Cyber Threat Actor Cultural and Psychological Factors: Part 2
Cross-posted on https://www.cybersecuritytrainingco.com
Disclaimer 1: This post is about the potential use of various data sources to enhance cyber threat intelligence, cybercrime investigations, cybercriminal offender profiling, and forensics. The selective use of data is for illustrative purposes only. Due to the multitude of available (sometimes contradictory) data and your own interpretation you may or may not support the presented analysis. This post is not about whether or not Marcus Hutchins is guilty of one or all of the crimes he is being charged with.
Disclaimer 2: Myers-Briggs Type Indicator® is used herein for illustrative purposes only. I am not an MBTI professional; however, I plan to enlist the help of an MBTI certified professional for future analysis. The details of this will be the subject of a future post.
On Wednesday, June 6, 2018, federal prosecutors levied additional charges against WannaCry ‘hero’ Marcus Hutchins. He is now accused of conspiracy to defraud the US, computer fraud, lying to the FBI and the manufacture, distribution, possession and advertisement of an intercept device. I have been conducting research on Hutchins and had planned to post a part in this series regarding him. However, due to this recent announcement from the government it seemed appropriate to me to change the order of my planned posts and publish some initial analysis.
The timing for this change in writing plans – discussing part of the Hutchins case study as opposed to discussing the cultural factors – works out well because I am currently seeking a more comprehensive source of attack source and destination data to use in the cultural correlation analysis. I have spoken to IBM recently but nothing firm has developed just yet. Please contact me if your company has access to global cyber attack data and would be interested in collaborating.
In psychology, marketing, and other fields it is a well-accepted theory that human language reflects a lot about us including our personality, thinking style, social connections, and emotional states. The words we use and the frequency with which we use them can give us insight into who we really are. In today’s hyper-social world we can find supporting evidence of predictable aspects of personality in blogs, tweets and other sources.
In early March, Reeves Wiedeman wrote an interesting story for New York Magazine titled Gray Hat based on interviews with Marcus Hutchins. Wiedeman wrote, “Hutchins is a self-described introvert and pessimist. (“I don’t really like people,” he [Hutchins] deadpanned.)” This deadpanned statement stuck in my head as I continued to read the story. It stuck in my head as I looked over the voluminous MalwareTech blog posts. It also stuck in my head as I scrolled through thousands and thousands of his tweets. It struck me as interesting that this self-professed introvert really seemed to enjoy a lot of extroverted activities. I wanted to know if Hutchins was telling the truth or was he simply lying to Wiedeman in an effort to portray the mysterious rogue hacker with a hoodie stereotype and salvage a reputation amongst his peers? Of course, it could be neither, both, or something completely different.
The first step I took to understand Hutchins was to extract the crumbs of directly attributable data points from the Wiedeman story that I could assign to a personality trait. I came up with 58 individual data points. I now needed a personality spectrum to which to align my data points. For this, I chose the Myers-Briggs Type Indicator® (MBTI®). I could have chosen from a variety of other personality analysis models but the MBTI has been confirmed to be useful in remote observation and analysis, which is what I was doing.
The purpose of the MBTI personality inventory is to make the theory of psychological types described by C. G. Jung understandable and useful in people's lives. Developed by Isabel Briggs Myers and her mother, Katharine Briggs, the MBTI sought to make the insights of type theory accessible to individuals and groups. The MBTI identifies and describes 16 distinctive personality types as shown in the following chart.
MBTI is known to be good for self-awareness for better self-management, identification of behavior trends that have positive outcomes, identification of behavior trends that have less desirable outcomes, and to link trends with other data points to clarify personal or professional developmental opportunities. MBTI is not good for trying to predict others’ behavior, trying to estimate another individual’s type (e.g. a person must be an extrovert because they are gregarious), assuming that how a preference plays out for you is exactly how it would play out for someone else, and justifying behavior.
As I was working through the MBTI mapping and analysis I knew that I would need other methods to gain insight into who Hutchins really was and to correlate or contradict the findings. For this I used IBM’s artificial intelligence platform, Watson.
