Using Offender Profiling Techniques in Security Operations

Let's start this article off with a question. What do Agent Smith from The Matrix, the Joker from Batman and Darth Vader from Star Wars have in common? It's not the fact that they're all from movies, nor the fact that they're all villains, but the fact that they're all villains with motives and purposes. Be it enslaving humanity in The Matrix or building the Death Star in Star Wars, each of these villains does what they do for a reason. The heroes in these movies then use those motives and purposes against the villains in one form or another.

This, at its core, is what offender profiling is all about. It’s about building a knowledge base on malicious actors, and about understanding who the villains are so that we can better protect against them.

There's an example I like giving for offender profiling, and I'll be honest, I like giving it because it is simple and easy for us to understand. It's the idea of a DoS (Denial of Service) attack. Let's imagine we're protecting a customer's network and they're continually getting DoSed by a Scandinavian hacker group between the hours of 03:00 and 06:00 each day. In response we can put extra load balancers in place at these times, and then for the rest of the day use what we usually use. Here we're using preemptive security and offender profiling, as well as some general security techniques, to help protect our customers.

There is a great quote from the Los Angeles Police Chief, Charlie Beck, that talks about the importance of predictive policing. It says: “I’m not going to get more money. I’m not going to get more cops. I have to be better at using what I have, and that’s what predictive policing is about.” This same approach can be used for offender profiling. It’s all about preemptive security, doing what we can now to help protect ourselves in the future.

So if that’s what offender profiling is and why it’s important, how do we actually implement it? We can break building a knowledge base down into three main areas.

  • The Target | Who is the target and what type of target are they (Individual, Group, Government, etc)?
  • The Attacker | Who is the attacker and again what type of attacker are they (Individual, Group, State Sponsored, etc)?
  • Overall | When and where did the attack occur?

All of this information helps us build a knowledge base. It allows us to build a bigger picture on who the malicious actors are and what they do.

The question comes down to how we implement offender profiling techniques in a security operations center. It's quite simple, and to explain it let's look at Alice. Alice is a security analyst for an up-and-coming security start-up. Alice manages a small team of security analysts and it is her job to deal with security incidents from their customers as they come in: anything from SQLi attacks to malware infections.

It’s the job of Alice and her team to action these security incidents. This could involve anything from calling up a customer to writing up some feedback or remoting into a system. Generally this works really well.

This approach fails when Alice and her team become overwhelmed with security incidents. The incidents Alice and her team receive are prioritized by arrival time, which means that some of the higher priority attacks may get swamped in a sea of lower risk ones. Alice doesn't like this; she wants to find a way to prioritize these attacks on factors other than time.

Going into an array of methods for offender profiling would turn this article into an essay. So instead here are some key takeaways that we could implement right here and now to improve our security operations.

  • Asset Profiling | Understanding what we are actually protecting.
  • Attack Frequency Plotting | Reviewing how often different malicious actors attack which assets.
  • Attack Comparison Analysis | Comparing the risk of attacks based on the impact and likelihood of the attack.
  • Kill chain analysis | Deciding where an attack fits in its life-cycle and if the attack is currently a risk.
  • Naming conventions | Making sure that we have accurate and beneficial naming conventions for our malicious actors.
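The takeaways above and Alice's queue problem fit together into a small triage model, shown here as an added example rather than anything from the article: asset profiling supplies impact, attack frequency plotting (counts per actor and asset, plus an hour-of-day histogram like the 03:00 to 06:00 DoS pattern) feeds likelihood, kill chain analysis decides how live the attack is, and the resulting score orders the queue instead of arrival time. The `KILL_CHAIN` stages, the `ASSET_CRITICALITY` and `BASE_LIKELIHOOD` tables, the actor labels and every incident and history record are constructed for the example.

```python
"""Risk-based incident triage from an offender-profiling knowledge base.

Added example, not the article's own code: a queue of incidents is ordered by
profile-derived risk instead of by arrival time. All assets, actors,
incidents and history records below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Kill chain analysis: stages from earliest to latest (constructed list).
KILL_CHAIN = ["recon", "weaponization", "delivery", "exploitation",
              "installation", "c2", "actions"]

# Asset profiling: how much each protected asset matters, 0..1 (constructed).
ASSET_CRITICALITY = {"public-web": 0.5, "hr-db": 0.9, "dev-laptop": 0.3}

# Base likelihood that an attack of this type succeeds, 0..1 (constructed).
BASE_LIKELIHOOD = {"port-scan": 0.9, "dos": 0.6, "sqli": 0.5, "malware": 0.7}


@dataclass(frozen=True)
class Incident:
    id: str
    received: datetime
    asset: str
    actor: str          # naming convention: one stable label per actor
    attack_type: str
    stage: str          # one of KILL_CHAIN


# Attack frequency plotting input: past incidents as (actor, asset, time).
HISTORY = [
    ("nordic-dos-group", "public-web", datetime(2019, 5, 1, 3, 10)),
    ("nordic-dos-group", "public-web", datetime(2019, 5, 2, 4, 20)),
    ("nordic-dos-group", "public-web", datetime(2019, 5, 3, 3, 45)),
    ("nordic-dos-group", "public-web", datetime(2019, 5, 4, 5, 5)),
    ("opportunistic-scanner", "public-web", datetime(2019, 5, 4, 14, 0)),
]

# Today's queue, in the order it arrived (constructed).
INCIDENTS = [
    Incident("INC-1", datetime(2019, 5, 5, 9, 0), "public-web",
             "opportunistic-scanner", "port-scan", "recon"),
    Incident("INC-2", datetime(2019, 5, 5, 9, 5), "public-web",
             "nordic-dos-group", "dos", "actions"),
    Incident("INC-3", datetime(2019, 5, 5, 9, 10), "hr-db",
             "unknown", "sqli", "exploitation"),
    Incident("INC-4", datetime(2019, 5, 5, 9, 12), "dev-laptop",
             "unknown", "malware", "installation"),
]


def actor_asset_counts(history):
    """How often each actor has hit each asset before."""
    return Counter((actor, asset) for actor, asset, _ in history)


def active_hours(history, actor):
    """Hour-of-day histogram for one actor, e.g. to spot a 03:00-06:00 window."""
    return Counter(ts.hour for a, _, ts in history if a == actor)


def stage_weight(stage):
    """Later kill-chain stages weigh more: recon is about 0.14, actions is 1.0."""
    return (KILL_CHAIN.index(stage) + 1) / len(KILL_CHAIN)


def risk_score(inc, counts):
    """Attack comparison analysis: impact x likelihood x how far along the attack is."""
    impact = ASSET_CRITICALITY[inc.asset]
    repeats = min(counts[(inc.actor, inc.asset)], 5)   # cap the history boost
    likelihood = min(1.0, BASE_LIKELIHOOD[inc.attack_type] * (1 + repeats / 5))
    return round(100 * impact * likelihood * stage_weight(inc.stage), 1)


def time_order(incidents):
    """Alice's current queue: first in, first handled."""
    return sorted(incidents, key=lambda i: i.received)


def prioritize(incidents, history=HISTORY):
    """Risk-ordered queue built from the profiling knowledge base."""
    counts = actor_asset_counts(history)
    return sorted(incidents, key=lambda i: risk_score(i, counts), reverse=True)


if __name__ == "__main__":
    counts = actor_asset_counts(HISTORY)
    print("by time:", [i.id for i in time_order(INCIDENTS)])
    print("by risk:", [(i.id, risk_score(i, counts)) for i in prioritize(INCIDENTS)])
    print("nordic-dos-group active hours:", dict(active_hours(HISTORY, "nordic-dos-group")))
```

Run as a script it shows the live DoS against the repeatedly targeted web asset moving to the front and the reconnaissance scan dropping to the back, which is exactly the reordering Alice wants; the history boost is capped so a noisy actor cannot push every trivial alert above a quiet but serious one.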

Intrusion analysis is far more than the tools that we use. Instead, it is about understanding something. In some cases this might be about understanding an attack. When this is the case, offender profiling shows us that every attack is orchestrated, that every attack has a motive and a purpose. Finally, it shows us that in better understanding these motives and purposes we can better protect ourselves and our customers.
