Spotting the Behavioral Signatures of Odd Ducks

You know the old adage, “if it looks like a duck, walks like a duck, and talks like a duck, it probably is a duck.”
However you might feel about such profiling, this is, in a nutshell, the basic idea behind the concept of the behavioral signature.
In the context of malware detection, behavioral signatures are an important part of the arsenal to detect and block attacks—attacks that commonly exhibit tell-tale signs as malicious code executes. These include such “behaviors” as memory/buffer overflow, system configuration or registry changes, turning off existing protections, privilege manipulations, exploits disguised as patches, and other readily identifiable indicators.
But what about the behavioral signatures of people? Can we spot the odd ducks as easily as we can malware? Because people now comprise a substantial area of the attack surface, does it not make sense to extend the definition of behavior-based security to include the human endpoint?
Actually, as the term suggests, the very notion of the behavioral signature has its roots in the behavioral sciences. Duh! In this context, behavioral signatures are used to predict human behaviors in various situations. They account for such things as the ways in which people categorize information from external stimuli, their degree of self-regulation, expectations of consequences, their personal goals and values, and myriad affective responses, including their emotions in given situations. You know, all the things that converge when an employee is tempted to click on what is likely to be a malicious link, or respond to other situational demands (e.g., phishing attempts: is Tom likely to fall for it?) or physical circumstances (e.g., tailgating: will Brian shut the door behind him or let the stranger follow him into the building?).
Security expert Debra Littlejohn Shinder noted, “Behavioral security is useful for those cases where a person, program or file has not previously been classified as ‘good’ or ‘bad.’ It is an effective way to detect new threats without waiting for them to first do harm.” Whether applied to programs or people, isn’t that just the point?
Like malware, people, too, exhibit security-related modus operandi, some of which are out of the ordinary course of events, if only to those who have been trained to recognize them. Which brings us to the final point.
A vital competency of a security-aware workforce is the ability to identify and interpret indicators of potential trouble. And because so many human behaviors follow patterns, they can, indeed, be profiled and used to avert negative consequences consistent with those behavioral signatures. To this end, a little training in security awareness will go a long way.