IBM Watson Personality Insights provides “linguistic analytics to infer individuals' personality characteristics, including Big Five, Needs, and Values, from digital communications such as email, blogs, tweets, and forum posts.” I collected 3,200 of Hutchins’s Twitter tweets (nearly 42,000 words) and more than 45,000 words from his MalwareTech blog and ran them through IBM Watson separately. I did this because I felt these two social media channels are often used very differently, which may provide contrasting insights. For example, Twitter tweets tend to be posted more quickly with less forethought and often in response to a trigger event (e.g. something someone else tweeted, a recent news article, a life event, etc.) as opposed to a lengthy blog entry which is typically written over time and edited before it’s published.
I wasn’t certain if the volume of data I was using would be adequate to get meaningful results; however, in both cases IBM Watson returned “Very Strong Analysis” so I felt good in continuing the work with the current data.
The Personality Insights service infers personality characteristics based on three primary models. The first, and most widely used model, is the Big Five, which identifies the personality characteristics of how a person engages with the world. It includes five primary dimensions: Agreeableness, Conscientiousness, Extroversion, Emotional range, and Openness. Each dimension has six facets that further characterize an individual according to the dimension.
The second model is Needs, which describes the various aspects of a product that resonate with a particular person. Given this does not relate to the work at hand I chose not to focus on this model.
The third and final model is Values, which are the driving factors that influence a person's decision making. The model includes five values: Self-transcendence / Helping others, Conservation / Tradition, Hedonism / Taking pleasure in life, Self-enhancement / Achieving success, and Open to change / Excitement.
In this particular post the focus is on the FBI’s charge that Hutchins lied to them. As such, let’s concentrate on those models and facets related to that behavior. The following sunburst chart visualizations reflect the separate IBM Watson analysis of Hutchins’s blog posts and Twitter tweets.
For this post we will work exclusively within the Big Five model and select facets of the agreeableness, emotional range, and openness domains.
Agreeableness is a person's tendency to be compassionate and cooperative toward others. Compassion doesn’t really play a part in our case but cooperation does. For example, how inclined was/is Hutchins to cooperate with the FBI? His cooperation facet score for carefully thought out blogs is considered moderately low (36%) whereas when it comes to the more gut instinct reactive nature of tweets the score is very low (6%).
Another facet of agreeableness is uncompromising, which is a measure of morality and sincerity. A person with a high score is considered uncompromising: one who sees no need for pretense or manipulation when dealing with others and is therefore candid, frank, and genuine. A low score indicates a person who is comfortable using every trick in the book to get what they want. Hutchins’s blog score is moderately low (27%) and his tweet score very low (5%).
Emotional range, also known as natural reactions, is the extent to which a person's emotions are sensitive to the person's environment. In the case of Hutchins we see someone with moderately high anger (fiery scores of 70% and 81%), someone who reacts quickly to the highs and lows of life (melancholy scores of 96% and 95%), and someone who has a moderately high degree of susceptibility to stress (65% and 85%).
Finally, if we jump over to the openness domain, which is about whether or not a person is open to experiencing a variety of activities, moderately high scores (89% and 75%) for authority-challenging jump out. However, it’s important to note that these high scores wouldn’t necessarily indicate a person who would resist cooperating with the FBI but perhaps speak more to the general fight against “the man” or authority in general.
If the FBI had performed this analysis beforehand - I don't know if they did or didn't - how might that have influenced their interview tactics, techniques or protocols? Given the new insights above, does it alter your beliefs about how likely Hutchins is to have lied to the FBI? Looking more broadly at the data, how might it influence the prosecution or defense?
Exploring and analyzing the psychology of all criminals is a fascinating and complex world. Those professionals tasked with identifying cyber criminals may want to consider the use of artificial intelligence platforms like IBM Watson to gain a different perspective of suspects when conducting offender profiling. In a future post I will dig deeper into the potential use of the MBTI and the Hare Psychopathy Checklist Revised (PCL-R) but for now consider the value of the written word paired with machine learning to uncover new insights into cybercriminals.