It's time to tap the large reservoir of talent with analytical skills to help tackle cybersecurity problems. Train workers in cybersecurity details while using their ability to solve problems.

Gage Mele, Manager of Cyber Intelligence, Anomali

July 7, 2022


When I decided to get a degree in criminal justice, cybersecurity wasn't top of mind for me. I just wanted to get justice for folks who had been wronged.

But as I learned more about the criminal justice system in the United States, it wasn't long before I made a pivot. In my junior year in college, while working for a degree in history, I received an unpaid internship to work at a small company in New Hampshire. It was there that I got my introduction to the cybersecurity world — and it led to an epiphany.

I realized that what I learned in college about human behavior extends in the same way to any criminal — whether we're talking about the physical or cyber worlds, a similar logic applies. Since I had always wanted a job where I could develop my analytical skills, cybersecurity was an unexpected fit.

Tapping an Untapped Talent Pool

This field can also be an unexpected fit for some of the hundreds of thousands of people who enter the job market each year, even if they graduate with degrees other than computer science. Cybersecurity suffers from a talent shortage and we're making it worse by not tapping this reservoir of potential talent.

There's no one-size-fits-all handbook to guide the battle against cybercriminals. Most often, it requires cybersecurity defenders to fit together different pieces of a human puzzle that will vary depending on a myriad of geographical, political, and cultural influences.

Essentially, this boils down to problem-solving on a global scale. Yet, whether it's cybercrime or physical crime, it's possible to read into the motivations of the threat actors and understand why they're doing the things they do. And then, once we know that, we get closer to predicting their next steps. This is where people with finely honed analytic skills can make excellent cyber sleuths.

Clearly, it's important to possess technical knowledge. But I think you can always teach technical skills to curious minds who enjoy a challenge. The critical thinking aspect is harder to come by. People who possess top-flight problem-solving abilities can make a difference by leveraging their skills to fill the cybersecurity ranks with badly needed talent. It's key to have skilled individuals who are capable of training and teaching them.

Understanding Criminal Motivations

In terms of adversary detection, there are several variables to consider. But you don’t need to be a veritable Sherlock Holmes to understand the criminal mindset. We need people who can determine what motivates someone to commit a certain act, and subsequently identify the next actions a threat actor is likely to take, whether we’re talking about a distributed denial-of-service (DDoS) attack or a home intrusion.

When it comes to deciphering criminal groups, we repeatedly find similar patterns.

Cybercriminals can often be lazy and tend to choose targets that are designated as "easier," or simply target everyone to see what sticks. Professional cybercriminal groups develop and distribute malware on a global scale, and some groups can be very sophisticated and financially motivated. For example, advanced persistent threat (APT) groups are highly sophisticated professionals that tend to be motivated to carry out the theft of sensitive information, and sometimes, the destruction or prevention of resource access. With Russia-sponsored groups increasingly active since the Ukraine invasion, we can sometimes see both motivations simultaneously. Cyber espionage is solely motivated by information, and threat actors will go to great lengths and show extreme patience to get it. Nation-state groups arguably have the most resources at their disposal, and they can function with different motivations depending on their given objectives.

So, the process of adversary detection comes down to making logical deductions to understand how cybercriminals approach their goals. Once we know what the bad guys tend to do, then it becomes easier to detect their behavior. That's not to dismiss the complexity of the task. Attacker detection is challenging, but not impossible.

It's about getting that full picture of the actor, their motivations, and how they like to operate. Just like Sun Tzu said a long time ago, "If you know the enemy and know yourself, you need not fear the result of a hundred battles."

About the Author(s)


Gage Mele is the Manager of Cyber Intelligence at Anomali. As an expert in cyber security, his passion lies in Threat Intelligence, and he has covered the space for a decade. When not focused on adversary defense, Gage enjoys reading, playing video games, and spending time with his wife.
