PERPETRATORS, PROFILING, POLICING: Theory

1
PERPETRATORS, PROFILING, POLICING Theory
Practice 8th International Investigative
Psychology Conference

• Coordinated Cyber Attacks Towards Norway in 2004
• December 15, 2005

2
Introduction Cyber Attacks Incidents

• Continuous growth in cyber crime and its related
  losses
• Definition of cyber attacks versus cyber
  incidents
• Terrorists may conduct attacks via or towards
  ICTs
• Protection of the Critical Infrastructure of
  major importance
• Information gathering and profiling used to
  reduce the amount of data
• Profiling as part of technical tools for
  detecting anomaly behaviour (IDS and AML)
• Behavioural profiling and investigative
  psychology for categorising and linking offenders
  and for advancing searches
• The current study is profiling cyber incidents to
  improve insight into to how they are done, by
  whom and why

3
Relevant Research and Gap in Literature

• Much research on technical security
• Excludes the wider social and behavioural context
• Emergence of information systems research from
  the social science tradition
• Criminology and psychology may be used in the
  information systems security domain
• There is a gap in inductive profiling of cyber
  incidents much due to little statistics and
  information gathering
• Information gathering from technical systems that
  may be used for behavioural profiling come from
  IDS and Firewall logs, forensic evidence etc.
• Inductive profiling may draw on expert statements
  when little theory is developed in the area

4
Theoretical Framework

• The current analysis builds on Howards (1997)
  category of cyber incidents
• Attacker
• Tool
• Access
• Result
• Objective
• Including the target and opportunity factor
  (Willison and Backhouse, 2005)
• Target
• Opportunity
• Differences between attackers and types of attack
  (Kjaerland, 2005)
• Expert statements may be related to objective or
  opportunity of attack (as created by the target)

5
Research Problem and Question

• Much data in systems, that may be reduced though
  inductive (or statistical) profiling
• Differentiate between incidents through the use
  of multidimensional scaling techniques (MDS)
• Systematic analysis of attack/incident
  characteristics in order to distinguish between
  type of attacks (method of operation) and type of
  source (source or attacker)
• The research problem is to profile cyber
  incidents in order to improve the understanding
  of cyber incidents, how they are done, by whom
  and why?
• In other words, what is the structure of
  coordinated attacks, and what type of attacks are
  most characteristic from different types of
  countries?

6
Design and Method

• Smallest Space Analysis (SSA) is used to
  understand more about the relationship between
• type of attack (method of operation)
• country of attack (source or attacker)
• These categories may be seen as variants of
  Howards (1997) typology
• SSA is often used in relation to Facet theory,
  which allows for the reworking of a definitional
  system
• SSA can also be used in an exploratory manner
  when a subject is not well featured in the
  literature
• The current method is used to look at type of
  attack and country as categorical data
  (non-metric)
• The current analysis may help improve future
  analysis by looking at the categories and the
  relationships between the variables

7
Dataset and Facets

• Data come from an international oil company
  (Statoil) that cooperates on the project Warning
  System for Critical Infrastructure (VDI)
  coordinated by the National Authorities in Norway
• 205 coordinated attacks towards the critical
  infrastructure in 2004 are analysed using
  Smallest Space Analysis (SSA)
• The attacks must hit at least 5 companies
  simultaneously for them to classify as
  coordinated attacks
• The attack type variables are Root,
  Reconnaissance, Denial of Service (DoS), and Worm
  
• There are 21 countries in the analysis forming 35
  variables of countries and type of attack

8
Results - SSA

• The analysis gave a Jaccards coefficient of 0.12
  in 42 iterations
• Norway and Root are close in geographical space,
  indicating that they are closely related
• Slovenia and Root are not close in geographical
  space, indicating that they do not often appear
  together
• Breaking and Entering Norway, Japan, Germany,
  and Turkey
• Random Scans Virus/Worm Italy, Israel, and
  Brazil
• Crashing/Hanging Programs Services China,
  Canada, UK, Malaysia, and Taiwan

9
Results - Frequencies

• Incident
• Reconnaissance 190 of 205 cases (92.7)
• Worm 112 of 205 cases (54.6)
• Root compromise 85 of 205 cases (41.5)
• DoS 20 of 205 cases (9.8)
• Country
• US 71 of 205 attacks (34.6)
• China 54 of 205 attacks (26.3)
• Canada 10 of 205 (4.9)
• Japan 9 of 205 attacks (4.4)
• Norway 9 of 205 attacks (4.4)
• UK 7 of 205 incidents (3.4).

10
SSA Plot Percentage Ranges
11
SSA plot Grouping Coordinated Attacks
Breaking Entering
Random Scans Virus/Worm
Crashing/Hanging Programs Services
12
Summary and Conclusion

• Countries frequently attacking the critical
  infrastructure are US, China, Canada, Japan,
  Norway, and UK
• Less industrialised countries use more worms,
  viruses, and scanning (stepping stones), whereas
  more industrialised countries use Root and DoS
  attacks
• Some countries that were not previously
  industrialised are up-ad-coming with attacks
  similar to industrialised countries
• The understanding of cyber incidents may be
  advanced through improved collection and analysis
  of information, as well as through sharing of
  information
• Future research in the area may be advanced
  through applying Criminal Profiling to
  Information Systems research
• There are possibilities for more research in the
  area of Inductive Profiling of Cyber Incidents

13
Thank you for your attention!