Steve Bongardt: Predators and the Mental State of the Hack

Do bad actors share certain personality traits with serial killers? How do we think about security and technology when viewed through the lens of a serial predator?

Steve Bongardt is a retired FBI agent, cyber and criminal profiler, and digital forensic examiner specializing in cybersecurity solutions. Steve currently works as a Consulting Sales Director at BlackBerry Cylance, where he brings his lifelong expertise to bear on a new breed of opportunistic attacker.

Whether it’s external cyber attackers, carefully crafted malware, or trusted insiders who betray the organizations they work for, Steve’s unique blend of technical, behavioral and investigative knowledge helps organizations – both private and governmental – defend their critical systems and networks.

About Steve Bongardt

A United States Naval Academy graduate and Naval Aviator, Steve is a CISSP and holds a Master's degree in forensic psychology. Highlights of his career include being on the first handpicked team of FBI agents that went into Afghanistan in December 2001 after 9/11; starting the Cyber Behavioral Analysis Program at the FBI's Behavioral Analysis Unit in Quantico, VA; and leading the digital forensics effort in the DC Navy Yard Shooting investigation in 2013. He was also a SWAT operator and sniper.

VIDEO TRANSCRIPT:

“I've been doing this (working at BlackBerry Cylance) for about eight months, but before that, for about 20 years, I was an FBI agent. As an FBI agent, one of the things I was fortunate enough to do was actually go to Quantico, where our Behavior Analysis Unit (BAU) is based. And for eight years, you learn all about the traditional kinds of violent crimes – so, serial homicide, crimes against kids, and things like that.

But in addition to that, my specialty, because you have to specialize in something, was looking at hackers and insiders. So I actually had a program to go out and actually interview hackers and insiders to try to get an idea as to how they think. Do they think in a different way to us?

So we're going to take 15 or 20 minutes today and talk about what I call the state of the hack from a mental perspective. And my experience was that these guys (cyber attackers) shared a lot of the same characteristics as some of the serial killers that you see out there, serial rapists and things like that.

They were predators, and I want to try to really quickly make that case to you. The other thing is, before we try to say that anyone who we think is doing bad stuff is different, there's an assumption that's made that they’re different, right? Is a hacker really different from a black hat, a gray hat, or a white hat, or somebody in the IT community? There is a difference, right? Because we make an assumption that there is something in them that's different.

So is that always the case, and how do we think when it comes to technology and security and things like that? So we'll talk about that very, very briefly. I try to take the human side, and what we like to say at BlackBerry Cylance for services is that there's a combination of human intelligence plus artificial intelligence (AI). Both of those things are what we try to use to secure your network.

And what I'm not saying is that all this stuff about technology and data science isn't important. It is, but it also does something to all of our brains when we start to think about it, and so sometimes as human beings, just thinking about technology can jam us up a little bit.

I'm going to tell you about a cyber extortion case I worked when I was at the Profiling Unit. It was one of the first behavioral analysis kind of cyber profiling cases that we looked at. And we're going to talk about predators.

So what are predators? What do they do? I'm going to tell you that I think that hackers are like predators. Not all of them, but a lot of them are. What does that mean? What does that mean for you?

Now this is very, very high-level stuff. My goal is that when you walk away from here, it'll give you a different perspective as to how to look at all this: what we're doing at BlackBerry Cylance and everything else, and the blind spots that we have. We're going to talk real quickly about a blind spot that we have as human beings, right? We all have them.

Your Protected Health Information - Hacked

So in 2007 when I was a Profiler at the FBI, one of the first cases that I worked was a cyber extortion matter, and this is probably a lot of our worst nightmares. An individual—a hacker—had broken into a major insurance company and had stolen over a million pieces of Protected Health Information (PHI) account data from that company. It's the worst possible PHI data.

This is a screen capture of a spreadsheet the hacker sent to the CEO, to say that, "Hey I have this, and if you don't deliver $200,000.00 in e-gold currency by X date, I'm going to put this all over the Internet and give it to whoever wants it. Like publish it out on the dark net."

And as you see up here, I blacked out a lot of the stuff, but (referencing the screen capture) it's herpes simplex without complication, HIV with specific infections, and so on, times a million different accounts that he had.

So in this kind of a scenario, they contact the profiling unit, and what we try to do... I spent a lot of time—and this is tough coming from an aerospace engineer from Annapolis—but I spent a lot of time when I went to the profiling unit, not only going back to school to get my Master's in Forensic Psychology, but also learning psycholinguistics.

