The Art Of Profiling Cybercriminals

New psychological and criminological studies attempt to capture a glimpse of the human behind the hack

He's a white, 37-year-old engineer in your organization, and he feels justified in selling out your intellectual property to a foreign country because he's miffed about getting overlooked for a promotion. He has had a history of mental health problems, and his marriage is on the rocks as he faces personal financial issues.

Those are some of the common characteristics of the perfect storm for a typical malicious insider who steals and profits from his organization's trade secrets, according to a new report authored by psychologists with expertise in risk management and forensic psychology. The "Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property" research paper by Drs. Eric Shaw and Harley Stock was commissioned by Symantec and draws from real-world malicious insider cases.

With cybercrime becoming the weapon of choice for more criminals, psychologists such as Shaw and Stock, as well as sociologists and criminologists, are increasingly being tapped to help construct profiles of hackers and malicious insiders so organizations can better defend against outside threats and to better spot trouble internally.

While technology has been the main weapon against these attacks, experts say a better understanding of the psychological, criminological, and sociological side of the equation can help boost defenses and even catch an internal thief before he goes the distance.

Stock, a certified forensic psychologist and managing partner with the Incident Management Group (IMG), says the profile of the malicious insider that he and Shaw derived from real-world cases isn't just about demographics: "In the research, it says the typical person who conducts intellectual property theft is a 37-year-old male Caucasian. But we don't want companies to get sidetracked by that [profile] -- anybody at any given time is capable of stealing," Stock says. "We tried to describe how they get on a critical pathway to IP theft, and how you can identify different parts of that pathway."

Criminologist David Maimon, assistant professor of criminology and criminal justice at the University of Maryland's College of Behavioral and Social Sciences, recently teamed with engineer and computer scientist Michel Cukier, associate professor of reliability engineering at the university, to study the criminological side of hacking, spamming, and malware.

The professors, who plan to present details of their findings early next year, discovered some interesting correlations between computer crime and network usage trends that can help organizations better predict victims and attacks.

"We both had interest in the human component and tried to figure out innovative ways to try and study the human players behind cybercrime," says Maimon, who provided Dark Reading with a preview of some of the findings.

The researchers used real data from actual attempted attacks against the University of Maryland's network to study trends in how and when attackers strike, as well as other characteristics. One of their key findings was that the social composition of the network typically helps determine the origin of an attack, and that cybercriminals are like physical criminals: They are opportunistic when it comes to their victims.

"Cyberattacks against the campus network occurred at specific times, when most of the victims were on campus and using the system," Maimon says. "When you have more users online, you have more victims so more crimes going on during that time."

And like physical crime, where you go on the network determines your risk, too, he says. "We all use the same sort of devices to protect our systems, IPSes, IDSes, firewalls, and antivirus," Maimon says. "These tools are important, but at the same time you have to take into consideration the social [aspect] and end users."
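The timing finding lends itself to a quick check on your own network. The script below is an added example, not code from the article or from the Maryland researchers: it bins constructed IDS alert timestamps by hour, joins them with constructed hourly active-session counts, and reports both the raw correlation (which reproduces "more users online, more attacks") and the exposure-normalised per-user rate, which is the number that tells you whether an hour is risky beyond simply being busy. The alert times, the user counts, the hypothetical data sources and the outlier threshold are all assumptions.

```python
"""Added example: does attack volume just track how many users are online?"""
from collections import Counter
from datetime import datetime, timedelta
import math


def _mk(hour, n):
    """Constructed helper: n ISO-8601 alert timestamps spread across one hour."""
    base = datetime(2012, 11, 5, hour)
    return [(base + timedelta(minutes=i * 60 // n)).isoformat() for i in range(n)]


# Constructed sample data (not real logs): one day of IDS alert timestamps.
ALERT_TIMES = (_mk(2, 2) + _mk(6, 2) + _mk(10, 16)
               + _mk(14, 20) + _mk(18, 12) + _mk(22, 4))

# Constructed hourly active-session counts for the same day (assumed to come
# from DHCP leases, NAC or VPN logs in a real deployment).
ACTIVE_USERS = {2: 50, 6: 100, 10: 800, 14: 1000, 18: 600, 22: 200}


def alerts_per_hour(timestamps):
    """Bin alert timestamps by hour of day."""
    return Counter(datetime.fromisoformat(t).hour for t in timestamps)


def per_user_rate(alert_counts, active_users):
    """Alerts per active user, i.e. the count normalised by exposure."""
    return {h: alert_counts.get(h, 0) / n for h, n in active_users.items() if n}


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def exposure_analysis(timestamps, active_users, outlier_ratio=1.5):
    """Compare raw alert counts with the exposure-normalised rate.

    A high correlation between user count and alert count reproduces the
    Maryland finding; hours whose per-user rate sits well above the median
    are the ones exposure alone does not explain (e.g. off-hours scanning).
    """
    counts = alerts_per_hour(timestamps)
    hours = sorted(active_users)
    r = pearson([active_users[h] for h in hours], [counts.get(h, 0) for h in hours])
    rates = per_user_rate(counts, active_users)
    median = sorted(rates.values())[len(rates) // 2]
    outliers = {h: rt for h, rt in rates.items() if rt > outlier_ratio * median}
    return {"correlation": r, "counts": counts, "rates": rates, "outliers": outliers}


if __name__ == "__main__":
    result = exposure_analysis(ALERT_TIMES, ACTIVE_USERS)
    print("correlation(users, alerts) = %.3f" % result["correlation"])
    for h in sorted(ACTIVE_USERS):
        print("%02d:00  users=%4d  alerts=%3d  per-user=%.3f"
              % (h, ACTIVE_USERS[h], result["counts"].get(h, 0), result["rates"][h]))
    print("hours above exposure baseline:", sorted(result["outliers"]))
```

On the constructed data the correlation is close to 1, as in the study, but the 02:00 bin has twice the per-user rate of every other hour: few victims online, yet proportionally more alerts, which is what automated scanning looks like once the busy-hours effect is removed. Swap in your own IDS export and session counts and the same two numbers tell you whether your attack curve is anything more than your user curve.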

As for the malicious insider, predispositions and professional dissatisfaction or a sense of being slighted in his job can serve as a trigger for sending him on that path. "A perceived injustice sends them along the critical pathway. They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior," Stock says.

Around 65 percent of malicious insiders have already lined up a new job with a competitor or started their own firm at the time of the data theft. More than half begin stealing information within a month of leaving their employer. One-fourth sell the stolen information to a foreign company or country, and 20 percent are hired by an outsider to pilfer the information, according to the Symantec report.

Three-fourths take information that they have legitimate access to in their jobs, and more than half of these cases involve the theft of trade secrets; 30 percent, billing information, price lists, and other administrative data; 20 percent, source code; 14 percent, proprietary software; 12 percent, customer information; and 6 percent, business plans.

Even so, an employee going rogue after being overlooked for a promotion, for example, is the exception, not the rule. "A lot of employees aren't happy and think about doing bad things, but very few move down that pathway to do it. Those who do are very dangerous," Stock says.
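The report's figures point at where a detection would look: most of the theft goes through access the insider already holds, and more than half of it starts within a month of departure. The script below is an added example, not code from the Symantec report or the article: it compares a departing user's file-access volume in the 30 days before a known last day against that user's own earlier baseline, and breaks any spike down by the data categories the report counts. The access events, the HR departure feed, the path-to-category mapping and the thresholds are all constructed assumptions.

```python
"""Added example: flag a departing insider's access spike against their own baseline."""
from collections import Counter
from datetime import date, timedelta


def _events(user, start, days, per_day, folder):
    """Constructed helper: per_day file reads by `user` each day for `days` days."""
    return [(user, start + timedelta(days=d), "%sdoc%04d.pdf" % (folder, d * per_day + k))
            for d in range(days) for k in range(per_day)]


# Constructed sample data (not real logs): (user, date, path) file-server reads.
# 'alice' reads 2 design docs a day, then 15 a day in her last month;
# 'bob' reads 3 price lists a day throughout.
EVENTS = (_events("alice", date(2012, 8, 1), 60, 2, "/eng/design/")
          + _events("alice", date(2012, 10, 2), 30, 15, "/eng/design/")
          + _events("bob", date(2012, 8, 1), 90, 3, "/sales/pricelists/"))

# Assumed HR feed: users with a known last day (resignation, contract end).
DEPARTURES = {"alice": date(2012, 11, 1), "bob": date(2012, 11, 1)}

# Assumed mapping from share path to the data categories the report counts.
CATEGORIES = {"/eng/design/": "trade secrets", "/src/": "source code",
              "/sales/pricelists/": "price lists", "/crm/": "customer information"}

WINDOW_DAYS = 30  # the report: over half start stealing within a month of leaving


def categorise(path):
    for prefix, label in CATEGORIES.items():
        if path.startswith(prefix):
            return label
    return "other"


def activity(events, user, start, end):
    """Events by `user` with start <= date < end."""
    return [e for e in events if e[0] == user and start <= e[1] < end]


def departure_spikes(events, departures, window=WINDOW_DAYS, ratio=3.0, min_events=50):
    """Users whose access volume in the pre-departure window exceeds
    `ratio` times their own baseline from the two preceding windows.

    Comparing against the user's own history matters because three-quarters
    of thefts use access the insider legitimately holds: nothing is denied,
    so the change in volume is the signal, not the access itself.
    """
    flagged = {}
    for user, last_day in departures.items():
        win_start = last_day - timedelta(days=window)
        base_start = win_start - timedelta(days=2 * window)
        recent = activity(events, user, win_start, last_day)
        baseline = len(activity(events, user, base_start, win_start)) / 2.0
        if len(recent) >= min_events and len(recent) > ratio * max(baseline, 1.0):
            flagged[user] = {
                "recent": len(recent),
                "baseline": baseline,
                "by_category": dict(Counter(categorise(p) for _, _, p in recent)),
            }
    return flagged


if __name__ == "__main__":
    for user, info in departure_spikes(EVENTS, DEPARTURES).items():
        print("%s: %d reads in last %d days vs baseline %.0f; %s"
              % (user, info["recent"], WINDOW_DAYS, info["baseline"], info["by_category"]))
```

On the constructed data alice is flagged (450 reads of trade-secret documents against a baseline of 58 per 30 days) and bob is not, because his volume never leaves his own norm. The `min_events` floor keeps a user with a near-zero baseline from being flagged for a handful of reads, and the per-user baseline, rather than a fleet-wide one, is what Stock's caution about not fixating on the demographic profile translates to in a detection: anybody can be on the pathway, so measure each person against themselves.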

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise, among others.