Crime script analysis: an ally against cyber-crime

On a regular basis, we share a guest columnist article from our archives about a topic which is still as relevant today as it was when it was first written. This piece is by Gianluca Riglietti, who at the time of publication was research and insight associate at the Business Continuity Institute. The article originally appeared in Issue 65 of The Risk Universe in May 2017.

In our latest From the Archives piece, Gianluca Riglietti looks at how risk managers can utilise crime script analysis – a technique used in law enforcement to dissect in detail the events leading up to a crime – to better understand and mitigate against cybercrime.

Cyber-attacks often catch companies off guard due to their complexity and unpredictability. It seems as though criminals are always one or two steps ahead of the game, finding ways into an organisation through increasingly sophisticated techniques. These can range from distributed denial of service (DDoS) attacks to spear phishing, or the actions of a disgruntled employee. The motivations for cyber-crime are also quite varied, as they can include financial gain, activism or government operations. Due to this mix of methods and motives, it is becoming increasingly hard to understand how and why perpetrators operate. Sometimes it might take months or years before a cyber-attack is uncovered and even then, the chances of clearly understanding how it happened can be scarce. This is why those in charge of preventing risks and mitigating their impacts would benefit from tools that help them visualise the various stages of cyber incidents, making them clearer and possibly less intimidating. Crime script analysis (CSA), a technique used in law enforcement and academia, appears to be fit for purpose in this regard. It consists of recreating the way in which a certain crime occurred, in order to gain insights into how to counter it. It has been applied to several types of offence, such as financial fraud and cybercrime, allowing the researchers in each case to map out the incident in great detail.

As correctly pointed out by a study from Leclerc in 2014, CSA comes from the field of environmental criminology, a discipline that focuses on the factors that create the necessary conditions for an offence to take place. Based on this principle, CSA consists of the observation of criminal activity and the creation of a multi-step map, or script, of the different phases of a crime. According to the UCL Department of Security and Crime Science, scripts prove useful in organising a sequence of events in order to understand the offenders’ behaviour. The ultimate goal is to recreate their modus operandi, focusing on information retrieved from a variety of qualitative sources (such as case studies, court cases, interviews) and less on quantitative ones. An effective CSA can thus be divided into four main steps, namely breaking the script into acts, writing the script, interpreting the analysis and identifying the response. Further, scripts can help make the best use of the available evidence, with new information that may be integrated at a later stage, making it a dynamic technique that allows the observer to track the development of criminal behaviour over time. While it might seem at first that this particular technique relates more to a police environment than an organisational one, professionals from different disciplines, such as risk management and business continuity, might find scripts a useful tool when dealing with cyber security problems. Indeed, looking at the best practices used by professionals, CSA could not only fit well but enrich the analytical capacity of those in charge of preventing threats, or managing their consequences.

Common goals

According to the Institute of Risk Management, root cause analysis (RCA) is an increasingly popular technique in risk management. It is used to understand the causes and the effects of a certain event, in order to prevent it (if negative) or replicate it (if positive). CSA takes this a step further, providing a very visible breakdown of a specific event. When applied to cyber-crime, having scripts makes even more sense, as they are an agile tool that can be used with partial information, as is often the case when looking at a cyber-attack. As criminology, security and risk management expert Dr Harald Haelterman points out in his study on risk management practices and crime scripts, risk identification is a central activity in risk management, which “involves finding, recognising and describing the risks that could affect the achievement of an organisation’s objectives”. With these goals in mind, risk professionals can use scripts to better visualise the cyber threat with a mix of information retrieved from both internal investigations and external sources, such as public reports on previous attacks.

While it might sometimes be hard to distinguish between reliable and unreliable sources, CSA might still be one of the most viable options for understanding and possibly preventing attacks. Furthermore, having a detailed account of a threat seems perfectly in line with other best practices of risk management. According to the widely used risk management standard ISO 31000, the five steps of the risk management process share the principles of a CSA, as they include establishing context, identifying, analysing, evaluating and treating risks. Therefore, risk professionals should consider scripts as an in-depth tool for completing tasks that are already part of their main goals.

Risk managers have an important role to play in handling threats to an organisation; however, they are not the only individuals who could benefit from adopting CSA against cybercrime. Business continuity (BC) professionals can also play a significant role in containing the losses derived from online attacks. It is often said that when it comes to cyber, it is not a matter of “if” but of “when” one will suffer a breach. This is why there is always a need for a good recovery strategy, which business continuity professionals can deliver. Yet in order to do so, they should be involved in the monitoring of the threat landscape.

According to the ISO 22301 standard for business continuity, one of the core functions of BC management is to perform a business impact analysis (BIA), which means knowing what kind of disruptions the business might suffer and for how long systems would not be operative. RCA is also recommended by the standard, as it emphasises the need to be more proactive in evaluating a threat and its response. In addition, research from the Business Continuity Institute shows that more than two-thirds of BC professionals are either aware of the outputs of a trend analysis or they help develop the analysis itself. Further, BC professionals are often involved in horizon scanning exercises, meaning the evaluation of the risk landscape in the short, medium, and long term. CSA fits well within this framework, as it is a tool that focuses on clarity, deep understanding of a threat and the building of knowledge to formulate a response.

In order to show how CSA can be applied to cybercrime, it is useful to look at previous research that has adopted this method to analyse the cyber threat, such as a study from Hutchings et al. that focused on the market for online stolen data. The authors decided to analyse the content of thirteen different blogs where services for the procurement of stolen data were exchanged. Ten of these blogs were in Russian and three in English. They justified the use of CSA by noting that current cyber security solutions tend to focus on disrupting cyber attacks without trying to understand their root causes and the conditions that make them possible. In one of their findings, they highlighted how these websites contained numerous tutorials on how to become an expert in stealing data. Interestingly, users went as far as naming possible companies with job openings that could be infiltrated to learn how to bypass their systems. Knowledge of a particular company included name, city, reason for relocation and duration of their plans to improve security measures.

The script detailed the interactions between sellers and buyers of stolen data, articulating them in ten steps. First, new members would start by setting up accounts and ensuring anonymity. Then they would familiarise themselves with the language and terms of the online community, before obtaining and advertising stolen products. In the process, users would also share intelligence on law enforcement while negotiating and talking about their products. Finally, the last part of the sale would include payment (generally in digital currency) and the packaging and transport of the product in question.

In this study, breaking down cybercrime into specific steps showed the relevance of the human factor behind online attacks. While having appropriate software in place is paramount to cyber security, looking at the social interactions behind it can lay the foundations of a sound prevention strategy. Improving knowledge of the cyber marketplace would help formulate a clearer picture and therefore define a better strategy against one of the biggest current threats to businesses. Appreciating all of the dynamics that pave the way for attacks was possible in this case thanks to the crime scripts built by the authors, who dug deep into the core of the threat. After all, understanding the technology behind cybercrime is hard enough without ignoring the human dynamics that surround it.

Understanding the catalyst

On a similar note, Willison et al. conducted a study on disgruntled employees committing computer crime. In their research, they mapped out the different stages that led a successful database expert to turn against her own company and compromise internal data in retaliation for suffering abusive behaviour. In this study, the authors did not strictly adopt CSA; however, they still broke down the development of the offence into different phases to understand how and when it could have been mitigated or prevented. The first part of the analysis focused on how the database expert complained to her company’s HR department about sexual comments from her colleagues, who were also keeping her out of relevant conversations within projects she owned. In the second phase, the study showed how no actions were taken while the database expert continued to be subject to inappropriate behaviour. As a result, her performance deteriorated, turning the quality of her work from stellar to poor, which even led to her being demoted. The third segment revealed how, following further protests from the database expert, she was suspended from her job. Nonetheless, her troubles did not stop there, as once she began employment at another company, she learned that only her most recent and worst appraisals had been passed on to her new employer. Only in the fifth and final section of the study did the authors actually talk about how this now disgruntled former employee accessed a database from her previous company and decided to erase data worth 1,800 hours of work from 115 employees.

There are two main points of failure that should be highlighted in this story. The first one is the fact that a former employee still had access to a database that should have been closed to her. Some steps in the security procedures of her former company were either missed or not followed properly (which could by itself be the focus of another script) and that allowed her to retain her password. The second point of failure is the unfair treatment of an employee, whose situation was dealt with inappropriately, leading to a security breach. This is not to justify the retaliation of the database expert, as criminal acts are not defensible regardless of their motivation. But, had the human factor behind this computer crime been handled more professionally, the breach could have been prevented. As in the first study presented in this article, there are two main lessons to learn. The first one is that the human aspects of cybercrime are often as important as the technical ones; the second one is that crime scripts can help a company spot the organisational failings that lead to a breach before it even becomes a technical issue. Indeed, CSA is mostly useful for understanding human behaviour. Organisations should obviously have sound threat-detection software in place, but having a comprehensive and effective cyber security function means taking care of the technical issues as well as of the human ‘weak link’ – and this is where scripts can play a significant role.
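The first point of failure above, a former employee whose database credentials were never revoked, is the kind of gap the “identifying the response” step of a crime script is meant to surface. The added example below (not part of the original article or of the Willison et al. study) shows one routine control that would have interrupted that script: reconciling the list of enabled database accounts against the HR roster and flagging any account whose owner has left, or that has no owner on record at all. The employee names, dates and account records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed HR record: termination_date is None while the person is still employed.
@dataclass(frozen=True)
class Employee:
    user_id: str
    termination_date: Optional[date]

# Constructed database account record as an administrator might export it.
@dataclass(frozen=True)
class DbAccount:
    user_id: str
    enabled: bool
    last_login: Optional[date]


def find_orphaned_access(
    roster: List[Employee], accounts: List[DbAccount], as_of: date
) -> List[Tuple[str, str]]:
    """Return (user_id, reason) for every enabled account that should not exist.

    An account is flagged when its owner's HR record shows a termination date on
    or before `as_of`, or when there is no HR record for it at all (for example a
    shared or legacy account nobody owns). Disabled accounts are ignored because
    they cannot be used, though they may still deserve cleanup.
    """
    left_on = {e.user_id: e.termination_date for e in roster}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.user_id not in left_on:
            findings.append((acct.user_id, "no matching HR record"))
            continue
        termination = left_on[acct.user_id]
        if termination is not None and termination <= as_of:
            reason = f"terminated {termination.isoformat()}, account still enabled"
            # A login after the leaving date is the strongest signal that the
            # retained credential has actually been used, as in the case above.
            if acct.last_login is not None and acct.last_login > termination:
                reason += f"; last login {acct.last_login.isoformat()} is after termination"
            findings.append((acct.user_id, reason))
    return findings


# Constructed sample data for a stand-alone run.
ROSTER = [
    Employee("dba01", date(2016, 3, 1)),   # left the company
    Employee("ops02", None),               # still employed
    Employee("tmp07", date(2016, 1, 15)),  # left; account already disabled
]
ACCOUNTS = [
    DbAccount("dba01", enabled=True, last_login=date(2016, 4, 10)),
    DbAccount("ops02", enabled=True, last_login=date(2016, 5, 2)),
    DbAccount("tmp07", enabled=False, last_login=date(2016, 1, 10)),
    DbAccount("svc_legacy", enabled=True, last_login=None),
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed data as of a fixed date."""
    return find_orphaned_access(ROSTER, ACCOUNTS, as_of=date(2016, 5, 3))


if __name__ == "__main__":
    for user_id, reason in run_sample():
        print(f"{user_id}: {reason}")
```

Running this reconciliation on a schedule, and treating every finding as an incident to close rather than a report to file, turns the offboarding step of the script into a guarded act instead of an assumed one.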

Insider fraud

Another interesting study on crime scripts and internal threats was carried out by Spyridon Samonas, where the author conducted a thought experiment on insider fraud with the use of a computer network. The author analysed three possible scenarios of fraud committed by a hotel employee through the lens of routine activity theory (RAA). RAA is a sub-field of criminology and focuses on the situational factors that create the opportunity to commit a crime. According to this perspective, there are three essential pre-conditions for a crime (known as the crime triangle by some), namely: an absent guardian, a suitable target and motivation to offend. Following this reasoning, there are several aspects to consider when dealing with an (in)efficient information security strategy. These range from complacency and misperception of a company’s information security strategy, to technical, financial and implementation deficiencies.

In this particular study, Samonas highlighted three gaps in the security of an upper-tier hotel in the UK, by exploring three potential crime scenarios. These involved the willingness by a high-level insider (such as a manager) with access to advanced functions to commit fraud by manipulating the booking system. Therefore, three separate crime scripts were built to show each step of the process that ultimately could lead to the offender getting away with the crime. Each crime script included nine phases and showed mitigation strategies for every instance.

The first and least sophisticated scenario showed the employee simply withholding the receipt from a customer paying cash in order to revise the booking so that the amount recorded differed from the sum actually paid. The fraud consisted of keeping the difference, which sometimes could be the entire sum. While the software in use would show red flags in the case of unjustified payment revisions, which granted some degree of safety, mitigation strategies included better employment screening, password requirements at critical stages and double reviews for payments. Conversely, the second example presented a more viable and thus more dangerous type of fraud. It consisted of having customers pay the full amount for a booking, while registering it at a discounted rate and stealing the difference in price. In this case too, passwords, double reviews and better screening were considered relevant steps forward. The third and final case involved what is called routing: moving charges from a room’s account to a virtual one (a rather standard practice), then pocketing the money and deleting the newly created account. This was the most convoluted but low-risk (from the offender’s standpoint) type of fraud, for which, on top of the previously listed mitigation strategies, random checks on routing practices were also recommended.

Whilst this study focused on the hospitality sector, the lessons learned from its scripts can be easily applied to any industry or context. Stronger password systems, double-checks and accurate screening should be the mantra of every organisation. Scripts can help a great deal when trying to visualise the necessary and most relevant security measures. In this case, the author was able to single out the weaknesses of the system under scrutiny, in order to recommend how to strengthen it. CSA, in addition, works particularly well with evolving and multi-faceted threats such as cybercrime, as it is a highly versatile research method. Risk and business continuity managers could find a precious ally in crime scripts when dealing with cybercrime, especially regarding its human aspects. As shown in the first part of this article, a number of techniques (RCA, BIA) and procedures in line with CSA are already in use in the risk prevention and mitigation industry. Looking at cyber-attacks with a step-by-step attitude might help provide a deeper understanding of the issue, borrowing a technique used within police and academic environments. How rigorously and in what depth this is applied is ultimately down to the individual organisation; however, looking at the entire chain of events that led to a breach, and not simply its final stage, would provide meaningful insights on how to keep the business safe from online threats.