Which of the following is most likely to get stopped and interrogated at the JFK International Airport?
a) An eccentric scientist carrying exotic species of insects?
b) Charlie Sheen?
c) A brown-skinned man wearing a robe?
If you're thinking C then you're probably aware that criminal profiling is a practice that law enforcement agencies around the world use. In fact, it's being used so much that it's given profiling a bad name. But the basic premise is sturdy: Bad guys are predictable because they are creatures of habit.
And that's why criminal profiling is beginning to spread to the cyber world.
For years now, forensic psychologists and behavioral scientists have been working in collaboration with law enforcement agencies to integrate psychological science into criminal profiling.
The most popular method of criminal profiling, offender profiling, aims to identify criminals based on an analysis of their behavior while they engage in the crime. The underlying rationale is simple: If behavior is common across crimes, it is probably the same criminal because behavior is related to the psycho-socio characteristics of an offender.
Behavior is revealed by the choices offenders make while committing a crime. This could include their modus operandi, the location of the crime, and the weapon of choice among others. This information is then combined with other pieces of physical evidence, and compared with the characteristics of known personality types and mental abnormalities to develop a practical working description of an offender. This study of the psyche of a criminal is considered the third wave of investigative science.
Criminal profiling has been used as a tool for investigation as far back as the beginning of the 20th century. The role of profiling first garnered interest following the infamous Jack the Ripper killings in England. Traditional policing systems like the Kotwali system, too, had a system of recording behavioral traits of criminals to arrive at some sort of a profile of a criminal, says S. Murugan, deputy inspector general of police, Cyber Cell, Bangalore.
But it's only recently that the science has really caught the fancy of the public. TV shows including CSI, The Mentalist, and Castle have all gotten on the study-the-mind-of-a-killer bandwagon.
In reality though, much more ground needs to be covered. The criminal profile practice in India is largely done by the police with the help of forensic experts. But there is not a great degree of psychoanalysis of offenders, admits Murugan.
"The current practice of criminal profiling is based on crime scene characteristics and demographic details; it does not include much of behavioral tendencies and personality traits," continues Dr. S.L. Vaya, director, Institute of Behavioral Science at the Gujarat Forensics Science University, which claims to be the first of its kind in India.
Part of the problem is the controversy surrounding the effectiveness of criminal profiling, along with the lack of empirical evidence supporting its effectiveness. But recent research indicates that criminal profiling is estimated to have a success rate of 77 percent in assisting traditional investigations.
The world of cyber crime significantly reshuffles the rules of criminal investigation. Unlike traditional crime scenes, evidence often exists only in the cyber-world: in a computer, a network, or the Internet. The weapon of choice, also a computer, a network, or the Internet, is volatile and easily contaminated or destroyed. And that's why CIOs and CISOs need to build robust ecosystems that can create accurate and reliable logs and audit trails.
But even that has its limitations. While log and audit trails could lead security analysts to a perpetrator, most often the trail ends at a computer, a server or a network, not the face behind it. As a result, only five percent of cyber criminals are caught and prosecuted.
It is this faceless dimension of cyber crime that compounds its challenge. And that's why the use of profiling will almost certainly grow over time.
"I think the concept of profiling is an excellent step. However, since most cyber crimes are faceless attacks, what would be great is if we could extend the concept of profiling to websites or URLs that are most likely to send malicious content or be associated with criminal activity," says Manish Dave, CISO, Essar Group.
If cyber criminals rely on the pseudo-anonymous nature of the Internet and technology to camouflage their true identities, it is up to security leaders to use another method to locate them. Fortunately, a cyber criminal's facelessness doesn't extend to other telling signs of crime: Motivation, MO, and signature behaviors. And criminal profiling relies heavily on such clues.
Criminal profiling can also be especially useful during the process of recruiting. As the trend of planting snitches in companies increases, it would be a great tool to keep in mind while conducting background checks of employees, says Parag Deodhar, chief risk officer, and VP process excellence and program management, Bharti AXA General Insurance.
