The Military Is Building an Engine to Uncover the Humans Behind Hacks


The point is "to not only look at the bullets but also look at the weapon," a DARPA researcher tells Nextgov.

Pentagon researchers by early 2018 expect to solve a problem that, so far, has often prevented law enforcement and hack victims from identifying cybercriminals with confidence.

Through the "Enhanced Attribution Program," the government would not only be able to characterize the attacker, but also share the attacker's modus operandi with prospective victims and predict where he or she will strike next.

The point is "to not only look at the bullets but also look at the weapon," said Angelos Keromytis, the program lead at the Defense Advanced Research Projects Agency. The gun in the metaphor is a reference to hackers' IT resources.

Vantage points into the hackers would include, for instance, the laptop they used to develop malware, their smartphones, and any other devices connected to the "Internet of Things" -- many of which are traceable.

Currently, part of the pain for forensics investigators is that hackers’ footprints can be wiped or otherwise disappear, Keromytis said.

"The insight that I had was, well, rather than look at attribution as something we try to do after the crime has happened, why don't we become a little more proactive?” he said during an interview with Nextgov.

The initiative aims to offer visibility into all aspects of the cyber operator’s actions, without exposing sources or methods, according to an April 22 contract solicitation. Research proposals are due June 7.

Today, reluctance on the part of the government to tell affected sectors, the press and the public about ongoing attacks is partly due to a fear of tipping its hand.

"Many of the things that we might wish to do, such as a prosecution or invoking economic sanctions, or with even name and shame, those all require releasing the information that we would collect" through covert techniques, to outsiders, Keromytis said.

Regardless of whether DARPA ultimately invents tech to solve the attribution problem, it will be up to U.S. officials to decide when and if to release the system's findings.

In recent years, the United States has waited months, if not years, after the fact to name online aggressors. The Justice Department waited until 2014 to file charges against Chinese military hackers for cyber espionage activities that dated back at least four years, and in one case, to 2006.

Keromytis acknowledges the risk of sharing too much information about an adversary with the public.

As former NSA security scientist Dave Aitel said in April, shortly after Justice indicted Iranian Revolutionary Guard hackers, "the U.S. government showed the world — and showed Iran — what it knows about the Iranian effort ... this announcement reveals more than just what the U.S. is able to attribute. It also signals what it does not know."

The United States accused seven Iranian hackers of paralyzing IT networks at Wall Street banks during a 2013 "distributed denial of service" attack, as well as penetrating a dam flood-control system in Rye, New York.

Aitel questioned the practicality of naming the nation state behind that attack and not disclosing the likely adversary behind a similar high-profile incident that crippled code-sharing site GitHub.

"Does the U.S. have less information about last year’s DDoS attack on GitHub? That attack is believed to have been a Chinese operation. But if we are willing to indict the Iranians for DDoS'ing the banking system — and willing to indict the Chinese for other hacking activities — then, why not the Chinese team behind the GitHub attack?" questioned Aitel, now an offensive cyber specialist at his own company, Immunity.

If a different set of rules applies to dealing with Chinese hackers, "either we are revealing the limits of our knowledge regarding cyberattacks or we are revealing our lack of commitment to responding to DDoS attacks in court."

The DARPA engine would continuously track personas and create "algorithms for developing predictive behavioral profiles," so malicious activity can be tied to an actual human being, according to the contracting documents.

The program seeks to develop "technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures,” the solicitation states, using an acronym for command and control.

Knowing an attacker's typical way of scouting out a target could help forecast where the bad guy will strike next.

"All humans are creatures of habit," and the way "they work against a particular target is going to be very similar to the way they work against the next one," Keromytis said.
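The "creatures of habit" argument above is the core of behavioral attribution: if an operator's tradecraft against one target resembles their tradecraft against the next, a defender can summarize each incident as a bag of observed habits, aggregate those habits into a per-persona profile, and score a new incident against every profile. The following is an added illustration written for this article, not code from DARPA or the Enhanced Attribution program; the persona labels, feature names (`recon:…`, `tool:…`, `hours:…`, `c2:…`) and incident records are constructed sample data, and the cosine-similarity scoring and 0.5 threshold are assumptions chosen for the example. It also shows the "predict the modus operandi" side, by listing a persona's most habitual features so they could be shared with a prospective victim.

```python
"""Toy behavioral-attribution engine (constructed illustration, not DARPA's program).

Each intrusion is summarised as a bag of habit features a defender can observe
from its own telemetry: reconnaissance steps, tool families, operator working
hours, C2 style and persistence method. Personas are built by aggregating the
features of incidents already attributed; a new incident is scored against every
persona with cosine similarity, and low scores are left unattributed rather than
forced onto the nearest profile.
"""
from collections import Counter
from math import sqrt
from typing import Dict, Iterable, List, Tuple

# Constructed sample incidents: (persona label, observed habit features).
# All labels and feature names are hypothetical and exist only for this example.
KNOWN_INCIDENTS: List[Tuple[str, List[str]]] = [
    ("persona-A", ["recon:dns-zone-transfer", "recon:port-scan", "tool:cobaltstrike",
                   "hours:utc-01-09", "c2:domain-fronting"]),
    ("persona-A", ["recon:dns-zone-transfer", "recon:port-scan", "tool:cobaltstrike",
                   "hours:utc-01-09", "c2:domain-fronting", "persist:scheduled-task"]),
    ("persona-B", ["recon:linkedin-scrape", "recon:phish-pretext", "tool:custom-loader",
                   "hours:utc-14-22", "c2:hardcoded-ip"]),
    ("persona-B", ["recon:phish-pretext", "tool:custom-loader", "hours:utc-14-22",
                   "c2:hardcoded-ip", "persist:run-key"]),
]


def build_profiles(incidents: Iterable[Tuple[str, List[str]]]) -> Dict[str, Counter]:
    """Aggregate feature counts per persona; more repetition means a stronger habit."""
    profiles: Dict[str, Counter] = {}
    for label, features in incidents:
        profiles.setdefault(label, Counter()).update(features)
    return profiles


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse count vectors (0.0 when either is empty)."""
    dot = sum(a[k] * b[k] for k in a)          # only shared features contribute
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def attribute(features: List[str], profiles: Dict[str, Counter],
              threshold: float = 0.5) -> Tuple[str, float]:
    """Return (best persona, score), or ("unattributed", score) below the threshold.

    The threshold is an assumed cut-off: an incident that only shares a generic
    step such as a port scan with a profile should not be pinned on that persona.
    """
    vec = Counter(features)
    scored = sorted(((cosine(vec, prof), label) for label, prof in profiles.items()),
                    reverse=True)
    best_score, best_label = scored[0]
    if best_score < threshold:
        return ("unattributed", best_score)
    return (best_label, best_score)


def expected_tradecraft(profile: Counter, n: int = 3) -> List[str]:
    """The persona's n most habitual features: the modus operandi a defender could
    share with a prospective victim as 'what to watch for'."""
    return [feature for feature, _ in profile.most_common(n)]


if __name__ == "__main__":
    profiles = build_profiles(KNOWN_INCIDENTS)
    # Constructed new incident: same recon order, tooling and hours as persona-A.
    fresh = ["recon:dns-zone-transfer", "recon:port-scan", "tool:cobaltstrike",
             "hours:utc-01-09"]
    print(attribute(fresh, profiles))                    # ('persona-A', ~0.87)
    # Constructed incident sharing only a port scan with anyone: stays unattributed.
    noisy = ["recon:port-scan", "tool:metasploit", "hours:utc-10-12"]
    print(attribute(noisy, profiles))                    # ('unattributed', ~0.25)
    print(expected_tradecraft(profiles["persona-A"]))
```

The scoring deliberately uses counts rather than presence, so a habit seen in every one of a persona's incidents outweighs a one-off; in practice the features would come from the defender's own logs and from the device and C2 vantage points the solicitation describes, and a wiped footprint simply contributes no feature, which is why the threshold matters.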

Within 18 months of the program’s November launch date, DARPA's technology could be ready to catch common adversaries, like financial criminals and hacktivists, in the act. "That is my hope and it's not an idle hope," Keromytis said.

By the end of 2020, the system could be able to accumulate enough data points to nail "A-Team hackers" -- groups sponsored by nation states, such as China or Iran.
