DARPA is taking on one of the most ambitious tasks in cybersecurity -- creating a system capable not only of identifying attacks but of performing cyber attribution to identify the threat actors themselves.
The Defense Advanced Research Projects Agency (DARPA) has begun "soliciting innovative research proposals in the area of cyber attribution." The goal of this "Enhanced Attribution" program is to develop technologies that can generate "operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators." The hope is that this information will allow the Department of Defense (DoD) to identify threat actors perpetrating attacks and potentially to predict future attacks.
Angelos Keromytis, the program lead at DARPA, admitted in announcing the project that this will be an extremely difficult undertaking, but said that malicious cyber actors currently operate with little fear of being caught and that he wants to be more proactive in identifying threat actors.
"The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure. Cyber campaigns spanning jurisdictions, networks, and devices are only partially observable from the point of view of a defender that operates entirely in friendly cyber territory (e.g., an organization's enterprise network)," Keromytis wrote. "The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection. The current characterization of malicious cyber campaigns based on indicators of compromise, such as file hashes and command-and-control infrastructure identifiers, allows malicious operators to evade the defenders and resume operations simply by superficially changing their tools, as well as aspects of their tactics, techniques, and procedures. The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options."
Craig Young, cybersecurity researcher for Tripwire, said attacker profiling and attribution is "an extremely daunting problem."
"While it is helpful to recognize tools and infrastructure associated with individuals and groups, it is generally not sufficient for definitive claims as adversaries commonly try to disguise their actions through false flags," Young said. "In general, I would say this is a worthwhile plan, but it is also very ambitious and the results of such a system should be taken with a grain of salt."
Keromytis also noted that sharing data from the Enhanced Attribution program will be a problem to overcome.
"The Enhanced Attribution program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the government's ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods."
DARPA's deadline for research proposals is June 7, and the aim is to launch the program as soon as November. Keromytis said the cyber attribution technology could be ready to catch common adversaries, like financial criminals and hacktivists, by 2018, and that by the end of 2020 the system could be capable of catching nation-state threat actors.
Dr. Chase Cunningham, director of cyber threat research at Armor Defense Inc., based in Richardson, Texas, said meeting that deadline could be possible.
"I would think that it is possible to have some sort of measuring and statistical mapping platform in place that could give some insight mathematically into what the activities are behind certain attacks," Cunningham said. "It would be very hard to have clearly defined and totally accurate modeling in that short of a time, but with the volume of data that the DoD has, they could certainly be well on their way."
Michael Angelo, CRISC, CISSP, and chief security architect at Micro Focus, said that the accelerating rate and growing sophistication of attacks mean that "2020 will be too late."
"The methodology for attacking systems has been automated to the extent that a single entity can attack hundreds of thousands of machines an hour," Angelo said. "While previous attacks were designed to deliver their impact relatively fast and destroy systems or attempt the exfiltration of data, evolving attacks may remain dormant for quite some time, attempt to lock and ransom data, or even be leveraged for other attacks. Even the ransoming of data seems to be evolving to cover the release of the basic fact you were hacked."
Cunningham said that while such a cyber attribution system may never produce a 100% accurate identification of the actor behind an attack, it may be able to "make a well-educated guess about who the likely actors or groups are that are behind a particular action."
"However, because well-trained and seasoned threat groups use things like proxies and a variety of other means to hide their tracks, it would be very hard to have really actionable points for any one particular event," Cunningham said. "Essentially, when it is all broken down, without actually having some method for having the bad guys get counter-hacked and the DoD installing some sort of telemetry or beaconing software on the actual bad guy's machine, they would always be making an analytic leap when they said that 'this group did this thing at this time.'"