Most of the work in cyber criminal profiling has been done around hackers. For the sake of general understanding, it needs to be said that cyber criminals are not the same as hackers. Cyber criminals use the electronic medium to commit theft, embezzlement or any other punishable offence, whereas hackers are just exceptionally skilled computer geeks.
That said, a large number of cyber criminal analyses have attempted to profile hackers on the basis of their hacking expertise level. The common profiles are:
Toolkit Newbies. They are largely technology novices, with very low technical skills and know-how. They use ready-made, pre-prepared software and depend on how-to documentation downloaded from the Internet.
Cyber-Punks. They are generally capable of writing short programs themselves, which they use mainly for defacing Web pages, spamming, credit card or personal information theft, identity theft, and telecommunications fraud. These cyber-criminals are most likely to brag about their skills and accomplishments.
Coders. They write code aimed exclusively at damaging other systems. They have ulterior motives and spread spyware and Trojans for this purpose.
Old-guard hackers. They are highly qualified and without criminal intent, and they embrace the original ideology of first-generation hackers. Their interest lies in the intellectual, cognitive side of hacking.
Hacktivists. These are political activists and have grown in popularity in the last year. They may or may not be well funded but always have some social or political agenda. However, hidden ulterior motives are possible too.
For CISOs, the following two categories are the ones to study. That's because they usually harbor the most malicious intent and they pose the highest threat to enterprises.
Internals. These are employees, former employees or contractual employees. Their intent to damage a company's system is primarily based on revenge for perceived grievances. Their attacks aren't based on technical skill but rather on a precise knowledge of the level and type of security present within an organization.
In their report, The Insider Threat to Information Systems, authors Eric Shaw, Keven Ruby, and Jerrold Post define such internals as Employee CITIs (Critical Information Technology Insider). According to them, Employee CITIs use their knowledge and access to internal information resources for a range of motives in addition to revenge, including greed, ego gratification, to resolve a personal or professional problem, to protect or advance their careers, to express their anger, to impress others, or a combination of these.
Michael Lauffenberger, a 31-year-old programmer for the General Dynamics Atlas Missile Program, is an example. He reportedly felt unappreciated for his programming work on a parts tracking system. That led him to plant a logic bomb in the system that was designed to erase critical data after he resigned. He anticipated returning to rescue the company as a highly-paid and valued consultant.
Another rather infamous example is Jay Beaman, a regional PC manager for the King Soopers supermarket chain. Beaman and two clerks were charged in an intricate computer fraud that cost the supermarket over $2 million (about Rs 9 crore) over two years.
Investigators described their motives as beginning with financial necessity but quickly escalating into greed and ego. Among the strategies Beaman and team used was manipulating the computer accounting system to funnel certain purchases into a dummy account. At the end of every day, they encashed the money and deleted the account, thereby erasing any trace of their fraud.
In both examples, employees used their knowledge and access to critical systems to create a crisis. In fact, Beaman was able to use his position to both commit and cover up his fraud, emphasizing the vulnerability of organizations to trusted employees.
Professional criminals and cyber-terrorists. Professional criminals specialize in industrial espionage and intelligence operations against governments, national security agencies, and organizations that deal with highly-sensitive information, and represent the highest class of risk. They are highly-motivated, highly-trained, highly-focused and have easy access to sophisticated tools and technologies. Like all mercenaries, they usually have the support and the backing of large-scale, organized crime syndicates.
One such ring was recently uncovered. The cyber-banking fraud ring, working from multiple geographies, went after the accounts of medium-sized companies, towns, and even churches in the United States. Before they were caught by law enforcement agencies in the US, the UK, Ukraine and the Netherlands, members of the ring managed to steal $70 million (about Rs 315 crore).
According to the FBI, using a Trojan horse virus known as Zeus, hackers in Eastern Europe infected computers around the world. The virus was carried in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the malicious software installed itself on their computers, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.
The hackers then used this information to take over bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of money mules. Many of the money mules in the US were recruited from overseas. They created bank accounts using fake documents and phony names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe or turn it into cash and smuggle it out of the country. For their work, they were paid a commission.
Last year, the FBI, along with the law enforcement agencies of the UK, Ukraine and the Netherlands, executed numerous warrants to arrest more than 27 persons across multiple countries in one of the largest cyber criminal cases the FBI claims to have ever investigated.
