Well I agree with you that sometimes there is little information to build a profile. How about when there is substantial information, especially when a particular crime is committed more than once in a similar fashion? Could this information be enough to establish a profile?
Again, I have to ask…who would do the profiling, and how would they be trained?
I've seen a number of engagements that were all very similar, as far as I could tell, but I am not a "profiler" and would not even begin to assume that I could somehow guess the intruder's intentions…doing so would be speculation, and that can be a very bad thing.
> Again, I have to ask…who would do the profiling, and how would they be trained?
With regards to who would do the profiling, it depends on the approach that is to be taken in the modelling, s/w engineering and development of the system. I am assuming, here, that we're talking about developing a piece of software for profiling?
As for training, what exactly do you mean? Something akin to a certificate, a university-level taught module on profiling or…?
> I've seen a number of engagements that were all very similar, as far as I could tell, but I am not a "profiler" and would not even begin to assume that I could somehow guess the intruder's intentions…doing so would be speculation, and that can be a very bad thing.
But speculation is really all we have, and is, to a varying degree, either supported by the data (in which case it becomes a certainty) or not supported by the data (in which case we have to look for an alternative hypothesis).
Does this make it a bit more clear?
Cheers
DarkSYN
> With regards to who would do the profiling, it depends on the approach that is to be taken in the modelling, s/w engineering and development of the system. I am assuming, here, that we're talking about developing a piece of software for profiling?
> As for training, what exactly do you mean? Something akin to a certificate, a university-level taught module on profiling or…?
Not sure I see that…how would software be able to take multiple intrusions and provide a "profile"?
I ask about training, because doesn't a person need to do the profiling?
> But speculation is really all we have, and is, to a varying degree, either supported by the data (in which case it becomes a certainty) or not supported by the data (in which case we have to look for an alternative hypothesis).
> Does this make it a bit more clear?
Unfortunately, no. There are hypotheses supported by data, and that which is not supported by data is thrown out. What is the purpose of speculation? How is making unsupported, uneducated assumptions beneficial to an engagement?
> Not sure I see that…how would software be able to take multiple intrusions and provide a "profile"?
There are many ways of doing that, all of which depend on which discipline or which number of disciplines you are going to use in your approach. There is a lot of literature in the fields of Network Security, Artificial Intelligence, Statistics (Frequentist & Bayesian), Econometrics, Forecasting, Computer Networking etc. describing the various ways this issue has been approached. Digital Forensics is only just starting to work towards that direction, which is why there's a small number of publications.
> I ask about training, because doesn't a person need to do the profiling?
A person does not need to be a trained profiler to do that, just to know their network security well enough, plus either get a theoretical background in profiling or be in a position to consult a profiler whose focus is on cybercrime, which is generally rare.
From what I've seen, anyone who's done work in AI, forecasting and statistics should be able to build a model/profile of an attack/intrusion in one way or another.
If you are referring to certifications or university-taught courses on cyber-profiling, to my knowledge there are none in existence as this is quite a new field.
> Unfortunately, no. There are hypotheses supported by data, and that which is not supported by data is thrown out. What is the purpose of speculation? How is making unsupported, uneducated assumptions beneficial to an engagement?
First of all, the assumptions you make are neither uneducated (as you will have a background knowledge of networking, protocols, services etc. and thus you will know the default behavior they would exhibit "in vitro" so to speak) nor unsupported. They will be informed by your
a. background knowledge
b. background experience
c. previous research in the subject
d. external circumstances related to the specifics of the environment for which you are developing the profiling system
which would mean that you would be able to have grounds to make certain assumptions with regards to the starting conditions. Nobody will sue you for making a certain number of informed assumptions, and they do not (and should not) influence the course of, say, an investigation, they are just starting points given your briefing.
Any better now?
Cheers
DarkSYN
DarkSyn,
Not trying to be argumentative, it just appears that my experience is perhaps different from yours…
> A person does not need to be a trained profiler to do that, just to know their network security well enough, plus either get a theoretical background in profiling or be in a position to consult a profiler whose focus is on cybercrime, which is generally rare.
As a consultant on the corporate side, one who performs incident response activities, most often I am called on-site because folks do NOT know their network security well enough…in fact, some simply do not have a basic understanding of network security at all.
Further, from a business perspective, there doesn't seem to be a legitimate rationale for profiling in the first place. When an organization is breached, there are a couple of basic questions they need answered…and not one of them has to do with profiling.
> First of all, the assumptions you make are neither uneducated (as you will have a background knowledge of networking, protocols, services etc. and thus you will know the default behavior they would exhibit "in vitro" so to speak) nor unsupported. They will be informed by your
> a. background knowledge
> b. background experience
> c. previous research in the subject
> d. external circumstances related to the specifics of the environment for which you are developing the profiling system
> which would mean that you would be able to have grounds to make certain assumptions with regards to the starting conditions. Nobody will sue you for making a certain number of informed assumptions, and they do not (and should not) influence the course of, say, an investigation, they are just starting points given your briefing.
When performing data collection, I have certain procedures that I follow, and then analysis of that data may lead me to other data or resources. I generally stay away from making assumptions, and stick to the facts which are derived from the analyzed data.
For example, during an intrusion engagement I may see where an unauthorized individual logged into a system ("unauthorized" based on the account, time that they logged in, etc.). From there, based on my analysis procedures, I may then see indications where certain searches were conducted, files opened or accessed, applications launched, etc.
However, I do not make assumptions about what was done. If the intruder opened a document in, say, MS Word, it is a possibility that the data included in that document was compromised…but I cannot prove it. Did the intruder read it and close the document? Did they grab a screen capture?
In my analysis process, I look for supporting and corroborating facts, and I present those facts in my report. I do my very best to NOT speculate. As you've pointed out, speculation is based on background knowledge and experience…and it's very unlikely that someone else, either on my team or on the customer site, has the same background knowledge and experience that I do. Therefore, putting the facts aside and speculating as to what happened can lead to too many false rabbit trails, and eventually to a waste of time and resources.
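The analysis steps described in the post above (a logon judged "unauthorized" from the account and the time, then the follow-on searches, file opens and application launches), as an added Python example; this is not code from the thread or from any of its participants. The log lines, the host FS01, the account names and the policy are all constructed for illustration.

```python
# Added example (not from the thread): flag logon events that breach a
# simple authorisation policy and collect the follow-on activity of each
# flagged session. The log lines, account names and policy below are
# constructed for illustration.
from collections import namedtuple
from datetime import datetime, time

Event = namedtuple("Event", "ts host account kind detail")

# Constructed sample events, one per line: timestamp|host|account|kind|detail
SAMPLE_LOG = """\
2009-03-02T09:12:04|FS01|jsmith|LOGON|interactive
2009-03-02T09:14:31|FS01|jsmith|FILE_OPEN|Q1_budget.xlsx
2009-03-02T23:41:10|FS01|jsmith|LOGON|remote
2009-03-02T23:42:55|FS01|jsmith|SEARCH|*.docx payroll
2009-03-02T23:44:02|FS01|jsmith|FILE_OPEN|salaries.docx
2009-03-02T23:50:17|FS01|jsmith|APP_LAUNCH|WINWORD.EXE
2009-03-03T02:03:40|FS01|svc_backup|LOGON|interactive
2009-03-03T02:05:12|FS01|svc_backup|FILE_OPEN|HR_records.zip
2009-03-03T10:20:00|FS01|mjones|LOGON|interactive
"""

# Constructed policy: accounts permitted to log on, and the hours in which
# a logon is expected. The service account svc_backup is deliberately
# absent from the permitted set.
POLICY = {
    "permitted_accounts": {"jsmith", "mjones"},
    "business_hours": (time(7, 0), time(19, 0)),
}


def parse_log(text):
    """Turn the pipe-separated sample log into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, kind, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, account, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def logon_violations(event, policy):
    """Return the policy rules a LOGON event breaks; an empty list means it is within policy."""
    reasons = []
    start, end = policy["business_hours"]
    if event.account not in policy["permitted_accounts"]:
        reasons.append("account not permitted to log on")
    if not (start <= event.ts.time() < end):
        reasons.append("logon outside business hours")
    return reasons


def flag_sessions(events, policy):
    """For each logon that breaks policy, record the reasons and what the same
    account then did on that host up to its next logon. Only observed events
    are recorded: a FILE_OPEN says the file was opened, not what was done with it."""
    findings = []
    for i, ev in enumerate(events):
        if ev.kind != "LOGON":
            continue
        reasons = logon_violations(ev, policy)
        if not reasons:
            continue
        activity = []
        for later in events[i + 1:]:
            if later.account != ev.account or later.host != ev.host:
                continue
            if later.kind == "LOGON":
                break
            activity.append((later.kind, later.detail))
        findings.append({"ts": ev.ts, "host": ev.host, "account": ev.account,
                         "reasons": reasons, "activity": activity})
    return findings


if __name__ == "__main__":
    for f in flag_sessions(parse_log(SAMPLE_LOG), POLICY):
        print(f"{f['ts']} {f['account']}@{f['host']}: {'; '.join(f['reasons'])}")
        for kind, detail in f["activity"]:
            print(f"    {kind:<11} {detail}")
```

The output is a list of facts in the sense the post uses the word: which logon broke which rule, and which searches, file opens and launches followed it. Whether the contents of salaries.docx were actually read or copied is not something the records answer, so the finding does not claim it.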
While I agree with what Harlan said about not making decisions, inasmuch as they apply to his particular line of work performing incident response and from a business perspective, I do believe that there is definitely a time and a place for assumptions in the field of computer forensics…hear me out…
When I would produce computer forensic reports for law enforcement, I usually included an addendum called 'Investigative Leads', where I would outline several avenues to pursue which could lead to additional inculpatory or exculpatory evidence. Most of the time, these leads were based solely on the evidence found during the computer forensic investigation, but sometimes there was a fair element of uncertainty, and the fact that I still documented the leads could be considered as my making assumptions. Fortunately, I never had to worry about discovery issues or witness role conflicts when producing these addendums, due to my special circumstances at the time, but I would advise anyone else to be very careful in this regard if they are producing a report for LE or a lawyer.
Another niche field which almost requires making assumptions is that of media exploitation (computer forensics in the intelligence world). The standards for 'media exploitation' compared to 'computer forensics' are not nearly as strict when considering the legal perspective, and many times the best intelligence is gained based on educated assumptions which analysts make based on limited findings (and sometimes that's not the case…WMD in Iraq, cough, cough…)
Regarding profiling - I don't think 'cybercriminal' profiling will ever be as accurate or beneficial as criminal profiling has been for other crimes such as murder or theft. Although there are certain elements which one would be able to deduce based on their findings, such as motive and opportunity. It's fairly obvious most of the time if someone was out to destroy data or capture it, and many times you can tell if the job was an inside one or not. But due to the nature of computer crimes and their lack of a human element, I think it'll be very difficult to successfully create profiles of 'cybercriminals'. Then again, the same could've been said about psychological profiling as applied to many other kinds of crimes in the past.
Off the top of my head, I can think of a few scenarios where you could begin to develop a profile if you had enough data. If homebrew code was used in an attack, you could RE it to determine the level of sophistication required to develop such an exploit, the programming language used and possibly find any commented-out strings with shout-outs to a handle or group. This could possibly help you gauge the age and nationality of the suspect. The intent of their attack combined with the target of the attack should help you develop their motivation, which would also add to your profile of who the individual is. An exploit meant to deface a High School website - probably a student at that school. An exploit meant to deface the official Georgian website during the Russia-Georgia conflict - probably a Russian hacker. etc.
Jeff
You know, after thinking about it, I believe my response was out of context to psemenye's original post - the term 'cybercriminal profiling' coupled with the references to incident response got me thinking in that direction, but as DarkSYN indicated, that is only a subset of computer forensics.
On the whole, combining the findings of a forensic investigation with statistical analysis, one might be able to produce a profile of an individual based on computer usage. An analysis of logfiles and timestamps could illustrate how often an individual uses their computer - an analysis of link files, timestamps, installed applications and other associated content could show which files/applications an individual uses most and thus may betray information about the individual's personality. How the person's computer was configured, what Internet sites they visited and bookmarks they had saved, heck even their desktop wallpaper could all reveal clues about the individual's personality and possibly other facts such as age, gender, race, religious/political views, etc.
I recall the very first 'official' forensic investigation I worked involved a case of identity theft - due to the circumstances of the case, the scope of the investigation was pretty wide open. We ended up dissecting every piece of this individual's computer, and I remember thinking to myself how powerful a computer forensic investigation could be in providing you with personal information about the user, especially the more a person relied on their computer.
Recently I had a discussion with an individual who recounted their first experience with a forensic investigation to me, and they recalled their discussion with the examiner and his words, "You show me someone's computer and I'll show you their soul."
Now to the OP of this thread, regarding what I'm 'having difficulties with', I have one word for you – DOCUMENTATION. Manually dissecting binary file formats, operating system 'features', file system formats and the like is so tedious. I spent a solid week or two reverse'ing Skype's logs, only to find a document floating around on the Internet with a complete summary of the format. Apparently, Skype's owners didn't want the information to be too publicly available. How about undocumented features of web browsers which leave artifacts behind, which people have had to discover for themselves? Or information about the Windows registry or Shadow Copy service or hibernation file? I know that all of this is stuff which people are working on, but my point is this:
Someone had to develop these applications and all applications follow rules - if those rules were properly documented and available to individuals in the forensics community then tools and techniques which are able to extract information would be more widely available and available much more quickly. The Windows hibernation file has been around for more than 8 years now, and it's only been the last year or so where serious research has gone into understanding its structure and usefulness from a forensics perspective. Imagine if proper documentation had been available when it was first introduced…
Jeff
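The usage statistics Jeff's post sketches (how often a machine is used, at what hours, and which applications and documents appear most in timestamped artefacts such as link files and logs), as an added Python example that is not part of the thread or anyone's posted code. The artefact records, file names and day-part boundaries are constructed; the code only produces the counts, and any reading of them as "personality" is left to the analyst, as the post itself frames it.

```python
# Added example (not from the thread): derive usage statistics from a set of
# timestamped artefacts of the kind the post above lists (application
# launches, documents opened). The records below are constructed; the
# inference about the person is left to the analyst.
from collections import Counter
from datetime import datetime

# Constructed artefact records, one per line: timestamp|kind|name
# (kind is "app" for an application launch, "doc" for a document opened)
SAMPLE_RECORDS = """\
2009-03-01T08:05:00|app|firefox.exe
2009-03-01T08:30:00|doc|thesis_ch3.docx
2009-03-01T21:10:00|app|firefox.exe
2009-03-02T08:15:00|app|outlook.exe
2009-03-02T08:40:00|doc|thesis_ch3.docx
2009-03-02T22:00:00|app|firefox.exe
2009-03-03T07:55:00|app|firefox.exe
2009-03-03T23:30:00|app|vlc.exe
2009-03-05T09:00:00|doc|budget.xlsx
"""

# Assumed day-part boundaries (hour ranges are half-open: lo <= hour < hi).
DAY_PARTS = [(0, 5, "night"), (5, 12, "morning"), (12, 17, "afternoon"), (17, 24, "evening")]


def parse_records(text):
    """Parse the pipe-separated records into (datetime, kind, name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, name = line.split("|", 2)
        records.append((datetime.fromisoformat(ts), kind, name))
    return records


def day_part(hour):
    """Map an hour of the day onto one of the DAY_PARTS labels."""
    for lo, hi, label in DAY_PARTS:
        if lo <= hour < hi:
            return label
    raise ValueError(f"hour out of range: {hour}")


def usage_profile(records):
    """Summarise when the machine was used and what was used most.
    Returns plain counts; nothing here interprets them."""
    dates = sorted({ts.date() for ts, _, _ in records})
    by_hour = Counter(ts.hour for ts, _, _ in records)
    by_weekday = Counter(ts.strftime("%A") for ts, _, _ in records)
    by_day_part = Counter(day_part(ts.hour) for ts, _, _ in records)
    top_apps = Counter(name for _, kind, name in records if kind == "app")
    top_docs = Counter(name for _, kind, name in records if kind == "doc")
    # Calendar span covered by the evidence versus days with any activity at all.
    span_days = (dates[-1] - dates[0]).days + 1 if dates else 0
    return {
        "active_days": len(dates),
        "span_days": span_days,
        "events_per_active_day": round(len(records) / len(dates), 2) if dates else 0.0,
        "by_hour": dict(by_hour),
        "by_weekday": dict(by_weekday),
        "by_day_part": dict(by_day_part),
        "top_apps": top_apps.most_common(3),
        "top_docs": top_docs.most_common(3),
    }


if __name__ == "__main__":
    for key, value in usage_profile(parse_records(SAMPLE_RECORDS)).items():
        print(f"{key:<22} {value}")
```

Running it on the constructed records shows activity on four of five calendar days, concentrated in the morning with a smaller evening cluster, one application launched far more than the others, and one document opened on repeated days; those are the kinds of figures the post suggests an analyst would start from, and the gap day is as much a finding as the busy ones.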
> Not trying to be argumentative, it just appears that my experience is perhaps different from yours…
Don't worry, we are simply discussing a topic.
> As a consultant on the corporate side, one who performs incident response activities, most often I am called on-site because folks do NOT know their network security well enough…in fact, some simply do not have a basic understanding of network security at all.
Yes, undoubtedly there are a number of sysadmins who don't know their network security well enough.
> Further, from a business perspective, there doesn't seem to be a legitimate rationale for profiling in the first place. When an organization is breached, there are a couple of basic questions they need answered…and not one of them has to do with profiling.
A business that just suffered a security break-in, for instance, would want to know the answers to questions such as
"Was it an inside job or was it an external break-in?"
"If internal, who would have been able to do it, in what department would they be working in, and how skilled are they?"
"If external, was it a skiddie or l33t, and were they acting alone or was it the action of a crew?"
"Was the attack a simple DoS/DDoS one or a smokescreen for some data gathering expedition?"
At the very least I, as a network security engineer/consultant would want to have the answers to those questions in order to decide on the best course of action.
> When performing data collection, I have certain procedures that I follow, and then analysis of that data may lead me to other data or resources. I generally stay away from making assumptions, and stick to the facts which are derived from the analyzed data.
> For example, during an intrusion engagement I may see where an unauthorized individual logged into a system ("unauthorized" based on the account, time that they logged in, etc.). From there, based on my analysis procedures, I may then see indications where certain searches were conducted, files opened or accessed, applications launched, etc.
Yes, following procedures is both good and useful and, to a degree, professional. But at some stage you have to make assumptions and trust your intuition, especially when you're dealing with a security break-in, as one of the things all DF investigators know or eventually learn is that data from a hacked system cannot be either trusted completely or relied upon completely.
> As you've pointed out, speculation is based on background knowledge and experience…and it's very unlikely that someone else, either on my team or on the customer site, has the same background knowledge and experience that I do.
Then you automatically underestimate your opponents (and colleagues???!) by assuming superiority over them, which is a big no-no. You will find, especially if you run into a real l33t group, that not only do they have the same background knowledge and experience you do, but they've developed a counter-move to any move you may possibly make.
That is in NO way meant to insult you or impugn your knowledge and experience, so please do not take what I've said the wrong way.
> Regarding profiling - I don't think 'cybercriminal' profiling will ever be as accurate or beneficial as criminal profiling has been for other crimes such as murder or theft. Although there are certain elements which one would be able to deduce based on their findings, such as motive and opportunity. It's fairly obvious most of the time if someone was out to destroy data or capture it, and many times you can tell if the job was an inside one or not. But due to the nature of computer crimes and their lack of a human element, I think it'll be very difficult to successfully create profiles of 'cybercriminals'.
Yes, there is some truth in what you say here, and by the way, thank you for providing me with some further information on what I'm currently studying.
However, that's not completely true. Usually, attackers tend to have an M.O. in cyber-space as in meat-space. You touch upon this when you speak about homebrew code. But even if the attacker uses someone else's tools, they still differ enough to be able to be profiled.
> if those rules were properly documented and available to individuals in the forensics community then tools and techniques which are able to extract information would be more widely available and available much more quickly.
I understand and share your frustration with poor documentation. And it's a lovely example of why open-source software is better.
The problem, however, is that closed-source companies operate under the assumption that by making information difficult to find they are inhibiting copyright infringement and protecting their "invention", not to mention the monopoly aspects. Given how easy it is for documents to be leaked to the web, they would not trust even forensic investigators to keep them safe.
Cheers
DarkSYN
Thank you very much DarkSYN and Jeffcapal for your input and opinions. There was a time I was actually thinking of abandoning that topic. Thanks DarkSYN for the book references, I will definitely need them and I will also be coming back to you for help. I'm still trying to figure out which angle I will approach the topic from.
DarkSYN,
> Then you automatically underestimate your opponents (and
> colleagues???!) by assuming superiority over them, which is a big no-no.
Interesting…I never said anything about superiority. I said that it's "unlikely that someone else, either on my team or on the customer site, has the same background knowledge and experience that I do". I'm not entirely sure where you were able to get "superior" from "different".
I'm not at all offended by this, but I do find it somewhat difficult to discuss this topic when such assumptions are made…