Behavioral profiling plays an important role in the wider effort to counter cyber threats, explains Steve Bongardt, VP of Security Consulting Services at Fidelis Cybersecurity. When it comes to external threats, behavioral profiling helps when trying to “understand motives in general and come up with typologies,” says Bongardt. In regard to insider threats, it can help “identify disgruntlement.”
The Cipher Brief: I understand you did behavioral profiling at the FBI. As a preface, can you describe what behavioral analysis is and what remote personality assessment is?
Steve Bongardt: It is looking at a crime or an intrusion from a behavioral, forensic, and investigative perspective. It doesn’t always give you the characteristics of an unknown offender, but it’s trying to give a different perspective on a case based on human behavior.
TCB: How does the FBI use that kind of analysis when it comes to cyber-related incidents or crimes?
SB: Usually, one of the main goals is for interview. As an FBI agent, eventually you want to catch or put in jail the person who has done the hack. Understanding their mindset and where they’re coming from, and their motivation, helps you during the interview. But more and more, it’s about prediction - trying to understand if they’re actually going to do what they’re going to do, if they’ve completed doing what they’re doing, if they’re dangerous, and if they have any additional intentions of doing harm. This applies for both a network intrusion and a violent crime.
TCB: How can that kind of analysis be used in the broader cybersecurity field? It seems like it’s a very specialized skill, so how can more people make use of it in cybersecurity?
SB: When it comes to external attackers, it’s important to try to understand motives in general and come up with typologies. What type of hackers are trying to attack certain types of targets?
From an insider perspective, it helps to identify disgruntlement. What’s important from a behavioral perspective is looking at behavior or at individuals in a company and determining “Are they dangerous? Are they really going to act out? What are the hot points in that organization?”
It’s really important resource-wise that businesses look at both external and insider threats. A lot of companies dedicate resources to incident response to an external attack, but if they have a problem with an insider, they don’t know. They don’t have any idea what to do and are usually reeling somewhat when they find out that an insider has abused his or her access.
TCB: In terms of this kind of remote personality analysis, behavioral analysis - how do you see it changing moving forward? How do you see the technique or technology changing in the future?
SB: I think behavioral analytics are going to be very important. I think we’re just now starting to see a lot of the practical applications of sentiment analysis and personality assessment, and I think it will help us understand more about our interactions online. In some of the cases – one or two cases that I was able to work in the FBI – I actually interacted with the offender while they had the data that they were threatening to get rid of. Using tools like language analysis to determine where they’re coming from was very helpful in trying to interact with them and eventually lead them to a position where we could arrest them. It’s an additional heuristic I think that will help investigations.
TCB: I’ve spoken to a few people who have made the transition from law enforcement to private sector cybersecurity. Is that a trend that you have been seeing and what do you think that that dynamic brings to both fields?
SB: For the longest period of time, the FBI was trying to figure out: should it have cyber squads or not? One of the sayings in the FBI was “Well, I don’t have a gun squad, why do I need a cyber squad? Cyber is just a tool.”
But I think over the last fifteen years in particular, the FBI has become very, very sophisticated. You’re starting to see more and more people like me that at least spent some part of their career doing cyber, that are now retired, and transitioning to the private sector. I think that’s a good thing. I think it helps the dialogue back and forth between the private sector and the FBI, and helps the FBI learn a lot more about what’s going on in the private sector. I think moving forward you’re going to see a lot more of it, and I think it’s going to be very helpful for cybersecurity in general.