The Intelligence Advanced Research Projects Activity (IARPA) recently announced that its Office for Anticipating Surprise held a “proposers’ day conference” for its Cyber-attack Automated Unconventional Sensor Environment (CAUSE) Program, ahead of the release of a new solicitation in support of the program. The announcement has drawn a variety of responses from cybersecurity authorities.
According to IARPA — which is under the Office of the Director of National Intelligence — CAUSE “is set to launch a four-year contest to develop new technology that can predict potential cyber attacks.”
“The CAUSE program seeks to develop cyber-attack forecasting methods and detect emerging cyber phenomena to assist cyber defenders with the earliest detection of a cyber attack (e.g., Distributed Denial of Service, successful spearphishing, successful drive-by, remote exploitation, unauthorized access, reconnaissance),” IARPA stated.
In addition, IARPA said, “The CAUSE program aims to develop and validate unconventional multi-disciplined sensor technology (e.g., actor behavior models, black market sales) that will forecast cyber attacks and complement existing advanced intrusion detection capabilities.
Anticipated innovations include: methods to manage and extract huge amounts of streaming and batch data, the application and introduction of new and existing features from other disciplines to the cyber domain, and the development of models to generate probabilistic warnings for future cyber events.”
Successful proposers will combine cutting-edge research with the ability to develop robust forecasting capabilities from multiple sensors not typically used in the cyber domain.
IARPA said, “The CAUSE program will consist of both unclassified and optional classified research activities and expects to draw upon the strengths of academia and industry through collaborative teaming. It is anticipated that teams will be multidisciplinary and might include computer scientists, data scientists, social and behavioral scientists, mathematicians, statisticians, content extraction experts, information theorists, and cyber-security subject matter experts having applied experience with cyber capabilities.”
Dr. Mike Lloyd, CTO at RedSeal, a security analytics company, said, “There are two places you can look for early predictors of attacks: inside and outside. The CAUSE project is an initiative to look for signals in the outside world – sifting clues from around the Internet that might indicate someone preparing an attack.”
“However,” he noted, “just as with real world espionage, defenders need to consider both sides of this coin – you need to look inside for signs that someone is already inside your network, and performing reconnaissance ahead of a brutal attack. Outside agencies can only pick up general patterns; if you need to know whether you are already being mapped out by an adversary, you need to find that evidence yourself, in your own network. Organizations need to map their own defenses, and monitor continuously for the indicators of someone moving around, gathering intelligence. This is why RedSeal and other technology providers focus on mapping and understanding of your own defensive posture – this is a necessary complement to the CAUSE project.”
“Getting ahead of attacks by anticipating them needs to be the focus not only of the government, but of every organization with a network — both by tracking activity other organizations are defending and by analyzing all potential access, protecting and monitoring all possible access points, and maintaining ongoing vigilance for any changes,” said RedSeal chief architect Steve Hultquist.
“The only way to anticipate an attack is to use automation to analyze every possible access path into and out of the organization, and every access path into and out of areas of the network that store or transmit data worthy of theft or attack,” Hultquist continued. “Automated analysis is now a critical requirement, and organizations can no longer wait for the attack to happen and expect to respond. As CAUSE demonstrates, organizations must get ahead of the potential attacks by being aware of what is possible and being sure that every intended defense is in place and operating correctly.”
Michele Borovac, VP at HyTrust, a cloud control company, also weighed in, saying, “CAUSE is a step in the right direction. We have learned from many of the recent breaches that attackers are increasingly targeting administrative credentials, which allow them to navigate the datacenter without detection. If CAUSE can combine the right tools with the right intelligence, they should be able to identify attack patterns and breaches more quickly.”
“The examples used as success stories for this system in the past (predicting riots, protests, etc.) are fantastic, and if that kind of proactive approach were to be put in place, it could potentially save millions of dollars of data and public anguish,” commented Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, the research arm of the anti-malware company.
“However,” Kujawa said, “protests, riots and the political movements are things that people tend to talk about beforehand, in order to gather support for them. You will see it in the opinions of people through social media, YouTube videos and of course television before it truly takes off. The problem when trying to apply that to the cyber world is that these guys don’t make it a point to talk about their future attacks on social media.”
He said, “If you are talking about stopping highly organized cybercrime groups, their communication is shared with only a select, trusted few, using private encrypted channels. In addition, being able to identify secret information by following non-secret clues isn’t as effective online as it is in the real world, since activities can be done under numerous names and IP addresses.”
“This predictive measure might be useful against hacktivist attacks such as those that gather attention and support over social media and publicly accessed forums and message boards,” Kujawa said. “So this system is sure to prepare folks for a DDOS attack that might be coming their way from a hacktivist group. However, protection from an actual data-stealing attack seems unlikely, unless there is access to nearly-impossible-to-find information.”