Because it makes a lot of sense when you're interacting with somebody cyber-wise; one of the things that is very, very helpful in these cases is learning about language. What words people use to know that they're actually going to do something when they say they're going to carry it out, and maybe to get some kind of a psychological edge on what type of person it is if I'm interacting with them.

So even though this guy thought he was interacting with the CEO of the company when he started emailing using a Tor browser and an offshore email account, he was actually interacting with me over a period of four weeks. I was reading his emails, I was writing back as the CEO. And so one of the plans we have is just to start to get the guy to communicate, and the thought is always that if we can get them to communicate, somewhere along the line they're going to mess up. And if they mess up, maybe it'll give us an opportunity to catch them. That's basically, at the FBI, one of our main strategies.

So I'm interacting with them, and I'm interacting with them as the CEO of the hacked insurance company, and one of the things I'm trying to tell them is, "Hey, I'm the CEO. I don't understand this e-gold stuff. You want me to transfer $200,000.00 in e-gold? I'm not going to be able to do that. I don't know anything about this. I got to keep this quiet. I can't bring in everybody in the company." Remember e-gold, right, and it was all brand new back then? Now, it’s no big deal.

So I'm trying to force him to do a physical drop. We always want to force suspects to physically show themselves, but I have no idea where this guy is in the world. And so this is the threat. If anyone is used to seeing those television shows, right, profiling television shows, what I'm showing you here is a geographic profile.

It turns out that what that guy was doing was he was wardriving around a major suburban area in the United States where he actually lived. And periodically when he's interacting with me—he probably sent 20, 25 emails over the course of four months—while he was periodically signing in and out of the Tor browser, it was leaking his IP data. So what we did was we said, "Hey, hunting, right, hunting, wardriving, is a type of hunting and predatory behavior. So let's try to take that IP data and put it into geographic profiling software and see if we can get an idea as to where he is."

Wardriving and Geographic Profiling

Now, geographic profiling software, it's very, very specialized, developed by a guy named Kim Rossmo who's up in Canada. Fantastic guy, very smart guy. Geographic profiling deals with things like kill sites, abduction sites, body disposal sites. That's how the algorithms actually were. We were putting in there the IP address of the wireless access point that he was actually accessing.

And so this was the beginning part of our geographic profile that we put on. So if you look at this (referencing the screen), orange and red is hotter. There's a greater chance that he lives in these areas than something cool, like one of the cooler areas.

We got really lucky over about three or four weeks, and at one particular time, he went and signed into a recreational facility, a very large recreational facility, and started using the wireless access there. And so for one day we had a record of the 196 people that actually signed in to the gym, and we started crossing that with our geographic profile. And if you see, we ended up coming up with the names of the 196 people. We actually ended up cross-referencing DMV records with who signed into the gym that day, and for those 196 people, it's the only case where the FBI actually took the name of an offender and said, "Here, field office, this is the name of the bad guy."

And we found this out right before the day we had pushed the guy to do a physical drop. So we were going to start with $10,000.00, drop that in a physical location, and it was around this city. So I remember handing the name of the guy and where he lived to the field, and they said, "That's great, but we really don't... " And it made a lot of sense to me, being an agent myself. We want to catch them red-handed. We want to catch them after we make the drop of the paper bag of $10,000.00. We want to see him drive up, grab the bag, and get him.

The Movies vs. Real Life

So this happened at night, it was 7pm, and like never happens in the movies, we have three or four air assets up for surveillance, we have probably 12 or 13 cars that are surveilling this particular area. And this guy drives up in a car, gets out, he's got a hoodie on. Classic. And he picks up the paper bag, jumps in the car, takes off, and with four air assets and 12 cars, guess what? We lose the surveillance. We lost the guy. Right? Never happens in the movies, right? Never happens.

But luckily since we had the address and the name, we all vectored to where he was. We kicked down the door and yelled "FBI!" And he's opening up the bag and we got him red-handed, right, with the bag.

But the reason I tell this story is because my belief, and I'll talk about it here in a second, is that a lot of the hackers that I interviewed and talked to, they were predators, right? And here we are using a software that actually does geographic profiling based on predatory type behavior, right? “Where are you going to dump the body? Where are you going to kill the person? Where do you first abduct them?” To actually help us identify who this person was. And in this case, we were very lucky, we got fortunate, and protected a million accounts.

So if anybody's interested in profiling, probably one of the best books out there is The Crime Classification Manual. There have been three versions; it's 2013, but this comes from it:

"It is because this act of manipulation, domination, control, be it rape, murder, arson, or any other criminal enterprise, gives them a communication of power, satisfaction, and fulfillment that they achieve nowhere else in life."

