Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security (training document repository)


Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security
Gary M. Jackson, PhD

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2012 by Gary M. Jackson. Published by John Wiley & Sons, Inc., Indianapolis, Indiana. Published simultaneously in Canada.

ISBN: 978-1-118-16613-0
ISBN: 978-1-118-22625-4 (ebk)
ISBN: 978-1-118-23956-8 (ebk)
ISBN: 978-1-118-26418-8 (ebk)

Manufactured in the United States of America.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2012933633

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc., and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

Disclaimer: All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the CIA or any other U.S. Government agency. Nothing in the contents should be construed as asserting or implying U.S. Government authentication of information or Agency endorsement of the author's views. This material has been reviewed by the CIA to prevent the disclosure of classified information.

Dedication

I dedicate this book to the Reverend Manuel Lee Jackson and Linnie Mae Jackson, my loving parents, recently deceased, and my sister, Reita (DeDe) Carringer, and brother, Kevin Lee Jackson.

About the Author

Dr. Gary M. Jackson is an Assistant Vice President and Technical Lead within the CyberSecurity Business Unit at Science Applications International Corporation (SAIC). A behavioral psychologist with specialties in artificial intelligence and automated assessment, Dr. Jackson has designed and developed scores of advanced applications across both corporate and U.S. Government settings. Dr. Jackson's career has spanned academia as Assistant and Associate Professor (University of South Florida), Director of R&D and Treatment Development in various clinical settings, Research Psychologist within the U.S. Secret Service Intelligence Division, Intelligence Officer and Chief of three advanced technology branches within the Central Intelligence Agency, Vice President and Director of Research and Development for Psychological Assessment Resources (PAR), Director of the Center for the Advancement of Intelligent Systems (CAIS) for the American Institutes for Research, and, until recently, the Founder, President, and CEO of Psynapse Technologies in Washington, D.C. Dr. Jackson has extensive R&D and field experience in counterterrorism, counterintelligence, and asymmetric warfare prediction. He was a former President of the Florida Association for Behavior Analysis (FABA). He holds B.A. and Ph.D. degrees from Southern Illinois University–Carbondale and an M.A. degree from University of Illinois. He has completed additional postdoctoral training in neurophysiology at the University of South Florida Medical School. Fusing the behavioral and computer sciences, Dr. Jackson is the inventor of the patented automated behavioral assessment (AuBA) technology, CheckMate intrusion protection system, InMate misuse detection system for insider threat, and automated prediction of human behavior technology.

Credits

Executive Editor: Carol Long
Senior Project Editor: Kevin Kent
Technical Editor: Dr. Eric Cole
Production Editor: Kathleen Wisor
Copy Editors: Caroline Johnson, Gayle Johnson
Editorial Manager: Mary Beth Wakefield
Freelancer Editorial Manager: Rosemarie Graham
Associate Director of Marketing: David Mayhew
Marketing Manager: Ashley Zurcher
Business Manager: Amy Knies
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Neil Edde
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Katie Crocker
Proofreader: Nicole Hirschman
Indexer: Johnna VanHoose Dinse
Cover Designer: Ryan Sneed
Media Project Manager: Laura Moss-Hollister
Media Associate Producer: Josh Frank
Media Quality Assurance: Doug Kuhn

Index

NUMBERS

9/11 attacks: countermeasure lack, 74; new forms of attack and, 74; Pearl Harbor comparison, 70–71; Tillman, Mark, 113

