October is here. For most of us in the US cybersecurity industry, it’s the month when we commemorate National Cybersecurity Awareness Month (NCSAM). For those who are unfamiliar with this campaign, NCSAM generally aims at driving awareness for safe Internet use, whether you’re a regular consumer or top security executive. Protecting the Internet and keeping it safe is our shared responsibility.

And that’s why we at Malwarebytes not only pledge to provide the best protection for our home and business customers. We also commit ourselves to fostering cybersecurity education and awareness for all. Labs security researchers and writers are on the front lines every day, scouring the Internet for threats and reporting them, as well as how you can stay safe against them, here on the blog. We hope you continue to feel safe knowing we will always do our best to stop attacks, stomp out dangerous malware, and swat away annoying scammers.

In its 15th iteration, this year NCSAM will attempt to address current cybersecurity challenges, focusing on securing families and their homes, building a robust, cyber-aware workforce, and securing critical infrastructures. As such, themes assigned for each week of the month have been aligned according to this year’s objectives.

Below are the themes per week, a brief overview of each, and helpful links we recommend you, dear reader, start perusing.

Week 1: October 1–5

Theme: “Make Your Home a Haven for Online Safety”

NCSAM kicks off its campaign by going back to basics. Parents and caregivers, it’s time to brush up on your cybersecurity know-how and get your kids and the entire family involved. Check out these helpful Malwarebytes Labs posts if you need some inspiration:

• How to manage your child’s online presence
• How to protect your child’s privacy online
• Parenting in the digital world: a book review
• 10 ways to protect your Android phone
• Seven security tips for staying safe on an iPhone
• Internet of things (IoT) security: what is and what should never be

Week 2: October 8–12

Theme: “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity”

As that song goes, “I believe the children are our future.” And we believe that they can make a difference—for better or for worse—on the state of cybersecurity and the future of the Internet as we know it. Schools and teachers play a significant role in shaping the way our kids view and respond to the world, both in their real and digital lives. By molding young minds to be good citizens of the Internet and encouraging careers that honor that code, you can help clear the way for a better online experience for generations to come. Here are some references you may want to read up on:

• When cybersecurity isn’t all cyber: What does it really take to work in cybersecurity?
• Engaging students in cybersecurity: a primer for educators
• Back to school cybersecurity: hints, tips, and links for a safer school year
• Children and young adults: the next-generation money mules
• College cybersecurity survival guide

Week 3: October 15–19

Theme: “It’s Everyone’s Job to Ensure Online Safety at Work”

The shortage of cybersecurity professionals is a genuine problem, especially for businesses that rely on a tight-running and secure ship to keep profit flowing and customers happy. A way to address this shortage is to change the tide by educating current personnel about the importance of taking cybersecurity seriously and how to respond in the event of a cyberattack. Small, medium, and enterprise-sized businesses can pilfer useful nuggets of wisdom from these blog posts:

• All rise! Mind these digital crimes and arm your business against them
• Five easy ways to recognize and dispose of malicious mail
• Why bad coding habits die hard—and 7 ways to kill them
• 5 cybersecurity questions retailers must ask to protect their businesses
• Keeping your business and personal instant message secure
• An ounce of prevention is worth a pound of cure
• How to create an intentional culture of cybersecurity
• How to secure your remote workers

Week 4: October 22–26

Theme: “Safeguarding the Nation’s Critical Infrastructure”

The uncovering of Stuxnet nearly a decade ago completely changed the way we see our critical infrastructures. Since then, there has been an active call to secure the 16 sectors that literally keep a nation running—and for a good reason. Lives are at stake.

While protecting our critical infrastructure may seem like a specialized topic dedicated to a particular audience, it’s not. Those working in the financial, health, and communications sectors, as well as in energy, electricity, and other utilities can contribute by taking on the seemingly impossible task of securing their organizations.

Note that good security hygiene is a start, but efforts shouldn’t stop there. We’ll explore this topic in depth come November, when we’ll be looking at election security and commemorating Critical Infrastructure and Resilience Month. For now, you can read through these posts for helpful insights:

• Physician, protect thyself: healthcare cybersecurity circling the drain
• Physician, protect thyself: An ounce of protection is worth a pound of cure
• The enemy is us: a look at insider threats
• BYOD, why don’t you?
• Make way for the GDPR: Is your business ready?

If you or your organization want to take part in NCSAM, it’s never too late to register. You can visit the StaySafeOnline website and navigate to the Become a Champion menu link. After registering, you or your organization will be listed in the 2018 Champions page and receive helpful resources to educate yourself and spread awareness to others.

As always: Stay safe, everyone!

One more year gone, one more Defcon completed.

Defcon is the longest-running security conference in existence and one that I have been attending since Defcon 18. It is an opportunity to see and interact in real life with industry peers that would forever remain a digital persona otherwise. It is the place where you hear about the newest attack techniques, the coolest hacks, and the most spectacular security failures. A giant melting pot of hackers, security professionals, various three-letter agency employees, lawyers, students, black hats, grey hats, white hats, IT admins, help desk warriors, journalists, activists, reversers, cypherpunks, scary pentesting voodoo red team experts, and stoic blue team defenders.

Defcon is the conference of conferences. There’s even a LineCon, consisting of the impromptu discussions that take place while waiting to register or waiting to get into a room to see a presentation. And let’s not forget HallCon, where you strike up a conversation with random strangers and never, not once, have them roll their eyes when you start talking about security.

Villages, such as the LockPick village, exist where volunteers demonstrate just how illusionary the protection a physical lock provides. Then there are various hardware hacking villages, where routers, Wi-Fi repeaters, or anything containing a small computer is picked apart. Soldering irons abound, and disassembling is encouraged. Warranties are gleefully broken and tamper mechanisms are ignored or defeated in an undetectable manner. There’s the car hacking village, drone hacking, the social engineering events. The list goes on and on in a cornucopia of coolness.

