Imagine someone robs your house. The savvy culprit didn’t leave behind fingerprints, shoe prints, or any other discrete, identifying details. Still, police manage to link the crime to a series of burglaries that happened the next town over, because of the criminal’s behavior. Each robbery occurred in the same way, and in each case, the perpetrator stole many of the same items. Now, new research indicates that the techniques law enforcement use to tie crimes together through behavioral patterns might help in the digital world too.
That’s a big deal: One of the most difficult tasks for cybersecurity researchers is determining who was behind a breach or coordinated attack. Hackers deploy a trove of tools to cover up their tracks, which can obfuscate important details like their location. Some cybercriminals even try to plant “false flags,” purposely left clues that make it appear as though someone else was responsible for a breach.
Sometimes, a malicious actor is only definitively identified because they make a mistake. Guccifer 2.0, the now-notorious Russian hacker persona, was reportedly unmasked in part because they forgot to turn on their VPN, revealing their Moscow-based IP address. Absent such slip-ups, the so-called “attribution problem” makes connecting cybercrimes to specific individuals a daunting task.
The hope is that behavioral patterns may be harder to spoof, and as a result, useful in unmasking digital perpetrators. Matt Wixey, the head of technical research at PwC’s Cyber Security practice in the UK, sees potential value in that “case linkage” or “linkage analysis,” a statistical technique historically used by law enforcement to connect multiple crimes to the same person. Wixey adapted case linkage for cybercriminals and conducted a study to see if it works, the results of which he will present at the DefCon hacking conference Sunday.
Patterns of Behavior
Wixey looked at three different types of behavior that hackers exhibit: navigation, how they move through a compromised system; enumeration, which is how they work out what kind of system they’ve gained access to; and exploitation, how they try to escalate their privileges and steal data. Their real-world equivalents might be how a robber approaches a bank, how they assess which teller to talk to, and what they say to get them to hand over the money.
“It’s based on the assumption that once attackers are on a system, they’re going to behave in consistent ways,” Wixey says. Inspiration for the technique came four years ago, when he took a penetration testing course. “A lot of the students had consistent but distinctive ways of doing things,” he says.
To test whether his cybersecurity case-linkage system works, Wixey gave 10 professional penetration testers, hacking enthusiasts, and students remote access to two systems as low-privileged users. He then monitored how each of them tried to escalate their privileges, steal data, and gather information. Each tester completed two separate hacks.
Afterward, Wixey analyzed their keystrokes using his novel case linkage method to see whether he could identify which hacks were conducted by the same individual. He had 20 sets of keystrokes to work with, and 100 possible pairs.
He found that nearly all of his test subjects moved through compromised systems in a consistent, unique way. Using their navigation patterns alone, he was able to correctly identify that two hacks were done by the same person 99 percent of the time. Enumeration and exploitation patterns were similarly predictive; Wixey could accurately identify that a hack was done by the same person using those methods 91.2 and 96.4 percent of the time, respectively.
The behavioral traits Wixey looked at were far more predictive than other sorts of metadata he collected, like how much time lapsed between each subject’s keystrokes. One of these characteristics, however, was somewhat useful: The number of times they hit the backspace key. Using that alone, he could correctly link two hacks together 70 percent of the time. That’s somewhat intuitive; a more experienced penetration tester will likely make fewer mistakes.
Wixey’s preliminary experiment suggests that cybercriminals behave like their real-world counterparts: They have consistent, individual ways of carrying out their deeds. That means it might be possible to link a cybercriminal to a series of hacks without evidence that can be easily spoofed or concealed, like an IP address, or the time zone during which they’re active.
For now though, it would be difficult to use Wixey’s technique during a real-time breach, since it requires a keystroke logger running while the hacker is on a compromised system. Wixey says his technique could instead be set up to run on a honey pot—a purposely designed trap—to monitor what kinds of hackers might be targeting a specific government or corporation.
While Wixey’s results are promising, his study also had a number of limitations, including that it only had 10 participants, who had varying levels of expertise. It’s possible, for example, that it might be more difficult to differentiate between experienced hackers than novice ones. His test subjects also all used linux operating systems and were given remote access rather than physical access. Different circumstances could yield varying results.
And then there’s the limitations of case linkage theory itself. It doesn’t work as well in the real world with extremely personal crimes, or those that involve contact with a victim, like homicide, because a victim’s actions may alter how the perpetrator behaves. The same might hold true in cybersecurity. For example, “an attacker might have to adapt their behavior if there are [different] security mechanisms in place,” Wixey says.
Even if Wixey’s case linkage technique isn’t precise enough to identify an individual, it could still have value in helping to confirm that the same type of hacker executed a breach. For example, it might indicate that they were trained to penetrate a system the same way as other confirmed North Korean or Russian hackers had in the past, suggesting they might share the same mentor or be part of the same team.
Case linkage analysis certainly isn’t a silver bullet. If it’s ever used in breach attribution, it will likely need to be used in tangent with other methods. Still, deciphering who’s behind the keyboard when a cyberattack hits remains one of the most troublesome tasks for law enforcement and researchers. Every new tool helps—especially if it involves an attribute that can’t be easily hidden.