Paulo Shakarian: So what if cyber attacks could be predicted? What if before a major attack occurred, we would know precisely the right precautions to take? I’m Paulo Shakarian, and I have the privilege of leading a very talented group of researchers here at ASU working on this very topic. But truth be told, I didn’t always have that job. I used to be in the Army. But oddly enough, those experiences have proved handy in our work on cyber attacks.

So there I was, over a decade ago, in the spartan field barracks in North Fort Hood, Texas, gathered in a cramped briefing room with thirty other soldiers. We were getting ready to deploy to Iraq. And we were receiving a briefing on roadside bombs. The presenter told us that what we would learn could potentially save our lives. And went on to say that the bombs could be placed anywhere. They could look like anything. Now I thought that was pretty worthless. If the enemy could really make the bomb look like anything, or place it anywhere, then it must be hopeless. And this didn’t seem right.

Now the reality is that those planning these attacks are people. They have certain goals, and real-world constraints on their abilities. And this is actually something we know quite well in the military, that faulty presentation at Fort Hood aside. And in fact, as my time in Iraq progressed we got better and better at identifying the indicators of an oncoming insurgent attack. So for instance if part of the road was dug up, we would watch out for that; it might indicate buried explosives. We’d also be on the lookout for markers, visual cues that the insurgents would use to time their detonations.

Now, can we apply these ideas to cyber security, where we’re up against malicious hackers? Well, despite the frequency of these attacks, hackers have their limitations too. So did you know that over 90% of breaches are due to known software vulnerabilities? This means that the software flaws that enable these attacks were actually known to the public ahead of time. And even more interesting is hackers are only using about 3% of these vulnerabilities. And so if you consider these numbers, we should be able to stop most cyber attacks.

Except we don’t. In 2017, major attacks like WannaCry, Petya, CopyCat, and the Equifax breach all tell us otherwise. And these were hugely significant. WannaCry infected over 300 thousand machines. The Equifax breach exposed personal information for 143 million people. Yet in both these cases patches existed ahead of time that could’ve stopped the attack.

That aside, cyber attacks are actually a little bit challenging to conduct in a way that makes money for the attacker. So just as with the insurgents placing roadside bombs, there are constraints on the cyber criminals. So how do hackers increase their chances of success when conducting such an attack? Well, hidden parts of the Internet known as the Deep and Dark Web host communities that allow them to share expertise, trade source code, as well as the latest software that enables these attacks.

Now can we collect such information? Can we use it to be better prepared for certain attacks? And it turns out we can, but we have to collect the right kinds of information. We need to find data that will indicate an upcoming attack. This is actually a small amount of information buried in mountains of Dark Web data. And just like the dug-up pavement would indicate the possibility of a buried explosive, certain aspects of these Dark Web conversations can indicate weaponization of software tools that will be later used in an attack. And these indicators include what the hackers say, who they’re connected with, what language they use, and even metadata.

Leveraging these bits of information from the Dark Web allows us to automatically piece together a puzzle. And using such techniques, our research group was able to train software to identify software vulnerabilities that hackers used in emerging cyber attacks. And this provides an alert that allows offenders to prioritize certain software patches that can help prevent the attack from occurring.

And our core group has actually created a new startup company called CYR3CON based on the technology. And we’ve partnered with several cyber security companies, many right here in Arizona, to bring it to users. So for instance we have not only found the ability to predict exploits used in major cyber attacks such as WannaCry, but we also found that certain indicators point to attacks against specific organizations. So for instance in one case, hacker discussion about Adobe Flash vulnerabilities meant that it was nearly four times more likely that that organization experienced an attack in the following week.

So the next time your IT staff alert you to patch your computer, think of the hacker. Think of the disappointment he will experience when he discovers you’ve patched the precise vulnerability he was intending to use in his attack. And just like how we got better at identifying indicators of oncoming insurgent attacks in Iraq, taking preemptive actions against malicious hackers will allow us to do the same in the cyber realm and help keep our systems and our data safe. Thank you.

Further Reference

ASU KEDtalks homepage