
The Art Of Profiling Cybercriminals

New psychological and criminological studies attempt to capture a glimpse of the human behind the hack

He's a white, 37-year-old engineer in your organization, and he feels justified in selling out your intellectual property to a foreign country because he's miffed about getting overlooked for a promotion. He has had a history of mental health problems, and his marriage is on the rocks as he faces personal financial issues.

Those are some of the common characteristics of the perfect storm for a typical malicious insider who steals and profits from his organization's trade secrets, according to a new report authored by psychologists with expertise in risk management and forensic psychology. The "Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property" research paper by Drs. Eric Shaw and Harley Stock was commissioned by Symantec and draws from real-world malicious insider cases.

With cybercrime becoming the weapon of choice for more criminals, psychologists such as Shaw and Stock, as well as sociologists and criminologists, are increasingly being tapped to help construct profiles of hackers and malicious insiders so organizations can better defend against outside threats and to better spot trouble internally.

While technology has been the main weapon against these attacks, experts say a better understanding of the psychological, criminological, and sociological side of the equation can help boost defenses and even catch an internal thief before he goes the distance.

Stock, a certified forensic psychologist and managing partner with the Incident Management Group (IMG), says the profile of the malicious insider that he and Shaw derived from real-world cases isn't just about the demographic profile: "In the research, it says the typical person who conducts intellectual property theft is a 37-year-old male Caucasian. But we don't want companies to get sidetracked by that [profile] -- anybody at any given time is capable of stealing," Stock says. "We tried to describe how they get on a critical pathway to IP theft, and how you can identify different parts of that pathway."

Criminologist David Maimon, assistant professor of criminology and criminal justice at the University of Maryland's College of Behavioral and Social Sciences, recently teamed with engineer and computer scientist Michel Cukier, associate professor of reliability engineering at the university, to study the criminological side of hacking, spamming, and malware.

The professors, who plan to present details of their findings early next year, discovered some interesting correlations between computer crime and network usage trends that can help organizations better predict victims and attacks.

"We both had interest in the human component and tried to figure out innovative ways to try and study the human players behind cybercrime," says Maimon, who provided Dark Reading with a preview of some of the findings.

The researchers used real data from actual attempted attacks against the University of Maryland's network to study trends in how and when attackers strike, as well as other characteristics. One of their key findings was that the social composition of the network typically helps determine the origin of an attack, and that cybercriminals are like physical criminals: They are opportunistic when it comes to their victims.

"Cyberattacks against the campus network occurred at specific times, when most of the victims were on campus and using the system," Maimon says. "When you have more users online, you have more victims so more crimes going on during that time."

And like physical crime, where you go on the network determines your risk, too, he says. "We all use the same sort of devices to protect our systems: IPSes, IDSes, firewalls, and antivirus," Maimon says. "These tools are important, but at the same time you have to take into consideration the social [aspect] and end users."
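Maimon's point that raw attack counts track the number of users online has a practical consequence for anyone reading sensor data: a midday spike in alerts may just be exposure, not a change in attacker behaviour. The following is an added example, not code from the article or from the University of Maryland study, showing one way to separate the two by normalising hourly attack counts against active-user counts. The hourly observations are constructed for illustration, and the 1.5x-median threshold is an arbitrary assumption.

```python
"""Normalise hourly attack counts by active users so that exposure
(more users online) is separated from a genuine rise in per-user risk.
Added example; all data below is constructed, not measured."""

from statistics import median

# Constructed hourly observations for one campus subnet:
# (hour_of_day, active_users, attacks_seen). Midday has the most
# attacks in absolute terms simply because the most users are online;
# the late-evening hour has fewer attacks but far fewer users.
OBSERVATIONS = [
    (0, 200, 4),
    (3, 120, 2),
    (6, 400, 8),
    (9, 2400, 48),
    (12, 3000, 60),
    (15, 2800, 56),
    (18, 1500, 30),
    (21, 600, 24),
]


def attacks_per_user(observations):
    """Return {hour: attacks / active_users}; skips hours with no users."""
    return {
        hour: attacks / users
        for hour, users, attacks in observations
        if users > 0
    }


def peak_hours_by_count(observations, top=3):
    """Hours with the most attacks in absolute terms (the naive view)."""
    ranked = sorted(observations, key=lambda o: o[2], reverse=True)
    return [hour for hour, _users, _attacks in ranked[:top]]


def anomalous_hours(observations, factor=1.5):
    """Hours whose per-user attack rate exceeds factor * median rate.

    The median rate is used as the baseline because it is robust to a
    single outlying hour; 'factor' is an assumed tuning knob, not a
    value taken from the study.
    """
    rates = attacks_per_user(observations)
    if not rates:
        return []
    baseline = median(rates.values())
    threshold = factor * baseline
    return sorted(hour for hour, rate in rates.items() if rate > threshold)


if __name__ == "__main__":
    # Naive ranking points at the busiest hours of the day...
    print("busiest hours by raw count:", peak_hours_by_count(OBSERVATIONS))
    # ...while the rate-based view isolates the one hour where each
    # connected user actually faced elevated risk.
    print("hours with elevated per-user rate:", anomalous_hours(OBSERVATIONS))
```

With the constructed data, the raw count ranks 12:00, 15:00 and 09:00 as the busiest hours, while the per-user rate flags only 21:00, where 24 attacks against 600 users is double the rate seen during the day. Whether that evening hour reflects a real shift in targeting or a data artefact is a question for the analyst, but the normalisation is what makes it visible at all.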

As for the malicious insider, predispositions and professional dissatisfaction or a sense of being slighted in his job can serve as a trigger for sending him on that path. "A perceived injustice sends them along the critical pathway. They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior," Stock says.

Around 65 percent of malicious insiders have already lined up a new job with a competitor or started their own firm at the time of the data theft. More than half begin stealing information within a month of leaving their employer. One-fourth sell the stolen information to a foreign company or country, and 20 percent are hired by an outsider to pilfer the information, according to the Symantec report.

Three-fourths take information that they have legitimate access to in their jobs. Across the cases studied, more than half involve the theft of trade secrets; 30 percent, billing information, price lists, and other administrative data; 20 percent, source code; 14 percent, proprietary software; 12 percent, customer information; and 6 percent, business plans. The categories overlap, which is why the figures sum to more than 100 percent.

Even so, an employee going rogue after being overlooked for a promotion, for example, is the exception, not the rule. "A lot of employees aren't happy and think about doing bad things, but very few move down that pathway to do it. Those who do are very dangerous," Stock says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