And in my interactions, I'm not saying that every hacker is this way, but in my interactions dealing with these guys (and they were all guys that I interviewed; I know there are females out there who actually do this), what I saw was a pattern of, very early on, some dysfunction in their life, right? Some dysfunction, and they turn to technology to be able to reestablish some sense of self-esteem. And we all need to thump on the world a certain way, right, and so what they decided to do was turn to technology to be able to thump on the world. It gave them that ability to reestablish that self-esteem.

What I also found was, and I would guess and my theory would be, is that the issue for a lot of these guys (and they were guys), the guys that I interviewed, probably about two dozen, they didn't have a strong authority figure in their life, either. Surprise, surprise, right? Think about some of the hackers that you either have read about or think about, they didn't have somebody like my dad who told me, "Hey, I brought you into this world. If you don't obey me I'm going to take you out." Right?

Maybe that might've been a little drastic, but not so much. They didn't have someone to give them a rule set that they could internalize, and that's what I would say.

And this really sums up at least how I felt about the guys that I interviewed. They were predators, and people asked me all the time, even before I worked at BlackBerry Cylance, "Would you hire a hacker?" And I'd say, "You know what? I had a bunch of hackers that were sources of mine when I was an FBI agent. I would run things off of them, right, I'd bounce it off them, I'd pay them for their information, but I wouldn't hire a hacker, because I do believe on some level it is need-driven behavior. They need to color outside the lines, they need to thump, they need to reestablish the sense of self-esteem that they lost probably very early on."

Hunting Predators

In hunting predators, what can you learn? When you're looking at your networks, one of the things I like to say is that it's all about control, right? So no matter what your security stack is, make sure you understand how cyber criminals are coming in, how they move, how they would control you. Very, very similar to the way you would deal with a physical predator. Right?

At the profiling unit, we had a chance to do a lot of interviews with abductors, both child and adult, and one of the things that we learned—and I tell people in every presentation I give because this usually comes up—what would you recommend to your wife or child when it comes to a physical abduction?

Well, except for James Bond, it never gets better for anyone once they leave the scene of the abduction. And a lot of these guys that we had talked to (and again, they were all guys), said that had the child, had the woman, had the guy done anything when we first brandished a gun or a knife, we would've been out of there. Right? We would have been out of there.

But this sense of control is also very, very important to them. Part of it is pathological. They have such dysfunction early in their life, that having that over-controlled sense of how they live their life is part of it, like they like to do things certain ways.

Here's a big one that I think is really important for cyber security. They're single-minded, right? They look for the low-hanging fruit, but once they're onto you and they're focused on you, they're really focused on you. So you want to make sure that you're pretty much locked down, which is one of the most important things in containment. Even if you're able to get rid of all the bad stuff in your network, you'd better make sure they're not coming back, because generally they're going to be coming back. Once they lock onto a target, they want to focus on that target.

Loan Sharking and High Risk Victim Pools

Loan sharking. Anybody know what a loan shark is? Social engineering, right? One of the most powerful things in human behavior is reciprocity. I do something for you, Daniel, you're going to want to do something for me. That's part of being a human being, but predators take advantage of it. Not only that, but they escalate. You know: I'm going to help you carry your groceries out, and then I'm going to ask you for a ride because I don't have a car today. That's how they work. It's a little bit different with regards to doing favors for each other, but they're experts at it from a social engineering standpoint.

The biggest thing I would put out to all of the people that you work for is, when somebody's being really nice to you and they say they're going to give you something, the hair should go up on the back of your neck. We used to have a saying at Quantico, and it was one of the first things I learned as an FBI agent: "Treat everyone like a million dollars, but have a plan to kill them." It's that kind of mentality. Everybody can be nice and go and interact and be nice to others, but look out for those loan sharks.

And here's probably the biggest one: loan sharks love, love, love large attack surfaces. If they want to come in through the window, they don't want to be forced through the door. If they like to abduct somebody in a parking lot, they don't like to be forced onto the street. And this is really, really important for the cyber industry, and I saw it in the guys that I interviewed. They really like to do things in a certain way.

I deal with clients every day, and I see clients are so worried about living off the land, right? Not using malware, living off the land, being able to pivot, utilizing lateral movement, and never using any malware whatsoever. I go, "Wow, that's great, that's fantastic, but for the vast majority of people that you're dealing with, you need to take care of your large, large attack surfaces and malware and some of your basic, basic stuff, and then worry about living off the land, right?" And I see people ignore that all the time, which makes them a high-risk victim. Sharks love high-risk victim pools. They're going to gravitate around it.

