
PERPETRATORS, PROFILING, POLICING: Theory & Practice 8th International Investigative Psychology Conference



  1. PERPETRATORS, PROFILING, POLICING: Theory & Practice 8th International Investigative Psychology Conference
     Coordinated Cyber Attacks Towards Norway in 2004
     December 15, 2005

  2. Introduction: Cyber Attacks & Incidents
     • Continuous growth in cyber crime and its related losses
     • Definition of cyber attacks versus cyber incidents
     • Terrorists may conduct attacks via or towards ICTs
     • Protection of the Critical Infrastructure is of major importance
     • Information gathering and profiling are used to reduce the amount of data
     • Profiling as part of technical tools for detecting anomalous behaviour (IDS and AML)
     • Behavioural profiling and investigative psychology for categorising and linking offenders and for advancing searches
     • The current study profiles cyber incidents to improve insight into how they are done, by whom and why

  3. Relevant Research and Gap in Literature
     • Much research on technical security
     • Excludes the wider social and behavioural context
     • Emergence of information systems research from the social science tradition
     • Criminology and psychology may be used in the information systems security domain
     • There is a gap in inductive profiling of cyber incidents, largely due to scarce statistics and information gathering
     • Information gathered from technical systems that may be used for behavioural profiling comes from IDS and firewall logs, forensic evidence etc.
     • Inductive profiling may draw on expert statements when little theory is developed in the area

  4. Theoretical Framework
     • The current analysis builds on Howard’s (1997) categories of cyber incidents:
       • Attacker
       • Tool
       • Access
       • Result
       • Objective
     • Including the target and opportunity factors (Willison and Backhouse, 2005):
       • Target
       • Opportunity
     • Differences between attackers and types of attack (Kjaerland, 2005)
     • Expert statements may be related to the objective or opportunity of an attack (as created by the target)

  5. Research Problem and Question
     • Much data exists in systems that may be reduced through inductive (or statistical) profiling
     • Differentiate between incidents through the use of multidimensional scaling techniques (MDS)
     • Systematic analysis of attack/incident characteristics in order to distinguish between type of attack (method of operation) and type of source (source or attacker)
     • The research problem is to profile cyber incidents in order to improve the understanding of cyber incidents: how they are done, by whom and why
     • In other words, what is the structure of coordinated attacks, and what types of attack are most characteristic of different types of countries?

  6. Design and Method
     • Smallest Space Analysis (SSA) is used to understand more about the relationship between:
       • type of attack (method of operation)
       • country of attack (source or attacker)
     • These categories may be seen as variants of Howard’s (1997) typology
     • SSA is often used in relation to Facet theory, which allows for the reworking of a definitional system
     • SSA can also be used in an exploratory manner when a subject is not well featured in the literature
     • The current method is used to look at type of attack and country as categorical data (non-metric)
     • The current analysis may help improve future analysis by looking at the categories and the relationships between the variables

  7. Dataset and Facets
     • Data come from an international oil company (Statoil) that cooperates on the project ‘Warning System for Critical Infrastructure’ (VDI), coordinated by the National Authorities in Norway
     • 205 coordinated attacks towards the critical infrastructure in 2004 are analysed using Smallest Space Analysis (SSA)
     • An attack must hit at least 5 companies simultaneously to be classified as a coordinated attack
     • The attack type variables are Root, Reconnaissance, Denial of Service (DoS), and Worm
     • There are 21 countries in the analysis, forming 35 variables of countries and type of attack

  8. Results - SSA
     • The analysis gave a Jaccard’s coefficient of 0.12 in 42 iterations
     • Norway and Root are close together in the SSA plot, indicating that they are closely related
     • Slovenia and Root are not close together in the SSA plot, indicating that they do not often appear together
     • Breaking and Entering: Norway, Japan, Germany, and Turkey
     • Random Scans & Virus/Worm: Italy, Israel, and Brazil
     • Crashing/Hanging Programs & Services: China, Canada, UK, Malaysia, and Taiwan

  9. Results - Frequencies
     • Incident:
       • Reconnaissance: 190 of 205 cases (92.7%)
       • Worm: 112 of 205 cases (54.6%)
       • Root compromise: 85 of 205 cases (41.5%)
       • DoS: 20 of 205 cases (9.8%)
     • Country:
       • US: 71 of 205 attacks (34.6%)
       • China: 54 of 205 attacks (26.3%)
       • Canada: 10 of 205 (4.9%)
       • Japan: 9 of 205 attacks (4.4%)
       • Norway: 9 of 205 attacks (4.4%)
       • UK: 7 of 205 incidents (3.4%)
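Slides 7 to 9 describe the data as dichotomous variables (each country and each attack type is present or absent in a coordinated incident), an association measure (Jaccard's coefficient) computed between those variables, and a frequency table. The script below is an added example, not part of the presentation or of the VDI/Statoil dataset, that carries out exactly those two tabular steps on a small constructed sample of incidents: it indexes which incidents each variable appears in, computes Jaccard's coefficient for every pair of variables, reports counts and percentages, and assigns each country to the attack type it is most associated with (the tabular counterpart of reading neighbouring points off an SSA plot). It does not perform the SSA projection itself; the incident records, the `SAMPLE_INCIDENTS` name and all helper function names are assumptions of this example.

```python
"""Co-occurrence profiling of coordinated cyber incidents (added example).

Each incident is a (source country, set of attack types) record; every
country and attack type becomes a dichotomous variable (present/absent per
incident), and pairs of variables are compared with Jaccard's coefficient.
"""
from itertools import combinations

ATTACK_TYPES = ("Reconnaissance", "Worm", "Root", "DoS")

# Constructed sample (not the Statoil/VDI dataset): twelve coordinated
# incidents, each attributed to one source country. Values are invented.
SAMPLE_INCIDENTS = [
    ("US", {"Root"}),
    ("US", {"Reconnaissance", "Root"}),
    ("US", {"Reconnaissance", "Root", "DoS"}),
    ("China", {"Reconnaissance", "Worm"}),
    ("China", {"Reconnaissance", "DoS"}),
    ("China", {"Worm"}),
    ("Norway", {"Reconnaissance", "Root"}),
    ("Norway", {"Root"}),
    ("Japan", {"Reconnaissance", "Root"}),
    ("Brazil", {"Reconnaissance", "Worm"}),
    ("Italy", {"Worm"}),
    ("Slovenia", {"Reconnaissance"}),
]


def variable_index(incidents):
    """Map every variable (country or attack type) to the set of incident
    numbers in which it is present: the dichotomous data SSA works from."""
    index = {}
    for i, (country, attacks) in enumerate(incidents):
        for var in (country, *attacks):
            index.setdefault(var, set()).add(i)
    return index


def frequencies(incidents):
    """Count and percentage (one decimal) per variable, as on the frequency slide."""
    n = len(incidents)
    return {var: (len(hits), round(100.0 * len(hits) / n, 1))
            for var, hits in variable_index(incidents).items()}


def jaccard(a, b):
    """Jaccard's coefficient: incidents with both over incidents with either.
    Joint absences are ignored, which is why it suits sparse incident data."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def association_matrix(incidents):
    """Jaccard's coefficient for every pair of variables, keyed by frozenset."""
    index = variable_index(incidents)
    return {frozenset((x, y)): jaccard(index[x], index[y])
            for x, y in combinations(sorted(index), 2)}


def strongest_attack_type(country, incidents):
    """Attack type with the highest Jaccard association with a country.
    Points close together in an SSA plot are those with high association,
    so this is the tabular counterpart of reading neighbours off the plot."""
    matrix = association_matrix(incidents)
    return max(ATTACK_TYPES,
               key=lambda t: matrix.get(frozenset((country, t)), 0.0))


def group_countries(incidents):
    """Assign each country to the attack type it is most associated with,
    mirroring the regional groupings read off the SSA plot."""
    countries = sorted({c for c, _ in incidents})
    groups = {t: [] for t in ATTACK_TYPES}
    for c in countries:
        groups[strongest_attack_type(c, incidents)].append(c)
    return groups


if __name__ == "__main__":
    total = len(SAMPLE_INCIDENTS)
    for var, (count, pct) in sorted(frequencies(SAMPLE_INCIDENTS).items()):
        print(f"{var:15s} {count:3d} of {total} ({pct}%)")
    m = association_matrix(SAMPLE_INCIDENTS)
    print("Jaccard(Norway, Root)   =", round(m[frozenset(("Norway", "Root"))], 3))
    print("Jaccard(Slovenia, Root) =", round(m[frozenset(("Slovenia", "Root"))], 3))
    print(group_countries(SAMPLE_INCIDENTS))
```

On the constructed sample, Norway and Root share two of the six incidents in which either appears (coefficient 0.333), while Slovenia and Root never co-occur (0.0), which is the kind of contrast the SSA slide draws; the grouping step places Norway, Japan and the US with Root and Brazil, China and Italy with Worm. A real run would replace `SAMPLE_INCIDENTS` with records extracted from IDS or firewall logs and feed `association_matrix` to an MDS routine to obtain the plot.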

  10. SSA Plot: Percentage Ranges

  11. SSA plot: Grouping Coordinated Attacks (plot not reproduced; the three regions are labelled)
      • Breaking & Entering
      • Random Scans & Virus/Worm
      • Crashing/Hanging Programs & Services

  12. Summary and Conclusion
      • Countries frequently attacking the critical infrastructure are US, China, Canada, Japan, Norway, and UK
      • Less industrialised countries use more worms, viruses, and scanning (stepping stones), whereas more industrialised countries use Root and DoS attacks
      • Some countries that were not previously industrialised are up-and-coming, with attacks similar to those of industrialised countries
      • The understanding of cyber incidents may be advanced through improved collection and analysis of information, as well as through sharing of information
      • Future research in the area may be advanced through applying Criminal Profiling to Information Systems research
      • There are possibilities for more research in the area of Inductive Profiling of Cyber Incidents

  13. Thank you for your attention!
