Pentagon Wants to ‘Fingerprint’ The World’s Hackers

Uploaded on 2016-05-13 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Defence, FREE TO VIEW

By tracking their tools and behaviors, DARPA aims to solve one of the thorniest problems of cybersecurity: attribution. 

Pentagon researchers by early 2018 expect to solve a problem that, so far, has often prevented law enforcement and hack victims from identifying cybercriminals with confidence.

Through the “Enhanced Attribution Program,” not only will the government be able to characterize the attacker, but also share the attacker’s modus operandi with prospective victims and predict where he or she will strike next.

The point is “to not only look at the bullets but also look at the weapon,” said Angelos Keromytis, the program leads at the Defense Advanced Research Projects Agency. The gun in the metaphor is a reference to hackers’ IT resources.

Vantage points into the hackers would include, for instance, the laptop they used to develop malware, their smartphones, and any other devices connected to the “Internet of Things”—many of which are traceable.

Currently, part of the pain for forensics investigators is that hackers’ footprints can be wiped or otherwise disappear, Keromytis said.

 “The insight that I had was, well, rather than look at attribution as something we try to do after the crime has happened, why don’t we become a little more proactive?” he said during an interview with Nextgov.

The initiative aims to offer visibility into all aspects of the cyber operator’s actions, without exposing sources or methods, according to an April 22 contract solicitation. Research proposals are due June 7.

Today, reluctance on the part of the government to tell affected sectors, the press and the public about ongoing attacks is partly due to a fear of tipping its hand.

“Many of the things that we might wish to do, such as a prosecution or invoking economic sanctions, or with even name and shame, those all require releasing the information that we would collect” through covert techniques, to outsiders, Keromytis said.

Knowing an attacker’s typical way of scouting out a target could help forecast where the bad guy will strike next.

Regardless of whether DARPA ultimately invents tech to solve the attribution problem, it will be up to U.S. officials to decide when and if to release the system’s findings.

In recent years, the United States has waited to identify the identities of online aggressors’ months, if not years, after the fact. The Justice Department waited until 2014 to file charges against Chinese military hackers for cyber espionage activities that dated back at least four years, and in one case, to 2006.

Keromytis acknowledges the risk of sharing too much information about an adversary with the public.

As former NSA security scientist Dave Aitel said in April, shortly after Justice indicted Iranian Revolutionary Guard hackers, “the US government showed the world, and showed Iran, what it knows about the Iranian effort … this announcement reveals more than just what the US is able to attribute. It also signals what it does not know.”

The United States accused seven Iranian hackers of paralyzing IT networks at Wall Street banks during a 2013 “distributed denial of service” attack, as well as penetrating a dam flood-control system in Rye, New York.

Aitel questioned the practicality of naming the nation state behind that attack and not disclosing the likely adversary behind a similar high-profile incident that crippled code-sharing site GitHub.

“Does the US have less information about last year’s DDoS attack on GitHub? That attack is believed to have been a Chinese operation. But if we are willing to indict the Iranians for DDoS’ing the banking system—and willing to indict the Chinese for other hacking activities—then, why not the Chinese team behind the GitHub attack?” questioned Aitel, now an offensive cyber specialist at his own company, Immunity.

If a different set of rules apply to dealing with Chinese hackers, “either we are revealing the limits of our knowledge regarding cyberattacks or we are revealing our lack of commitment to responding to DDoS attacks in court.”

The DARPA engine would continuously track personas and create “algorithms for developing predictive behavioral profiles,” so malicious activity can be tied to an actual human being, according to the contracting documents.

The program seeks to develop “technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures,” the solicitation states, using an acronym for command and control.

Knowing an attacker’s typical way of scouting out a target could help forecast where the bad guy will strike next. “All humans are creatures of habit,” and the way “they work against a particular target is going to be very similar to the way they work against the next one,” Keromytis said.

Within 18 months of the program’s November launch date, DARPA’s technology could be ready to catch common adversaries, like financial criminals and hacktivists, in the act. “That is my hope and it’s not an idle hope,” Keromytis said.

By the end of 2020, the system could be able to accumulate enough data points to nail “A-Team hackers”, groups sponsored by nation states, such as China or Iran.
DefenseOne: http://bit.ly/1YjjKva

« Automated Malware Analysis Central to Defense Strategies
Cyber "Best Practices" Are About To Change »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ReadWrite

ReadWrite

ReadWrite is a leading media platform dedicated to IoT and the Connected World.

Radisys

Radisys

Radisys offers software, products, integrated systems, and professional services for communication service providers and telecom solution vendors.

Swivel Secure

Swivel Secure

Swivel Secure is an award winning provider of multi-factor authentication solutions.

Casaba Security

Casaba Security

Casaba are specialists in software security providing managed Software Development Lifecycle services as well as products for security testing.

Fair Isaac Corporation (FICO)

Fair Isaac Corporation (FICO)

FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, optimize operations and meet strict government regulations.

Dermalog Identification Systems

Dermalog Identification Systems

Dermalog Identification Systems is a pioneer in biometry and the largest German manufacturer of biometric devices and systems.

IDnow

IDnow

IDnow is the world’s fastest, most flexible and most secure identity verification platform, delivering instant verification of the identity documents used by 7 billion people.

Relyum

Relyum

Relyum provides innovative solutions for networking, synchronization and cybersecurity in critical systems.

Sompo International

Sompo International

Sompo International is a global specialty provider of property and casualty insurance and reinsurance services including Cyber & Network Risk.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

TekSek Cyber Security

TekSek Cyber Security

Preparing you for tomorrow's security threats.

Cyber Security for Europe (CyberSec4Europe)

Cyber Security for Europe (CyberSec4Europe)

CyberSec4Europe is designing, testing and demonstrating potential governance structures for a European Cybersecurity Competence Network.

Devolutions

Devolutions

Devolutions make best-in-class Privileged Access Management, Password Management, and Remote Connection Management solutions available to ALL organizations — including SMBs.

Avalon Cyber

Avalon Cyber

Arm your organization in the fight against cyberattacks by partnering with the experts at Avalon Cyber.

Covenant Technologies

Covenant Technologies

Make Covenant Technologies the only choice for your IT and cybersecurity recruitment needs. We deliver quality candidates at the forefront of the cybersecurity and IT industry.