And let’s not forget the swag. Oh the swagiest of swag! Epic t-shirts, cool and weird stickers, army backpacks with a bajillion pockets, personalized hotel cards, challenge coins, and the crown jewel of them all…The coveted unofficial electronic badges.

Defcon has the best badges—in part out of necessity, I theorize. How do you combat counterfeit badges when the vast majority of your attendees know about plastic card printers, have a passing familiarity with photo editing software, and perhaps a flexible moral code?

You step up your game. Early examples were embossed, then made of laser-cut plexiglass, and even metal! Very soon, functionality was thrown into the mix. It started slowly, with blinking LEDs, and rapidly progressed. As badges started including crypto challenges, greater and greater functionality was added. The rationale behind this enhancement was to foster collaboration between attendees with different skill sets when attempting to solve the puzzles contained within.

As badge functionality grew, enterprising conference attendees started modifying them. The Defcon 16 badge included a “TV-B-GONE” function, to the great chagrin of the Las Vegas restaurants and sports bars owners. A Defcon 17 attendee even added a Breathalyzer to his badge.

Eventually, the Defcon organizers settled into a cadence. One year was a crypto challenge with an artistic style of badge; the alternating year an electronic one. This was probably a logistical decision, as the electronic badges became more and more intricate, requiring longer and longer development time due to their complexity.

Around this time, Defcon attendees witnessed the birth and rise of unofficial Defcon badges. Built by attendees, these unofficial badges became the most sought-after object to wear around your neck: a prestigious status symbol, confirming your “leet-ness.” A visual confirmation that had the guile necessary to acquire them. You knew the right people, or had the skills to create your own.

Defcon 26 saw a veritable explosion of unofficial badges, as more and more groups of enterprising con attendees started making their own badges with a dizzying array of features. Here is a selection of unofficial badges acquired this year.

With the explosion of unofficial badges, a standard was developed known as the “SAO.” This standard allowed for add-on mini badges that were much easier to make and gave the opportunity to less experienced badge makers to wet their feet. These mini badges also allowed for much brisker badge trading, as they tended to be simpler in design and scope.

All of these are but a small sampling of what was available. The project I was involved with was Defcon Drone badge (Hi Bl1n7!) and our team frantically flashed badge operating systems and assembled kits into the late hours of the night. I got to learn about the Arduino IDE as I flashed the base firmware on the Kickstarter pledged badge packages. I also took the opportunity to hone my soldering skills and repair electronics. The suite where all these activities took place was most thoroughly equipped with microscopes, soldering stations, classic sci-fi movies in the background, and a bevy of delicious snacks!

Defcon is what you make of it, and this year I elected to make it all about the badge life. You can find out more about badgelife here, courtesy of Hackaday.

They can go undetected for years. They do their questionable deeds in the background. And, at times, one wonders if they’re doing more harm than good.

Although this sounds like we’re describing some sophisticated PUP you haven’t heard of, we’re not.

These are the known attributes of insider threats.

Insider threats are one of a handful of non-digital threats troubling organizations of all sizes to date. And—to bang on the hype—the danger they pose is real.

When once companies thought that risks to their high-valued assets can only come from outside actors, they’re slowly realizing that they are also facing potential dangers from within. The worst part is no one can tell who the culprits are until the damage is done.

In the Osterman Research white paper entitled White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime, it is found that insider threats account for a quarter of the eight serious cybersecurity risks that significantly affect private and public sectors. To put it another way, an organization’s current and former employees, third-party vendors, contractors, business associates, office cleaning staff, and other entities who have physical or digital access to company resources, critical systems, and networks are collectively ranked in the same list as ransomware, spear phishing, and nation-state attacks.

The majority of insiders who have caused their employers a headache didn’t necessarily have technical backgrounds. In fact, they didn’t have the desire or the inclination to do something malicious against their company to begin with. In the 2016 Cost of Insider Threats [PDF], a benchmark study conducted by the Ponemon Institute, a significant percentage of insider incidents within companies in the United States was not caused by criminal insiders but by negligent staff members.

This finding remains consistent with the 2018 Cost of Insider Threats [PDF], where coverage also includes organizations in the Asia-Pacific region, Europe, Africa, and the Middle East. The insider’s general lack of attention and misuse of access privileges, coupled with little-to-no cybersecurity awareness and training, are some of the reasons why they’re dangerous.

Understanding insider threats

Many have already described what an insider threat is, but none as inclusive and encompassing as the meaning put forward by the CERT Insider Threat Center, a research arm of Carnegie Mellon University’s Software Engineering Institute (SEI). They have defined an insider threat as:

…the potential for individuals who have or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.

From this definition, we can classify insiders into two main categories: the intentional and the unintentional. Within those categories, we’ve described the five known types of insider threats to date. The are as follows:

Intentional insiders

They knowingly do harm to the organization, its assets, resources, properties, and people.

The malicious insider 

This type has several names, including rogue agent and turncoat. Perhaps its main differentiation from the professional insider (as you will see below) is that not one insider of this type started off with malicious intent. Some disgruntled employees, for example, may decide to compromise the company’s network if they perceive that their company has done them wrong by planting malware, deleting company files, stealing proprietary intellectual property to be sold, or even withholding essential accounts and data for ransom.

In certain circumstances, employees go rogue because they want to help their home country. Such is the case of Greg Chung, who was found guilty of supplying China with proprietary military and spacecraft intel during his tenure in Rockwell and Boeing by stealing nearly three decades worth of top-secret documents. The number of boxes of files retrieved from his home was not disclosed, but we can assume it to be in the hundreds.

Employees who are coerced or forced to perform malicious acts on behalf of one or more entities also fall under this type.

The professional insider

This type is usually referred to as a spy or mole in an organization. They enter an organization generally as employees or contractors with the intent to steal, compromise, sabotage, and/or damage assets and the integrity of the company. They can either be funded and directed by nation states or private organizations—usually a competitor of the target company.