A

ABAB design, 208
ABC (antecedent-behavior-consequence sequence): BAF (Behavior Analysis Form), 209–210; behavior modeling and, 175–176; patterns of behavior and, 170; predicting behavior and, 170
abnormal behavior, behavior analysis and,
acts of anger, surrogate targets and, 98
adversarial behavior: AuBA, global, 190–192; consistency, 319–320; data gathering for understanding, 187–190; historical data, 191–192; influencing/preventing, 178–180; predicting, 178, 194–196; transitions, 434–435
adversaries, sophistication, 142–144
al-Qaeda: attack targets, 41–42; basic tenets, 36; behavior analysis, 43–44; fatwas, 42–43; franchise comparison, 40–41; future targets, 44; group dynamics, 41–42; Israel common enemy with Hezbollah, 45; leadership, 40–41; leadership deaths, 71; motivation, 42; structure, 41; ThemeMate, 37–41; as top terrorist threat to U.S., 71; U.S. citizen members, 238; war and, 42–43
amateur insider threat, 287–288
Ames, Aldrich, 24, 240, 245–246
Analysis ToolPak (Microsoft), 340–344
ankle biters, 116
anomalies, 266–267; anticipating, 269–270
anomaly detection: AuBA and, 456–457; criminal behavior, 272–273; network security, 80, 105–106, 124–128, 266–267, 271–272; advantages, 267; disadvantages, 267–268; methods, 269; normal definition, 126–128; reactivity of network security, 293–294; terrorism, 270–271
anonymity, hackers and, 18–19
Anonymous cyber threat, 51
antecedent-behavior-consequence sequence. See ABC (antecedent-behavior-consequence sequence)
antecedents: area of influence and, 171–172; AuBA, 366–367; behavioral chain; environmental, 167; militant action and, 72; stability, 172
anticipating events, 445–446
APTs (advanced persistent threats), 17: China's Google attack (Operation Aurora), 289; growth, 150; insider threat, 292–293; McAfee definition, 51
area of influence, antecedents and, 171–172
ARPANET, 115
asymmetric warfare, 66: anticipating future, 145–146; terrorists, 106
ATM thefts, ThemeMate and, 341–342
atomic bomb, 64–65
attacks: detection, first-time attacks, 107–109; element of surprise in, 105–106; informed security and, 155–156; first-time, behavior analysis and, 273; first-time, identifying, 263–266; as focus rather than people, 93; handshake connection, 126; unanticipated, 128; terrorism, 146–147; unknown, identifying, 263–266; zero-day, 108–109, 123; zero-day, signature detection and, 169
AuBA (automated behavior analysis), 11: adversarial behavior, 175–176; adversarial behavior, global, 190–192; adversarial behavior, influencing/preventing, 178–180; adversarial behavior, predicting, 178; analytical brain extension, 402–404; ANNs (artificial neural networks), 156; anomaly detection, 456–457; antecedents, 366–367; anticipating events, 445–446; applied behavior analysis, extensions, 181; applying, 351–352; applying to cyber attacks, 411–412; applying to future threat, 406–407; applying to network security, 412–422; AutoAnalyzer, 177; AutoAnalyzer as predictive tool, 217; automated summarization, 29–32; automation, 481–485; automation methodology, 485–491; behavioral science automation, 201–205; behaviorprints, 118–119, 295; behaviorprints, signature detection and, 326–327; behaviorprints, state-sponsored threat, 322–325; benefits, 378; BPN (back propagation network), 157; CheckMate, 19; CheckMate, adversarial behavior, 178; CheckMate, deception measure, 134; CheckMate, domestic threat, 232; CheckMate, expertise measure, 134; CheckMate, external threats, 132, 413–417; CheckMate, first-time attack detection, 108–109; CheckMate, human behavior and, 173; CheckMate, network security, 396–399; CheckMate, phishing module, 187; CheckMate, predictive application, 418–419; CheckMate, proactive application, 417–418; CheckMate, protective application, 419–420; CheckMate, real-world event prediction, 198–199; CheckMate, signature detection, future signatures, 263; CheckMate, testing, 400–402; CheckMate, threat, early identification, 173–174; CheckMate, validation, 400–402; clinical case examples, 472–479; clinical case examples, analysis and solution, 475–476; computer science automation, 201–205; confusion matrix, 313; current security fixes, 468–469; error reduction in manual predictive modeling, 87–89; extensions, 225–227; features, 378; first-time attack detection, 107–108; future, 469–470; global security and, 180–182; methodology, 312–313; modeling methods, 311–317; human behavior assessment of threats from network packets, 135–136; information gathering, 430–432; information gathering, document selection, 432–433; information gathering, missing data, 435–440; InMate, 18–19, 83, 132–133; InMate, adversarial behavior, 178–179; InMate, Deception rating, 133; InMate, domestic threat, 232–233; InMate, human behavior and, 173; InMate, insider threat, 420–422; InMate, Intent ratings, 133; InMate, network security, 396–397, 399–400; InMate, real-world event prediction, 198–199; L-1 (Leaving-One-Out) validation, 200–201, 207, 312–313; model focus, 227–228; modeling, correlations, 441–442; modeling, frequency, 441; modeling, judgment, 441; modeling, predicting with model, 389–390; modeling, predictive modeling and, 395; modeling, results from multiple, 444–445; modeling, sensor output, 393–402; network security, 275–276; network security, automated characterization, 447–448; network tools, 82; overview, 358–359; pattern classification, 156–158; predictive analysis engines, 296–297, 379–380; predictive analysis engines, AutoAnalyzer and, 491–494; predictive applications, 109–111; predictive indicators, 366–367; predictive modeling, 252–253; proactive action, 252–253, 458–459; procedures, 224; reasons for development, 176–177, 349; signature detection, 455–456; SPR (statistical pattern recognition), 156; technological advances and, 354–355; terrorism prediction, 336; text as input, 486–488; theme-guided smart searches, 59–61; ThemeMate, 30–32, 88, 177, 215–216, 341; ThemeMate, accuracy, 375–376; ThemeMate, al-Qaeda, 37–41; ThemeMate, ATM thefts, 341–342; ThemeMate, AutoAnalyzer and, 217–220, 377–379; ThemeMate, compression, 366; ThemeMate, cultural issues, 352; ThemeMate, cyber threats, open source models, 390–393; ThemeMate, document processing, 364–366; ThemeMate, language and, 363–364; ThemeMate, modeling, 384–393; ThemeMate, news articles, 387–388; ThemeMate, Old Testament trial, 365; ThemeMate, overview, 359–360; ThemeMate as predictive tool, 216–217; ThemeMate, processing text corpus, 488–491; ThemeMate, significant features, 360–361; ThemeMate, theme components file, 385, 436; ThemeMate/AutoAnalyzer combination, 217–220; tools versus applications, 383; versatility, 423
AuBASME (AuBA Subject Matter Expert), 200: automated behavior analysis, 313–317; CBRN and, 315–317; missing data and, 436–437; predicting behavior and, 437–440; predictive modeling and, 205–206; qualifications, 205–206
AutoAnalyzer, 88–89, 177, 359: data array construction, 367–372; internal workings, 493–494; neural networks and, 374; overview, 373–374; predictive engines, 491–494; as predictive tool, 217; ThemeMate combination, 217–220; ThemeMate integration, 377–379
automation: bias removal and, 350–351; ThemeMate and, 361–362

