The Art Of Profiling Cybercriminals

New psychological and criminological studies attempt to capture a glimpse of the human behind the hack

He's a white, 37-year-old engineer in your organization, and he feels justified in selling out your intellectual property to a foreign country because he's miffed about getting overlooked for a promotion. He has had a history of mental health problems, and his marriage is on the rocks as he faces personal financial issues.

Those are some of the common characteristics of the perfect storm for a typical malicious insider who steals and profits from his organization's trade secrets, according to a new report authored by psychologists with expertise in risk management and forensic psychology. The "Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property" research paper by Drs. Eric Shaw and Harley Stock was commissioned by Symantec and draws from real-world malicious insider cases.

With cybercrime becoming the weapon of choice for more criminals, psychologists such as Shaw and Stock, as well as sociologists and criminologists, are increasingly being tapped to help construct profiles of hackers and malicious insiders so organizations can better defend against outside threats and spot trouble internally.

While technology has been the main weapon against these attacks, experts say a better understanding of the psychological, criminological, and sociological side of the equation can help boost defenses and even catch an internal thief before he goes the distance.

Stock, a certified forensic psychologist and managing partner with the Incident Management Group (IMG), says the profile of the malicious insider that he and Shaw derived from real-world cases isn't just about the physical profile: "In the research, it says the typical person who conducts intellectual property theft is a 37-year-old male Caucasian. But we don't want companies to get sidetracked by that [profile] -- anybody at any given time is capable of stealing," Stock says. "We tried to describe how they get on a critical pathway to IP theft, and how you can identify different parts of that pathway."

Criminologist David Maimon, assistant professor of criminology and criminal justice at the University of Maryland's College of Behavioral and Social Sciences, recently teamed with engineer and computer scientist Michel Cukier, associate professor of reliability engineering at the university, to study the criminological side of hacking, spamming, and malware.

The professors, who plan to present details of their findings early next year, discovered some interesting correlations between computer crime and network usage trends that can help organizations better predict victims and attacks.

"We both had interest in the human component and tried to figure out innovative ways to try and study the human players behind cybercrime," says Maimon, who provided Dark Reading with a preview of some of the findings.

The researchers used real data from actual attempted attacks against the University of Maryland's network to study trends in how and when attackers strike, as well as other characteristics. One of their key findings was that the social composition of the network typically helps determine the origin of an attack, and that cybercriminals are like physical criminals: They are opportunistic when it comes to their victims.

"Cyberattacks against the campus network occurred at specific times, when most of the victims were on campus and using the system," Maimon says. "When you have more users online, you have more victims so more crimes going on during that time."

And like physical crime, where you go on the network determines your risk, too, he says. "We all use the same sort of devices to protect our systems, IPSes, IDSes, firewalls, and antivirus," Maimon says. "These tools are important, but at the same time you have to take into consideration the social [aspect] and end users."
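One way to check Maimon's opportunism claim on your own network, as an added example that is not from the article or from the Maimon/Cukier study: bucket IDS alerts and user sessions by hour, correlate the two series, and normalize alerts by the number of users online. If attackers are opportunistic, raw alert counts rise and fall with the user population while the per-user rate stays flat; a burst of alerts when nobody is online (the 05:00 sweep in the sample below) is the kind of outlier worth a closer look. The two log formats and all timestamps, users and source IPs are constructed for this example (IPs from the RFC 5737 documentation ranges).

```python
"""Hourly correlation of IDS alerts with active users.

Added example, not code from the Dark Reading article or from the
Maimon/Cukier study. It tests the claim that attack attempts track the
number of users online, on constructed sample logs. Both log formats
below are assumed for the example, not those of any real product.
"""
from collections import Counter
from datetime import datetime
import math

# Constructed alert log: one IDS alert per line, "<ISO time> <source IP> <signature>".
ALERT_LOG = """\
2019-02-14T05:00:12 203.0.113.7 ssh-bruteforce
2019-02-14T09:12:31 198.51.100.23 web-scan
2019-02-14T09:40:08 203.0.113.7 ssh-bruteforce
2019-02-14T10:05:44 192.0.2.18 web-scan
2019-02-14T10:20:19 198.51.100.23 sql-injection
2019-02-14T10:33:52 203.0.113.41 ssh-bruteforce
2019-02-14T11:02:03 192.0.2.18 web-scan
2019-02-14T11:15:27 203.0.113.7 ssh-bruteforce
2019-02-14T11:58:49 198.51.100.9 malware-callback
2019-02-14T12:30:11 203.0.113.41 ssh-bruteforce
2019-02-14T13:10:36 192.0.2.77 web-scan
2019-02-14T13:35:02 198.51.100.23 sql-injection
2019-02-14T15:15:55 203.0.113.7 ssh-bruteforce
2019-02-14T16:41:20 192.0.2.18 web-scan
2019-02-14T23:05:14 198.51.100.9 malware-callback
"""

# Constructed session log: "<login> <logout> <user>", all sessions on the same day.
SESSION_LOG = """\
2019-02-14T08:55:00 2019-02-14T12:10:00 u01
2019-02-14T09:05:00 2019-02-14T16:30:00 u02
2019-02-14T10:00:00 2019-02-14T11:45:00 u03
2019-02-14T13:00:00 2019-02-14T16:00:00 u04
2019-02-14T22:00:00 2019-02-14T23:30:00 u05
"""


def alerts_per_hour(log: str) -> Counter:
    """Count alerts per hour of day (0-23)."""
    hours = Counter()
    for line in log.splitlines():
        ts, _src, _sig = line.split()
        hours[datetime.fromisoformat(ts).hour] += 1
    return hours


def active_users_per_hour(log: str) -> Counter:
    """Count sessions that overlap each hour; 08:55-12:10 counts in hours 8 through 12."""
    hours = Counter()
    for line in log.splitlines():
        start, end, _user = line.split()
        first = datetime.fromisoformat(start).hour
        last = datetime.fromisoformat(end).hour
        for h in range(first, last + 1):
            hours[h] += 1
    return hours


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def hourly_correlation(alert_log=ALERT_LOG, session_log=SESSION_LOG) -> float:
    """Correlation between users online and alerts seen, over the 24 hours of the day."""
    alerts, users = alerts_per_hour(alert_log), active_users_per_hour(session_log)
    return pearson([users[h] for h in range(24)], [alerts[h] for h in range(24)])


def alerts_per_active_user(alert_log=ALERT_LOG, session_log=SESSION_LOG) -> dict:
    """Alerts divided by users online for each hour; None when nobody was online."""
    alerts, users = alerts_per_hour(alert_log), active_users_per_hour(session_log)
    return {h: (alerts[h] / users[h] if users[h] else None) for h in range(24)}


if __name__ == "__main__":
    print(f"correlation of users online vs alerts: {hourly_correlation():.2f}")
    alerts = alerts_per_hour(ALERT_LOG)
    for h, rate in alerts_per_active_user().items():
        if alerts[h]:
            shown = "no users online" if rate is None else f"{rate:.2f} per user"
            print(f"{h:02d}:00  alerts={alerts[h]}  {shown}")
```

On the sample data the raw counts correlate strongly with the user population (r ≈ 0.83), which is the opportunistic pattern the study describes; the single 05:00 alert has no active users to normalize against and is reported separately rather than averaged away. Running this over a real week of IDS and authentication logs, with sessions that cross midnight handled properly, is the practical version of the check.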

As for the malicious insider, predispositions and professional dissatisfaction or a sense of being slighted in his job can serve as a trigger for sending him on that path. "A perceived injustice sends them along the critical pathway. They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior," Stock says.

Around 65 percent of malicious insiders have already lined up a new job with a competitor or started their own firm at the time of the data theft. More than half begin stealing information within a month of leaving their employer. One-fourth sell the stolen information to a foreign company or country, and 20 percent are hired by an outsider to pilfer the information, according to the Symantec report.

Three-fourths take information that they have legitimate access to in their jobs, and more than half of these cases involve the theft of trade secrets; 30 percent, billing information, price lists, and other administrative data; 20 percent, source code; 14 percent, proprietary software; 12 percent, customer information; and 6 percent, business plans.

Even so, an employee going rogue after being overlooked for a promotion, for example, is the exception, not the rule. "A lot of employees aren't happy and think about doing bad things, but very few move down that pathway to do it. Those who do are very dangerous," Stock says.


Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