When the Jacobs Letter was made public, a 37-page allegation penned by former Uber employee Ric Jacobs, it seemed that the civil suit between Google and Uber was no longer your usual intellectual property theft case. In this letter, Jacobs claimed that Uber ex-CEO Travis Kalanick was the mastermind behind the theft, with Anthony Levandowski as the actor. Although this allegation has yet to be substantiated, Levandowski would fit this type if found true.

The violent insider

Acts that negatively impact organizations don’t start or end in the abuse, misuse, and theft of non-physical assets. They can also include threats of a violent nature. Peopleware is as essential as the software and hardware an organization uses, if not even more crucial. So, what negatively affects employees in turn affects the organization, too.

Therefore, it’s imperative that organizations also identify, mitigate, and protect their staff from potential physical threats, especially those that are born from within. The CERT Insider Threat Center recognizes workplace violence (WPV) as another type of insider threat, and we categorized it under intentional insiders.

WPV is defined as violence or threat of violence against employees and/or themselves. This can manifest in the form of physical attacks, threatening or intimidating behavior and speech (written, verbal, or electronically transmitted), harassment, or other acts that can potentially put people at risk.

This author hopes that CERT and/or other organizations looking into insider threats expand their definition to include workplace bullying, domestic violence (e.g. when an abusive partner comes after his/her abused partner in the workplace), and other actions that put employee safety at risk or negatively impact their emotional and psychological well-being.

---

Read: Of weasels, snakes, and queen bees

---

Insider Threat Researcher Tracy Cassidy of CERT has identified [PDF] the following indicators that enable an employee to fall under this type:

• History of violence
• Legal problems
• Loss of significant other
• Conflict with supervisor
• Potential loss of employment
• Increased drinking
• Concerning web searches

In 2015, Vester L. Flanagan II (aka Bryce Williams) shot and killed two of his former colleagues in WDBJ7, a local TV station in Roanoke, Virginia, during a live interview. Flanagan later posted a clip of the shooting on Facebook and on Twitter, claiming that his victims wronged him.

Two years after the Flanagan incident, Randy Stair was posting troubling videos and messages on Twitter about his plot to kill his co-workers at the Weis supermarket in Pennsylvania. No one was entirely sure of his motive, but investigations revealed that he disliked his manager and was showing signs of extreme loneliness days before the incident.

Unintentional insiders

They have no ill intent or malice towards their employer, but their actions, inactions, and behavior sometimes cause harm to the organization, its assets, resources, properties, and people.

The accidental insider

They are also called the oblivious, naïve, or careless insiders. This type is perhaps the most overlooked and underestimated regarding their potential risk and damage to organizations. Yet, multiple studies confirm that accidental insiders account for a majority of the significant breaches that make headlines. Insiders under this type are relatively common.

Incidents, like unknowingly or inadvertently clicking a link in an email message of dubious origin, accidentally posting or leaking information online, improperly disposing sensitive documents, and misplacing company-owned assets (e.g., smartphones, CDs, USBs, laptops), even if they only happen once, may not seem like a big deal. But these actions increase an organization’s exposure to risk that could lead to its compromise.

Here’s an example of an accidental insider’s potential for damage: A publicly-accessible Amazon Web Service (AWS) account was used by hijackers to mine cryptocurrencies. Security researchers from Redlock investigated the matter and found misconfigurations in the AWS server. This gave hijackers access to credentials that could allow anyone to open the S3 buckets where sensitive information was stored. It turned out that the account belonged to someone at Tesla, so the researchers alerted them of the breach.

The negligent insider

Employees under this type are generally familiar with the organization’s security policies and the risks involved if they’re ignored. However, they look for ways to avoid them anyway, especially if they feel such policies limit their ability to do their work.

A data analyst working for the Department of Veterans Affairs downloaded and took home the personal data of 26.5 million US military veterans. Not only was this a violation of the department’s policies, but the analyst was also not authorized to do this. The analyst’s home was then burglarized, and the laptop was stolen. The data included names, social security numbers, and dates of birth.

Steps to controlling insider incidents

While cybersecurity education and awareness are initiatives that every organization must invest in, there are times when these are simply not enough. Such initiatives may decrease the likelihood of accidental insider incidents, but not for negligence-based incidents, professional insiders, or other sophisticated attack campaigns. Organizations must implement controls and use software to minimize insider threat incidents. That said, organizations must also continue to drive education and awareness, as well as provide professional and emotional support for employees to mitigate potential damage from accidental, malicious, or violent insiders.

Get executive support. As more and more organizations realize the risks insider threats pose, it also becomes easier to get executive buy-in on the idea of lessening insider threat incidents happening in the workplace. Gather and use information about incidents that occurred within the organization (especially those the C-suite may not even be aware of) before pitching the idea of creating an insider threat program.

Build a team. If an organization is employing thousands, it would be ideal to have a team that exclusively handles the insider threat program. Members must track, oversee, investigate, and document cases or incidents of insider threats. This team must comprise of a multidisciplinary membership from security, IT security, HR, legal, communication, and other departments. If possible, the organization should also bring in outside help, such as a workplace violence consultant, a mental health professional, and even someone from law enforcement, to act as external advisors to the team.

Identify risks. Threats of insiders vary from one industry to another. It is vital that organizations identify what threats they are exposed to within their industry before they can come up with a plan for how to detect and mitigate them.

Update existing policies. This is assuming that the organization already has a security or cybersecurity policy established. If not, creating one now is essential. It’s also important for the team to create a plan or process for how they should respond to incidents of insider threats, especially on reports of workplace violence. The team should always remember that there is no one-size-fits-all approach to addressing insider threat incidents of a similar nature.

Implement controls. An organization that has little-to-no controls isn’t secure at all. In fact, they are low-hanging fruit for external and internal actors. Controls keep an organization’s system, network, and assets safe. They also minimize the risk of insider threats. Below are some controls organizations may want to consider adopting. (Again, doing so should be based on their risk assessment):

• Block harmful activity. This includes the accessing of particular websites or the downloading and installation of certain programs.
• Whitelist applications. This includes file types of email attachments employees can open.
• Disable USB drives, CD drives, and follow-based email programs.
• Minimize accessibility of certain data. Organizations should focus on this, too, when it comes to their telework or remote workers.