B

BAAs (Broad Area Announcements), 379
BAF (Behavior Analysis Form), 209–210
Bandura, Albert, modeling behavior, 103–104
Bayesian analysis, 344
behavior: acquiring through modeling, 103–104; consequences, 165; definition, 167; different results from same event, 95–96; insider threat and, 283–292; motivation and, 36; patterns (See patterns of behavior); predicting by past accounts, 35, 75, 170
behavior analysis: abnormal behavior; al-Qaeda, 43–44; antecedent, 167; automation, 350–351; behavior principles and, 166–169; bias, removing, 15; Bundy, Ted, 6, 11–15; complexities of malicious behavior, 13–15; consequences, 167; consequences, cultural perspective, 174–175; copycat behavior; first-time attacks, 273; hackers; Hezbollah, 48–50; human bias and, 345–349; human bias, identifying, 349–350; individuals, advantages/disadvantages, 25–26; individuals, The Chameleon, 27–28; individuals, The Loner, 27; individuals, The Social Misfit, 28–29; individuals, variances in individuals, 26–27; methodology, 163–166; observation, 168, 188–189; predicting behavior and, 167; Reid, Richard, 6–11; subjectivity, removing, 15; technology enhancement and, 134
behavior modeling, 175–176: ABC and, 175–176; predictive modeling, 175
behavior principles, behavior analysis and, 166–169
behavioral chain, Richard Reid,
behavioral methodologies, 207–208: ABAB design, 208; manual approach, 209–211; manual approach, computer tools support, 211–213; within-subject design, 208
behavioral modeling, automated tools, 213–220
behavioral science, 325–326: paradigm shift, 459–463; technology and, 332–333; technology, computer speed and memory, 337–345; technology, polls, 333–334; technology, software need, 340–345; technology, stock market prediction, 334–336
behavior-based analytics, 192–194
behaviorprints (AuBA), 118–119, 295: signature detection and, 326–327; state-sponsored threat, 322–325
bias, 376–377: analysis and, 345–349; automation and, 350–351; behavior analysis, 15; identifying, 349–350; ThemeMate, 376–377
biological attack, 85: global threat, 308; threat, overview, 85–86
Black Hat meetings of hackers, 56
bombings: dirty bombs, 86–87; suicide, 73; suitcase bombs, 309
BPN (back-propagation neural network), 428
Branch Davidians, Timothy McVeigh and, 93–94
brush pass/digital brush pass, 250
bullying, 98: adult involvement, 102; gender issues, 102
Bundy, Ted, 6, 11–15: as Chameleon, 27–28

C

causation, inferring, 372
causes, terrorists and, 94
CBRN (chemical, biological, radiological, and nuclear) threats, 84–85, 147–148: AuBASME and, 315–317; biological attack, 85; chemical attack, 84; global threat, 307–308; global threat, biological, 308; global threat, chemical threat, 307–308; global threat, nuclear, 309–310; global threat, radiological, 308–309; nuclear attack, 85; radiological attack, 85
CERT team, 119
CheckMate, 18: adversarial behavior, 178; deception measure, 134; domestic threat, 232; expertise measure, 134; external threats, 132, 413–414; external threats, automated human behavior assessment, 415–417; external threats, human behavior, 414; first-time attack detection, 108–109; human behavior and, 173; network security, 396–397; network security, intrusion protection system, 397–399; phishing module, 187; predictive application, 418–419; proactive application, 417–418; protective application, 419–420; real-world event prediction, 198–199; signature detection, future signatures, 263; testing, 400–402; threat, early identification, 173–174; validation, 400–402
chemical attack, 84: global threat, 307–308
China: APTs (advanced persistent threats), 51–57; cyber threat, 50; cyber threat, behavior analysis, 57–59; cyber threat, motivation, 56–57; cyber threat to U.S. technology secrets, 51–53; Google attack (Operation Aurora), 289; PLA (People's Liberation Army), 53–54
Cho, Seung-Hui, 28–29
Clarke, Richard A., Cyber War: The Next Threat to National Security and What to Do About It, 304
Cole, Eric B., on APT, 292
Columbine High School shootings, 92
combinatorial explosion, 263–264
communications, timing, 64–65
compression, 366
computer assistance. See also AuBA (automated behavior analysis): digital brush pass, 250; digital cutouts, 251; digital dead drop, 249–250; early, 248; Internet, development, 249; memory and speed versus humans, 337–345; Microsoft Analysis ToolPak, 340–345; portable computing, advent of, 248–249; software need, 340–345; SPSS (Statistical Package for the Social Sciences), 345; statistical packages, 344–345; surveillance and, 261–262; tools, 338–340
confusion matrix, 313
consequences, 3, 165: behavioral chain; cultural perspective, 174–175; definition, 167; environmental conditions, 167; suicide bombers, 174; timing, 172
context in predicting behavior, 426–428
contingency management, 188
control, lack of in threats, 70
coordinated group cyber threats, 50–51: Anonymous, 51
copycat behavior,
correlations, 370
country-level threats: assault, 68; biological, 68; chemical, 68; cyber attack, 67; cyber theft, 67; explosives, 68; IED explosives, 68; national infrastructure, 64–69; nuclear, 68; radiological, 68; suicide attacks outside U.S., 68; technology and, 63–64; warfare, asymmetric warfare, 66; warfare, atomic bomb, 64–65; warfare, nuclear warheads, 65
CREATE (Center for Risk and Economic Analysis of Terrorism Events), 152–153
criminal behavior, anomaly detection, 272–273
criminal signatures, 260–262: al-Qaeda, 261; Bundy, Ted, 261
cultural issues, 352
cultural perspectives: consequences, 174–175; ThemeMate and, 352
cyber attackers. See hackers
cyber attacks: anomaly detection, 105–106; AuBA application, 411–412; global threat and, 301; global threat, state-supported, 304–306; objectives, 79; signature detection, 105–106; signature detection, known attacks and, 256–262; terrorists, unanticipated, 104–107; unanticipated, 128; U.S. as target, 138–139
cyber theft: group behavior, 187; hackers and, 23–25; national security, probability, 142; phishing, 187; state-supported terrorism and, 67
cyber threats: Anonymous, 51; blacklist, 54; coordinated groups, 50–51; ThemeMate, open source models, 390–393; whitelist, 54
Cyber War: The Next Threat to National Security and What to Do About It (Clarke and Knake), 304

