Pentagon Wants to ‘Fingerprint’ The World’s Hackers

By tracking their tools and behaviors, DARPA aims to solve one of the thorniest problems of cybersecurity: attribution. 

Pentagon researchers by early 2018 expect to solve a problem that, so far, has often prevented law enforcement and hack victims from identifying cybercriminals with confidence.

Through the “Enhanced Attribution Program,” not only will the government be able to characterize the attacker, but also share the attacker’s modus operandi with prospective victims and predict where he or she will strike next.

The point is “to not only look at the bullets but also look at the weapon,” said Angelos Keromytis, the program leads at the Defense Advanced Research Projects Agency. The gun in the metaphor is a reference to hackers’ IT resources.

Vantage points into the hackers would include, for instance, the laptop they used to develop malware, their smartphones, and any other devices connected to the “Internet of Things”—many of which are traceable.

Currently, part of the pain for forensics investigators is that hackers’ footprints can be wiped or otherwise disappear, Keromytis said.

 “The insight that I had was, well, rather than look at attribution as something we try to do after the crime has happened, why don’t we become a little more proactive?” he said during an interview with Nextgov.

The initiative aims to offer visibility into all aspects of the cyber operator’s actions, without exposing sources or methods, according to an April 22 contract solicitation. Research proposals are due June 7.

Today, reluctance on the part of the government to tell affected sectors, the press and the public about ongoing attacks is partly due to a fear of tipping its hand.

“Many of the things that we might wish to do, such as a prosecution or invoking economic sanctions, or with even name and shame, those all require releasing the information that we would collect” through covert techniques, to outsiders, Keromytis said.

Knowing an attacker’s typical way of scouting out a target could help forecast where the bad guy will strike next.

Regardless of whether DARPA ultimately invents tech to solve the attribution problem, it will be up to U.S. officials to decide when and if to release the system’s findings.

In recent years, the United States has waited to identify the identities of online aggressors’ months, if not years, after the fact. The Justice Department waited until 2014 to file charges against Chinese military hackers for cyber espionage activities that dated back at least four years, and in one case, to 2006.

Keromytis acknowledges the risk of sharing too much information about an adversary with the public.

As former NSA security scientist Dave Aitel said in April, shortly after Justice indicted Iranian Revolutionary Guard hackers, “the US government showed the world, and showed Iran, what it knows about the Iranian effort … this announcement reveals more than just what the US is able to attribute. It also signals what it does not know.”

The United States accused seven Iranian hackers of paralyzing IT networks at Wall Street banks during a 2013 “distributed denial of service” attack, as well as penetrating a dam flood-control system in Rye, New York.

Aitel questioned the practicality of naming the nation state behind that attack and not disclosing the likely adversary behind a similar high-profile incident that crippled code-sharing site GitHub.

“Does the US have less information about last year’s DDoS attack on GitHub? That attack is believed to have been a Chinese operation. But if we are willing to indict the Iranians for DDoS’ing the banking system—and willing to indict the Chinese for other hacking activities—then, why not the Chinese team behind the GitHub attack?” questioned Aitel, now an offensive cyber specialist at his own company, Immunity.

If a different set of rules apply to dealing with Chinese hackers, “either we are revealing the limits of our knowledge regarding cyberattacks or we are revealing our lack of commitment to responding to DDoS attacks in court.”

The DARPA engine would continuously track personas and create “algorithms for developing predictive behavioral profiles,” so malicious activity can be tied to an actual human being, according to the contracting documents.

The program seeks to develop “technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures,” the solicitation states, using an acronym for command and control.

Knowing an attacker’s typical way of scouting out a target could help forecast where the bad guy will strike next. “All humans are creatures of habit,” and the way “they work against a particular target is going to be very similar to the way they work against the next one,” Keromytis said.

Within 18 months of the program’s November launch date, DARPA’s technology could be ready to catch common adversaries, like financial criminals and hacktivists, in the act. “That is my hope and it’s not an idle hope,” Keromytis said.

By the end of 2020, the system could be able to accumulate enough data points to nail “A-Team hackers”, groups sponsored by nation states, such as China or Iran.
DefenseOne: http://bit.ly/1YjjKva

« Automated Malware Analysis Central to Defense Strategies
Cyber "Best Practices" Are About To Change »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Astra

Astra

Astra's website security solution provides real-time protection against malware, hackers, SQLi, XSS, DDoS, LFI and RFI.

Engage Black

Engage Black

Engage Black provides solutions for securing and protecting cryptographic keys, data at rest, and data in motion.

FixMeStick

FixMeStick

FixMeStick is a virus removal device, a USB key that removes malware conventional antivirus software often can’t detect.

Vanbreda

Vanbreda

Vanbreda Risk & Benefits is the largest independent insurance broker and risk consultant in Belgium and the leading insurance partner in the Benelux.

Civic Technologies

Civic Technologies

Civic’s Secure Identity Platform (SIP) uses a verified identity for multi-factor authentication on web and mobile apps without the need for usernames or passwords.

SecureDrives

SecureDrives

Passwordless Authentication & Encrypted Data Storage Solutions from SecureDrives. We are enabling organisations to work safely and securely, using technology driven solutions.

Earlybird Venture Capital

Earlybird Venture Capital

Earlybird is a venture capital investor focused on European technology innovators.

Breadcrumb Cybersecurity

Breadcrumb Cybersecurity

Breadcrumb Cybersecurity is a cybersecurity and advisory firm. We specialize in penetration testing, threat hunting, incident response, regulatory compliance, and employee training services.

BitTrap

BitTrap

BitTrap helps companies worldwide detect attackers and put an early end to breaches, preventing data exfiltration and ransomware altogether.

Auriga Consulting

Auriga Consulting

Auriga is a center of excellence in Cyber Security, Assurance and Monitoring Services, with a renowned track record of succeeding where others have failed.

Tromzo

Tromzo

Tromzo's mission is to eliminate the friction between developers and security so you can scale your application security program.

Cyber Management Alliance

Cyber Management Alliance

Cyber Management Alliance is closing the divide in cyberspace by bringing together the best qualities of thought leadership and operational mastery of cyber security management.

Cyera

Cyera

Cyera is the data security company that gives businesses context and control over their most valuable asset: data.

CyberloQ Technologies

CyberloQ Technologies

CyberloQ Secure is a cybersecurity solution that enables clients to implement highly robust Multi-Factor Authentication (MFA) that includes client-defined location-based geofencing constraints.

Security Discovery

Security Discovery

Stay ahead of cyber threats with Security Discovery. We offer expert consulting, comprehensive services, and a powerful vulnerability monitoring SaaS platform.

Raito

Raito

Raito's unique solution integrates with the data development process and lets data teams monitor, manage, and automate data security across the data stack.