---

Read: How to secure your remote workers

---

• Provide the least level of access to privileged users.
• Place flags on old credentials. Former employees may attempt to use the credentials they used when they were still employed.
• Create an employee termination process.

Install software. Many organizations may not realize that software helps in nipping insider threats in the bud. Below is a list of some programs the organization may want to consider using:

• User activity monitoring software
• Predictive/data analytics software (for looking for patterns collected from employee interactions within the organization’s network)
• Security information and event management (SIEM) software
• Log management software
• Intrusion detection (IDS) and prevention (IDP) software
• Virtual machines (for a safe environment to detonate or open potentially harmful files)

It’s important to note that while software, controls, and policies designed to aid organizations in stopping insider risks are in place, insider threat incidents may never be eradicated entirely. Furthermore, predicting insider threats is not easy.

“To be able to predict when an insider maliciously wants to harm an organization, to defraud them, to steal something from them—it’s really hard with the technology alone to identify someone who is doing something with malicious intent,” said Randy Trzeciak, director of Carnegie Mellon University’s CERT program, in an interview with SearchSecurity.Com. “You really do need to combine the behavioral aspects of what might motivate somebody to defraud an organization, or to steal intellectual property, or to sabotage a network or system, which is usually outside of the control of what a traditional IT department is and what they do to prevent or detect malicious activity by insiders.”

Additional reading:

• Four types of employees who are potential insider threats
• “Workplace Violence: Issues in Response” by the FBI’s Critical Incident Response Group

Just one more hour behind the hot grill flipping burgers, and Derek* could call it a day. Under his musty hat, his hair was matted down with sweat, and his work uniform was spattered with grease. He knew he’d smell the processed meat and smoke for the next three days, even after he’d showered. But it was money, he supposed.

“Derek!” His manager slapped him on the shoulder. “A little bird told me you were good with computers. I’ve got a job for you, if you’ll take it.”

The next day, with routers and cables bought and paid for by his manager, Derek networked his boss’ entire home. After one hour of work, he was handed a crisp $100 bill. Derek made a quick calculation: He’d have to put in three full shifts at the burger joint to take home the equivalent.

Unfortunately, not all of Derek’s clients had his manager’s money. Like him, his classmates came from a modest middle-class background, and they often couldn’t afford the latest video games, DVDs, and albums. But Derek had something not even his boss had: the ability to hack.

Mostly, his classmates looked for video game hacks, like unlimited life, or access to boatloads of free music. Sometimes they needed expensive cables to set up LAN parties, and Derek could McGyver a cat-5 so that his friends only had to pay him $10, instead of the $50 they cost at Best Buy.

Sometimes, Derek took on work that was a little more dangerous or challenging—like scamming other scammers to get onto their networks and drop malware or redirecting browser traffic to personal eBay storefronts—and he proved himself adept at this type of problem solving. Everyone knew Derek was the man to go to for these things—and he liked that. What’s not to like? Money, popularity, and a quiet “screw you” to the man. He was proud of his ability to hack into and modify programs built by professionals.

“There was ego involved, of course. It was like, ‘Ha! Look what I did that I wasn’t supposed to be able to do,’” said Derek, who today works as an engineer at a security company, but sometimes still participates in less-than-legal activities online. “Some 13-year-old kid just beat a 30-year-old programmer.”

Derek’s hacking hobby soon became more than a pastime. The stars had aligned for him to step into the world of cybercrime.

What makes a cybercriminal?

Some of Derek’s actions might sound familiar to those who tapped into the early, Wild West-esque days of the Internet. Pirating and counterfeiting music, video games, and DVDs was par for the course in the mid and late 1990’s, until the Napster lawsuit and subsequent shutdown opened the nation’s collective eyes to the fact that these actions were, in fact, unlawful.

Today, we know better. Those who can game the system are called hackers, and the term is often used interchangeably with cybercriminals. However, hackers are merely people who know how to use computers to gain access to systems or data. Many hackers do so with altruistic purpose, and they are called white hats.

White hats are considered the good guys. They’re experts in compromising computer systems, and they use their skills to help protect users and networks from a criminal breach. White hats often work as security researchers, network admins, or malware analysts, creating systems to capture and analyze malware, testing programs for vulnerabilities, and identifying weaknesses in companies’ infrastructures that could be exploited and/or infected. Their work is legal, sanctioned, and compensated (sometimes handsomely). But sometimes, even white hats can find themselves in compromising positions.

Jared* got his start in IT as a technician, working at a mom-and-pop shop that he had frequented often when putting together his own machine. “I was a computer hobbyist,” he said. “I bought and built my first one, and I kept going to the same store for parts. Eventually, I ended up working there.”

Jared built up his skills working in the shop, eventually moving up to enterprise work at a larger chain store. It was there that he was introduced to a software developer that was making an anti-malware product designed to rip spyware out of people’s machines. He was hired on to add definitions (the code that helps antivirus programs detect malicious software).

But soon, Jared started to sense that something was off. Despite the fact that the company owners kept departments siloed—the user interface (UI) people didn’t know what the product development people were doing, and none of them knew what the marketing people were up to—Jared started asking uncomfortable, ethical questions in meetings that made him rather unpopular.

“I had the horse blinders on. I knew that there was stuff taking place that I was not comfortable with, and I chose to ignore it because it wasn’t the product I was working on,” he said. “But, that mental gymnastics got harder and harder and harder, until I finally realized that some aspects of the company I was working for were super scummy.”

What Jared came to realize after moving into a Q/A position was that he was, in fact, working for a potentially unwanted program (PUP) maker—a product created mostly to rip people off. He might not have been trying to participate in cybercrime, but he was complicit.

Despite trying to fight the corruption from the inside, Jared was stuck. He needed this job to stay financially afloat. Finally, after six years at the company, he was actively looking for a new job in IT when he was approached by a legitimate security company—and that’s where he is today. His bosses at the PUP maker, however, knew exactly what they were doing. And that’s why they’re considered black hats.