D

Dahmer, Jeffrey,
DARPA, 115
data arrays (AutoAnalyzer), 367–372
dead drop, 241, 244: digital dead drop, 249–250
death by cop, public violence and, 101
deception: CheckMate and, 18; e-mail, 251; insider threat and, 290–291
Department of Homeland Security, formation, 66
digital brush pass, 250
digital cutouts, 251
digital dead drop, 249–250
dirty bombs, 86–87, 308–309
disgruntled employees: insider threat and, 241; workplace shootings, 101
document processing in ThemeMate, 364–366
document selection for basic corpus, 432–433
domestic threat, 231: CheckMate, 232; foreign threat differentiation, 236–239; InMate, 232, 233; insider threat, 232; insider threat, insider description, 239–240; insider threat, sabotage, 242–243; insider threat, spies, 239–240; targeting and, 234; terrorism, 235; terrorism, surveillance and, 237–238
DOS (denial-of-service) attack, 16, 23: foreign attack on U.S. networks, 55
dual terrorist attack, 22–23

E

element of surprise in an attack, 105–106: informed security and, 155–156
e-mail, malware, 143, 251
employees: disgruntled, workplace shootings, 101; insider threat, 241
environment: adaptation to, 164; antecedents, 167; consequences, 167; interactions and, 172; meaning in, 164; Skinner, B.F., 164; studying, 165; variables, 169–170
Espionage Against the United States by American Citizens 1947–2001 (Herbig and Wiskoff), 246
Excel, 212–213, 340–344
explosives: dirty bombs, 86–87; IEDs, 73; suicide bombings, 73; suitcase bombs, 309
external data, predicting behavior and, 433–434

F

false negatives in signature detection, 123–124
financial markets, national security and, 152–153
first-time attacks: behavior analysis and, 273; detecting, 107–109; identifying, 263–266
focus words (ThemeMate), 38
food terrorism, 148
foreign threat/domestic threat differentiation, 236–239
foreign threats to network security, 82–83
forensics, 319–320: motivation and, 320
forensics (network), 317–319: analysis, 318; attack identification, 173; collection, 318; examination, 318; Ranum, Marcus, 273; reporting, 319; signature detection, 122
Fort Hood shootings, 234
future signatures, 453–454

G

Gallup Poll, 334
genius portrayal of hackers, 115
global adversary behavior, AuBA and, 190–192
global security, AuBA and, 180–182
global threat: AuBA modeling methods, 311–312, 440–442; AuBA modeling, correlations, 441–442; AuBA modeling, frequency, 441; AuBA modeling, judgment, 441; AuBA modeling, methodology, 312–313; AuBA modeling, multiple models, 442–444; CBRN, biological threat, 308; CBRN, chemical threat, 307–308; CBRN, nuclear, 309–310; CBRN, radiological, 308–309; cyber attacks, 301; cyber attacks, state-supported, 304–306; interconnectedness and, 299–300; state-sponsored, 300–301; state-sponsored, cyber attacks, 304–306; state-sponsored, organized support, 301–306
group behavior, 183: behavior-based analytics, 192–194; cyber theft, 187; MO (modus operandi), 186; objectives, 185; terrorists, motivation emphasis, 186; threat, move to action, 185–186
groups: characteristics, 35; description, 36; versus individuals, 29; individuals' motivations, 97; members, behavior analysis and; motivation, malicious intent/behavior and, 36; pressure from other members, 36

H

hackers, 6, 15–16: ankle biters, 116; anonymity and, 18–19; APTs (advanced persistent threats), 17; Black Hat meetings, 56; DOS (denial-of-service) attack, 16, 23; genius portrayal, 115; motivation, 20–21; national network security, 114–117; power of disruption, 21–23; recognition desires, 116; script kiddies, 116; state-supported terrorism and, 67; target detachment, 19–20; theft and, 23–25; threat identification, 16–17
hacking, malicious intent, 116
handshake connection, 121: attackers and, 126
Hanssen, Robert, 24, 241, 245: dead drop, 244
Harris, Eric, 92
Hasan, Nidal, 234
Hawkins, Robert, 92
Herbig, Katherine L., Espionage Against the United States by American Citizens 1947–2001, 246
Hezbollah, 45: behavior analysis, 48–50; consistency, 46–48; forms, 46; Iranian support, 66; Iranian ties, 45; Israel common enemy with al-Qaeda, 45; Katyusha rockets, 48; motivation, 47; Nasrallah, Sayyed Hasan, 46; organization, 45–46; ThemeMate, 45
HFT (High Frequency Trading), 334–336
hiding information, 285–286
historical data, 199: adversarial behavior, 191–192; missing, 199–200
hollow-point ammunition, 28–29
human behavior: CheckMate and, 173; InMate and, 173; network security and, 130–133; packet switching networks and, 131–132; threats assessment from network packets, 135–136

