Darknet forums can look like a chaotic mess of technical jargon and coded language to those unfamiliar with them. But to intelligence analysts, they are digital watering holes that draw together all sorts of cyber threat actors. They are also a window into how these threat actors do what they do.

Most cybersecurity strategies focus on the ‘what’ and ‘how’ of cybercrime. Threat actor profiling focuses on the ‘who’ and ‘why’. Analysts can learn a lot about cyber threat actor identity and motivation by paying attention to and analyzing darknet forum chatter. They do so by applying behavioral analysis that gives a clearer understanding of the psychological state of a targeted threat actor.

What does this behavioral analysis reveal? It reveals motivations, threat actor conflicts, and even the stressors that influence what threat actors do. Tying it all together opens the door to predicting a threat actor’s next move before a single line of malicious code is ever written.

A Behavioral Analysis Framework

DarkOwl is a cybersecurity provider and a specialist in threat actor profiling. They say that traditional cybersecurity looks at hackers as faceless machines. Behavioral analysis changes this. It deploys profiling techniques that treat cyber threat actors like employees in a high-stress but illegal industry.

Security analysts use the same types of behavioral markers as their counterparts in HR. They look at three primary psychological indicators:

1. Linguistic Markers and Skills

The way a cyber threat actor speaks says a lot about his experience and geographic origin. A threat actor whose discussions are limited to the basics is demonstrating a low level of skill. Another who gradually progresses from SQL injection to topics involving zero-day exploits is demonstrating an ability and willingness to learn.

2. Interpersonal Conflicts

Because the darknet is populated by people of questionable character, it is also a breeding ground for infighting and disputes. Scams and ego-driven arguments are common. So is a practice known as ‘ripping’ – essentially stealing from other hackers. All these interpersonal conflicts provide context that could explain why a particular threat actor does what he does.

For example, a hacker who has been shamed on multiple darknet forums may feel the need to prove himself to regain lost respect. What better way to do so than to plan a high-profile breach that gets a lot of attention?

3. Perceived Stressors

Just like more traditional employees, hackers deal with on-the-job stress. Their perceived stressors are things like financial pressure, pressure from affiliate groups or those higher up in the chain of command, potential law enforcement threats, and more. Perceived stressors can actually change a threat actor’s behavior.

Security analysts harvest observations of these stressors to measure the urgency a threat actor might be facing. A high sense of urgency suggests a threat actor might be planning something big. More importantly, if a threat actor’s stress level is high enough, he could be prone to taking higher risks or making serious mistakes.

Why It All Matters

Threat actor profiling is about making better decisions. Decision-makers are better at what they do when raw data is supplemented by strategic context. Threat profiling creates that context. It gives security analysts a window into the mind of the cyber threat actor. By understanding what a threat actor might be thinking and feeling, predicting his next move becomes easier.

Behavioral analysis can be injected into threat actor profiling to create a much clearer picture. If your security team is not yet using this particular tool, now would be a good time to learn as much as possible about it.