Black hats are the bad guys; the cybercriminals. They use a similar skill set as white hats, but their intentions are not to protect systems. Instead, they look to cause damage to their targets, whether that’s stealing personal data for monetary gain or coordinating attacks on businesses for revenge. Black hats’ criminal activity ranges from targeting individuals for state-sponsored espionage to widespread corporate breaches, and their efforts may be conducted from outside an organization or embedded within as an insider threat.

But the world is not black and white. A third set of hackers exists between opposite ends of the moral spectrum, and they are known as gray hats. They may not be trying to cause intentional harm, but they’re often operating outside the law. Gray hats might identify as cybervandals or rogue researchers, publicly announcing vulnerabilities to bring attention to a problem. For example, a gray hat could compromise a system without an organization’s permission, but then inform the organization after the fact in order to help them fix the problem. You might consider Jared a gray hat during his tenure at the PUP maker, even though he entered and left the establishment with the best of intentions.

What sets a cybercriminal apart from a security researcher, then, comes down to motive. Ethical hackers look to improve the security of software programs to protect users and their online experiences, whereas cybercriminals seek to undermine the integrity of those systems and programs for their own gain. It’s why people hack that shapes the nature of their being.

Putting together the profile

Without knowing the identity of cybercriminals (as most do a good job of covering their tracks), criminal profiling becomes a useful tool to begin drawing more accurate pictures of the people behind the proverbial hoodies.

Criminal profiling is a psychological assessment that includes personality and physical characteristics. “Fitting the profile” doesn’t necessarily mean a person committed the crime, but it can help narrow the field of suspects and exclude others from suspicion. Profilers use both inductive profiling (statistical data involving known behavioral patterns and demographic traits) and deductive profiling (common sense testing of hypotheses related to forensics, crime scene evidence, and victimology) to create personas of criminals. They are then able to identify criminals based on an analysis of their behavior while they engage in the crime.

Online, however, gathering this type of data can be nearly impossible. How can criminal profilers identity the crime scene, for example, when a victim might not even know how, when, or where he was infected?

According to an article in CIO, criminal profiling has a success rate of 77 percent in assisting traditional investigations. Unfortunately, no such headway has been made for cybercrime. Instead, both corporate and individual would-be victims rely on a combination of cybersecurity awareness (aka street smarts for computers) and technologies to prevent the crime from happening in the first place. These technologies include firewalls, encryption, two-factor authentication, antivirus, and other more advanced forms of cybersecurity software.

And while technology has been the main defense against cyberattacks, experts say a better understanding of the psychological, criminological, and sociological side of the equation can help fortify protection and possibly catch thieves in the act.

“Those that get caught never invest in sensible growth funds or get their families out of the country. They buy sports cars,” said William Tsing, Head of Intel Operations at Malwarebytes, whose work includes coordinating with law enforcement to take down cybercriminals. “Florida has had success getting people with outstanding warrants by the classic giveaways of sports cars and boats. These men have very specific ideas of who they’re ‘supposed’ to be, and buying expensive toys plays to their ego. They steal what they think they deserve.”

That being said, only 5 percent of cybercriminals are actually apprehended.

To better understand their psychological, criminological, and sociological motives, former police officer and IT professional Deb Shinder put together a set of characteristics she says that most cybercriminals exhibit. These include:

• Some measure of technical knowledge
• Disregard for the law or rationalization about why particular laws are invalid or should not apply to them
• High tolerance for risk or the need for a “thrill factor”
• “Control freak” nature, enjoyment in manipulating or outsmarting others
• A motive for committing the crime—monetary gain, strong emotions, political or religious beliefs, sexual impulses, or even just boredom or the desire for fun

A generic cybercriminal profile, therefore, might look like this: “Male, under 25, history of anxiety, angry, sustained difficulties with in-person interaction, and distrustful of anything outside of science or tech,” said Tsing, who qualifies that it applies to North American and Chinese black hats only—Russian black hats likely fit a different profile.

Additional research conducted by online payment company Jumio finds that three-quarters of cybercriminals are male, and they work in organized groups, half of which have six or more members. (Though this is not to be confused with organized crime, which cybercriminals have, surprisingly, little connection with.) And they live all over the world, but are found especially in Asia, most notably China, Russia, and Indonesia.

As there as so many different forms of cybercrime, so too are there different profiles. Those who participate in online piracy have different traits from those who are scam artists, as well as those who are involved in human trafficking or child pornography.

Types of cybercrime

The various types of cybercrime committed by black hat hackers are highly influenced by technical skill, though socio-economic factors also play a part. Those who are able to participate in cybercrime that requires higher technical expertise often come from fairly comfortable, middle-class backgrounds. Yes, there are savants—your Good Will Huntings who come from extreme poverty and are self-taught—but for the majority of cybercriminals, a base level competence in computer science is acquired at home, with private access to a computer, and at school.

“In high school, I took computer science classes. That was actually my first exposure to cybercrime and the dark world,” said Derek. As a freshman, he was in class with seniors who were already involved with less-than-legal activities, and they taught Derek how to grow his own abilities, whether that was by finding better content or achieving faster download speeds.

Personal preference and opportunity certainly play a role, but technical skill is the major factor that separates the scammers from the ransomware authors. We separate types of cybercrime (and criminals) into categories as follows:

Online piracy: We’ve covered this fairly well with Derek’s actions, but online piracy involves illegally copying and sharing copyrighted material, such as movies, video games, and music. In the US, this is an infringement on the Digital Millennium Copyright Act (DMCA), which was enacted in 1998. It doesn’t require much technical skill to do the copying and sharing of files, but it does require some basic know-how to find torrent sites that won’t infect your own machine and stay under the radar enough to avoid fines.

Malware/PUP writing: To write programs that deploy malicious code generally requires a much higher level of technical prowess, whether that’s authoring a program that can discover vulnerabilities in other software and escort malware through the door (exploits) or creating ransomware that can seize and encrypt a system’s files, holding them hostage.