I–J

IEDs (improvised explosive devices), 73
IEP (individualized education plan), 189–190
individual behavior modeling: advantages/disadvantages, 25–26; The Chameleon, 27–28; The Loner, 27; The Social Misfit, 28–29; variances in individuals, 26–27
individual versus group, 29
information gathering, predicting behavior and, 430–432: document selection, 432–433; missing data, 435–440
information hiding, 285–286
informed security, element of surprise and, 155–156
infrastructure: computer/network dependencies, 140; country-level threats and, 64–69; future attacks, MOs, 140–141; National Infrastructure Protection Plan, 140
InMate, 18, 83, 132–133: adversarial behavior, 178–179; Deception rating, 133; domestic threat, 232–233; human behavior and, 173; insider threat, 420–422; Intent ratings, 133; network security, 396–397; network security, misuse detection system, 399–400; real-world event prediction, 198–199
insider threat: amateurs, 287–288; deception and, 290–291; disgruntled employees, 241; domestic threat, 232; flags, 282; hiding information, 285–286; ideology changes, 282–283; insider behaviors, 283–292; insider description, 239–240; Manning, Bradley, 118; methods of operation, 284–285; MOs, 284–285; motivations of insiders, 281–284; network security, 82–83, 117–118; network security, InMate, 420–422; network thief, behavior of, 291–292; professionals, 288–290; protection, trends in, 292–295; sabotage, 242–243; significance of, 279–281; spies, 240–242; tradecraft, known tradecraft, 243–244; tradecraft, new tradecraft, 246–247; tradecraft, traditional-new hybrid, 247; without intent, 278
insiders, definition, 278–279
intent, motivation and, 36
interconnectedness: global threat and, 299–300; growing dependency, 138–139
internal threats: InMate, 132–133; network security, 277–278
Internet, development, 249
ISC (Internet Storm Center), 119

K

Kaczynski, Theodore ("Ted"), 27
Kikumura, Yu, 270
Klebold, Dylan, 92
Knake, Robert K., Cyber War: The Next Threat to National Security and What to Do About It, 304
knowledge engineers, 314
known attacks, network security, signature detection, 256–262
known tradecraft, 243: brush pass, 244; steganography, 245

L

language, ThemeMate and, 363–364
Libyan state-supported terrorism, 303–304

M

mailbox limit exceeded spear phishing scam, 262
malicious hackers as geniuses, 115
malware, 143: e-mail, 251
Manning, Bradley: insider threat and, 118; methods compared to Jonathan Pollard, 286; tradecraft, 247
manual approach to behavioral methodology, 209–211: computer tools support, Excel, 212–213; computer tools support, MatLab, 211; computer tools support, SPSS, 211
Maslow, Abraham, 149, 163–164
Maslow's Hierarchy of Needs, 149, 163–164
McVeigh, Timothy, 92: Branch Davidians and, 93–94
media depiction of violence, 103: "villain with technology" movie genre, 142–143
Microsoft Analysis ToolPak, 340–344
militant action, 72
miniaturization, theft and, 247
Minority Report, 453
missing data, 435–440
misuse detection system (InMate), 399–400
MNLF (Moro National Liberation Front), 304
MO (modus operandi), 46: eye for an eye principle, 50; group behavior, 186; insiders, 284–285
modeling behavior, 103–104, 175–176: predictive modeling, 175
motivation: al-Qaeda, 42; Bundy, Ted, 12–13; criminal signatures, 260–262; forensics and, 320; hackers, 20–21; Hezbollah, 47; insider threats, 281–283; insider threats, flags, 282; insider threats, ideology changes, 282–283; insider threats, revenge, 283–284; malicious intent/behavior and, 36; method pairing, 233; Reid, Richard, 8–9
movement tracking, sensor output and, 394–396

N

Nasrallah, Sayyed Hasan, 46
national infrastructure: country-level threats and, 64–69; future attacks, probable activity, 141–142; National Infrastructure Protection Plan, 140
national network security, hacking, 114–117
national security: adversary's capabilities, 142–144; Americans' worldwide safety, 150–152; cyber theft, probability, 142; financial markets, 152–153; future attacks, MOs, 140–141; future attacks, probable activity, 141–142; informed security, 155–156; networks, growing dependency, 138–139; NEW (new emergent weapon), 141; proactive methods, 154; proactive methods, moving from reactive, 154–155; water/food resources, 148–150; WMDs (weapons of mass destruction), 147–148
NEO, 280
network attacks. See cyber attacks
network behavior, human behavior augmentation, 130–131
network security, 78–79: 9/11 attacks, 464; anomaly detection, 80, 105–106, 124–128, 266–267, 271–272; anomaly detection, advantages, 267–268; anomaly detection, disadvantages, 267–268; anomaly detection, methods, 269; anomaly detection, normal definition, 126–128; anticipating unknown, 106–107; attack detection technology, 81; AuBA application, 412–413; AuBA application, automated characterization, 447–448; AuBA application, CheckMate, 413–420; AuBA application, InMate, 420–422; AuBA network tools, 82, 275–276; bail out, 464–465; CERT team, 119; CheckMate, 396–399; current, 79–82, 465–469; current technology, 83–84; cyber attacks, objectives, 79; economy fall, 464–465; effectiveness, 150; external threats, CheckMate, 132; first-time attack identification, 263–266; fixing ineffective, 128–132; foreign threats, 82–83; forensics, 273, 317–319; forensics, analysis, 318; forensics, collection, 318; forensics, examination, 318; forensics, reporting, 319; future protection technology, 133–134; increases in damage and threat, 117–120; InMate, 396–397; InMate, misuse detection system, 399–400; insider threat, 82–83; internal threats, 277–278; internal threats, InMate, 132–133; national, hacking, 114–117; paradigm shift, 294–295; proactive, 458–459; proactive state, 129–130; reactivity, 81, 293; reactivity, anomaly detection and, 293–294; reactivity, AuBA and, 295; reactivity, shifting to proactive capabilities, 294–295; reactivity, signature detection and, 293; SANS Internet Storm Center, 119; signature detection, 80, 105–106, 120–122, 258–259; signature detection, false negatives, 123–124; signature detection, forensics, 122; signature detection, known attacks, 256–262; signature detection, problems with, 257–258; signature detection, Snort rule, 260; signature detection, terrorism comparison, 259–260; Sophos Security Threat Report 2011, 255; Soviet Union and, 463–464; surrender principle, 80; unanticipated attacks, 128; unknown attack identification, 263–266; zero-day attacks, 123
networks: handshake, 121; national security, growing dependency, 138–139; packet switching network, 121; packet switching network, human behavior assessment of threats on, 135–136; packet switching network, human intent identification, 131–132; packet switching network, predictive modeling and, 395
neural networks and AutoAnalyzer, 374
NEW (new emergent weapon), 141
new tradecraft, 246–247
news articles in ThemeMate, 387–388
nuclear attack, 85: global threat, 309–310
nuclear warheads, 65

