Paulo Shakarian: So what if cyber attacks could be predicted? What if before a major attack occurred, we would know precisely the right precautions to take? I’m Paulo Shakarian, and I have the privilege of leading a very talented group of researchers here at ASU working on this very topic. But truth be told, I didn’t always have that job. I used to be in the Army. But oddly enough, those experiences have proved handy in our work on cyber attacks.
So there I was, over a decade ago, in the spartan field barracks in North Fort Hood, Texas, Gathered in a cramped briefing room with thirty other soldiers. We were getting ready to deploy to Iraq. And we were receiving a briefing on roadside bombs. The presenter told us that what we would learn could potentially save our lives. And went on to say that the bombs could be placed anywhere. They could look like anything. Now I thought that was pretty worthless. If the enemy could really make the bomb look like anything, or place it anywhere, then it must be hopeless. And this didn’t seem right.
Now the reality is that those planning these attacks are people. They have certain goals, and real-world constraints on their abilities. And this is actually something we know quite well in the military, that faulty presentation at Fort Hood aside. And in fact, as my time in Iraq progressed we got better and better at identifying the indicators of an oncoming insurgent attack. So for instance if part of the road was dug up, we would watch out for that; it might indicate buried explosives. We’d also be on the lookout for markers, visual cues that the insurgents would use to time their detonations.
Now, can we apply these ideas to cyber security, where we’re up against malicious hackers? Well, despite the frequency of these attacks, hackers have their limitations too. So did you know that over 90% of breaches are due to known software vulnerabilities? This means that the software flaws that enable these attacks were actually known to the public ahead of time. And even more interesting is hackers are only using about 3% of these vulnerabilities. And so if you consider these numbers, we should be able to stop most cyber attacks.
Except we don’t. In 2017, major attacks like WannaCry, Petya, CopyCat, and the Equifax breach all tell us otherwise. And these were hugely significant. WannaCry infected over 300 thousand machines. The Equifax breach exposed personal information for 143 million people. Yet in both these cases patches existed ahead of time that could’ve stopped the attack.
That aside, cyber attacks are actually a little bit challenging to conduct in a way that makes money for the attacker. So just as with the insurgents placing roadside bombs, there are constraints on the cyber criminals. So how do hackers increase their chances of success when conducting such an attack? Well, hidden parts of the Internet known as the Deep and Dark Web host communities that allow them to share expertise, trade source code, as well as the latest software that enables these attacks.
Now can we collect such information? Can we use it to be better prepared for certain attacks? And it turns out we can, but we have to collect the right kinds of information. We need to find data that will indicate an upcoming attack. This is actually a small amount of information buried in mountains of Dark Web data. And just like the dug-up pavement would indicate the possibility of a buried explosive, certain aspects of these Dark Web conversations can indicate weaponization of software tools that will be later used in an attack. And these indicators include what the hackers say, who they’re connected with, what language they use, and even metadata.
Leveraging these bits of information from the Dark Web allows us to automatically piece together a puzzle. And using such techniques, our research group was able to train software to identify software vulnerabilities that hackers used in emerging cyber attacks. And this provides an alert that allows offenders to prioritize certain software patches that can help prevent the attack from occurring.
And our core group has actually created a new startup company called CYR3CON based on the technology. And we’ve partnered with several cyber security companies, many right here in Arizona, to bring it to users. So for instance we have not only found the ability to predict exploits used in major cyber attacks such as WannaCry, but we also found that certain indicators point to attacks against specific organizations. So for instance in one case, hacker discussion about Adobe Flash vulnerabilities meant that it was nearly four times more likely that that organization experienced an attack in the following week.
So the next time your IT staff alert you to patch your computer, think of the hacker. Think of his disappointment he will experience when he discovers you’ve patched the precise vulnerability he was intending to use in his attack. And just like how we got better at identifying indicators of oncoming insurgent attacks in Iraq, taking preemptive actions against malicious hackers will allow us to do the same in the cyber realm and help keep our systems and our data safe. Thank you.