Creators of potentially wanted programs also fit under this umbrella, as they require the requisite programming skills of any software maker, with the added bonus knowledge of dark design—e.g. sneaking pre-checked boxes into end-user license agreements (EULAs) or creating extra search bars that obfuscate their true purpose, which is to redirect users to sites out of their control.

One caveat: A lot of malware creation can now be conducted by those with lesser technical capabilities, such as script kiddies, or people that use existing computer scripts or code to hack into computers. Malware-as-a-service, then, has popped up as a profitable form of cybercrime, where black hats actually write and sell code to other black hats in place of or in addition to participating in their own attacks.

Scamming/fraud/extortion: Scamming requires little in the way of technical skill, but does rely on knowledge of classic social engineering techniques, such as exploiting fear, carelessness, or a variety of other emotions to manipulate users. Scamming in the cyberworld includes phishing attacks that seek credentials, such as usernames and passwords and technical support scams, which dupe users into pay fake technicians to “fix” an issue in their computer that either doesn’t exist or that the technician has actually caused himself.

Those that write malware often look down upon the scammers for their lack of technical skill, and sometimes infiltrate scammer networks and drop their own viruses or worms.

“I liked causing pain to people who were trying to screw over grandma,” said Derek. “In the land of the blind, the one-eyed man is king.”

However, socio-economics probably has the largest impact on this subset of criminals. Massive caller banks have been set up in states and nations where poverty runs rampant, including Florida and India, where scammers target the mentally ill or the elderly for low-end technical support scams and vendor fraud. While seemingly vile, it puts much-needed money in the pockets of the poor.

Cyberterrorism/state-sponsored espionage: Here live those with top-of-the-line hacking aptitude, such as the ability to reverse engineer malicious code or break military-grade encryption. Once cybercriminals become good enough at their trade, they’re often snatched up by nation-states that participate in this type of cyberwarfare. (Though there are those hacktivists that work independently from their governments.) In the US, those with a background in cybercrime are not invited to the cyber table, so to speak, but they are often courted and hired by private companies as security researchers

Child pornography/human trafficking: Sure, yes, technical skill is involved to some degree when you’re talking about this type of deviant behavior, but mostly you’re dealing with the soulless and sociopathic, here. When it comes to the deep end of this criminal pool, psychological motive is the factor that separates the truly sick from the opportunists.

What motivates a cybercriminal?

Indeed, motive is the most fascinating and also most illuminating factor that ultimately determines the full psychological profile of a cybercriminal. And while cybercriminals often have more than one motive for doing what they do, these motives can tell us the all-important why behind the hacking, as well as which type of cybercrime they’ll likely participate in.

“I didn’t brute force FTP servers as a kid because I was poor,” said Tsing. “I did it because I was bored, powerless, depressed, and smart enough to try it.”

Some of the main motives for different types of cybercrime break down as follows:

For fun/the challenge: According to a 2017 report from the National Crime Agency, 61 percent of cybercriminals begin before the age of 16. The young age of the offenders can be attributed to their access to technology and the perception that it’s a victimless crime.

“There’s a little bit of a Robin Hood complex there. I’m not saying it’s right, but I would say that for the most part, what I did was victimless crime,” said Derek of his video game hacking enterprise. “If anything, it was cheap marketing because they played the game and gave out reviews and loved the hell out of it.”

Shinder believes that many cybercriminals hack not out of malicious intent or financial benefit, but simply because they can. “They may do it to prove their skills to their peers or to themselves, they may simply be curious, or they may see it as a game,” she said.

One subject interviewed by the NCA said that illicit hacking made them popular, and they looked up to users with the best reputations. The NCA study also found that curiosity and a desire to increase skills were the most common factors that led to cybercrime. This assessment is corroborated by a recent report by Nuix, which found that 86 percent of surveyed threat actors said that they liked the challenge of hacking and hacked to learn. Additionally, 35 percent said they did it for the entertainment value or to make mischief.

If having fun or looking for a challenge is the main motive, then the buck likely stops for these budding cybercriminals at sharing copyrighted music and movies, defacing websites, or other low-impact crimes. If you combine this motive with others, however, the severity of the crime begins to increase.

Financial: Money can account for the motive behind almost all forms of cybercrime, from online piracy on down to scams and human trafficking. According to the Nuix report, 21 percent of surveyed respondents hacked for financial gain.

What pushes cybercriminals to continue down their path often amounts to putting more expendable cashin their pockets. As cybercriminals age, their financial needs change. What started as a yearning for new video games grows into wanting more cash to buy a car, date girls, and buy drinks at the bar. And often, criminals discover that their side hacking jobs pay way more than entry-level jobs in fast food or retail.

“The first time I started thinking about [hacking] for money was when I first started caring about money,” said Derek. “At 15, I started wondering how I was going to buy a car. [I was] making more than I should have been at 16-years-old—probably a couple grand a year. It was a lot more than my real job at the mall. At that point, I wasn’t thinking of stopping. Money talked.”

Cybercrime paychecks often stack up much higher against career IT jobs. For example, Jared made $45,000 a year while working for the PUP maker, which was much more than a basic computer technician could expect to make in his location and during the time he worked there. For those that are at the top of their crime field, the earnings are even higher. According to an April 2018 study by Dr. Mark McGuire, the highest-earning cybercriminals can make more than $166,000 per month, middle earners can make more than $75,000 a month, and the lowest-earning cybercriminals can still rake in more than $3,500 a month.

Still, money isn’t the only incentive for many threat actors, who prefer the anonymity and isolation of working in cybercrime over the human interaction required to work in a traditional office.

“The stated motive is always money. But that’s not necessarily true,” said Tsing. “It’s just that legit avenues to earn don’t appeal for various reasons. Often times, low level guys will make peanuts, but it’s peanuts where you don’t have to interact with others with respect, don’t have to be around women, and can take time off if you’re crippled with depression or anxiety. So, they go with $40–$60,000 selling DDoS or launching phishing attacks rather than take $75,000 in an office.”

