Profiling

There is a technique in law enforcement called “profiling,” which has been used for many years to determine whether a given pattern of criminal behavior can serve as a mechanism for defining a category of suspects.

Although this approach has been successful in many instances, it has also led to widespread abuses. First, let us consider one of the major types of abuse. The expression “driving while Black” has evolved from the all-too-common practice of police officers stopping an automobile driven by an African-American who might be driving in a predominantly white neighborhood. As eminent a person as former President Barack Obama has reported that this has happened to him on occasion (Soffen, 2016).

Thus, in the realm of cybersecurity, it is important to recognize that the criteria used to develop profiling approaches must not attribute certain types of behavior on the basis of race, ethnicity, or other identifiable traits of an individual; behavior should be attributed on the basis of actions rather than individual traits.

Profiling in the Cybersecurity Context

There is a growing body of cyberattacks for which there is a great need to isolate one or several potential perpetrators of the attack.

Throughout this book, you will see a number of case studies of both actual and fictional cyberattacks, and the profiling techniques described here may be applicable in determining potential suspects. To introduce the subject, however, we will use one well-known series of incidents that we might describe as the “Sony Pictures Hack.”

Sony Pictures Hack

In October 2014, word leaked out that Sony Pictures had under development a film titled The Interview. What was known was that the storyline for this film was that the US government wanted to employ journalists to travel to North Korea to interview the president of that country—and under the cover of the interview, to assassinate the president.

As word of this plot leaked out, the North Koreans, understandably furious, threatened reprisals against Sony and against the United States should this film be released.

A hacker group identifying itself as “Guardians of Peace” (GOP) released confidential data taken from Sony. The data included personal information about Sony employees and their families, emails between employees, information about executive salaries at the company, and copies of then-unreleased Sony films. The group demanded that Sony pull its film The Interview and threatened terrorist attacks at cinemas screening the film. After major US cinema chains opted not to screen the film in response to these threats, Sony elected to cancel the film’s formal premiere and mainstream release, opting to skip directly to a digital release followed by a limited theatrical release the next day.

US intelligence officials alleged that the attack was sponsored by North Korea.

Sony was made aware of the hack on Monday, November 24, 2014, when previously installed malware rendered many Sony employees’ computers inoperable and displayed a warning from GOP along with some of the confidential data taken during the hack. Several Sony-related accounts were also taken over, and on the previous Friday several executives had received an email from a group calling itself “God’sApstls” that demanded “monetary compensation.” Soon the GOP began leaking yet-unreleased films and started to release portions of the confidential data to attract the attention of social media sites.

Other emails released in the hack showed Scott Rudin, a film and theatrical producer, discussing the actress Angelina Jolie very negatively.

On December 16, for the first time since the hack, the GOP mentioned the then-upcoming film The Interview by name and threatened to take terrorist actions against the film’s New York City premiere at Sunshine Cinema on December 18, as well as on its national release date of December 25. Sony pulled the theatrical release the following day.

We will clearly show it to you at the very time and places The Interview be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you’d better leave.)

The stars of The Interview responded by saying they did not know whether the threats were definitely caused by the film, but they later canceled all related media appearances.

Undoubtedly, all of the publicity surrounding these threats, together with the embarrassing disclosures from the Sony hack, led to a great deal of public interest in the film and the resulting controversy. As a result, many people who would not have been willing to take the risk of going to a theater showing this film decided to purchase and view it in the safety of a streamed video.

Thus, The Interview became something of an underground hit, and it is not disputed that many more people saw the film because of the controversy.

The question thus became who might have been the perpetrator of the Sony hack, and of the resulting actions related to the controversy over the release of the film.

Profiling Matrices

With the information given regarding the Sony Hack, we can use the series of events to develop a model that narrows the set of potential perpetrators of this hack, as well as their motivations for carrying it out.

Rather than being an approach that conclusively leads to a definitive answer, the profiling matrix approach provides the researcher with a means to narrow the potential suspects and the corresponding motivations to the point where many suspects may be effectively eliminated.

First, we will build a list of potential suspects. The beginning step here is to gather as much information as possible regarding candidates to be included or rejected as suspects. From the case study as presented earlier, most persons would immediately include the North Korean government as a suspect. Along those lines, however, rather than the North Korean government itself (which may or may not have the requisite technical ability), actors working on its behalf might be considered. As we have said, a hacker group calling itself the GOP claimed that it had executed the Sony hack. However, GOP had not been previously identified, so it is possible that the name was only a pseudonym for some other hacker group. The group Anonymous might also be a suspect, since it had claimed, with some reason, to have perpetrated numerous other hacks in the past.

It is also known from any analysis of world politics that China is the country with the strongest working relationship with North Korea, and China is also known to have very substantial technical capabilities.

But there had also been suspicion directed at a technically skilled Sony employee, referred to as Lena in numerous articles. Lena had been fired by Sony not long before the hack in question, and it was widely known that she had the capability to perform the hack and may have wished for revenge.

It is also reasonable to consider that, in any competitive environment, competitors of Sony might have had a motivation to damage Sony’s reputation.

At the point where there was considerable discussion as to whether the film The Interview might be pulled from release, or released in a fashion that might diminish its profitability, persons who stood to benefit from the success of the film (for example, the producer and director, or the lead actors) might have had a motive in terms of either decreasing or increasing the value of the film.

A final consideration is that Sony Pictures itself might have realized that creating considerable controversy over the release of the film, which otherwise might have gone largely unnoticed, could result in greater profitability for Sony.

In a course offered at Howard University that used the Sony Pictures Hack as an example, the complete list of 16 potential suspects became:

  • North Korea
  • Guardians of Peace
  • Iran
  • Sony Employees
  • WikiLeaks
  • Russia
  • China
  • Microsoft
  • Industrial Competitor
  • Movie Industry
  • Google
  • Anonymous
  • Lena
  • MGM
  • Seth Rogen, James Franco
  • Sony Pictures

Now that we have a list of potential suspects, our next task is to identify the motivations behind this series of events. It is conceivable that one could identify a new motivation to which none of the previous suspects (identified by their roles) corresponds. Nevertheless, money and politics are obvious.

Any time we identify groups for whom hacking is a primary activity, we should consider whether the hack was carried out to demonstrate technical proficiency, or even to “advertise” for future business. Revenge is often another motive, certainly in this case given the existence of a disgruntled former employee. And industrial competitiveness is often another potential motivation.

Perhaps one more candidate should be added to this list: given that Sony was much more profitable with this film after all of the controversy, stirring the controversy might have been perceived as a way of making the series of events beneficial to Sony itself.

Thus, we identified 12 possible motivations as follows:

  • Politics
  • Keep the peace
  • Warfare
  • Reputation
  • Start conspiracy
  • Become famous
  • Personal vendetta
  • Money
  • Disclose information
  • Adventure
  • Abuse
  • Competition

Our next step is to create the columns of the profiling matrix. We list all of the potential motivations that we have identified, and we can now create a matrix whose 16 rows are labeled by the suspects and whose 12 columns are labeled by the potential motivations. Thus, we have defined both the rows and the columns of our profiling matrix.

The next step in the analysis is to examine each cell in this newly formed matrix and then, based on all of the documentary evidence at hand for the case, estimate the probability that this particular cell, defined by the pair (perpetrator, motivation), represents the most likely guilty party and its rationale. The results of our classroom exercise are shown in Figure 5.1.

In Chapter 9, the method of establishing profiling matrices is extended in a transformation to a game theory model that allows for a solution to be developed from the profiling data.
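As an added illustration of the matrix construction and the elimination step described in this section (example code, not from the book), the following Python builds a small profiling matrix, normalizes the cell estimates into a joint probability table, and derives the marginal likelihood per suspect and per motivation. The suspect and motivation names are a subset of the chapter's lists; the cell scores are constructed sample values, not the classroom results of Figure 5.1.

```python
# Profiling matrix of the kind shown in the chapter's Figure 5.1.
# Added example, not the book's code: suspects and motivations are a subset of
# the chapter's lists; every score below is constructed, not the classroom result.
from typing import Dict, List, Tuple

Cell = Tuple[str, str]  # (suspect, motivation)
SUSPECTS = ["North Korea", "Guardians of Peace", "Lena", "Sony Pictures", "Anonymous"]
MOTIVATIONS = ["Politics", "Personal vendetta", "Money", "Reputation"]
# Constructed raw scores: how strongly the evidence is judged to point at each
# (suspect, motivation) pair. Rows follow SUSPECTS, columns follow MOTIVATIONS.
RAW_SCORES = [
    [40, 2, 6, 12],   # North Korea
    [10, 3, 15, 8],   # Guardians of Peace
    [0, 30, 8, 4],    # Lena
    [1, 0, 14, 9],    # Sony Pictures
    [8, 4, 6, 20],    # Anonymous
]

def build_matrix(suspects: List[str], motivations: List[str],
                 scores: List[List[float]]) -> Dict[Cell, float]:
    """Key every score by its (suspect, motivation) cell, checking the grid shape."""
    if len(scores) != len(suspects) or any(len(r) != len(motivations) for r in scores):
        raise ValueError("score grid must be len(suspects) x len(motivations)")
    if any(v < 0 for row in scores for v in row):
        raise ValueError("estimates cannot be negative")
    return {(s, m): float(scores[i][j])
            for i, s in enumerate(suspects) for j, m in enumerate(motivations)}

def normalize(matrix: Dict[Cell, float]) -> Dict[Cell, float]:
    """Rescale raw scores so the whole matrix is a joint probability table."""
    total = sum(matrix.values())
    if total <= 0:
        raise ValueError("at least one cell must carry a positive estimate")
    return {cell: v / total for cell, v in matrix.items()}

def marginals(joint: Dict[Cell, float], axis: int) -> Dict[str, float]:
    """Sum over the other axis: axis=0 gives P(suspect), axis=1 gives P(motivation)."""
    out: Dict[str, float] = {}
    for cell, p in joint.items():
        out[cell[axis]] = out.get(cell[axis], 0.0) + p
    return out

def rank_cells(joint: Dict[Cell, float], top: int = 3) -> List[Tuple[Cell, float]]:
    """Most likely (suspect, motivation) pairs, best first."""
    return sorted(joint.items(), key=lambda kv: kv[1], reverse=True)[:top]

def retain_suspects(joint: Dict[Cell, float], threshold: float) -> List[str]:
    """Suspects whose marginal clears the threshold; the rest are effectively eliminated."""
    return [s for s, p in marginals(joint, 0).items() if p >= threshold]

if __name__ == "__main__":
    joint = normalize(build_matrix(SUSPECTS, MOTIVATIONS, RAW_SCORES))
    for (s, m), p in rank_cells(joint):
        print(f"{s:20s} {m:18s} {p:.3f}")
    print("retained above 15%:", retain_suspects(joint, 0.15))
```

The threshold used for elimination is itself a judgement call; the matrix only orders the (suspect, motivation) pairs by the evidence entered into it.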

[Figure 5.1 Profiling matrix for the Sony Hack: rows are the 16 suspects, columns are the 12 motivations, and each cell gives the classroom estimate for that (suspect, motivation) pair.]

The “ABCD” Analysis

Another methodology for analyzing levels of threat in a cybersecurity environment is the so-called “ABCD” approach. This approach, which had its origins in criminal justice theory, attempts to define an attack in terms of its sophistication. As a simplification, potential cyberattacks, or the hackers developing or utilizing these attacks, are divided into four categories, with the least sophisticated attacks categorized as “D-level,” going all the way to the most sophisticated attacks, whose attackers fall into the “A-level” category. Our examples will include both car theft and cyberattacks (Table 5.1).

Behavioral Cybersecurity

TABLE 5.1 Classification of Malware: The “ABCD” Model for Bad Guys

Level D

Description: Smash-and-grab: no skill, knowledge, or resources; sees an opportunity and acts immediately.

Car theft example: A potential thief walks along a street where there are a number of parked cars and comes to a car where the thief sees a briefcase sitting on the passenger seat, observes the presence of a large rock beside the sidewalk, grabs it, and immediately throws it at the window, shattering it and therefore allowing the thief to take the briefcase and run.

Cybersecurity example: Script kiddies: the D-level cybercriminal is a person who is pointed to a website that might contain embedded software that can be downloaded and run in order to create some form of attack. The effort requires no skill or knowledge but is simply acted upon once the malicious software is found. Sometimes these perpetrators have been called “script kiddies.”

Level C

Description: Some limited skills and resources, but little planning in execution.

Car theft example: The potential thief’s objective is actually to steal the car. Since there are many cars on the street, the C-level thief looks for a target. If the thief noticed a club steering wheel lock, he or she would probably move on to the next car, since the thief’s limited skills would lead to the realization that destroying the club might take enough time to expose the thief to capture.

Cybersecurity example: Low Orbit Ion Cannon: the C-level cybercriminal might be one who is able to launch a form of DDoS (Distributed Denial of Service) attack. For example, by downloading the program “Low Orbit Ion Cannon,” one can simply type in a URL and thus launch various types of DDoS attack.

Level B

Description: Very knowledgeable, some resources, ability to plan.

Car theft example: There is in fact a well-developed “university” system for the training of the B-level criminal: it is called the prison system. Where except in prison can one obtain—without the cost of tuition—the highest level of training in committing criminal acts, with therefore the greatest knowledge but yet a small amount of resources? This thief might know how to “hotwire” a car in order to start it up and take off.

Cybersecurity example: Internet worm: the B-level cybercriminal might be someone with a great deal of programming skill, sufficient to create a worm, virus, or ransomware and to launch it against some well-chosen target site or sites.

Level A

Description: Well-organized team, very sophisticated knowledge, lots of resources, only interested in large targets, can plan extensively.

Car theft example: The leader or part of an organization that is in the business of receiving the stolen car that might be delivered by the B-level accomplice, but then has the knowledge, resources, organization, and planning to be able to strip down these vehicles and repackage them for future sales.

Cybersecurity example: Stuxnet: the A-level cybercriminal might in fact be a government or a vast organization sponsored by a government or governments. Examples of A-level attacks might be Stuxnet or its variants. Stuxnet has been reliably identified as a joint project of the US and Israeli governments.

Problems

  • 1. Find an example beyond “Driving While Black” with the generic assumption of identifying with an ethnic or racial stereotype.
  • 2. Identify some values and some dangers of profiling.
  • 3. Can you find a tragic outcome of profiling?
  • 4. Assess the reviews of movie The Interview related to the Sony Hack.
  • 5. Has “Lena” ever been identified?
  • 6. Identify your own candidates as suspects and motivations for the Sony profiling case.
  • 7. Construct an ABCD description for the classification of potential bank robbers.
  • 8. Use the ABCD method to classify each of the following as A, B, C, or D:
      (a) pickpocket
      (b) fabrication of student grades
      (c) the Morris worm
      (d) script kiddies

Reference

Soffen, K. 2016. “The Big Question about Why Police Pull Over So Many Black Drivers,” Washington Post, July 8, 2016. https://www.washingtonpost.com/news/wonk/wp/2016/07/08/the-big-question-about-why-police-pull-over-so-many-black-drivers/?utm_term=.7346a524986f.
