Paulo Shakarian: So what if cyber attacks could be predicted? What if before a major attack occurred, we would know precisely the right precautions to take? I’m Paulo Shakarian, and I have the privilege of leading a very talented group of researchers here at ASU working on this very topic. But truth be told, I didn’t always have that job. I used to be in the Army. But oddly enough, those experiences have proved handy in our work on cyber attacks.

So there I was, over a decade ago, in the spartan field barracks in North Fort Hood, Texas, gathered in a cramped briefing room with thirty other soldiers. We were getting ready to deploy to Iraq. And we were receiving a briefing on roadside bombs. The presenter told us that what we would learn could potentially save our lives. And went on to say that the bombs could be placed anywhere. They could look like anything. Now I thought that was pretty worthless. If the enemy could really make the bomb look like anything, or place it anywhere, then it must be hopeless. And this didn’t seem right.

Now the reality is that those planning these attacks are people. They have certain goals, and real-world constraints on their abilities. And this is actually something we know quite well in the military, that faulty presentation at Fort Hood aside. And in fact, as my time in Iraq progressed we got better and better at identifying the indicators of an oncoming insurgent attack. So for instance if part of the road was dug up, we would watch out for that; it might indicate buried explosives. We’d also be on the lookout for markers, visual cues that the insurgents would use to time their detonations.

Now, can we apply these ideas to cyber security, where we’re up against malicious hackers? Well, despite the frequency of these attacks, hackers have their limitations too. So did you know that over 90% of breaches are due to known software vulnerabilities? This means that the software flaws that enable these attacks were actually known to the public ahead of time. And even more interesting is hackers are only using about 3% of these vulnerabilities. And so if you consider these numbers, we should be able to stop most cyber attacks.

Except we don’t. In 2017, major attacks like WannaCry, Petya, CopyCat, and the Equifax breach all tell us otherwise. And these were hugely significant. WannaCry infected over 300 thousand machines. The Equifax breach exposed personal information for 143 million people. Yet in both these cases patches existed ahead of time that could’ve stopped the attack.

That aside, cyber attacks are actually a little bit challenging to conduct in a way that makes money for the attacker. So just as with the insurgents placing roadside bombs, there are constraints on the cyber criminals. So how do hackers increase their chances of success when conducting such an attack? Well, hidden parts of the Internet known as the Deep and Dark Web host communities that allow them to share expertise, trade source code, as well as the latest software that enables these attacks.

Now can we collect such information? Can we use it to be better prepared for certain attacks? And it turns out we can, but we have to collect the right kinds of information. We need to find data that will indicate an upcoming attack. This is actually a small amount of information buried in mountains of Dark Web data. And just like the dug-up pavement would indicate the possibility of a buried explosive, certain aspects of these Dark Web conversations can indicate weaponization of software tools that will be later used in an attack. And these indicators include what the hackers say, who they’re connected with, what language they use, and even metadata.

Leveraging these bits of information from the Dark Web allows us to automatically piece together a puzzle. And using such techniques, our research group was able to train software to identify software vulnerabilities that hackers used in emerging cyber attacks. And this provides an alert that allows offenders to prioritize certain software patches that can help prevent the attack from occurring.

And our core group has actually created a new startup company called CYR3CON based on the technology. And we’ve partnered with several cyber security companies, many right here in Arizona, to bring it to users. So for instance we have not only found the ability to predict exploits used in major cyber attacks such as WannaCry, but we also found that certain indicators point to attacks against specific organizations. So for instance in one case, hacker discussion about Adobe Flash vulnerabilities meant that it was nearly four times more likely that that organization experienced an attack in the following week.

So the next time your IT staff alert you to patch your computer, think of the hacker. Think of the disappointment he will experience when he discovers you’ve patched the precise vulnerability he was intending to use in his attack. And just like how we got better at identifying indicators of oncoming insurgent attacks in Iraq, taking preemptive actions against malicious hackers will allow us to do the same in the cyber realm and help keep our systems and our data safe. Thank you.
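As an added illustration that is not part of the talk and not CYR3CON's own code: the short Python script below turns the kinds of indicators the talk names (what is said, how many distinct people say it, and in how many places) into a patch-prioritization score over a handful of constructed forum posts, then keeps only the vulnerabilities that affect software an organization actually runs. The post text, author and forum names, the CVE-0000-* identifiers, the product mapping, the weaponization keyword list, the feature weights and the alert threshold are all assumptions constructed for this example, not data or parameters from the talk.

```python
import re
from collections import defaultdict

# Constructed sample posts. Authors, forums and the CVE-0000-* identifiers are
# placeholders invented for this example; CVE-0000-* is not a real id range.
SAMPLE_POSTS = [
    {"forum": "forum-A", "author": "u1",
     "text": "anyone have a working exploit for CVE-0000-0001? flash player target"},
    {"forum": "forum-A", "author": "u2",
     "text": "CVE-0000-0001 poc is up, runs on the latest build"},
    {"forum": "forum-B", "author": "u3",
     "text": "selling loader built on CVE-0000-0001, tested"},
    {"forum": "forum-B", "author": "u4",
     "text": "CVE-0000-0002 looks interesting, anyone digging into it?"},
    {"forum": "forum-A", "author": "u1",
     "text": "CVE-0000-0003 advisory out, anyone looked?"},
]

# Constructed mapping from vulnerability id to the product it affects
# (placeholder values; a real deployment would take this from an advisory feed).
AFFECTED_PRODUCT = {
    "CVE-0000-0001": "adobe-flash-player",
    "CVE-0000-0002": "example-mail-server",
    "CVE-0000-0003": "example-cms",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Assumed vocabulary that suggests a flaw is being weaponized rather than merely
# discussed (the talk's "weaponization of software tools" indicator).
WEAPONIZATION_TERMS = ("exploit", "poc", "working", "tested", "loader")

# Assumed weights: breadth of interest (authors, forums) and weaponization
# language count for more than raw mention volume.
FEATURE_WEIGHTS = {"mentions": 1.0, "authors": 2.0, "forums": 1.5, "weaponization": 3.0}


def extract_features(posts):
    """Aggregate per-vulnerability indicators: how often the id is mentioned,
    by how many distinct authors, across how many forums, and in how many
    posts that also use weaponization language."""
    acc = defaultdict(lambda: {"mentions": 0, "authors": set(),
                               "forums": set(), "weaponization": 0})
    for post in posts:
        text = post["text"].lower()
        weaponized = any(term in text for term in WEAPONIZATION_TERMS)
        # set() so one post mentioning the same id twice counts once
        for cve in set(CVE_RE.findall(post["text"])):
            f = acc[cve]
            f["mentions"] += 1
            f["authors"].add(post["author"])
            f["forums"].add(post["forum"])
            f["weaponization"] += int(weaponized)
    return {
        cve: {"mentions": f["mentions"], "authors": len(f["authors"]),
              "forums": len(f["forums"]), "weaponization": f["weaponization"]}
        for cve, f in acc.items()
    }


def score(features):
    """Weighted sum of the indicator features for one vulnerability."""
    return sum(FEATURE_WEIGHTS[name] * value for name, value in features.items())


def prioritize_patches(posts, installed_products, threshold=5.0):
    """Return (cve, product, score) triples, highest score first, for
    vulnerabilities that affect an installed product and whose indicator
    score reaches the alert threshold."""
    ranked = []
    for cve, feats in extract_features(posts).items():
        product = AFFECTED_PRODUCT.get(cve)
        if product not in installed_products:
            continue  # chatter about software we do not run is not our alert
        s = score(feats)
        if s >= threshold:
            ranked.append((cve, product, s))
    ranked.sort(key=lambda row: (-row[2], row[0]))
    return ranked


if __name__ == "__main__":
    inventory = {"adobe-flash-player", "example-cms"}
    for cve, product, s in prioritize_patches(SAMPLE_POSTS, inventory):
        print(f"patch first: {cve} ({product}), indicator score {s}")
```

With the constructed inventory above, only CVE-0000-0001 crosses the threshold: it is mentioned by three different authors in two forums, every mention carrying weaponization language, while CVE-0000-0003 is a single advisory mention and CVE-0000-0002 affects software the organization does not run. The keyword and weight choices are deliberately simple; the point is the shape of the pipeline (extract indicators, score, filter by inventory, alert), not the particular numbers.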

Further Reference

ASU KEDtalks homepage