Emotional: Shinder believes that the most destructive cybercriminals act out of emotion, whether that’s rage, revenge, “love,” or despair. This category includes ex-spouses, disgruntled or fired employees, dissatisfied customers, and feuding neighbors, to name a few. Cybercriminals motivated by emotion can often be found getting angry in forums, comments sections, and social networking groups, “trolling” users by baiting them with overly offensive, intentionally contrary content.

The emotional motive might be most personally destructive to the victims of lovers spurned. These criminals use their technical competence to cyber stalk their victims, access their accounts without authorization, or use Internet of Things (IoT) devices to commit domestic abuse, such as locking their loved ones inside the house via smart locks or cranking the heat up in the middle of the summer using Internet-controlled thermostats.

The malicious insider is another common subtype impacted by emotion. They are often upset about being overlooked for a promotion or raise, or are frustrated by a perceived injustice, which can send them on a critical path that includes defacement of company websites, DDoS attacks, stealing or destroying company data, or exposing confidential company information.

“As for the malicious insider, predispositions and professional dissatisfaction or a sense of being slighted in his job can serve as a trigger,” said certified forensic psychologist Dr. Harley Stock in an article for Dark Reading. “They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior.”

Ego: For those involved in a variety of cybercrime, but especially social engineering attacks, shoring up a weak ego is a motivation that combines several psychological provocations, including insecurity, financial woes (and gains), and emotional turmoil into one powerful punch. In fact, if you ask Tsing, he believes ego is at the root of all cybercrime evil.

“I’d say the one overarching motive is emotional if I wanted to troll—they tend to go on at length about how they don’t have emotions. But it’s probably ego or power,” he said. “It gets confused as money, because they use money as a means to power. I think if it were actually money, though, we’d see a lot more of these folks leaving their countries of origin.”

Cybercriminals driven by a weak ego and lacking the technical skill to drop malware on their chosen targets tend to have more visibility into and interaction with their victims, and they validate those actions by convincing themselves they’re actually on the defensive, attacking “back” at those who put them in the position in the first place.

“They have such a shaky sense of self that they feel constantly under assault by essentially everyone,” said Tsing. “So, it’s not that they don’t care [about hurting others], it’s that they’re ‘getting back’ what’s theirs.”

Poor grandma. She must have been a real jerk to deserve having her identity stolen, or to field a phone call from a fake, desperate granddaughter who needed money to bail her out of jail (a real scam scenario).

Political/religious: According to the Nuix report, six percent of respondents said they hacked for social or political motives. Often associated with cyber activism/terrorism, hacktivism, and nation-state supported cybercrime, those with political or religious motivations hack with the intent to take down foreign adversaries. Shinder asserts that this particular motive is closely related to the emotional category, as people’s political and religious beliefs are often intertwined with their personal feelings. “People get very emotional about their political and religious beliefs, and are willing to commit heinous crimes in their name,” she said.

Sexual impulses/deviant behavior: Cyberpsychologist Mary Aiken, whose work was the inspiration for the TV show “CSI: Cyber,” famously joked in a 2015 Web Summit conference about the Freudian impulse that drives people to hack as “a cyber-sexual urge to penetrate.” While meant as a tongue-in-cheek poke at psychologists’ attempts to understand cybercriminals, there does exist a group in the darkest corners of the web to whom sexual compulsion and deviant behavior apply.

Although also related to emotion, those with sexual impulses are some of the most violent cybercriminals, as they commit heinous crimes using the Internet as a tool to lure in their victims. Rapists, sexual sadists, pedophiles, and even serial killers either use their own skill or hire those lacking a moral compass to help aid in their sexual predatory behaviors. Child pornographers and human traffickers also fit into this category, or they may be merely exploiting the sexual impulses of others for profit.

“I can tell you that there are people out there who just want to do harm and cause chaos. I saw some really messed up shit and decided I didn’t want to be part of it,” said Derek, who witnessed hitmen for hire, human trafficking, and bioengineering attack schemes while conducting research. “There are guys and girls out there who are ready to break people. They turn a human being’s psyche into a math problem and then subsequently solve the problem.”

Sometimes, a bad apple is just a bad apple.

What would make a cybercriminal reform?

Armed with the knowledge of what drives a cybercriminal to do what he does, we ask the question: How can we get black hats to turn into white hats? The answer shouldn’t surprise you: It’s likely the same things that made them hack in the first place. Of course, there are those that are psychopathic by nature—generally one in 100 people—and they just want to wreck the place. But others could be swayed by the following:

Money: Pay a cybercriminal well enough to work as a malware analyst, and they won’t be able to justify to the IRS where all this extra cash from cybercriminal side jobs is coming from. If you tip the balance of the risk/reward ratio, you can court many of those whose motivations are financial to the side of the light.

According to Payscale.com, the median salary of an ethical hacker is around $72,000 a year and consultants can expect to be paid $15,000 to $45,000 per assignment. However, as discovered by the recent Osterman report, medium-sized companies aren’t offering their security teams enough money right now. Salaries and retention numbers lag because their starting salaries average only $3,000 more than small companies, but $17,000 less than enterprises. In fact, the Osterman survey found that nearly 60 percent of security pros think that black hats make more money than security professionals.

How can companies fix the imbalance? Malwarebytes’ CEO Marcin Kleczynski said, “We need to up-level the need for proper security financing to the executive and board level discussions. This also means properly recognizing and rewarding the best and brightest security pros.”

Challenge: While money is a major factor for attracting cybercriminals to white hat positions, providing them with interesting and challenging work, and surrounding them with other talented researchers can keep them there.

“What really made me turn the corner was when a select group of people in the company who were known as the smartest took notice of me and the abilities I had shown, and invited me to mess around with a target,” said Derek, whose white hat work includes actively searching out criminal activity to stymie. “Being in the white hat community, I was exposed to many more skilled people. It was really good for me because it pushed me to learn so much more.”

Age: Many simply grow out of this behavior. There’s a reason why security is on average older than any other IT field: It’s mostly composed of those who’ve seen the error of their ways or are looking for more stability.