You know, we used to have a saying, or we've done lots of different estimates in a year when I was in the profiling unit: how many serial killers do we have out there? And we had estimates from 15 to 20. And people are like, "15 to 20? You never hear about it." It's because they prey off victim populations, they prey off the degenerate, such as people that are homeless, right, and the prostitutes that we all have in our societies.

And in cyber, they're preying off you with regards to malware. If you're not taking care of your tier one alerts, which is 99.7 percent of your malware, you're not doing what you should be doing. Because they’re going to look for you, and there's too many of them out there, unfortunately, when it comes to cyber. There's more than 15 or 20 of them, that seek high-risk victim pools.

On Feeders, Staging, and Attribution

The other thing is that they're feeders. Anybody ever hear that term before? What's a feeder? A feeder wants you to react to them, right? A feeder hates when you're trying to predict and when they have to react to you. They want you to react.

Really one of the best things I like about BlackBerry Cylance is the preventative mindset: we're not saying to forget “detect and respond.” I mean, we do it all day long every day. We're talking to clients who are in a jam and needing us to help them with regards to response. But if your mindset is one of prevention, you're going to be mentally ahead of them, at least, in the game. So that’s something about predators to take away.

The other thing is that predators want anonymity. The one thing a predator wants to be able to do is come back and do it again. I say this because in a lot of verticals that are out there, attribution is a big thing. I think (wanting attribution) is part of being a human being. If someone's going to come into your house and steal something, you want to know who it was, right?

Attribution's always an answer that you're going to want to have, but you have to be really, really careful because there's something in profiling we call "staging". It's when it's so obvious who the actual perpetrator is, you got to make it look like it's somebody else.

And so I tell people that in the case of robberies going bad, the worst thing you can ever do if you walk into your house (and find a robber in there) is stand in front of the door. Get out of the way of the door if there's a burglar in there, right? Get out of the way. He does not want to interact with you. You get out of the way. It's not a personal type of a crime. So when we see a robbery that went bad where a spouse is dead, we immediately as profilers start looking at the other spouse. It's part of the profile.

Now, there's a lot of different ways we treat that, but that's the way to go. But when it's too obvious from an attribution standpoint—if we're talking about Fancy Bear or whatever advanced persistent threat (APT) we're talking about—that an IP address comes back to three or four blocks from the Kremlin, I get worried. Right, because we can stage all of this. You guys who are sitting down here can stage a lot of who you want to make it look like (committed the attack), especially once that malware is out there.

So what I tell people generally, because I give this presentation to a couple different types of clients, is to really look at the overall sense of the attack and realize that bad guys stage cyberattacks all the time. Iranians are trying to make it look like the Russians, the Russians are trying to make it look like the Chinese, the Chinese are trying to make it look like it's us, maybe even. You know, from different things. So they want anonymity, so generally look for more than one type of indicator.

How the Bad Guy Thinks

So we talked about the bad guy, how they think and what they think. I want to finish up with one thought about how we think, because trust me, profilers are no better at a lot of this than the normal person is. Some of the best cases I've ever worked are with some of the people in the group that have just got done working a serial homicide, and some of the worst are the guys that just got done working a serial homicide and were working a new one, because as human beings we have a tendency to take whatever paradigm we have, whatever mindset we think how the world operates, and put it onto whatever that current problem is, right? So if you're dealing with something a little different or slightly different, it can be very difficult.

But this is a real quick study; go back to 1975. Some of you may have heard of this; some of you may not have. But at Stanford University, what they did was they took 25 real suicide notes and paired them with 25 made-up suicide notes. Then they had a random group of people that they brought together, and they said, "Hey, we want to know how well you are able to distinguish, in these 25 groups of two, what's the real suicide note and what's not the real suicide note."

And amazingly, one group of people was able to distinguish 24 out of 25 correctly. And amazingly, the other group of people, they were horrible at it. They had nine out of 25, right? Chance would be 12, 12 and a half. Amazingly those are the numbers. But whenever it comes to psychological tests, they're never about what you think they are, so those numbers weren't real. They were just made up. Right?

And they told them, they went in after they judged how they did and they said, "Well, tell me about how you think you did, because it looks like you did really well." The 24 out of 25 group, they said, "Hey, you did really, really well at this. How did you do so well at guessing this?" And people said things like, "Well you know, I've always had a knack with language. I watch a lot of cop shows. I'm really, really good, I'm very intuitive. I could really, really figure out this. I knew I was going to be really good at it." They said, "Okay, thank you very much." They captured their responses, and the same thing with the people that didn't do well.

