The New Science of Forecasting Cyber Attacks

In 1933, Poland’s leader, General Pilsudski, wanted to launch a preemptive attack on Hitler’s Germany. Pilsudski, an almost obsessive student of history and politics, had analyzed all the actions of the German government and determined that they were positioning themselves for an eventual attack on Poland and other European countries. Unfortunately for Pilsudski, and Europe, both France and England balked at the idea of a preemptive strike, and one can’t help but wonder how different Europe would be today had this attack occurred and succeeded.

Today’s cyber landscape is similar to that seen in the political landscape of Pilsudski’s time. Although no one wants to openly admit it, the US government is essentially on a cyberwar footing. Government agencies and US companies have not only been threatened, they have been attacked, and serious damage has been done. The nations behind the attacks have even been named, but, as far as we know, little has been done in response.

Security has historically been based on detecting a possible attack when it occurs. Firewalls do this by determining that something suspicious is trying to work its way into a computer or network. Often, the malware behind the attack is matched to previously known malware (code) and prevented from entering the system. But what happens when there is no match to the attacking malware? This is what happens during a so-called zero-day attack. These attacks circumvent security architecture by making the network believe all is well. After malware has already made it into a network, the main purpose of security architecture is forensic. Network security tries to identify such malware and, if possible, remove it. This discovery can take months or even years, during which time, the malware gathers information and sends it on to the attackers.

This unsatisfactory solution to cyber attacks has led the US government to pursue a different approach. They want to detect an attack long before it actually occurs. In other words, if they see that an institution or business is being ‘groomed’ for a future attack, they want to be able to detect this and stop the attack before it has a chance to occur. To this end, they have embarked on a new program called CAUSE (Cyber-attack Automated Unconventional Sensor Environment), the goal of which is “to develop and test new automated methods that forecast and detect cyber-attacks significantly earlier than existing methods”. Well, that’s a nice idea, but how is it possible?

Despite the fact that there are millions of varieties of malware, they all follow more or less predictable stages. There is the reconnaissance stage, the planning stage, and the delivery stage. During the reconnaissance stage, the attackers will be doing research on their target. This may include social engineering research or probing a company’s/institution’s network to find vulnerabilities in the software that is being used. Once the research is finished, the attackers will try to match network vulnerabilities to known malware kits that can exploit these vulnerabilities. These kits can be tweaked by the attackers to compromise a target more effectively.

If the attackers plan an attack using social engineering, they will usually begin to research individual employees through their social media sites or by simply searching the internet for information. Once they have gathered the necessary information, the attackers can design a sophisticated, targeted phishing attack (spearphishing) on the employee they have researched. At this point, the targeted employee will likely receive a legitimate-looking email from someone they know and be asked to open a link or visit a web site. Actually, the attackers may research a number of employees until they find one that would be most vulnerable. It is also possible that the attackers will research which web sites company employees tend to visit. They can, then, compromise these sites in order to deliver the malware payload through them when visitors from the target company arrive. This is sometimes referred to as a waterhole attack.

It is clear from the above that detecting criminal actions at the reconnaissance stage is key to predicting a future cyber attack. As Jason Matheny, director of the Intelligence Advanced Research Projects Activity (IARPA), said, during a recent interview for Federal News Radio, cyber detection at the reconnaissance stage can be based on various sources, “some are chatter by the attackers themselves, web search queries that they run when mapping networks, as well as the black market prices of, say, zero day exploits that are used in cyber attacks. Many of those are actually hard to cover up. People leave sort of digital exhaust when they’re performing actions like this against a site.”

This all boils down to one thing – deciphering metadata. This is data that the government has or can gather while it is looking for something else. They have a lot of metadata simply gathered as a byproduct of security investigations. If they want to have control of search inquiries, they have to somehow gain control of search engines. If they are looking for subversive chat, they have to infiltrate chat rooms. If they want to see what’s going on in deep web markets, they have to compromise those markets and, possibly, gain control of the Tor browser that is used by denizens of the deep web to hide their activities. In the process of conducting such investigations, they may stumble upon other potential attacks. In other words, metadata may become real data. So in order for cyber forecasting to be most effective, these avenues must be monitored in real time. It is the only way effective cyber forecasting can work.

The problem here is that not all suspicious search inquiries, chats, or other behavior will signal a potential cyber attack. An attack cannot be determined from one node in an attack constellation. Cyber forecasting must be able to detect a logical pattern that stems from a potential attacker or attack group. Any security architecture that cannot detect the entire attack pattern holds the potential to over-detect attacks. If attacks are over-detected, the network could simply become overwhelmed and fail to detect true attacks.

One way around these false positives is to create security that uses plan recognition algorithms. Attacks generally occur in a predictable sequence, which means that when certain actions follow one another, the chances of a true cyber attack being underway increase. Algorithms can be designed that recognize these patterns from a database of previously known attack architectures. It is the pattern that would trigger a security alert. Zero-day attacks pose another problem since their attack sequencing may be more idiosyncratic. However, even idiosyncrasies have their logical limits for an attack to be successful. If self-learning algorithms are employed, they may be able to extract statistically significant attack sequences even when hidden within confounding attack strategies. If they can learn to still see patterns through this obfuscating fog, then these algorithms can trigger an intrusion alert even if no database reference exists. In other words, a zero-day attack can be neutralized. In fact, such a system has been described and tested by Iranian researchers.
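A minimal sketch of the sequence-based alerting described above, added here as an illustration and not taken from CAUSE or any cited system. The event-type names, the pattern library, the 48-hour window, and the two-thirds threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Hypothetical library of previously known attack sequences (ordered event types).
KNOWN_PATTERNS = {
    "spearphish": ["employee_lookup", "lookalike_domain_registered", "targeted_email"],
    "network_intrusion": ["port_scan", "vuln_probe", "exploit_attempt"],
}

# Constructed sample observations: (hour, source, event_type).
SAMPLE_EVENTS = [
    (1, "src-A", "port_scan"),
    (2, "src-B", "port_scan"),        # isolated scan, never followed up
    (3, "src-C", "exploit_attempt"),  # single event with no preceding stages
    (5, "src-A", "vuln_probe"),
    (6, "src-D", "employee_lookup"),
    (9, "src-A", "exploit_attempt"),
    (200, "src-D", "lookalike_domain_registered"),  # outside the default window
]

def match_progress(events, pattern, window):
    """Number of leading pattern steps seen in order within `window` hours of step one."""
    best = 0
    for i, (t0, kind) in enumerate(events):
        if kind != pattern[0]:
            continue
        step = 1
        for t, k in events[i + 1:]:
            if t - t0 > window:
                break
            if step < len(pattern) and k == pattern[step]:
                step += 1
        best = max(best, step)
    return best

def forecast(events, window=48, threshold=2 / 3):
    """Alert per source only when enough of a known sequence has occurred in order."""
    by_source = defaultdict(list)
    for t, src, kind in sorted(events):
        by_source[src].append((t, kind))
    alerts = []
    for src, evs in by_source.items():
        for name, pattern in KNOWN_PATTERNS.items():
            score = match_progress(evs, pattern, window) / len(pattern)
            if score >= threshold:
                alerts.append((src, name, round(score, 2)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in forecast(SAMPLE_EVENTS):
        print(alert)
```

Only the source whose events follow a known order within the window is flagged; the isolated scan and the lone exploit attempt stay below the threshold, which is how sequence matching holds down over-detection.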

The CAUSE initiative is looking for any firm, big or small, that would like to take part in a challenge to develop a cyber forecasting architecture. Matheny said those willing to try will engage in a research tournament, to “see who can forecast events soonest with the highest accuracy. We keep score, we act as the referee.” According to the Defense One web site, “teams will have to meet various minigoals to pass on to the next round of competition, such as picking data feeds, creating probability formulas and forecasting cyberattacks across multiple organizations.”

Although the competition is said to be open to all, it is clear that only those firms with access to supercomputers will be able to participate effectively. This is simply due to the overwhelming amount of metadata that would be generated and then have to be analyzed.

As one potential participant, David Burke, pointed out, “if you were able to look at every single Facebook post and you processed everything and ran it through some filter, through the conversations and the little day-to-day things people do, you could actually start to see larger patterns and you could imagine that is a ton of data. You would need some sort of big data technology that you’d have to bring to bear to be able to digest all that.”

Another problem this project will have to overcome is attackers’ attempts to undermine the effectiveness of this pattern detection with deception. In other words, good cyber attack forecasting must also be able to decipher patterns of deception. It will be a battle between human creativity and machine logic.

The entire project is expected to take over 3 years. Even then, the predictions the system makes will be nothing more than statistical. It will only be able to tell a company or institution that they may possibly be a target, what kind of attack is most likely, and what preventive steps can be taken. You can prepare for a hurricane, but nothing stops the hurricane from veering out to sea. Added to this is the problem of privacy. In order for the government to do its job well, it would need to operate within the network of private companies so as to observe suspicious behavior and make appropriate forecasts. Such a condition might not be acceptable to everyone. Yet, despite these shortcomings, this does seem to be the first step in the direction of a national cyber defense network.

The problem is that the cyber landscape has the irritating ability to change very quickly. A forecasting algorithm that works today may be outdated tomorrow. As I see it, the biggest problem will be forecasting what the cyber landscape will look like in 3 years when this defense system is ready to go into action.
