Similarly predictable behavior patterns can be found in cyber-crime. Ahlberg's company ran an automated system that collected data on 750 criminal or hacker forums on the web and the dark web that use seven different languages, including Chinese, Russian and Arabic. Data on 1.4 million handles was processed and indexed, with some interesting results.
They found that over 96 percent of forum handles were used only once, indicating that the vast majority of hackers who frequent these forums are keenly aware of the need to take measures to hide their identities.
But that's not always the case, and the exceptions provided Ahlberg with the opportunity to find out more about those hackers and their activities. "If I can see two (handle) patterns moving in sync then it could be that it is the same person using two different handles, or it could be two guys who are working together," he says. "The trick is to find handles that display similar usage behavior. By identifying ‘hang-arounds,’ we can begin to identify a crew."
By looking at the language used in different forums, it was possible to extract other information from the captured data. It turns out that distinct groups of hackers work at very different times of the day or night. For example, Iranian hackers tend to work during the day (perhaps indicating that many of them are students), while Russian hackers tend to operate in the evening (which suggests that many have daytime jobs and carry out cybercrime as a second job to supplement their incomes).
And groups of hackers that operate on Russian language sites frequent these sites at different times, which suggests they may be in different time zones, perhaps one group in Vladivostok and another in Moscow.
And other patterns provide experts with even stronger indications of where hackers may be from. For example, Russian hacking activity falls away during New Year's Eve (for obvious reasons), while Arab hackers' activity ramps up during the month of Ramadan (when perhaps there is little else to do).
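As an added illustration of the two techniques described above (handles whose activity "moves in sync", and day-versus-night activity profiles), the following Python sketch is not from the article or from Ahlberg's company: it builds hour-of-day activity profiles from constructed forum post timestamps, flags handle pairs whose profiles are similar, and labels each handle's peak window. The handle names, timestamps and the similarity threshold are all made-up assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import sqrt

# Constructed sample data: (handle, UTC timestamp of a forum post).
# These handles and times are invented for the example, not captured data.
POSTS = [
    ("alpha", "2016-03-01T09:10:00"), ("alpha", "2016-03-01T10:40:00"),
    ("alpha", "2016-03-02T09:55:00"), ("alpha", "2016-03-02T11:20:00"),
    ("bravo", "2016-03-01T09:30:00"), ("bravo", "2016-03-01T11:05:00"),
    ("bravo", "2016-03-02T10:15:00"), ("bravo", "2016-03-02T11:40:00"),
    ("charlie", "2016-03-01T21:00:00"), ("charlie", "2016-03-01T22:30:00"),
    ("charlie", "2016-03-02T21:45:00"), ("charlie", "2016-03-02T23:10:00"),
]

def hourly_profile(posts):
    """Map each handle to a 24-bin count of its posts by UTC hour of day."""
    profiles = defaultdict(lambda: [0] * 24)
    for handle, ts in posts:
        profiles[handle][datetime.fromisoformat(ts).hour] += 1
    return dict(profiles)

def cosine(a, b):
    """Cosine similarity of two activity vectors (1.0 = identical shape)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def peak_window(profile):
    """Label a profile 'day' if most posts fall 06:00-17:59 UTC, else 'night'."""
    day = sum(profile[6:18])
    return "day" if day >= sum(profile) - day else "night"

def hang_arounds(posts, threshold=0.6):
    """Return handle pairs whose hourly profiles move in sync.

    The 0.6 threshold is an arbitrary assumption for this example; in practice
    it would be tuned against known-linked handles.
    """
    profiles = hourly_profile(posts)
    names = sorted(profiles)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            score = cosine(profiles[a], profiles[b])
            if score >= threshold:
                pairs.append((a, b, round(score, 2)))
    return pairs
```

On the constructed data, `alpha` and `bravo` share a daytime profile and are reported as a likely crew, while `charlie` posts at night and is not linked to either.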
What's clear from all this is that while some level of attribution is possible, it is very much an inexact science: two years after the Sony hack it's not entirely obvious how the U.S. government can be sure that North Korean hackers were responsible.
But using techniques such as Pattern of Life analysis the security community is increasingly able to shed some light on the "who?" and "why?" of cyberattacks, and it is information that enterprises can take advantage of to minimize the damage when intrusions do occur and to help keep themselves safer in the future.