Remember, this is all random, right? They just randomized it. They went in to the people with the bad experiences and said, "Why do you think you did so bad?" They said, "Well, you know what, I've never been really good about reading. I'm not really that kind of a person. I'm not a linguist person. I was an engineer." Whatever. And then they told them, they said, "All right, guess what? It was all made up. This was all made up. You really didn't do really bad on this test, right, it was just all random. How now do you feel?"

And what they found out was their opinions about themselves, those initial impressions, didn't change much at all. The people that still scored 24 out of 25 thought that they really had a knack for it and they were really good at it. The people who were really bad at it said, "Wow, you know what, I think I still wouldn't do very well if you really gave me the real score on this."

And the reason I bring this up, and this is famous; it's been done a lot of different ways, is that impressions, even when faced with the truth... because you're going through here and we're all trying to figure out what the truth is.

What is the truth? What's the best thing for my network? Even when faced with the truth sometimes, impressions are very, very hard to overcome. Regarding whatever you think about, and even in the face of the truth that the logic behind you was false, this is the way our brains think.

A Note on Human Behavior

One of the profilers was a guy named Ken Lanning. He's a giant. He's as big as Robert Ressler or John Douglas, if you've heard those names. I asked Ken one day, because he would come through and teach the new guys and I was a new guy at the time. I said, "Ken, what can you tell me about human behavior?" And he said, "You know what? Across every case I've ever worked, people will believe what they want or need to believe, despite all the evidence to the contrary. And that's what I find, right?"

Now that's okay, right, maybe in our everyday life. Maybe in our everyday life it's not that good, but when it comes to dealing with security and securing your networks and securing, physically, the people around you, you really want to be able to try to correct that.

So here's one of the points I give you. (Referencing screen). This is a sales slide, right? A compromise assessment from what we (BlackBerry Cylance) do. One of the things we do in services is that we come in and try to see if you're hacked. We come in, in this particular case, in 200 locations worldwide, 5,000 endpoints, 10 million annual customers, identified by the Secret Service that "hey, guess what, you're actually compromised". We come in, and we actually were able to find stuff that other people weren't able to find.

That's great, but that's not really, really good. That's not how we think. We're not going to convince you that this is good, by demonstrating how successful we are. One of the things is that we have found, at least from a psychology point of view, is when it comes to critiquing ourselves, we're really bad at it. But when it comes to critiquing others, we're really, really good.

One of the theories on this is that logic is a part of the brain that evolved late, and what it evolved for is not to help me figure out what antivirus product to buy, or what solution to look at that might help me. It helped me so that, if you and I are in the same tribe, and you say that you're sick one day and you can't go out and hunt, I can figure out logically, are you really sick or are you just bagging it?

So we're really, really good sometimes, thinking when it comes to critiquing others. Makes sense, right? I think all of us could probably use this example.

One of the things I often say is, "Think about the implications." Whenever you're trying to convince a boss or a client, that maybe they're going down the wrong path, think to yourself, what are the implications and consequences if you continue on this path? And also, what if you had a friend doing this? Or what if you had a hospital in this vertical and they were continuing to not address certain security concerns? What would you say to them? And sometimes we’re able to flip a little bit of that.

And then come emotional states. Even though we all think we're cognitive thinkers and we think logically, we're not and we don’t. We could talk about a bunch of other things, if we had time, about a lot of experiments that say we might think we're thinking cognitively and making logical decisions, but it's actually emotional. So try to think about the emotional states for your employees. How hard are you working them in incident response and things like that?

Why the Titanic’s House Band Played On

To finish up, here's a quote. "I know he often said that music was a bigger weapon for stopping disorder than anything on Earth." That was said by John Carr. He's talking about his former coworker, Wallace Hartley. Does anyone know who Wallace Hartley was? I’ll give you a hint: iceberg. Titanic. He was actually the band leader on the Titanic.

So this is a fantastic book that was written by Steve Turner in 2013. He was trying to figure out, okay, when the band was playing on the deck of the Titanic when the ship was going down, did they really realize what kind of a situation they were in? Or what was the deal?

And so they did a bunch of interviews and they talked to John Carr and their belief was that he (the band leader) probably did realize that the ship was going down, but his belief was that in order to make people feel better, he was going to play music.

So I like to finish up with this slide, because I'm not saying, “don't listen to the music”, right, but make sure you've done everything you can to save the ship from sinking first. I'd like to end with this.”

*(Editor's note: transcript has been lightly edited for clarity)