Pentagon Wants to ‘Fingerprint’ The World’s Hackers

By tracking their tools and behaviors, DARPA aims to solve one of the thorniest problems of cybersecurity: attribution. 

Pentagon researchers by early 2018 expect to solve a problem that, so far, has often prevented law enforcement and hack victims from identifying cybercriminals with confidence.

Through the “Enhanced Attribution Program,” not only will the government be able to characterize the attacker, but also share the attacker’s modus operandi with prospective victims and predict where he or she will strike next.

The point is “to not only look at the bullets but also look at the weapon,” said Angelos Keromytis, the program leads at the Defense Advanced Research Projects Agency. The gun in the metaphor is a reference to hackers’ IT resources.

Vantage points into the hackers would include, for instance, the laptop they used to develop malware, their smartphones, and any other devices connected to the “Internet of Things”—many of which are traceable.

Currently, part of the pain for forensics investigators is that hackers’ footprints can be wiped or otherwise disappear, Keromytis said.

 “The insight that I had was, well, rather than look at attribution as something we try to do after the crime has happened, why don’t we become a little more proactive?” he said during an interview with Nextgov.

The initiative aims to offer visibility into all aspects of the cyber operator’s actions, without exposing sources or methods, according to an April 22 contract solicitation. Research proposals are due June 7.

Today, reluctance on the part of the government to tell affected sectors, the press and the public about ongoing attacks is partly due to a fear of tipping its hand.

“Many of the things that we might wish to do, such as a prosecution or invoking economic sanctions, or with even name and shame, those all require releasing the information that we would collect” through covert techniques, to outsiders, Keromytis said.

Knowing an attacker’s typical way of scouting out a target could help forecast where the bad guy will strike next.

Regardless of whether DARPA ultimately invents tech to solve the attribution problem, it will be up to U.S. officials to decide when and if to release the system’s findings.

In recent years, the United States has waited to identify the identities of online aggressors’ months, if not years, after the fact. The Justice Department waited until 2014 to file charges against Chinese military hackers for cyber espionage activities that dated back at least four years, and in one case, to 2006.

Keromytis acknowledges the risk of sharing too much information about an adversary with the public.

As former NSA security scientist Dave Aitel said in April, shortly after Justice indicted Iranian Revolutionary Guard hackers, “the US government showed the world, and showed Iran, what it knows about the Iranian effort … this announcement reveals more than just what the US is able to attribute. It also signals what it does not know.”

The United States accused seven Iranian hackers of paralyzing IT networks at Wall Street banks during a 2013 “distributed denial of service” attack, as well as penetrating a dam flood-control system in Rye, New York.

Aitel questioned the practicality of naming the nation state behind that attack and not disclosing the likely adversary behind a similar high-profile incident that crippled code-sharing site GitHub.

“Does the US have less information about last year’s DDoS attack on GitHub? That attack is believed to have been a Chinese operation. But if we are willing to indict the Iranians for DDoS’ing the banking system—and willing to indict the Chinese for other hacking activities—then, why not the Chinese team behind the GitHub attack?” questioned Aitel, now an offensive cyber specialist at his own company, Immunity.

If a different set of rules apply to dealing with Chinese hackers, “either we are revealing the limits of our knowledge regarding cyberattacks or we are revealing our lack of commitment to responding to DDoS attacks in court.”

The DARPA engine would continuously track personas and create “algorithms for developing predictive behavioral profiles,” so malicious activity can be tied to an actual human being, according to the contracting documents.

The program seeks to develop “technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures,” the solicitation states, using an acronym for command and control.

Knowing an attacker’s typical way of scouting out a target could help forecast where the bad guy will strike next. “All humans are creatures of habit,” and the way “they work against a particular target is going to be very similar to the way they work against the next one,” Keromytis said.

Within 18 months of the program’s November launch date, DARPA’s technology could be ready to catch common adversaries, like financial criminals and hacktivists, in the act. “That is my hope and it’s not an idle hope,” Keromytis said.

By the end of 2020, the system could be able to accumulate enough data points to nail “A-Team hackers”, groups sponsored by nation states, such as China or Iran.
DefenseOne: http://bit.ly/1YjjKva

« Automated Malware Analysis Central to Defense Strategies
Cyber "Best Practices" Are About To Change »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Chatham House

Chatham House

Chatham House is an independent policy institute based in London. Topics cover foreign affairs and defence including cyber security.

CERT.BY

CERT.BY

The National Computer Emergency Response Team of the Republic of Belarus.

Insta Group

Insta Group

Insta are a trusted cyber security partner for security-critical companies and organizations.

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC) is one of the most distinguished Cybersecurity, Privacy and Information Security Conference in Thailand and Southeast Asia.

Volexity

Volexity

Volexity is a leading provider of threat intelligence and incident suppression services and solutions.

DANAK

DANAK

DANAK is the national accreditation body for Denmark. The directory of members provides details of organisations offering certification services for ISO 27001.

TrustMAPP

TrustMAPP

TrustMAPP automates cybersecurity & privacy assessments, with universal workflow, allowing teams to generate analytics and recommendations to align priorities for improvement.

Adarma Security

Adarma Security

Adarma are specialists in threat management including SOC design, build & operation.

Isovalent

Isovalent

Isovalent deliver the most advanced Kubernetes networking & security capabilities to the most demanding of enterprise users.

Cybolt

Cybolt

Cybolt helps companies, organizations, and governments manage digital risks and live in an environment of confidence and certainty.

Security Risk Management (SRM)

Security Risk Management (SRM)

SRM provide a comprehensive security risk management service encompassing people, processes, technology, governance, compliance and risk management.

Information Technology Solutions (ITS)

Information Technology Solutions (ITS)

Information Technology Solutions is a single source provider for managing and securing mission-critical IT services.

GetHacked.ca

GetHacked.ca

GetHackded.ca is a certified company offering penetration testing and specialized cybersecurity services.

Onyxia Cyber

Onyxia Cyber

Onyxia's unique dynamic cybersecurity platform identifies gaps and prioritizes recommendations for proactive cybersecurity strategy, performance, remediation and management.

Crygma

Crygma

CRYGMA Quantum-Resistant Cryptographic Machines, the new standard in data encryption.

SecureClaw

SecureClaw

SecureClaw offers specialized cybersecurity consultation, various products, and a range of services to meet your company's business domain needs.

Center for Cyber Security Studies & Research (CFCS2R)

Center for Cyber Security Studies & Research (CFCS2R)

CFCS2R's mission is to empower individuals, organizations, and governments with the knowledge and tools necessary to protect against cyber threats.