“The ones that seem to think that cybercrime is victimless tend to be very young—generally, under 25, which is when the good judgement part of the brain finishes forming,” said Tsing. “You don’t see the consequences in front of you, therefore there aren’t any. Eventually, a huge amount of these guys age out of the profile and start acting like humans.”

In addition, the longer they go, the more skilled they become. The more skilled they become, the deeper waters in which they wade. Eventually, those whose consciences are alive and well will find themselves in uncomfortable positions. They’ve seen too much.

“In the wrong hands, these skills can be used to do some seriously scary shit,” said Derek. “I met a guy who had hypothesized targeting a primate gene that would effectively reset the world clock. One guy, through this tech, had the capability of watching the world burn, if he so chose…I like to think that at my core, I make the right decisions. I’m comfortable with me having the knowledge, but I know there are people out there who have a very different moral compass.”

Flipping the system: A paradigm shift in education might be one of the most difficult changes to achieve, but it also could help thwart teens with technical capability from participating on the fringes of society in the first place. Give your outside-the-box thinkers the platform to use their skills in a positive way, and they won’t be so tempted to go after the low-hanging, unscrupulous fruit.

Educational reform has been hard pressed to include 21^st century learning initiatives, at least in the US, where many public schools in the K–12 system use barely-functioning tech—a single, shared iPad on a decrepit, crumbling network—and avoid topics such as digital citizenship and literacy in favor of standardized testing. For the kids already hacking video games, their classroom experience is, in Tsing’s words, “stifling and borderline traumatic.”

“At 19, I was going to community college and thought it was a joke. College was to show that you could complete a project start to finish and to build a network of people,” said Derek. “I had already learned to do that in high school with my enterprising.”

In addition, if the US government could get over their aversion to hiring former cybercriminals, there’d be a place for many more skilled individuals to do some good, especially as cybersecurity continues to be a concern surrounding our elections and infrastructure.

*******************************************************************************************

There’s a razor thin line separating the white hats from the black. Cybercriminals are equally passionate and skilled at what they do, but the lens through which the view the world may be blurred by socio-economic circumstances or psychological hang-ups. There are those that may be beyond hope, but there are also those who are simply too young or too insecure to work a system that feels like it’s set up to watch them fail.

Give them an off-ramp from the treadmill and hand them the tools sooner for doing some good online. Then we just might be able to hold out hope that we can, in fact, make the Internet a safer place to be, without having to clutch our passwords tight.

*Names have been changed to protect the anonymity of the cybercriminals interviewed for this piece.

This post was written by Michael Osterman of Osterman Research.

Osterman Research recently completed a major survey on behalf of Malwarebytes to determine the actual cost of cybercrime to businesses. Many studies have focused on the cost of lost reputation, lost future business, and other consequences of cybercrime—and while these are certainly valid considerations—we wanted to understand the direct costs of cybercrime. To do so, we surveyed mid-sized and large organizations on a variety of issues, but focused on three cost components:

• Security budgets
• The cost of remediating “major” events, e.g., events like a widespread ransomware infection or major data breach that would be highly disruptive to an organization and might take it offline for some period of time
• The cost of cybercrime perpetrated by “gray hats;” those employees who dabble in cybercrime without giving up their day job as a security professional

Here’s what we discovered:

Cybercrime isn’t cheap

Organizations of all sizes can expect to spend significant amounts on various cybersecurity-related costs. For example, our research found that an organization of 2,500 employees in the United States can expect to spend nearly $1.9 million per year for cybersecurity-related costs (that’s nearly $760 per employee).

While the costs are lower in most of the other countries that we surveyed, the global average exceeds $1.1 million for a 2,500-employee organization.

Gray hats are a problem

Globally, one in 22 security professionals are perceived by their security-professional peers to be gray hats, but this figure jumps to one in 13 for organizations based in the United Kingdom. Mid-sized organizations (500 to 999 employees) are getting squeezed the hardest, and this is where the skills shortage, and the allure of becoming a gray hat, may be the greatest.

Underscoring the depth of the gray hat problem is the fact that 12 percent of security professionals admit to considering participation in black hat activity, 22 percent have actually been approached about doing so, and 41 percent either know or have known someone who has participated in this activity. This is by no means a rare or isolated problem!

Once more unto the breach

We found that the vast majority of organizations have suffered some type of security breach and/or attack during the 12 months preceding the survey. The most common avenue of attack was from phishing, but others that were experienced included adware/spyware, ransomware, spearphishing, accidental and intentional data breaches, nation-state attacks, and hacktivist attacks.

Only 27 percent of organizations reported no attacks during the 12 months leading up to the survey, and even that figure may underestimate the depth of the problem: some organizations can be infiltrated by stealthy attacks that may not be discovered for several months after the initial infiltration.

The middle child syndrome

Corroborating what Osterman Research has discovered in other research, mid-market companies—those with 500 to 999 employees—face the most difficult challenges from a security perspective. They encounter a higher rate of attack than smaller companies and similar rates of attack as their larger counterparts, but they have fewer employees over which to distribute the cost of the security infrastructure.

In short, mid-market organizations have big company problems and small company budgets with which to solve them.

Major attacks

We found that a “major” attack occurs with alarming frequency. Globally, we found that during 2017, such attacks occurred to the organizations we surveyed at an average of once every 15 months. But US organizations were the hardest hit in 2017, with an average of one attack every 6.7 months. These are highly disruptive events that can take a company off-line for days or weeks.

As just one example of such an attack, consider the City of Atlanta that was infected with ransomware in April 2018 and has spent more than $2.6 million on remediating the compromise. The attack impacted five of the City’s 13 departments and the police department’s records system, as well as causing other mayhem for city employees and the public.

The bottom line is that cybercrime costs enormous amounts that go well beyond the annual security budget. And if companies don’t find a way to put a stop to the cybercrime happening both inside and outside of their walls, they’ll have to pay the price.

ABOUT THE AUTHOR