Predicting Nefarious Cyber Activities

Big Tows322, PhD
14 min read · Mar 2, 2020

Abstract

The tactics nefarious actors use to breach networks are well known to the defensive practitioners often called white-hat hackers. Penetration testing and digital forensics labs help investigate nefarious cyber activities after a data breach. There has been little research on how law enforcement might predict the nefarious activities that cause the most financial damage to multinational corporations, state and local governments, and, above all, individual citizens. The three most common such activities are traditional identity theft, synthetic identity theft, and ransomware attacks. All three have grown rapidly over the past several years and present a significant challenge from a law-enforcement reduction and prevention standpoint. The researchers ran a large-scale longitudinal study of computer science and computer engineering students at the university. The knowledge, skills, and abilities (KSAs) of a cohort of 500 students were used to predict nefarious cyber activities at skill levels from apprentice through cyber craftsman. This research proposal explores predictive analytic methods for these three most common cyber crimes.

Introduction

The Internet and the advent of electronic commerce (e-commerce) created a revolution in shopping. The Internet grew out of ARPANET, built by the Department of Defense's (DoD) Advanced Research Projects Agency. The DoD built it without cybersecurity in mind, since it was intended to be used only by universities and government. Building a revolutionary networked system without security turned out to be a costly mistake: because the Internet was built without it, traditional criminals easily transferred their illicit activities to nefarious cyber activities (Prasanthi & Ishwarya, 2015). E-commerce and online lending greatly expanded the opportunities for such activities, which include traditional identity theft, synthetic identity theft, and ransomware (Naranjo, 2018). This research proposal tests whether computer scientists and cyber engineers can learn to predict cybercrime and thereby help law enforcement reduce it over the long term.

Hypothesis

The ability of computer science and engineering students to predict cybercrime events in a controlled university cybercrime lab improves with training level, from cyber apprentice to cyber craftsman. The experiment tests this learning curve.

Literature Review

The literature review turned up a substantial body of work on predicting cybercrime events using a variety of methods. One predictor is location (Baker, 2005). For example, the data centers that serve Wall Street trading are located in New Jersey rather than in Manhattan, where the traders' desks sit. Those data centers are a prime target because they hold the records of every trade made each day, week, month, and year. Investigators could obtain a court-authorized surveillance order to monitor for unauthorized traffic between the New York trading desks and the New Jersey data centers. If unauthorized access is detected, cybercrime investigators from the US Secret Service (USSS) and the FBI would be deployed to investigate the breach. Location is therefore one useful predictor of cybercrime.

Another predictor of cybercrime is increased broadband activity at off-peak times. Telecom providers continuously monitor traffic, both for lawful surveillance obligations and to identify peak times for selling advertising (Gandotra, Bansal, & Sofat, 2015). Power grid operators likewise monitor energy usage. If broadband usage and power consumption both rise during off-peak hours, that may be a sign of nefarious cyber activity, for instance compromised machines being marshalled ahead of a distributed denial of service (DDoS) attack. Investigators can again seek a court-authorized surveillance order to monitor the broadband and associated power usage of suspected actors; as a reminder of the stakes, the 2016 Mirai botnet attacks on a Liberian telecom provider degraded Internet connectivity in parts of the country. Investigators monitoring suspicious traffic could also set up a virtual honeypot (Sabillon, Cano, Cavaller, & Serra, 2016). A honeypot is a decoy system, built to look like the real one, that lets investigators observe and identify the nefarious cyber actors who interact with it; it is the cyber analogue of a sting operation (Paradise, Shabtai, Puzis, Elyashar, Roshandel, & Peylo, 2017). Once investigators have positively identified the actors, the USSS and FBI cybercrime investigators are deployed. Monitoring increased broadband traffic and power usage at off-peak times is another method for predicting nefarious cyber activity.
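The off-peak heuristic described above can be made concrete. The following Python script is an added example, not code from the original article: it builds an hour-of-day baseline from one week of constructed bandwidth and power readings for a site, then flags off-peak hours in a later week where both readings exceed the baseline by more than three standard deviations. The diurnal curve, the off-peak window (00:00 to 05:59), the three-sigma threshold and the injected readings are all assumptions chosen for illustration.

```python
"""Off-peak usage anomaly detector (added example; telemetry constructed inline)."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

OFF_PEAK_HOURS = range(0, 6)  # assumed off-peak window: 00:00-05:59 local time
K_SIGMA = 3.0                 # alert threshold in standard deviations above the hourly mean


def make_week(start, overrides=None):
    """Constructed telemetry: (timestamp, bandwidth_gbps, power_kw) per hour for 7 days.

    A flat day/night curve plus small deterministic jitter; `overrides` maps a
    timestamp to (bandwidth, power) values injected for the demonstration.
    """
    rows = []
    for day in range(7):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            daytime = 8 <= hour < 20
            jitter = (day + hour) % 3 - 1          # -1, 0 or +1
            bw = (10.0 if daytime else 2.0) + 0.1 * jitter
            pw = (500.0 if daytime else 200.0) + 5.0 * jitter
            if overrides and ts in overrides:
                bw, pw = overrides[ts]
            rows.append((ts, bw, pw))
    return rows


def build_baseline(samples):
    """Per hour-of-day mean and population std-dev of bandwidth and power."""
    by_hour = {}
    for ts, bw, pw in samples:
        by_hour.setdefault(ts.hour, []).append((bw, pw))
    baseline = {}
    for hour, rows in by_hour.items():
        bws = [r[0] for r in rows]
        pws = [r[1] for r in rows]
        baseline[hour] = (mean(bws), pstdev(bws), mean(pws), pstdev(pws))
    return baseline


def find_off_peak_anomalies(samples, baseline, k=K_SIGMA):
    """Return timestamps in the off-peak window where BOTH bandwidth and power
    exceed their hourly baseline by more than k standard deviations.

    Requiring both signals makes this a co-occurrence check rather than a plain
    traffic-spike alarm: a bandwidth spike alone (say a backup job) does not fire.
    """
    alerts = []
    for ts, bw, pw in samples:
        if ts.hour not in OFF_PEAK_HOURS:
            continue
        bw_mu, bw_sd, pw_mu, pw_sd = baseline[ts.hour]
        # floor the std-dev so a perfectly flat baseline still yields a usable threshold
        bw_high = bw > bw_mu + k * max(bw_sd, 0.01)
        pw_high = pw > pw_mu + k * max(pw_sd, 0.1)
        if bw_high and pw_high:
            alerts.append(ts)
    return alerts


def demo():
    """Train on one constructed week, detect on the next; returns ISO timestamps of alerts."""
    baseline = build_baseline(make_week(datetime(2020, 3, 2)))
    injected = {
        datetime(2020, 3, 11, 3): (6.0, 260.0),    # off-peak: traffic AND power up -> alert
        datetime(2020, 3, 12, 2): (6.0, 200.0),    # off-peak: traffic only -> no alert
        datetime(2020, 3, 12, 14): (20.0, 900.0),  # daytime spike -> outside the off-peak window
    }
    test_week = make_week(datetime(2020, 3, 9), injected)
    return [ts.isoformat() for ts in find_off_peak_anomalies(test_week, baseline)]


if __name__ == "__main__":
    print(demo())
```

Only the 03:00 reading on 11 March is reported: the traffic-only spike is ignored because power did not move with it, and the daytime spike falls outside the window. In production the baseline would be built per weekday and per site, and the alert would be one input to an investigation rather than grounds for a surveillance order on its own.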

Research Methods/Design

For this research proposal on predicting nefarious cyber activities, the researcher chose an experimental design. The model is a hands-on practical certification; the author points to the GIAC Systems and Network Auditor (GSNA) as an example, describing it as giving candidates a broken server environment that they must repair while documenting every step taken to resolve it. That practical, documented format should be the gold standard for cybersecurity certifications, and it is why a hands-on experiment, rather than a survey or other non-experimental design, is the better way to judge the quality of nefarious cyber activity predictions.

Research participants work through a practical, hands-on model for identifying nefarious cyber activities across a variety of simulations, then predict nefarious cyber activities for each scenario. Over the four-year experiment, apprentices should develop the knowledge, skills, and abilities (KSAs) both to identify a cyber attack and to forecast when one will take place. The researcher modeled the experience levels on the United States Air Force (USAF) skill levels: apprentice (3-level), journeyman (5-level), craftsman (7-level), and superintendent (9-level).

Apprentices are expected to have minimal KSAs in detecting and predicting nefarious cyber activities. As students progress through the computer science and engineering programs and accumulate practical lab experience, they advance to the next level. The next level in this model is journeyman; a journeyman can work with light supervision. The final level for computer science and engineering students is craftsman; a craftsman can work without supervision and is typically considered an engineer.

Each participant team faces the same simulation. As in the real world, penetration testers work in teams to solve puzzles, and each cyber scenario is a puzzle: similar to, but different from, a historical incident. The experiments level up from the basic identity theft model. Basic identity theft is simple to find and then predict. For example, the US tax season is the most lucrative time of year for it: the average refund is about $2,800, so a thief who files a fraudulent return in a victim's name before the victim does can divert that refund. Most taxpayers over-withhold, effectively giving the government an interest-free loan rather than keeping more of each paycheck, and that large, predictable refund is the incentive; lax enforcement and limited Internal Revenue Service investigative funding make the exploit easier still. When penetration testers are building these KSAs, they need to understand the big picture, including why the tax-refund exploit is such easy pickings.

In the mixed methods approach, theory may either be used by researchers deductively like in the quantitative approach, inductively as in the qualitative approach, or both deductively and inductively. As the term “mixed methods” implies, it is a blending of the quantitative and qualitative approaches. (Creswell, 2003).

The current gold standard for cyber defense programs is signature-based analysis. Think of it as old-school fingerprinting in the virtual realm: researchers identify characteristics and attributes of a malware sample (Cortes & Gomez, 2019), add the resulting signatures to a blacklist, and push the update to every cyber defense program, e.g. anti-virus, anti-malware, and intrusion detection systems. Nefarious actors can easily thwart signature-based programs by making minor tweaks to the malware. The tweaked malware has a different signature and is invisible to those defenses.

A better method of defense against nefarious activities is behavior-based analysis. Whereas signature-based analysis examines the micro-level details of the malware's bytes, behavior-based analysis looks at the macro-level actions the malware takes (Neha, Priyanga, Seshan, Senthilnathan, & Sriram, 2020). For example, tweaking WannaCry changes its signature, but the tweaked WannaCry still behaves the same way: it still encrypts files and still spreads over SMB. A behavior-based defense therefore continues to detect the evolved WannaCry.
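The two preceding paragraphs can be shown side by side. The Python below is an added example, not code from the article or from any vendor product: a hash-and-byte-pattern blacklist is defeated by a two-byte tweak to a constructed stand-in binary, while a behavioral scorer run over a constructed process event stream (shadow-copy deletion, mass renaming of files to one new extension, a ransom-note drop, modelled loosely on published ransomware behaviour) still fires for the tweaked sample and stays quiet for a backup agent that renames many files. The marker string, event schema, weights and thresholds are assumptions.

```python
"""Signature matching versus behavior-based detection (added example)."""
import hashlib
from collections import Counter

# ---- Signature-based detection -------------------------------------------
# Constructed stand-in for a malware binary: fake header, a marker string a
# vendor might choose as a byte signature, padding and a tail.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"RANSOM-MARKER-v1" + b"\x00" * 32 + b"payload"

SIGNATURE_HASHES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}
SIGNATURE_PATTERNS = [b"RANSOM-MARKER-v1"]


def signature_match(data: bytes) -> bool:
    """Blacklist check: exact file hash or a known byte pattern."""
    if hashlib.sha256(data).hexdigest() in SIGNATURE_HASHES:
        return True
    return any(pattern in data for pattern in SIGNATURE_PATTERNS)


def tweak(data: bytes) -> bytes:
    """The minimal 'repack' an attacker might do: bump the marker version and
    touch one padding byte. Behaviour is unchanged; both signatures now miss."""
    tweaked = bytearray(data)
    tweaked[data.index(b"-v1") + 2] = ord("2")   # RANSOM-MARKER-v1 -> RANSOM-MARKER-v2
    tweaked[-8] = 0x01                           # last padding byte, so the hash moves too
    return bytes(tweaked)


# ---- Behavior-based detection --------------------------------------------
MASS_RENAME_THRESHOLD = 20   # files re-extensioned by one process ...
WINDOW_SECONDS = 60.0        # ... within this many seconds
ALERT_SCORE = 3
NOTE_KEYWORDS = ("DECRYPT", "READ_ME", "RESTORE")


def behavior_score(events):
    """Score one process's event stream (constructed dicts with keys t, type and
    cmd / path / new) against three indicators. Returns (score, reasons)."""
    score, reasons = 0, []

    # 1. Shadow-copy deletion: destroys Windows restore points before encrypting.
    if any(e["type"] == "process_start"
           and "vssadmin" in e["cmd"].lower() and "delete shadows" in e["cmd"].lower()
           for e in events):
        score += 2
        reasons.append("volume shadow copies deleted")

    # 2. Mass re-extension: many files of several original types renamed to one
    #    new extension inside a short window (the encrypt-and-rename loop).
    renames = sorted((e for e in events if e["type"] == "file_rename"), key=lambda e: e["t"])
    for i, first in enumerate(renames):
        window = [e for e in renames[i:] if e["t"] - first["t"] <= WINDOW_SECONDS]
        new_ext, count = Counter(e["new"].rsplit(".", 1)[-1] for e in window).most_common(1)[0]
        original_exts = {e["path"].rsplit(".", 1)[-1] for e in window}
        if count >= MASS_RENAME_THRESHOLD and len(original_exts) >= 3:
            score += 2
            reasons.append(f"{count} files renamed to .{new_ext} within {WINDOW_SECONDS:.0f}s")
            break

    # 3. Ransom note dropped.
    if any(e["type"] == "file_create" and any(k in e["path"].upper() for k in NOTE_KEYWORDS)
           for e in events):
        score += 1
        reasons.append("ransom-note-like file created")
    return score, reasons


def is_ransomware_behavior(events) -> bool:
    return behavior_score(events)[0] >= ALERT_SCORE


def ransomware_events():
    """Constructed event stream; identical for the original and tweaked binary,
    because the tweak changed bytes, not actions."""
    exts = ["docx", "xlsx", "jpg", "pdf"]
    events = [{"t": 0.0, "type": "process_start", "cmd": "vssadmin delete shadows /all /quiet"}]
    for n in range(25):
        path = f"C:/Users/alice/Documents/file{n}.{exts[n % 4]}"
        events.append({"t": 1.0 + 0.3 * n, "type": "file_rename", "path": path, "new": path + ".locked"})
    events.append({"t": 9.0, "type": "file_create", "path": "C:/Users/alice/Desktop/HOW_TO_DECRYPT.txt"})
    return events


def benign_backup_events():
    """Constructed stream for a backup agent renaming many files to .bak: it trips
    the mass-rename indicator alone, which stays below the alert score."""
    exts = ["docx", "xlsx", "jpg"]
    return [{"t": float(n), "type": "file_rename",
             "path": f"D:/share/report{n}.{exts[n % 3]}",
             "new": f"D:/share/report{n}.{exts[n % 3]}.bak"} for n in range(30)]


if __name__ == "__main__":
    print("signature hits original:", signature_match(ORIGINAL_SAMPLE))
    print("signature hits tweaked: ", signature_match(tweak(ORIGINAL_SAMPLE)))
    print("behavior on ransomware: ", behavior_score(ransomware_events()))
    print("behavior on backup agent:", behavior_score(benign_backup_events()))
```

The scoring is deliberately additive so that a single noisy indicator (mass renaming, which legitimate backup and build tools also produce) cannot alert on its own; the shadow-copy deletion is the high-confidence signal, and the ransom note is corroboration. Real telemetry would come from an EDR or Sysmon feed rather than constructed dicts, but the rule shape is the same.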

Participants

The cyber and engineering students were required to participate in the research study as a graduation requirement. The large-scale longitudinal study of computer science and computer engineering students at the university included the entire cyber class from 2017 to 2020 (Onwuegbuzie & Collins, 2007). The 2017 cyber students were classified as craftsman level, the 2018 and 2019 students as journeyman level, and the 2020 cohort as apprentice level. In all, 500 cyber students took part.

Materials

The cyber students used the university's cybercrime and digital forensics labs. The virtual lab environments ran on the Citrix Workspace platform. The Splunk analytics platform was used for the mixed methods analysis of the cybercrime prediction data collected in the lab; Splunk is widely used for real-time collection and analysis of machine data in enterprises and universities.

Procedure

The cyber PhDs set up cybercrime scenarios to test the students' skill at predicting cybercrime events. In the e-commerce theft scenario, students were tested on identifying, documenting, and analyzing methods to prevent traditional identity theft on a fictional e-commerce corporation's website, MonkeyZoo.com. A second scenario covered the newer practice of synthetic identity theft: students had to identify, document, analyze, and then predict synthetic identity theft behavioral patterns, as distinguished from legitimate borrowers, on a fictional online lending platform, GreedyBananas.com. The final scenario was a WannaCry ransomware attack against a fictional city, Joy Mate BC: students had to identify, document, and analyze the city's security posture, looking for the vulnerabilities WannaCry exploited (the SMBv1 flaws addressed by Microsoft's MS17-010 bulletin). Next, participants were tasked with predicting where systems with similar vulnerabilities resided in the neighboring municipalities of Gorilla's Nut and Champion Palace and patching them. Each trial was run five times.
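The "predict where similar systems reside" step of the ransomware scenario is, in practice, a triage over an asset inventory. The Python below is an added example, not part of the article or of any lab material: it scores a constructed inventory for exposure to the MS17-010 vector, treating a host as exposed only if it runs a covered Windows version, lacks the fix, and still has SMBv1 enabled, with external reachability of 445/tcp raising the priority. The KB mapping is a partial illustration (check the full list against the Microsoft bulletin), and the inventory field names are assumptions.

```python
"""Ranking hosts by exposure to the WannaCry (MS17-010) vector (added example)."""

# Partial mapping of OS -> updates that close MS17-010. Any one installed counts as
# patched (security-only update or the monthly rollup). Illustrative only: confirm
# the full list against Microsoft's MS17-010 bulletin before relying on it.
MS17_010_FIXES = {
    "Windows 7 SP1": {"KB4012212", "KB4012215"},
    "Windows Server 2008 R2 SP1": {"KB4012212", "KB4012215"},
    "Windows Server 2003": {"KB4012598"},
}

# Constructed inventory for a fictional municipality; field names are assumptions.
INVENTORY = [
    {"host": "clerk-pc-01", "os": "Windows 7 SP1", "smb1": True,
     "patches": {"KB4012212"}, "tcp445_external": False},
    {"host": "water-scada-01", "os": "Windows Server 2003", "smb1": True,
     "patches": set(), "tcp445_external": True},
    {"host": "library-kiosk", "os": "Windows 7 SP1", "smb1": True,
     "patches": set(), "tcp445_external": False},
    {"host": "file-srv-02", "os": "Windows Server 2008 R2 SP1", "smb1": False,
     "patches": set(), "tcp445_external": True},
    {"host": "web-01", "os": "Ubuntu 18.04", "smb1": False,
     "patches": set(), "tcp445_external": True},
]


def ms17_010_status(host):
    """Return (risk_score, reason).

    3 = unpatched, SMBv1 on, 445/tcp reachable from untrusted networks
    2 = unpatched, SMBv1 on, internal only (still wormable from an infected peer)
    0 = fix installed, SMBv1 disabled, or an OS the bulletin does not cover
    """
    fixes = MS17_010_FIXES.get(host["os"])
    if fixes is None:
        return 0, "OS not covered by MS17-010"
    if host["patches"] & fixes:
        return 0, "MS17-010 fix installed"
    if not host["smb1"]:
        # The vulnerable code is in SMBv1; disabling it removes the vector even when unpatched.
        return 0, "SMBv1 disabled (patch still recommended)"
    if host["tcp445_external"]:
        return 3, "unpatched, SMBv1 enabled, 445/tcp exposed to untrusted networks"
    return 2, "unpatched, SMBv1 enabled, internal only (wormable from any infected peer)"


def triage(inventory):
    """Rank hosts by risk, highest first; ties broken by host name for stable output."""
    ranked = [(host["host"], *ms17_010_status(host)) for host in inventory]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, score, reason in triage(INVENTORY):
        print(f"{score}  {name:16} {reason}")
```

Run against the constructed inventory, the exposed Server 2003 SCADA host comes out first and the internal-only kiosk second, while the patched clerk PC and the unpatched server with SMBv1 disabled both score zero. That ordering is the "prediction" the scenario asks for: the patch queue for the neighboring municipalities, with the lateral-movement caveat that a score-2 host is only safe until something on its network segment is infected.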

Results

The 2017 craftsman cohort averaged an 86 percent pass rate on the trials, the 2018–2019 journeyman cohort 66 percent, and the 2020 apprentice cohort 33 percent.

Discussion

The results show that the pass rate more than doubled from the apprentice cohort to the craftsman cohort in cybercrime predictive analysis. The scenarios increased in difficulty. Traditional identity theft is easy to track, identify, and predict. Synthetic identity theft was the second trial because its nefarious behavioral patterns are harder to distinguish from those of legitimate borrowers. The most challenging trial was the WannaCry ransomware attack, since ransomware attacks seem unpredictable. Because the trials were conducted in a controlled environment, the researchers expect real-world cybercrime prediction by cyber craftsmen to be more challenging still (Gandotra, Bansal, & Sofat, 2015). The research shows that sustained training from apprentice to craftsman dramatically increased cybercrime prediction KSAs. Future research could examine how alternative nefarious cyber activities and variations in scenario design affect participants' KSAs. Researchers could also look into exactly what triggers a behavior-based intrusion detection system to alert, versus the easily bypassed signature-based systems in common use. A further experiment in the wild would be the ideal next step.

References

Baker, T. (2005). Introductory criminal analysis: Crime prevention and intervention strategies. Upper Saddle River, N.J.: Pearson Prentice Hall.

Creswell, J. W. (2003). Research design: Qualitative, quantitative, and mixed methods approach. Thousand Oaks, CA: Sage.

Cortes, F. & Gomez, N. (2019). A hybrid alarm management strategy in signature-based intrusion detection systems. 2019 IEEE Colombian Conference on Communications and Computing (COLCOM). DOI: 10.1109/ColComCon.2019.8809121. Retrieved 27 Feb 2020 from https://ieeexplore.ieee.org/abstract/document/8809121

Gandotra E., Bansal D., Sofat S. (2015). Computational Techniques for Predicting Cyber Threats. In: Jain L., Patnaik S., Ichalkaranje N. (eds) Intelligent Computing, Communication and Devices. Advances in Intelligent Systems and Computing, vol 308. Springer, New Delhi

Naranjo, Kevin. (2018, Dec 12). “Frankenstein Fraud: The Rising Threat of Synthetic Identity Theft.” Tufts University. Retrieved 24 Jan 2020 from http://www.cs.tufts.edu/comp/116/archive/fall2018/knaranjo.pdf

Neha N., Priyanga S., Seshan S., Senthilnathan R., Shankar Sriram V.S. (2020) SCO-RNN: A Behavioral-Based Intrusion Detection Approach for Cyber Physical Attacks in SCADA Systems. In: Ranganathan G., Chen J., Rocha Á. (eds) Inventive Communication and Computational Technologies. Lecture Notes in Networks and Systems, vol 89. Springer, Singapore. Retrieved 27 Feb 2020 from https://link.springer.com/chapter/10.1007/978-981-15-0146-3_88

Onwuegbuzie, A. J., & Collins, K. M. T. (2007). A typology of mixed methods sampling designs in social science research. The Qualitative Report, 12(2), 281–316. Retrieved 23 Jan 2020 from https://nsuworks.nova.edu/tqr/vol12/iss2/9/

Paradise, A., Shabtai, A., Puzis, R., Elyashar, A., Roshandel, M., & Peylo, C. (2017, Sep). “Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks.” IEEE Transactions on Computational Social Systems (Volume: 4, Issue: 3, pg. 65–79) Retrieved 24 Jan 2020 from https://ieeexplore.ieee.org/abstract/document/7981377/

Prasanthi, M. & Ishwarya, T. (2015, Mar). Cyber Crime: Prevention & Detection. International Journal of Advanced Research in Computer and Communication Engineering Vol. 4, Issue 3. Retrieved 16 Jan 2020 from https://pdfs.semanticscholar.org/8e69/9a49f0a83aa30c9969ddf980e55c6653a24b.pdf

Sabillon, R., Cano, J., Cavaller Reyes, V. & Serra Ruiz, J. (2016). Cybercrime and Cybercriminals: A Comprehensive Study. International Journal of Computer Networks and Communications Security, 4(6), 165–176. Retrieved 24 Jan 2020 from http://openaccess.uoc.edu/webapps/o2/handle/10609/78507

Appendix A

Annotated Bibliography

The latest advance in cybercrime is synthetic identity (ID) theft. Ordinary ID theft is relatively elementary for law enforcement to solve because it links hard to a single real individual. Synthetic ID theft, by contrast, takes an address from one person, a phone number from a second, an email from a third, and so on. It is sometimes called Frankenstein fraud because the nefarious actors stitch personally identifiable information (PII) from multiple individuals into a fictitious person. The thieves use these invented links when establishing credit for the fictitious person, then build its credit for a few years. Once the hoard of fictitious people has high FICO scores (the author cites 800 and above), the thieves request, and are promptly approved for, unsecured loans and high-limit credit cards. They then max out the cards, and the theft is complete.
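The stitching described here is also what makes synthetic identities detectable, and it is the pattern the GreedyBananas.com scenario in the Procedure section asks students to distinguish from legitimate borrowers. The Python below is an added example, not from the article or from Naranjo: it inverts the PII fields of a constructed set of loan applications and scores each application on how its attributes fan out across other identities. One SSN presented with two different name/date-of-birth combinations is the strongest signal; a phone or email shared across several distinct SSNs is weaker corroboration; a shared address is deliberately not scored, because households share one. The applications, weights and thresholds are assumptions.

```python
"""Synthetic-identity linkage scoring over loan applications (added example)."""
from collections import defaultdict

# Constructed applications for a fictional lender. A1/A2 are a legitimate couple
# (a shared phone and address are normal for a household); S1-S4 are a stitched ring.
APPLICATIONS = [
    {"id": "A1", "name": "Ana Ruiz", "ssn": "111-11-1111", "dob": "1985-02-03",
     "phone": "555-0100", "address": "1 Elm St", "email": "ana@example.com"},
    {"id": "A2", "name": "Luis Ruiz", "ssn": "222-22-2222", "dob": "1983-07-09",
     "phone": "555-0100", "address": "1 Elm St", "email": "luis@example.com"},
    {"id": "S1", "name": "John Carter", "ssn": "333-33-3333", "dob": "1990-01-01",
     "phone": "555-0199", "address": "9 Oak Ave", "email": "jc1@example.com"},
    {"id": "S2", "name": "Jon Carter", "ssn": "333-33-3333", "dob": "1992-05-05",
     "phone": "555-0199", "address": "77 Pine Rd", "email": "jc2@example.com"},
    {"id": "S3", "name": "Mary Bell", "ssn": "444-44-4444", "dob": "1975-03-03",
     "phone": "555-0199", "address": "5 Birch Ln", "email": "mb@example.com"},
    {"id": "S4", "name": "Tom Reed", "ssn": "555-55-5555", "dob": "2001-11-11",
     "phone": "555-0199", "address": "77 Pine Rd", "email": "mb@example.com"},
]

# Assumed weights and thresholds; a lender would tune these on labelled history.
SSN_CONFLICT_WEIGHT = 3                          # one SSN, more than one (name, DOB) core identity
PHONE_FANOUT_MIN, PHONE_FANOUT_WEIGHT = 3, 2     # one phone tied to >= 3 distinct SSNs
EMAIL_FANOUT_MIN, EMAIL_FANOUT_WEIGHT = 2, 2     # one email tied to >= 2 distinct SSNs
FLAG_THRESHOLD = 3


def _norm(value: str) -> str:
    return " ".join(value.lower().split())


def build_index(apps):
    """Invert the PII fields: for each attribute value, the set of SSNs (or of
    core identities, for the SSN itself) it has been presented with."""
    ssn_to_cores = defaultdict(set)
    phone_to_ssns = defaultdict(set)
    email_to_ssns = defaultdict(set)
    for a in apps:
        ssn_to_cores[a["ssn"]].add((_norm(a["name"]), a["dob"]))
        phone_to_ssns[_norm(a["phone"])].add(a["ssn"])
        email_to_ssns[_norm(a["email"])].add(a["ssn"])
    return ssn_to_cores, phone_to_ssns, email_to_ssns


def score_applications(apps):
    """Return {application id: (score, reasons)}. Address sharing is not scored:
    households legitimately share one, so scoring it would flag families."""
    ssn_to_cores, phone_to_ssns, email_to_ssns = build_index(apps)
    results = {}
    for a in apps:
        score, reasons = 0, []
        cores = ssn_to_cores[a["ssn"]]
        if len(cores) > 1:
            score += SSN_CONFLICT_WEIGHT
            reasons.append(f"SSN used with {len(cores)} different name/DOB combinations")
        n_phone = len(phone_to_ssns[_norm(a["phone"])])
        if n_phone >= PHONE_FANOUT_MIN:
            score += PHONE_FANOUT_WEIGHT
            reasons.append(f"phone shared by {n_phone} SSNs")
        n_email = len(email_to_ssns[_norm(a["email"])])
        if n_email >= EMAIL_FANOUT_MIN:
            score += EMAIL_FANOUT_WEIGHT
            reasons.append(f"email shared by {n_email} SSNs")
        results[a["id"]] = (score, reasons)
    return results


def flagged(apps, threshold=FLAG_THRESHOLD):
    """Application ids at or above the threshold, in input order."""
    scores = score_applications(apps)
    return [a["id"] for a in apps if scores[a["id"]][0] >= threshold]


if __name__ == "__main__":
    for app_id, (score, reasons) in score_applications(APPLICATIONS).items():
        print(app_id, score, "; ".join(reasons) or "no indicators")
    print("flagged:", flagged(APPLICATIONS))
```

On the constructed data the couple scores zero despite sharing a phone and an address, while all four stitched applications are flagged, two of them on the SSN conflict alone. A single lender sees only its own applications; the same inversion is far more effective when run over cross-lender data such as a credit bureau holds, which is where the years-long credit-building phase leaves its trail.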

Banks rarely report the resulting losses as theft, because publicity would cost them customers; they report them as credit losses instead and write them off, since credit losses are tax deductible. The author finds synthetic ID fraud a near mirror image of the collateralized debt obligations (CDOs) of the banking industry, and wonders whether the synthetic ID thieves were formerly Wall Street bankers. The difference is that CDOs are legal, whereas synthetic ID fraud is not.

Naranjo, Kevin. “Frankenstein Fraud: The Rising Threat of Synthetic Identity Theft.” Tufts University. 2018, Dec 12. Accessed 16 Jan 2020. http://www.cs.tufts.edu/comp/116/archive/fall2018/knaranjo.pdf

With the Internet age coming to fruition in the 21st century, traditional criminals have found new ways to commit crimes, and the newest genre of crime is cybercrime. Cybercrime mimics traditional crimes such as theft, killing, and cheating. The biggest difference is that cybercrime involves an electronic device in the commission of the crime. For example, if a burglar breaks into a house and steals a piano after using a mobile device to defeat the alarm code, the theft counts as a cybercrime. Another example is cheating in online poker. In face-to-face poker, cheaters might bring along an accomplice to signal premium hands; in online poker, the colluders sit in the same room, use virtual private networks to mask their locations, and bet with the best of their combined hands. Implanted medical devices such as pacemakers and glucose monitors have been shown by security researchers to be vulnerable to attacks that could harm the patient, and vehicle control systems have been shown to be remotely manipulable, affecting steering and braking. Many traditional crimes of the past have thus been carried into the cyber domain, which provides better privacy and anonymity for the black- and grey-hat actors who know how to use it for personal or professional gain and then exploit the easily penetrable networked systems in play.

Marcum C.D., Higgins G.E. (2019). Cybercrime. In: Krohn M., Hendrix N., Penly Hall G., Lizotte A. (eds) Handbook on Crime and Deviance. Handbooks of Sociology and Social Research. Springer, Cham Retrieved 24 Jan 2020 from https://doi.org/10.1007/978-3-030-20779-3_23

There are several ways to catch nefarious cyber actors, and one of the most popular is a virtual honeypot. A traditional honeypot was an intelligence officer who seduced a target in order to steal sensitive information or to gather compromising material for later blackmail. In the virtual version, the target walks into a trap that is set up to look like a normal system, and the honeypot gleans information about the cyber spies and thieves who interact with it. Like ordinary criminals, cyber criminals leave breadcrumbs that can lead to their apprehension. Behavioral analysis is one of the methods honeypots use: because attackers tend to act the same way across different platforms, they leave consistent behavioral patterns that help law enforcement identify them. Interaction rhythm, such as keystroke timing (keystroke dynamics), is a behavioral biometric in the manner of a voiceprint or fingerprint, so law enforcement could build rhythm profiles and match them against previously observed cyber heists. Honeypots are thus one of many ways to monitor attackers, capture their signatures, build behavioral profiles, and eventually prosecute them.

Paradise, A., Shabtai, A., Puzis, R., Elyashar, A., Roshandel, M., & Peylo, C. (2017, Sep). “Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks.” IEEE Transactions on Computational Social Systems (Volume: 4, Issue: 3, pg. 65–79) Retrieved 24 Jan 2020 from https://ieeexplore.ieee.org/abstract/document/7981377/

Identity (ID) theft is a cybercrime that has caused much heartache to individuals and families. ID thieves use personally identifiable information (PII) bought on dark web marketplaces, anonymous platforms where nefarious actors buy and sell contraband and ID-theft-worthy data. Thousands of security breaches happen each year. One of the biggest in history was the 2017 Equifax breach, which exposed roughly 146 million people's names, addresses, phone numbers, Social Security numbers, and other PII. ID thieves therefore have a treasure trove of information at their beck and call.

In many criminal investigations, the location of the crime yields the preponderance of evidence needed to prosecute. Cyber criminals may work from specific locations but cover their tracks by masking them, and most local and state police departments lack the funding for multi-jurisdictional investigations. A different dimension for monitoring and predicting ID theft should therefore be considered: time. Each year brings heavily promoted shopping windows, e.g. Singles Day, Black Friday, and tax refund season. In the US, the most ID theft occurs during the individual tax season from February to April. US workers receive an average tax refund of about $2,800, which makes tax season a prime opportunity for ID thieves to steal the workforce's refunds.

Sabillon, R., Cano, J., Cavaller Reyes, V. & Serra Ruiz, J. (2016). Cybercrime and Cybercriminals: A Comprehensive Study. International Journal of Computer Networks and Communications Security, 4(6), 165–176. Retrieved 24 Jan 2020 from http://openaccess.uoc.edu/webapps/o2/handle/10609/78507
