DDoS), spamming, and phishing are some of the common attack methods employed by the cybercriminals. 3. Motivation Level. Motivation level is a key metric in identifying cyber criminal behavior. Motivation Level can be determined by the complexity of the attack, and the complexity of an attack can be determined by employing the vulnerability tree methodology (Vidalis & Jones, 2003). An attack with high level of complexity were an attacker has to exploit multiple layers of vul- nerabilities implicitly implies an attacker with a high motivation level. Such attackers are risk takers and per- sistent in their attack. An attacker with medium level motivation conducts attacks that are not continuous. An attack with high level of complexity indicates an 174 A. Warikoo attacker with low level motivation is risk averse and nonpersistent. 4. Capability Factor. Capability factor is another impor- tant metric useful in identifying characteristics and is defined in terms of the availability of hacking tools, the ability to use those tools and techniques, and the level of resources at the attacker’s disposal. Script kiddies are attackers with basic skill level and use freely available tools. An attacker with intermediate skills uses freely available tools or purchases malware to conduct attacks and has a handle on the tools used. An advanced level attacker is an expert in developing customized codes for zero day exploits. 5. Attack Severity. Attack severity is defined in terms of the impact the threat has on the enterprise. The severity of an attack is classified into the following: • Low: no tangible to the enterprise; • Medium: there is moderate disruption to the enter- prise; • Major: major breach that can have a major business impact; and • Critical: the enterprise goes out of business the moment the threat is realized. 6. Demographics. Geographic location is a critical met- ric in profile identification. Existing profiling methods do not look at geographic locations for profile building, which is a key indicator in identifying characteristics of cyber crimes (Tompsett, Marshall, & Semmens, 2005). It is well documented that the majority of cyber crimes of a particular type originate from a certain location. For example, cyber crimes related to espionage have been known to originate from China. The proposed methodology is a four-step process as fol- lows: Process 1 or P1 The first stage (Figure 3) involves victim profiling. P1 involves identifying the various aspects of an individ- ual or an organization that attracted criminals (Tennakoon, 2011). Process 2 or P2 The second stage (Figure 4) involves identifying the motive behind the attack. A motive is closely associated with a victim. For example, an attack on government implies that the motive is espionage. This stage also Profiler Profile the victim Deduce why the victim was chosen Determine how the victim was targeted P2 FIGURE 3 Process 1/ P1 of the proposed methodology. Determine motive and Modus Operandi Establish relationship between the victim and the offender Establish possible method of approach, method of attack and deduce possible characteristics by employing the Profile Identification Metrics P3 P1 Perform a risk assessment on the victim Analyze forensic evidence FIGURE 4 Process 2/ P2 of the proposed methodology. involves analyzing the digital forensic evidence to deduce possible characteristics. Process 3 or P3 This stage involves an empirical analysis on the data