Getting a handle on cyberattacks

The intelligence community’s advanced research organization wants to find live, real-world cyberattack data to test incursion detection techniques used by large organizations.

In a request for information posted March 4 on the Intelligence Advanced Research Projects Activity web site, the group said it wants to find a better way to evaluate detection techniques as cyberattacks proliferate from different types of assailants and from varied geographical locations using multiple technologies.

ARPA said it is particularly interested in talking to vendors about structured databases used to document and report cyberattacks, with an eye toward minimal latency between report and the event. It also wants real-time enterprise data, such as host logs, security application logs and alerts, and help desk ticket details that cover the period of a cyber event.

The RFI said IARPA wants to get a better handle on which existing structured databases consistently document and report cyberattacks and how complete their global, regional or industry-specific reach is.

Additionally, it wants to find out what cyberattack attributes – including source and target IP ranges, time, intent, indicators of compromise, attacker attribution, victim details and magnitude -- are documented in the databases.

The agency also inquired about the possibility of partnering with a large organization with more than 5,000 users in a sponsored research program as a test bed.