Motivation, method, and maturity: These are three of the more important parameters used in cyber criminal profiling. Though very little documentation exists about the psychological tendencies that drive perpetrators to criminal behavior, their behavioral manifestations can also be used against them.
It's important to remember that cyber criminals, too, are largely victims of their own stereotype. Some of those stereotypes suggest that they have an above average IQ, great technical and problem-solving skills, are dissatisfied or de-motivated by unchallenging environments at school or work, suffer from dysfunctional or impaired social relationships, and tend to rebel against authority.
There has been some work associating psychological diseases with cyber criminals. Infamous hackers such as Adrian Lamo and Ryan Cleary are reported to have suffered from Asperger's Syndrome, a form of autism characterized by significant difficulties in social interaction. Adrian Lamo, now a threat analyst, gained media attention for breaking into several high-profile networks including The New York Times, Yahoo!, and Microsoft, and later got embroiled in the Bradley Manning-WikiLeaks scandal.
Nineteen-year-old Ryan Cleary was more recently accused of being involved with the LulzSec group and hacking the UK's Serious Organized Crime Agency website.
Cyber criminals, reports suggest, prefer the predictability and structure of computer-based work to the dynamics of relationships. They spend significantly more time online than is necessary for their work, frequently report losing any sense of the passage of time while online, and find that their online activities interfere significantly with their personal lives. They are more likely to be independent, self-motivated, aggressive loners, who make poor team players and feel entitled to be a law unto themselves.
In addition to these psychological disorders associated with the criminal mind, there are several behavioral tendencies and manifestations that can also be attributed to criminal profiles. Some of these are:
Introversion. Criminal confessions are often the most potent tool for profilers. But the appallingly low rate of cyber-criminal convictions makes for a small pool of research. However, the majority of the arrested hackers, and those who have responded to surveys, indicate they are withdrawn, uncomfortable with other people, and are introverts.
Traditionally, computer professionals are associated with introversion. But with cyber criminals, introversion is accompanied by a history of personal and social frustrations (especially anger toward authority), ethical flexibility, a mixed sense of loyalty, entitlement, and lack of empathy.
Apathy. There have been many documented anecdotal accounts of the lack of concern by hackers over the systems they have attacked. Many of the written interviews with convicted hackers portray them as being more concerned with fulfilling their own material needs regardless of the consequences.
Misplaced Sense of Entitlement. Although hackers are self-confessed loners and have under-developed social skills, they appear to have a strong desire for affiliation, acceptance, and approval. Research suggests that individuals who engage in deviant cyber behavior, when encouraged, are willing to discuss and brag about their exploits.
Take the case of a network administrator, the face behind a multi-crore source code theft at one of India's largest software companies. When forced into a confession, he revealed how his desperation for social affiliation led him to commit the crime. In order to show off his IT skills to a girl he had recently met on a social networking site (the girl seemed to have expressed fascination for hackers and their intelligence), he went on to draw network diagrams and security mechanisms, including root passwords of his company, on paper tissues at the coffee table. The girl, reportedly, kept throwing those tissues into an ash tray, which a waiter emptied every so often. The waiter later confessed that he was paid Rs 5,000 to hand over all the tissues to a suspected Israeli national at another table, who later hacked into the organization from that coffee shop. The criminal was never caught.
More and more of such behavioral manifestations, tendencies, and stereotypes are being constantly studied and analyzed by psychologists and doctors to develop psycho-analytical profiles of such cyber world offenders.
"Though research in this field is plenty, there is no integration of research outcomes with actual case studies (field work), thus the level of sophistication required to be regarded as reliable scientific evidence to support criminal investigation is lacking," laments Dr. Vaya.
But she strongly believes that forensic psychological profiling of criminals will be increasingly useful in catching offenders. It is like if the country had a data bank of DNA or fingerprints of all its citizens, it would help make nabbing criminals much easier. Similarly, having a clear understanding of people's behavior to understand their personality traits by forensic behavioral analysis would help develop a data bank of psychological signatures of all suspected persons which would help identify criminals and pre-empt their moves.