O

observation in behavior analysis, 168, 188–189
Occupy Wall Street movement, 20, 409–410
Oklahoma City bombing, 92
Oklahoma City National Memorial, 95
Old Testament trial, 365
Omaha, Nebraska, Westroads mall shooting, 92
open source cyber threat models (ThemeMate), 390–393
Osama bin Laden, 31–32: al-Qaeda leadership and, 71
overview, 359–360

P–Q

packet switching network, 121: bundles of activity, 131; human intent identification, 131–132; predictive modeling and, 395; threats, human behavior assessment, 135–136
Padilla, Jose, 309
Pakistan state-supported terrorism, 303–304
paradigm shift in network security, 294–295: behavioral science-based, 459–463
past information: predicting behavior and, 274; usage updates, 274–275
pattern classification (AuBA), 156–158
patterns of behavior, ABC and, 170
Patterns of Global Terrorism (State Department), 235
Pearl Harbor, 9/11 comparison, 70–71
penny stock investments, 350
PFLP (Palestine Front for the Liberation of Palestine), 304
phishing: CheckMate module, 187; spear phishing, 262
PLO (Palestine Liberation Organization), 304
Pollard, Jonathan, 246: methods compared to Bradley Manning, 286
polling, 333–334
portable computing, advent of, 248–249
pre-crime methods, 453–454
predicting behavior: adversarial, 178, 194–196; analysis, groups, 429–440; analysis, individuals, 429–440; antecedents and, 170; antecedents, stability and, 172; anticipating events, 445–446; applied behavior analysis and, 167; area of influence and, 172; AuBASME and, 437–440; automation, 481–485; automation methodology, 485–491; AutoAnalyzer, 217; consequences and, 170; consequences, timing, 172; context and, 426–428; environment, interactions with, 172; external data, 433–434; future signatures, 453–454; historical information, 199–200; information gathering, 430–432; manual methods, 331–332; new adversary threat, 452–453; past accounts, 35, 75, 170, 184, 199; past accounts and, 274; ThemeMate, 216–217
predicting events, 198
prediction: definition, 196; methodology versus statistics, 197; reliability, 197; validity, 197
predictive applications: AuBA, 109–111; False Negative, 195; False Positive, 195; True Negative, 195; True Positive, 195
predictive indicators (AuBA), 366–367
predictive modeling, 175: data processing, 206–207; input data, 204–205; input data, AuBASME, 205–206; input data, historical events, 205; model construction, 203–207; model development, 206–207; SMEs (subject matter experts), 204; testing, 207; validation, 207
predictive security model, terrorism and, 77
predictive surveillance, 225
presidential polls, 333–334
proactive methods for national security, 154: moving from reactive, 154–155
proactive security, 458–459
professional insider threat, 288–290
protocol anomaly detection, 105
public violence, 92–104: death by cop, 101; precursors, 101; as suicide mission, 101–102; surrogate targets in acts of anger, 98; workplace shootings, 101

R

radiation, dirty bombs, 86–87
radiological attack, 85: dirty bombs, 86–87; global threat, 308
rare event prediction, 306–310
reactivity of network security, 81
Reid, Richard, 6–11
reliability, definition, 311
repeated behavior, signature detection and, 257
resources, national security, 148–150
revenge, insider threat and, 283–284
RFP (Requests for Proposal), 379
Russian state-supported terrorism, 303

S

sabotage, 242–243
sampling, 333–334
SANS Internet Storm Center, 119
Scheuer, Michael, 31–32
script kiddies, 116
security: global, AuBA and, 180–182; malicious behavior reduction and, 76–77; national (See national security); network security, 78–79; network security, anomaly detection, 80, 124–128; network security, anticipating unknown, 106–107; network security, attack detection technology, 81; network security, AuBA network tools, 82; network security, current, 79–82; network security, current technology, 83–84; network security, cyber attack objectives, 79; network security, fixing ineffective, 128–132; network security, foreign threats, 82–83; network security, future protection technology, 133–134; network security, increases in damage and threat, 117–120; network security, insider threat, 82–83; network security, national, 114–117; network security, proactive state, 129–130; network security, reactivity, 81; network security, signature detection, 80, 120–124; network security, surrender principle, 80; network security, unanticipated attacks, 128; network security, zero-day attacks, 123; predictive security model, terrorism and, 77; public places, 99
sensor output, 393: movement tracking, 394–396
Shia Muslims, Hezbollah, 45
shoe bomber. See Reid, Richard
signature detection: AuBA and, 455–456; behaviorprints (AuBA) and, 326–327; CheckMate, future signatures, 263; combinatorial explosion and, 263; criminals, 260–262; criminals, al-Qaeda, 261; criminals, Bundy, Ted, 261; network security, 80, 105–106, 120–122, 258–259; network security, false negatives, 123–124; network security, forensics, 122; network security, known attacks, 256–262; network security, problems with, 257–258; network security, repeated attacks and, 169, 257; network security, Snort rule, 260; network security, terrorist attacks, 141; network security, zero-day attacks, 169; reactivity of network security, 293; terrorism, 259–260
significant features, 360–361
Silk Stalkings, 244
Skinner, B.F., environment and, 164
SME (subject matter expert): descriptions, predictive modeling and, 204; qualifications, 205–206
Snort rule, network security, 260
Sophos Security Threat Report 2011, 255
spear phishing, 262
speed, 375
spies, 240–242
spy gear, ease of purchase, 246–247
state-sponsored threat, 300–301: behaviorprints (AuBA), 322–325; cyber attacks, 304–306; evidence gathering, 321–322; organized support, 301–302; organized support, foreign-supported terrorist attacks, 302–304
state-supported terrorism, 66: threat types, 67–68
statistical software packages, 344–345
steganography, 245: insider threat and, 286; notes in images, 251
stimulus control, 219
stock market predictions: HFT (High Frequency Trading), 334–336; penny stock investments, 350
student suicide, 98: gender differences, 102; warning sign awareness, 102–103
subjectivity, behavior analysis, 15
suicide: public violence and, 101–102; student, 98; student, gender differences, 102; student, warning sign awareness, 102–103
suicide bombings, 73: consequences, 174
suitcase bombs, 309
Sunni Islam, 41
surprise in an attack, 105–106
surrender principle, 80
surveillance: criminal activity and, 261–262; domestic terrorism and, 237–238; predictive, 225

