In the physical world of criminal investigation, police investigators aim to build a profile of the criminal in an effort to help catch the guilty party. The same basic idea is now being applied in the cyber world.
With WOMBAT, existing data as well as new data was collected and enriched to provide additional information. In many cases, the raw data is not enough to explain what is really going on so there is a need for more contextual information.
“If you make an analogy between a cyber crime and a real crime, like say a murder where there is a dead body, you will not just look at the dead body,” Marc Dacier, senior director at Symantec told InternetNews.com. An investigator at a murder crime scene will look at the overall crime scene to note the environment and other circumstantial data. With the WOMBAT data enrichment, the raw data gets that type of environmental data to help deliver a better understanding of the cyber crime scene.
Rounding out the effort, the project aimed to find a method that would link events together that are all related to the same root cause — an attack that utilizes the same method or is perpetrated by the same organization.
“For example, if you’re LAPD and you have thousands of crime scene files and you think there is a serial killer that is responsible for a number of crimes how could you figure that out?,” Dacier said. “The way you find a serial killer is they use the same modus operandi (MO) again and again.”