The Plausibility of Forecasting Cyber Attacks
Experts examine if and how cyber attacks can be predicted.
Somewhere between “hype and hope,” experts posit that aspects of a cyber attack can be predicted. They caution that success so far has been limited. If it is possible, forecasting digital invasions in advance naturally could be an important capability.
The key is predicting with enough accuracy to be helpful and with sufficient lead time, experts shared at AFCEA International and the Institute of Electrical and Electronics Engineers’ (IEEE’s) MILCOM conference on October 29 in Los Angeles.
Malicious emails have been the more forecastable type of cyber attack, the experts said.
Panelists sharing their opinion or work on cyber forecasting at MILCOM included Shanchieh "Jay" Yang, professor and head of computer engineering, director of global outreach, Center of Cybersecurity at the Rochester Institute of Technology; Alex Memory, senior research scientist, Leidos Inc.; Aunshul Rege, associate professor, Temple University; Kristina Lerman, principal scientist, University of Southern California (USC) Information Sciences Institute; Moises Sudit, professor and associate vice president, Sponsored Programs and Commercialization, University at Buffalo, The State University of New York; Robert Rahmer, program manager, Intelligence Advanced Research Projects Activity (IARPA); Steven Noel, cybersecurity researcher, MITRE.
Memory, from Leidos, offered that being able to predict an event depends on its associated timing. One aspect that makes malicious emails more forecastable is that the associated attack has a corresponding timing of the adversaries’ action, for example the time stamp of when the email was sent. “It is harder to predict when I am going to be browsing and stumbling upon a website that affects my machine.”
He also noted that it is difficult to apply existing techniques, such as using a time series, to predict attacks. “Our network sensors can tell us maybe minutes within the time of an attack,” Memory stated. “That's certainly not enough time for us to act on that. And finally, it's not a simple time series [for forecasting]. If I make a forecast, I want it to be actionable.”
Memory added that cyber defenders should define or understand which attacks are more important to help feed into predictions. Looking out for so-called false alarms or warnings in a defense system are important, “as there may be things you don’t care about.” He refers to this as dial functionality, which Leidos is building into systems.
Rege admitted that she was more cautious than optimistic about the possibility of being able to forecast digital breaches. “I am coming at this with hope but with a very cautious hope,” she said. “I do my work [cyber defense research] a little bit differently, in that we go out and observe human behavior.”
With her colleagues at Temple, Rege observed 10 red team/blue team cyber exercises at Idaho National Laboratory. She said it is not enough to try and understand what adversaries are going to go after in cyber attacks. Cyber defenders also need to comprehend what adversaries are capable of doing in cyberspace. In examining adversaries’ possible targets, cyber defenders should see very different signatures in cyberspace from adversaries. In most cases, their objective varies based on the skill sets they have.
“In determining what kind of information we can give defenders to arm themselves, knowing the capabilities of adversaries is important,” Rege said. “We should know that they have a bounded or limited understanding of systems and they are going to make mistakes, so it is how to leverage these things against them in defense.”
Rege's is researching what happens when defenders introduce certain blocking approaches at certain times, and what kind of predictions, if any, can be gained from those actions.
Rahmer, from IARPA, cautioned that cyber defenders need useful, not generic warnings, such as the prediction to expect five malicious emails today. “Tell me something I don’t know,” he stated. “A forecasting system must produce timely and accurate predictions with actionable events. Rahmer added that understanding of victims and the Internet Protocol (IP) addresses of attackers, understanding those so-called observables, can be included in warnings.
MITRE’s Noel also was tentative on the ability to predict cyber attacks. “I said that I was on the hype side and that's probably not entirely accurate,” he noted. “This is actually on the horizon for me. I'm coming from the standpoint of having a history of focusing on improving defensive operations for organizations.” He is working on a project with a team to perform adversary modeling.
He explained that cyber defenders have to keep track of all kinds of information to effectively do their jobs. That information can be organized, but it is important to understand the relationships the pieces of information have to one another and how any applied preventative security measure creates a certain security posture in relation to that information. “The goal is to be able to provide a way for an analyst to have all that information on tap, a surgically defined way of understanding.
“The idea is that we need to go beyond a list kind of mentality, and capture these dependencies in cyberspace and in the mission space,” Noel stated.