The Military Is Building an Engine to Uncover the Humans Behind Hacks

Pentagon researchers by early 2018 expect to solve a problem that, so far, has often prevented law enforcement and hack victims from identifying cybercriminals with confidence.

Through the "Enhanced Attribution Program," not only will the government be able to characterize the attacker, but also share the attacker's modus operandi with prospective victims and predict where he or she will strike next.

The point is "to not only look at the bullets but also look at the weapon,” said Angelos Keromytis, the program lead at the Defense Advanced Research Projects Agency. The gun in the metaphor is a reference to hackers’ IT resources.

Vantage points into the hackers would include, for instance, the laptop they used to develop malware, their smartphones, and any other devices connected to the "Internet of Things" -- many of which are traceable.

Currently, part of the pain for forensics investigators is that hackers’ footprints can be wiped or otherwise disappear, Keromytis said.

"The insight that I had was, well, rather than look at attribution as something we try to do after the crime has happened, why don't we become a little more proactive?” he said during an interview with Nextgov.

The initiative aims to offer visibility into all aspects of the cyber operator’s actions, without exposing sources or methods, according to an April 22 contract solicitation. Research proposals are due June 7.

Today, reluctance on the part of the government to tell affected sectors, the press and the public about ongoing attacks is partly due to a fear of tipping its hand.

"Many of the things that we might wish to do, such as a prosecution or invoking economic sanctions, or with even name and shame, those all require releasing the information that we would collect" through covert techniques, to outsiders, Keromytis said.

Regardless of whether DARPA ultimately invents tech to solve the attribution problem, it will be up to U.S. officials to decide when and if to release the system's findings.

In recent years, the United States has waited to identify the identities of online aggressors months, if not years, after the fact. The Justice Department waited until 2014 to file charges against Chinese military hackers for cyber espionage activities that dated back at least four years, and in one case, to 2006.

Keromytis acknowledges the risk of sharing too much information about an adversary with the public.

As former NSA security scientist Dave Aitel said in April, shortly after Justice indicted Iranian Revolutionary Guard hackers, "the U.S. government showed the world — and showed Iran — what it knows about the Iranian effort ... this announcement reveals more than just what the U.S. is able to attribute. It also signals what it does not know."

The United States accused seven Iranian hackers of paralyzing IT networks at Wall Street banks during a 2013 "distributed denial of service" attack, as well as penetrating a dam flood-control system in Rye, New York.

Aitel questioned the practicality of naming the nation state behind that attack and not disclosing the likely adversary behind a similar high-profile incident that crippled code-sharing site GitHub.

"Does the U.S. have less information about last year’s DDoS attack on GitHub? That attack is believed to have been a Chinese operation. But if we are willing to indict the Iranians for DDoS'ing the banking system — and willing to indict the Chinese for other hacking activities — then, why not the Chinese team behind the GitHub attack?" questioned Aitel, now an offensive cyber specialist at his own company, Immunity.

If a different set of rules apply to dealing with Chinese hackers, "either we are revealing the limits of our knowledge regarding cyberattacks or we are revealing our lack of commitment to responding to DDoS attacks in court."

The DARPA engine would continuously track personas and create "algorithms for developing predictive behavioral profiles," so malicious activity can be tied to an actual human being, according to the contracting documents.

The program seeks to develop "technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures,” the solicitation states, using an acronym for command and control.

Knowing an attacker's typical way of scouting out a target could help forecast where the bad guy will strike next.

"All humans are creatures of habit," and the way "they work against a particular target is going to be very similar to the way they work against the next one," Keromytis said.

Within 18 months of the program’s November launch date, DARPA's technology could be ready to catch common adversaries, like financial criminals and hacktivists, in the act. "That is my hope and it's not an idle hope," Keromytis said.

By the end of 2020, the system could be able to accumulate enough data points to nail "A-Team hackers" -- groups sponsored by nation states, such as China or Iran.