Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:45 PM
Connect Directly

The Art Of Profiling Cybercriminals

New psychological and criminological studies attempt to capture a glimpse of the human behind the hack

He's a white, 37-year-old engineer in your organization, and he feels justified in selling out your intellectual property to a foreign country because he's miffed about getting overlooked for a promotion. He has had a history of mental health problems, and his marriage is on the rocks as he faces personal financial issues.

Those are some of the common characteristics of the perfect storm for a typical malicious insider who steals and profits from his organization's trade secrets, according to a new report authored by psychologists with expertise in risk management and forensic psychology. The "Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property" research paper by Drs. Eric Shaw and Harley Stock was commissioned by Symantec and draws from real-world malicious insider cases.

With cybercrime becoming the weapon of choice for more criminals, psychologists such as Shaw and Stock, as well as sociologists and criminologists, are increasingly being tapped to help construct profiles of hackers and malicious insiders so organizations can better defend against outside threats and to better spot trouble internally.

While technology has been the main weapon against these attacks, experts say a better understanding of the psychological, criminological, and sociological side of the equation can help boost defenses and even catch an internal thief before he goes the distance.

Stock, a certified forensic psychologist and managing partner with the Incident Management Group (IMG), says the profile of the malicious insider that he and Shaw derived from real-world cases isn't just about the physical profile: "In the research, it says the typical person who conducts intellectual property theft is a 37-year-old male Caucasian. But we don't want companies to get sidetracked by that [profile] -- anybody at any given time is capable of stealing," Stock says. "We tried to describe how they get on a critical pathway to IP theft, and how you can identify different parts of that pathway."

Criminologist David Maimon, assistant professor of criminology and criminal justice at the University of Maryland's College of Behavioral and Social Sciences, recently teamed with engineer and computer scientist Michel Cukier, associate professor of reliability engineering at the university, to study the criminological side of hacking, spamming, and malware.

The professors, who plan to present details of their findings early next year, discovered some interesting correlations between computer crime and network usage trends that can help organizations better predict victims and attacks.

"We both had interest in the human component and tried to figure out innovative ways to try and study the human players behind cybercrime," says Maimon, who provided Dark Reading with a preview of some of the findings.

The researchers used real data from actual attempted attacks against the University of Maryland's network to study trends in how and when attackers strike, as well as other characteristics. One of their key findings was that the social composition of the network typically helps determine the origin of an attack, and that cybercriminals are like physical criminals: They are opportunistic when it comes to their victims.

"Cyberattacks against the campus network occurred at specific times, when most of the victims were on campus and using the system," Maimon says. "When you have more users online, you have more victims so more crimes going on during that time."

And like physical crime, where you go on the network determines your risk, too, he says. "We all use the same sort of devices to protect our systems, IPSes, IDSes, firewalls, and antivirus," Maimon says. "These tools are important, but at the same time you have to take into consideration the social [aspect] and end users."

As for the malicious insider, predispositions and professional dissatisfaction or a sense of being slighted in his job can serve as a trigger for sending him on that path. "A perceived injustice sends them along the critical pathway. They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior," Stock says.

Around 65 percent of malicious insiders have already lined up new job with a competitor or started their own firm at the time of the data theft. More than half begin stealing information within a month of leaving their employer. One-fourth sell the stolen information to a foreign company or country, and 20 percent are hired by an outsider to pilfer the information, according to the Symantec report.

Three-fourths take information that they have legitimate access to in their jobs, and more than half of these cases involve the theft of trade secrets; 30 percent, billing information, price lists, and other administrative data; 20 percent, source code; 14 percent, proprietary software; 12 percent, customer information; and 6 percent, business plans.

Even so, an employee going rogue after being overlooked for a promotion, for example, is the exception, not the rule. "A lot of employees aren't happy and think about doing bad things, but very few move down that pathway to do it. Those who do are very dangerous," Stock says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.