T

Taleb, Nassim Nicholas, The Black
Swan: The Impact of the Highly Improbable, 306 technology See also computing power attack detection, first-time attacks, 107–109 behavior analysis enhancement and, 134 behavioral science and, 332–333 computer speed and memory, 337–345 polls, 333–334 software need, 340–345 stock market prediction, 334–336 country-level threats and, 63–64 future capabilities, 118–119, 133–134 versus human suicide bomber, 73 network security, 83–84 uses, 219–223 “villain with technology” movie genre, 142–143 bindex.indd 512 terrorism al-Qaeda top threat to U.S., 71 U.S citizens members, 238 anomaly detection, 270–271 asymmetric warfare, 106 attack prevention in U.S., 75–77 AuBA prediction, 336 causes, current threats to U.S., 70–75 cyber attacks, unanticipated, 104–107 domestic, 235 surveillance and, 237–238 dual attack, 22–23 food terrorism, 148 IEDs (improvised explosive devices), 73 increase ineffectiveness, 66 security, predictive security model, 77 signature detection, 259–260 specific attack threat, 69–70 state-supported, 66, 302–303 Libya, 304 Pakistan, 303–304 Russia, 303 threat types, 67–68 unanticipated attacks, 146–147 weapons of mass destruction and, 71 terrorists causes, 94 group formation, 75 group motivation emphasis, 186 repeat perpetrators, 75 sharing resources, 74 U.S citizens acting alone, 408–409 al-Qaeda, 238 foreign agents, 408 leaving country, 408 testing, CheckMate, 400–402 text as input, 486–488 text summarization (compression), 366 The Black Swan: The Impact of the Highly Improbable (Taleb), 306 The Chameleon, 27–28 theft See also cyber theft miniaturization and, 247 network thieves, 291–292 tradecraft known tradecraft, 243–244 new tradecraft, 246–247 traditional-new hybrid, 247 theme-guided smart searches, 59–61 ThemeMate, 30–32, 88, 177, 215–216 accuracy, 375–376 al-Qaeda, 37–41 ATM thefts, 341–342 AutoAnalyzer combination, 217–220 integration, 377–379 cyber threats, open source models, 390–393 modeling adversarial groups, 386–387 adversaries, 386–387 model 
testing, 388–389 text accounts from past behavior, 384–393 news articles, 387–388 processing text corpus, 488–491 theme components file, 385, 436 themes, 156–157 threat identification early, CheckMate, 173–174 5/15/2012 11:30:39 AM Index hackers, 16–17 threats analysis, 184 biological attack, overview, 85–86 CBRN (chemical, biological, radiological, and nuclear), 84–87 domestic foreign threat differentiation, 236–239 insider threat and, 232 targeting, 234 terrorism, 235 external, CheckMate, 132 global cyber attacks, 301 interconnectedness and, 299–300 state-sponsored threat, 300–306 group behavior, move to action, 185–186 internal, InMate, 132–133 lack of control and, 70 state-supported behaviorprints (AuBA), 322–325 evidence gathering, 321–322 tracking abilities, 118–119 movement, 394–396 tradecraft known tradecraft, 243–244 brush pass, 244 steganography, 245 new tradecraft, 246–247 traditional-new hybrids, 247 traditional-new hybrid tradecraft, 247 bindex.indd 513 U Unabomber, 27 unanticipated attacks, 128 terrorism, 146–147 underwear bomber, unknown attacks, identifying, 263–266 U.S aggressiveness, 99–100 allies against Middle Eastern militants, 71 cyber attack, as leading target, 138–139 safety in, 99 terrorism al-Qaeda as top threat, 71 attack prevention, 75–77 current threats, 70–75 worldwide security for Americans, 150–152 U.S citizen terrorists, 407 acting alone, 408–409 al-Qaeda, 238 foreign agent, 408 leaving country, 408 V validation, CheckMate, 400–402 validity, definition, 311 variables in environment, 169–170 video camera surveillance, 225 video game violence, 103 “villain with technology” movie genre, 142–143 violence media depiction, 103 public death by cop, 101 precursors, 101 as suicide mission, 101–102 n T–Z 513 surrogate targets in acts of anger, 98 workplace shootings, 101 reasons for, 99–104 video depiction, 103 Virginia Tech University shootings, 28–29 W war, al-Qaeda and, 42–43 warfare, asymmetric warfare, 66 anticipating future, 145–146 
terrorists, 106 water/food resources, national security, 148–150 weapons of mass destruction (WMDs) national security, 147–148 terrorism fear and, 71 Westroads mall shooting (Omaha), 92 WikiLeaks, insider threat and, 118 Wiskoff, Martin F., Espionage Against the United States by American Citizens 1947–2001, 246 within-subject design, 208 words with similar meanings, 376 workplace shootings, 101 worldwide security for Americans, 150–152 X–Y–Z zero-day attacks, 108–109, 123 signature detection and, 169 5/15/2012 11:30:39 AM John Wiley & Sons, Inc End-User License Agreement READ THIS You should carefully read these terms and conditions before opening the software packet(s) included with this book “Book” This is a license agreement “Agreement” between you and John Wiley & Sons, Inc “WILEY” By opening the accompanying software packet(s), you acknowledge that you have read and accept the following terms and conditions If you not agree and not want to be bound by such terms and conditions, promptly return the Book and the unopened software packet(s) to the place you obtained them for a full refund License Grant WILEY grants to you (either an individual or entity) a nonexclusive license to use one copy of the enclosed software program(s) (collectively, the “Software”) solely for your own personal or business purposes on a single computer (whether a standard computer or a workstation component of a multi-user network) The Software is in use on a computer when it is loaded into temporary memory (RAM) or installed into permanent memory (hard disk, CD-ROM, or other storage device) WILEY reserves all rights not expressly granted herein Ownership WILEY is the owner of all right, title, and interest, including copyright, in and to the compilation of the Software recorded on the physical packet included with this Book “Software Media” Copyright to the individual programs recorded on the Software Media is owned by the author or other authorized copyright owner of each program 
