Imagine someone robs your house. The savvy culprit didn't leave behind fingerprints, shoe prints, or any other discrete, identifying details. Still, police manage to link the crime to a series of burglaries that happened the next town over, because of the criminal's behavior. Each robbery occurred in the same way, and in each case, the perpetrator stole many of the same items. Now, new research indicates that the techniques law enforcement use to tie crimes together through behavioral patterns might help in the digital world too.

That's a big deal: One of the most difficult tasks for cybersecurity researchers is determining who was behind a breach or coordinated attack. Hackers deploy a trove of tools to cover up their tracks, which can obfuscate important details like their location. Some cybercriminals even try to plant "false flags," purposely left clues that make it appear as though someone else was responsible for a breach.

Sometimes, a malicious actor is only definitively identified because they make a mistake. Guccifer 2.0, the now-notorious Russian hacker persona, was reportedly unmasked in part because they forgot to turn on their VPN, revealing their Moscow-based IP address. Absent such slip-ups, the so-called “attribution problem” makes connecting cybercrimes to specific individuals a daunting task.

The hope is that behavioral patterns may be harder to spoof, and as a result, useful in unmasking digital perpetrators. Matt Wixey, the head of technical research at PwC's Cyber Security practice in the UK, sees potential value in what is known as "case linkage" or "linkage analysis," a statistical technique historically used by law enforcement to connect multiple crimes to the same person. Wixey adapted case linkage for cybercriminals and conducted a study to see if it works, the results of which he will present at the DefCon hacking conference Sunday.

Patterns of Behavior

Wixey looked at three different types of behavior that hackers exhibit: navigation, how they move through a compromised system; enumeration, which is how they work out what kind of system they’ve gained access to; and exploitation, how they try to escalate their privileges and steal data. Their real-world equivalents might be how a robber approaches a bank, how they assess which teller to talk to, and what they say to get them to hand over the money.

“It’s based on the assumption that once attackers are on a system, they’re going to behave in consistent ways,” Wixey says. Inspiration for the technique came four years ago, when he took a penetration testing course. “A lot of the students had consistent but distinctive ways of doing things,” he says.

To test whether his cybersecurity case-linkage system works, Wixey gave 10 professional penetration testers, hacking enthusiasts, and students remote access to two systems as low-privileged users. He then monitored how each of them tried to escalate their privileges, steal data, and gather information. Each tester completed two separate hacks.

Afterward, Wixey analyzed their keystrokes using his novel case linkage method to see whether he could identify which hacks were conducted by the same individual. He had 20 sets of keystrokes to work with, and 100 possible pairs.

He found that nearly all of his test subjects moved through compromised systems in a consistent, unique way. Using their navigation patterns alone, he was able to correctly identify that two hacks were done by the same person 99 percent of the time. Enumeration and exploitation patterns were similarly predictive; Wixey could accurately identify that a hack was done by the same person using those methods 91.2 and 96.4 percent of the time, respectively.
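The study design described above (each tester observed in two separate sessions, every first-session hack scored against every second-session hack, then a same-person or different-person decision per pair) can be sketched in code. What follows is an added example and is not Wixey's implementation or data: the tester names and command sequences are constructed, and the similarity measure (cosine similarity over bigrams of command verbs, standing in for a navigation profile) is an assumption chosen for illustration. The real study worked from raw keystrokes and a statistical case-linkage model, not from this toy profile.

```python
"""Toy case-linkage analysis over command sequences (added example, not the study's code)."""
from collections import Counter
from itertools import product
from math import sqrt

# Constructed sample: four hypothetical testers, each observed in two separate sessions.
# Each session is the ordered list of commands typed. Arguments are kept for realism,
# but only the command verb (first token) feeds the behavioural profile.
SESSIONS = {
    "tester_a": (
        ["pwd", "ls -la", "cd /tmp", "ls -la", "cd /var/www", "ls -la", "cat config.php"],
        ["pwd", "ls -la", "cd /home", "ls -la", "cd /opt", "ls", "cd /var/www", "ls -la", "cat .env"],
    ),
    "tester_b": (
        ["id", "uname -a", "find / -name '*.conf'", "cat app.conf", "find / -name '*.bak'", "cat notes.bak"],
        ["id", "uname -a", "find / -name '*.log'", "cat app.log", "find / -name '*.db'", "cat users.db", "find / -name '*.key'"],
    ),
    "tester_c": (
        ["whoami", "ls /home", "grep -r listen /etc", "grep -r port /opt", "cd /opt", "grep -r host .", "cat settings.ini"],
        ["whoami", "ls /srv", "grep -r listen /srv", "cd /srv/app", "grep -r port .", "grep -r host .", "cat db.yml"],
    ),
    "tester_d": (
        ["history", "env", "cd /home", "ls", "cat README", "cd /etc", "ls", "cat hostname"],
        ["history", "env", "cd /root", "ls", "cat .profile", "cd /home", "ls", "cd /opt", "ls", "cat README"],
    ),
}


def verb_ngrams(commands, n=2):
    """Profile a session as counts of n-grams over command verbs.

    Keeping only the verb (e.g. 'ls', 'cd') makes the profile capture habits such as
    'ls after every cd' rather than the particular paths a tester happened to touch.
    """
    verbs = [c.split()[0] for c in commands if c.strip()]
    return Counter(tuple(verbs[i:i + n]) for i in range(len(verbs) - n + 1))


def cosine(p, q):
    """Cosine similarity between two n-gram count profiles (0.0 when either is empty)."""
    dot = sum(p[k] * q[k] for k in p.keys() & q.keys())
    norm = sqrt(sum(v * v for v in p.values())) * sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0


def score_pairs(sessions, n=2):
    """Score every (first-session, second-session) pair across testers.

    Returns {(tester_i, tester_j): similarity}; i == j marks a genuine link.
    With T testers this yields T*T cross-session pairs (100 for 10 testers).
    """
    first = {t: verb_ngrams(s[0], n) for t, s in sessions.items()}
    second = {t: verb_ngrams(s[1], n) for t, s in sessions.items()}
    return {(i, j): cosine(first[i], second[j]) for i, j in product(first, second)}


def link_by_nearest(scores):
    """Linkage decision: attribute each first session to its most similar second session."""
    testers = sorted({i for i, _ in scores})
    return {i: max(testers, key=lambda j: scores[(i, j)]) for i in testers}


def accuracy_at(scores, threshold):
    """Fraction of pairs where the 'same actor' call (score >= threshold) matches the truth."""
    correct = sum((s >= threshold) == (i == j) for (i, j), s in scores.items())
    return correct / len(scores)


if __name__ == "__main__":
    scores = score_pairs(SESSIONS)
    for (i, j), s in sorted(scores.items()):
        print(f"{i} session 1 vs {j} session 2: {s:.3f}{'  <- same actor' if i == j else ''}")
    print("nearest-neighbour links:", link_by_nearest(scores))
    for thr in (0.7, 0.85):
        print(f"pairwise accuracy at threshold {thr}: {accuracy_at(scores, thr):.3f}")
```

Two decision rules are shown because they fail differently: a fixed similarity threshold can produce a false link when two testers share a habit (here tester_a and tester_d both follow `cd` with `ls`, which scores 0.767 and is mislabelled at a 0.7 cut-off), whereas nearest-neighbour linking only asks which candidate is the closest and is robust to that overlap in this sample.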