The Next Software Aimed At Predicting Chances of a Cyber-Attack

Written by
  • Posted: February 26, 2015 at 2:06 pm

With all these super-computers being built or already in existence (such as IBM’s star uber-computer, “Watson”), it only makes sense that they would make them even more intelligent. Well, here’s the talk of the town: academics and industry scientists are in league to build software that can analyze publicly available data and a specific organization’s network activity to find patterns implying the probability of an imminent hack. Essentially, they want Watson to predict a likely data breach before it occurs. If I am to extrapolate this correctly, they want to make computers psychic, or rather give them an ‘algorithmic intuition’ of some sort (remember folks, you heard it here; I should ring the editors of the Oxford dictionary or TED, I may have INTUITIVELY coined an ingenious phrase). That, my dear lords and ladies, is the ambitious, long-haul goal of a contest being held by the U.S. intelligence community (imagine if NIS had such capability, or any capability for that matter; the reality would be…).

The dream of the future is this: a State House supercomputer spewing out forecasts on the probability that, say, an unnamed state with immense cyber capabilities will try to intercept presidential room video that day of some vague (classified) conversation between China and Kenya, or that a nation with immense cyber capabilities will eavesdrop on a conversation between President Uhuru and his lawyers at the ICC. Now, won’t that be a sight to behold, yeah!

IBM has even expressed interest in the “Cyber-attack Automated Unconventional Sensor Environment,” or CAUSE, project. You’re probably wondering what in the Queen’s name CAUSE is. Americans and their abbreviations; I find them curiously exciting.

Well, CAUSE is the brainchild of the Office for Anticipating Surprise under the Director of National Intelligence. A “Broad Agency Agreement” setting out the competition’s terms and conditions is expected to be issued any day now. Imagine if we could hold such ‘healthy’ (I use this term lightly) competition amongst our ‘security apparatus’ agencies. It doesn’t even have to be on super-computing software; it could be on finding the best way to collect intelligence in this region using technology.

According to ‘intelligence’ from those in the know, current plans call for a four-year race to develop a totally new way of detecting cyber incidents — hours to weeks earlier than intrusion-detection systems, according to the Intelligence Advanced Research Projects Activity (do we even have such a division, you know, that obscure part of a building that would make an agent of the state feel like James Bond?).

IARPA program manager Rob Rahmer noted that the hacks at Sony and health insurance provider Anthem were evidence that traditional methods of identifying “indicators” of a hacker afoot have not sufficiently enabled defenders to get ahead of threats. We might not have many cyber-attacks in the country yet, but as the populace becomes more intelligent, with increased access to technology, not to mention increased ‘international exposure’, our susceptibility as a country to cyber-attacks grows ever grimmer and more probable. But I am sure there are cyber-attacks going on in the country that never hit the airwaves. Ooh, but it’s coming….

According to Rahmer, this is “an industry that has invested heavily in analyzing the effects or the symptoms of cyber-attacks instead of analyzing and mitigating the — cause — of cyber attacks.” Rahmer, who is at the helm of CAUSE, emphasizes that “instead of reporting relevant events that happen today or in previous days, decision makers will benefit from knowing what is likely to happen tomorrow.”

CAUSE’s cyber-psychic bots will estimate when an intruder might attempt to break into a system or install malicious code. Forecasts will also report when a hacker might flood a network with bogus traffic that freezes operations (wonderfully dubbed a Denial of Service attack).

I should note that such computer-driven predictions have worked for anticipating the spread of disease (like the Ebola outbreak) and political uprisings (if only they could have predicted 2007). Notably, few researchers have ever explored such technology for cyber-attack forecasts (it may have been suggested in a film, and I am sure I have thought of it sometime during my rumble-in-the-brain sessions).

So, Who’s Interested?

Some 150 would-be participants from the private sector and academia showed up for the January informational workshop. Rahmer remained zipped about the size of the prize pot, which will be announced later in the year. Thing is, teams will be required to meet various mini-goals to proceed to the next round of competition, such as lifting data feeds, constructing probability formulas, and forecasting cyber-attacks across multiple organizations.

Ultimately, here is a scenario for how a conversation between a client and a predictive-data service provider might go. What the provider is most likely to be able to do is say to the client, “Given the state of the world and considering the asset you’re trying to protect or that you care about, here are the [events] you might want to worry about the most.” In lieu of having to obsess over every single bulletin that comes across your desk about possible zero days or previously unknown vulnerabilities, it would be wonderful if some machine declared, “these are the highest likelihood threats.”

Research is focused on “advanced persistent threats” (APTs), involving well-resourced, well-coordinated hackers who conduct recon on a system, find a security weakness, wriggle in and invisibly traverse the network. I shudder to think of the damage.

The fact that APTs sit on networks for a long period of time gives you not only the sociopolitical pieces of data or clues you need to offer a prediction, but also all sorts of clues on your own network that you can integrate. Of course, it’s not an exact science. Chances are, there will be false alarms. We are not talking about completely supplanting the human brain, because it must provide some support after the machines do their thing. However, I envision a future where the human is absolutely not part of the equation!

The goal is not to replace human analysts but to assist in making sense of the massive amount of information available. While it would be ideal to always find the needle in a haystack, CAUSE seeks to significantly diminish the size of the haystack for an analyst. I have never understood this analogy, needle in a haystack; correct me if I am wrong, but isn’t a needle easily visible on a haystack? I am just saying. So, I will say (in the interest of efficient analogy precision, EAP) that what CAUSE plans to do is basically teach us to see in a dark room: it’s easier to navigate a cluttered, dark room when you know where everything is, right? There, a more complete analogy.

Social Media and CAUSE

Currently, CAUSE is planned to be an unclassified program. Performers need to be creative in identifying the new signals and data sources that can be used.

Participants will be judged on their speed in identifying the future victim, the method of attack, the time of the future incident and the location of the attacker, according to IARPA.

Clues might be found on Twitter, Facebook and other social media, as well as online discussions, news feeds, Web searches and many other online platforms. Unconventional sources tapped could include black market storefronts that peddle malware and hacker group-behavior models. AI will do all this work, not people. Machines will try to infer motivations and intentions. Then mathematical formulas, or algorithms, will parse these streams of data to generate likely hits. Better check your social media activity.

An interesting piece of research in cyber-warfare is the nature of deception and counter-deception. Cyber adversaries rely on deceptive attack techniques, and comprehending patterns of deception enables accurate predictions and proactive counter-deceptive responses. Basically, intelligence and counter-intelligence. It’s highly expected that supercomputer-like systems will be needed for this kind of analysis.

Imagine this: say you were able to look at every single Facebook post, process everything, run it through some filter, through the conversations and the little day-to-day things people do; you could actually start to see bigger patterns, and you can imagine that is a ton of data. Of course, you would need some sort of big data technology that you’d have to bring to bear to be able to digest all that, right?

Point of Fact: Recorded Future, a CIA-backed firm that has been in operation for six years, already knows how to generate hacker behavior models by assimilating public information sources, like Internet traffic, social networks and news reports. Nonetheless, the company’s analyses do not factor in network activity inside a targeted organization, because such data typically is confidential.

Being able to do this successfully is not simply sociopolitical analysis applied to current flashpoints. One needs observables on the network, possible signs of malware or penetration, since many campaigns go on for weeks or months. This way, you have a lot of network data that you are going to end up including in the FINAL CRUNCH!
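To make the earlier points concrete (the competition’s “constructing probability formulas,” the need to integrate sociopolitical clues with network observables, and the inevitability of false alarms), here is a small added example, not code from the article or from CAUSE. It fuses a few assumed open-source and on-network signals with naive Bayes in log-odds space and shows that chatter alone barely moves a low base rate, while adding network observables does; all signal names, rates and organisations are constructed for illustration.

```python
from math import exp, log

# Constructed, illustrative parameters (assumptions, not figures from the article):
# a low daily base rate and per-signal P(signal | attack), P(signal | no attack).
PRIOR_ATTACK = 0.01
SIGNALS = {
    # open-source / sociopolitical clues
    "forum_chatter_naming_org": (0.30, 0.02),
    "underground_market_listing": (0.20, 0.01),
    # observables on the organisation's own network
    "unusual_outbound_beaconing": (0.60, 0.05),
    "new_admin_logons_off_hours": (0.50, 0.10),
}

def posterior(observed, prior=PRIOR_ATTACK, signals=SIGNALS):
    """Naive Bayes fusion in log-odds space. Every signal in `signals` contributes:
    present ones add log(P(s|attack)/P(s|no attack)), absent ones add the log
    ratio of their complements. Assumes conditional independence of signals."""
    log_odds = log(prior / (1 - prior))
    for name, (p_hit, p_false) in signals.items():
        if name in observed:
            log_odds += log(p_hit / p_false)
        else:
            log_odds += log((1 - p_hit) / (1 - p_false))
    return 1 / (1 + exp(-log_odds))

def triage(observations_by_org, threshold=0.5):
    """Shrink the haystack: return (org, probability) for organisations whose
    estimated attack probability clears `threshold`, most likely first."""
    scored = [(org, posterior(obs)) for org, obs in observations_by_org.items()]
    return sorted(((o, p) for o, p in scored if p >= threshold),
                  key=lambda item: item[1], reverse=True)

# Constructed sample input: which signals were seen for four hypothetical orgs.
OBSERVATIONS = {
    "org-a": {"forum_chatter_naming_org"},
    "org-b": {"forum_chatter_naming_org", "unusual_outbound_beaconing",
              "new_admin_logons_off_hours"},
    "org-c": set(),
    "org-d": {"unusual_outbound_beaconing"},
}

if __name__ == "__main__":
    # Chatter alone barely moves a 1% prior (about 3%); chatter plus two network
    # observables lifts it to about 88%. Even then roughly one flagged org in
    # eight would be a false alarm, which is why the analyst stays in the loop.
    for org, p in triage(OBSERVATIONS, threshold=0.0):
        print(f"{org}: {p:.3f}")
```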

The twenty-first century man is the Quantified Self, and the things that he designs DESIGN him LIKEWISE.

What is your opinion on the topic?
Stefan Wolf