Late in the summer of 2015, open source news reporting indicated that Chinese hackers may have been to blame for the breach of information at USIS, which is the major U.S. contractor for security background investigations for the U.S. Government. Initial estimates indicate that the cyber security hacking included more than 25,000 private records. Investigators with the FBI described the attack as “sophisticated” because USIS was not aware of the intrusion for several weeks if not months. Finally, if this breach included biometric data (since digitized fingerprint cards are part of the files) then the compromise could affect people working in sensitive government positions involving travel or assignment overseas.
While the cyber threat is not new, the recent attack at USIS indicates that the threat is more insidious. Attempts to thwart new and emerging threats seem fruitless, since technology advances so quickly. That is, the cyber criminals stay abreast of emerging developments is the fields of cyber security. So the cycle continues: improved security results in improved hacking methods, which in turn result in newer approaches to security.
This article will suggest that the efficient approach to cyber threats lies not only in the employment of effective cyber defenses, but in the methodology of employing those defenses. This approach stems from effective methodologies in criminal investigation.
First, let us view the cyber threat through the lens of the criminal mind. Basically, all cyber attacks are a form of criminal behavior, because vandalism or theft is the end result. In the field of criminal investigation, investigators utilize certain methodologies to capture evidence and criminals; that is, there is a general process used by all criminals committing any crime. This process is as follows:
1. Identifying the target
2. Intelligence gathering of the target
3. Surveillance of the target
4. Planning the operation
5. Preparation/staging of tools/weapons
6. Rehearsing & training for the operation
7. Execution of the operation
These steps are not “hard and fast” and so some steps are longer (or shorter), and some steps may not occur at all. This is the general guide. For example, if someone were to plan a housebreaking, they would first identify the target (Step 1). So, in concert with this step, the individual(s) would scan the area through the ruse of soliciting work, passing out brochures, or perhaps offering to sell magazine subscriptions. While many innocent people solicit work, pass out brochures, or sell magazine subscriptions door-to-door, so do criminals. Once the criminal has ascertained several homes as targets, the winnowing process would move to Step 2, Intelligence Gathering.
In the second step, the criminals would attempt to make calls to the home (if the telephone number is known) and/o r conduct surveillance of the target, which is Step 3. So, to use an everyday example, if manual laborers were working a small residential construction project in a local neighborhood, and one or more of those workers had criminal intent, the process of Steps 1-3 could occur while working on-site. That is, for example, these workers would have direct visual access to the next door neighbors and the times they left and returned home; what kind of cars they drove; and perhaps have a view of the interior of the garage. To ensure that no one was home in the mid-day, one of these workers might ring the doorbell and ask for water, and in this way ascertain if there was anyone in the home during the workday. In this regard, when daylight house break-ins occur, police investigators tend to look for any general contractors in the local area who have had recent work in the neighborhood.
How do these vignettes of criminal behavior relate to cyber security?
First, there are many innocent people who participate in behaviors that align with the process identified for committing criminal acts. In order to thwart the thieves (before they reach Step 7), or even to begin to capture evidence against them in preparation of a sting operation, investigators need to identify behaviors to discriminate between benign behavior and behavior that warrants further scrutiny.
Investigators therefore need to identify what is to be protected (for example, the home, or in the context of this article, servers and networks). Once the protected environment is identified, investigators then develop lists of behaviors associated with someone who would have criminal intent against the protected environment. That is, for each step of the criminal process, investigators would develop the lists of behaviors associated with someone who is executing one or more steps of the criminal process.
Returning to the magazine selling example, if someone approaches your doorstep selling subscriptions, and that person cannot tell you (right then and there without pondering an answer) what their commission is, or perhaps what specific training they had received as part of their employment, then that person warrants further scrutiny. Failure to answer such questions does not mean the individual has criminal intent. But if they do have criminal intent, they tend not to prepare in advance and have “back stop” answers to such questions. This approach illustrates the methodology for identifying potential threats in petty crime, and the use of this methodology also applies to cyber threats, because hacking is criminal behavior. So each and every step of the criminal process would provide the lists of behaviors when associated with the protected environment. These behaviors then become the focus of the investigator who focuses on specific objective criteria as opposed to general subjective criteria.
The use of the methodology for the proactive identification of criminal activity, which, when applied with current cyber defense tools and techniques, can identify potential threats before they occur. Spending money on cyber defense technology is important, but if that technology does not live within the context of the appropriate methodology (based on the criminal process), then such technology will not realize its full potential. As was seen in the cyber security attack of the USIS Corporation, the criminals made the successful completion to Step 8 of the process – the Getaway.
— — — — — — — — — — — — — —
Post by Joseph Lukowski. Major Lukowski retired from the Air Force Office of Special Investigations after 20 years of service with career experience in counterintelligence. Today he is a small business owner in San Antonio, TX. His clients are federal Government agencies both CONUS and overseas.