Ownership of the Software and all proprietary rights relating thereto remain with WILEY and its licensers Restrictions on Use and Transfer (a) You may only (i) make one copy of the Software for backup or archival purposes, or (ii) transfer the Software to a single hard disk, provided that you keep the original for backup or archival purposes You may not (i) rent or lease the Software, (ii) copy or reproduce the Software through a LAN or other network system or through any computer subscriber system or bulletin-board system, or (iii) modify, adapt, or create derivative works based on the Software (b) You may not reverse engineer, decompile, or disassemble the Software You may transfer the Software and user documentation on a permanent basis, provided that the transferee agrees to accept the terms and conditions of this Agreement and you retain no copies If the Software is an update or has been updated, any transfer must include the most recent update and all prior versions Restrictions on Use of Individual Programs You must follow the individual requirements and restrictions detailed for each individual program in the “About the CD” appendix of this Book or on the Software Media These limitations are also contained in the individual license agreements recorded on the Software Media These limitations may include a requirement that after using the program for a specified period of time, the user must pay a registration fee or discontinue use By opening the Software packet(s), you agree to abide by the licenses and restrictions for these individual programs that are detailed in the “About the CD” appendix and/or on the Software Media None of the material on this Software Media or listed in this Book may ever be redistributed, in original or modified form, for commercial purposes Limited Warranty (a) WILEY warrants that the Software and Software Media are free from defects in materials and workmanship under normal use for a period of sixty (60) days from the date of 
Eula.indd purchase of this Book If WILEY receives notification within the warranty period of defects in materials or workmanship, WILEY will replace the defective Software Media (b) WILEY AND THE AUTHOR(S) OF THE BOOK DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SOFTWARE, THE PROGRAMS, THE SOURCE CODE CONTAINED THEREIN, AND/OR THE TECHNIQUES DESCRIBED IN THIS BOOK WILEY DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE SOFTWARE WILL BE ERROR FREE (c) This limited warranty gives you specific legal rights, and you may have other rights that vary from jurisdiction to jurisdiction Remedies (a) WILEY’s entire liability and your exclusive remedy for defects in materials and workmanship shall be limited to replacement of the Software Media, which may be returned to WILEY with a copy of your receipt at the following address: Software Media Fulfillment Department, Attn.: Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security, John Wiley & Sons, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, or call 1-800-762-2974 Please allow four to six weeks for delivery This Limited Warranty is void if failure of the Software Media has resulted from accident, abuse, or misapplication Any replacement Software Media will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer (b) In no event shall WILEY or the author be liable for any damages whatsoever (including without limitation damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising from the use of or inability to use the Book or the Software, even if WILEY has been advised of the possibility of such damages (c) Because some jurisdictions not allow the exclusion or limitation of liability 
for consequential or incidental damages, the above limitation or exclusion may not apply to you U.S Government Restricted Rights Use, duplication, or disclosure of the Software for or on behalf of the United States of America, its agencies and/or instrumentalities “U.S Government” is subject to restrictions as stated in paragraph (c) (1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, or subparagraphs (c) (1) and (2) of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR supplement, as applicable General This Agreement constitutes the entire understanding of the parties and revokes and supersedes all prior agreements, oral or written, between them and may not be modified or amended except in a writing signed by both parties hereto that specifically refers to this Agreement This Agreement shall take precedence over any other documents that may be in conflict herewith If any one or more provisions contained in this Agreement are held by any court or tribunal to be invalid, illegal, or otherwise unenforceable, each and every other provision shall remain in full force and effect 5/15/2012 11:36:40 AM ... AM Predicting Malicious Behavior Tools and Techniques for Ensuring Global Security Gary M Jackson, PhD ffirs.indd iii 5/15/2012 11:36:49 AM Predicting Malicious Behavior: Tools and Techniques for. .. only behavior principles but also security practices and methods Overview of the Book and Technology The purpose of Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security. .. describe the present, and this book describes how we can accurately predict future human behavior I wrote Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security to highlight

Posted: 17/11/2019, 08:34