The Method to the Madness of Criminal Intent

Late in the summer of 2015, open source news reporting indicated that Chinese hackers may have been to blame for the breach of information at USIS, the major U.S. contractor for security background investigations for the U.S. Government. Initial estimates indicate that the breach exposed more than 25,000 private records. Investigators with the FBI described the attack as “sophisticated” because USIS was not aware of the intrusion for several weeks, if not months. Finally, if this breach included biometric data (digitized fingerprint cards are part of the files), then the compromise could affect people working in sensitive government positions involving travel or assignment overseas.

While the cyber threat is not new, the recent attack at USIS indicates that the threat is becoming more insidious. Attempts to thwart new and emerging threats seem fruitless, since technology advances so quickly; that is, cyber criminals stay abreast of emerging developments in the field of cyber security. So the cycle continues: improved security results in improved hacking methods, which in turn result in newer approaches to security.

This article suggests that the efficient approach to cyber threats lies not only in the employment of effective cyber defenses, but in the methodology of employing those defenses. This approach stems from effective methodologies in criminal investigation.

First, let us view the cyber threat through the lens of the criminal mind. Basically, all cyber attacks are a form of criminal behavior, because vandalism or theft is the end result. In the field of criminal investigation, investigators use certain methodologies to capture evidence and criminals, because there is a general process used by all criminals committing any crime. This process is as follows:

1. Identifying the target
2. Intelligence gathering of the target
3. Surveillance of the target
4. Planning the operation
5. Preparation/staging of tools/weapons
6. Rehearsing & training for the operation
7. Execution of the operation
8. Getaway

These steps are not “hard and fast,” so some steps are longer (or shorter) than others, and some steps may not occur at all. This is the general guide. For example, if someone were to plan a housebreaking, they would first identify the target (Step 1). In concert with this step, the individual(s) would scan the area under the ruse of soliciting work, passing out brochures, or perhaps offering to sell magazine subscriptions. While many innocent people solicit work, pass out brochures, or sell magazine subscriptions door-to-door, so do criminals. Once the criminal has identified several homes as candidate targets, the winnowing process moves to Step 2, Intelligence Gathering.

In the second step, the criminals would attempt to make calls to the home (if the telephone number is known) and/or conduct surveillance of the target, which is Step 3. To use an everyday example, if manual laborers were working a small residential construction project in a local neighborhood, and one or more of those workers had criminal intent, Steps 1-3 could occur while working on-site. These workers would have direct visual access to the next-door neighbors and the times they left and returned home, what kind of cars they drove, and perhaps a view of the interior of the garage. To ensure that no one was home at mid-day, one of these workers might ring the doorbell and ask for water, and in this way ascertain whether anyone was in the home during the workday. For this reason, when daylight house break-ins occur, police investigators tend to look for any general contractors who have had recent work in the neighborhood.

How do these vignettes of criminal behavior relate to cyber security?

First, there are many innocent people who participate in behaviors that align with the process identified for committing criminal acts. In order to thwart the thieves (before they reach Step 7), or even to begin to capture evidence against them in preparation of a sting operation, investigators need to identify behaviors to discriminate between benign behavior and behavior that warrants further scrutiny.

Investigators therefore need to identify what is to be protected (for example, the home, or in the context of this article, servers and networks). Once the protected environment is identified, investigators then develop lists of behaviors associated with someone who would have criminal intent against the protected environment. That is, for each step of the criminal process, investigators would develop the lists of behaviors associated with someone who is executing one or more steps of the criminal process.

Returning to the magazine-selling example: if someone approaches your doorstep selling subscriptions, and that person cannot tell you (right then and there, without pondering an answer) what their commission is, or what specific training they received as part of their employment, then that person warrants further scrutiny. Failure to answer such questions does not mean the individual has criminal intent. But those who do have criminal intent tend not to prepare “back stop” answers to such questions in advance. This approach illustrates the methodology for identifying potential threats in petty crime, and the same methodology applies to cyber threats, because hacking is criminal behavior. Each step of the criminal process, when associated with the protected environment, yields its own list of behaviors. These behaviors then become the focus of the investigator, who concentrates on specific objective criteria rather than general subjective criteria.

This methodology for the proactive identification of criminal activity, when applied together with current cyber defense tools and techniques, can identify potential threats before they occur. Spending money on cyber defense technology is important, but if that technology does not live within the context of the appropriate methodology (based on the criminal process), then it will not realize its full potential. As was seen in the cyber security attack on the USIS Corporation, the criminals successfully completed Step 8 of the process – the Getaway.

— — — — — — — — — — — — — —

Post by Joseph Lukowski.  Major Lukowski retired from the Air Force Office of Special Investigations after 20 years of service with career experience in counterintelligence. Today he is a small business owner in San Antonio, TX. His clients are federal Government agencies both CONUS and overseas.



  1. Alexander on February 14, 2017 at 4:24 pm

    This article was interesting and well structured but entirely misses the mark.

    “The cyber threat through the lens of the criminal mind. Basically, all cyber attacks are a form of criminal behavior, because vandalism or theft is the end result.”

    This is an oversimplification that fails to identify the threat accurately. Cyber hacktivism may have been popular in the 80’s as cyber vandalism, and I am sure there are still cases today of high school students defacing each other’s website pages or sending out false rumors over social media. As for theft, it is a means to an end in Information Assurance and not the end result but rather the beginning of any advanced persistent threat. There is more hacking done to see if it can be done rather than to cause vandalism or theft. Take DROWN for example, a case of hacking to expose a vulnerability and potential zero-day attack and share the findings with the Information Technology community to prevent damage. But then that is the definition of hacking, to take something apart to build something better. What most media refer to as hacking is actually cracking, to break into a system with malicious intent.

    Most cyber instances now are forms of state-sponsored or trained freelance operations to gain infrastructure access and control; then, when needed, that access and control is exploited for monetary objectives. Ransomware, for example, encrypts one’s data due to poor Information Assurance backups and redundancy; this causes the victim to pay 500 Bitcoin for the public passphrase to decrypt their data. To date 100% of the ransom paid has resulted in decryption of the data, but that will change once disruption becomes the objective and not monetary exploit.

    Law enforcement tends to think of cyber attacks as crimes by criminals when in actuality it is more like signals intelligence on steroids. In several cases the actual criminal was the one cracked and shut down, as the cyber community also self-polices from time to time.

    Your method and techniques do have merit, but the premise causes a form of mirror imaging, or conforming the threat to fit our familiar known threats through a law enforcement lens.

    • Joseph Lukowski on March 8, 2017 at 3:51 pm

      Alexander, I appreciate your contemporary perspective, but the methodology remains the same throughout time: individuals are breaking the law. The victims do not view this activity as “signals intelligence on steroids” but as actual violations of law (personal property, identity theft, vandalism, etc.). Robert Burns once penned an Old English lyric that said: “O wad some Pow’r the giftie gie us, To see oursels as ithers see us!” In other words, it is not how the cyber criminal sees himself (for example, as the enlightened warrior), but how others (the victims) view the outcomes — i.e., criminals in intent and action.
