DARPA calls for help to improve cyber attack attribution

Reliable cyber attack attribution is currently almost impossible, and the Defense Advanced Research Projects Agency (DARPA) wants to find a solution for that problem.

To that effect, the agency has called on academic, corporate, and governmental partners to provide research proposals for technologies that will able to generate relevant information about multiple concurrent independent malicious cyber campaigns, as well as allow the sharing of this information with interested parties without putting at risk the sources and methods used for collection.

They made sure to note that they are not interested in proposals that consist of improving existing technologies and practices, but innovative approaches for tackling the issue.

“The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure. Cyber campaigns spanning jurisdictions, networks, and devices are only partially observable from the point of view of a defender that operates entirely in friendly cyber territory (e.g., an organization’s enterprise network). The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection,” the agency explained.

“The current characterization of malicious cyber campaigns based on indicators of compromise, such as file hashes and command-and- control infrastructure identifiers, allows malicious operators to evade the defenders and resume operations simply by superficially changing their tools, as well as aspects of their tactics, techniques, and procedures. The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options.”

Through its Enhanced Attribution program, DARPA is looking to develop a host of different technologies.

“The program is divided into three technical areas (TA) that will be working in parallel, starting at program kickoff, and will span three 18-month Phases,” they noted.

“TA1 performers will develop technologies for network behavior and activity tracking and summarization. TA2 performers will develop technologies for fusion of TA1-generated data and for predictive analysis of malicious cyber operator activities, and will serve as the architect and integrator of the experimental prototype. TA3 performers will focus on validation and enrichment of TA1- collected and TA2-fused data with non-sensitive information (e.g., publicly available data feeds) with the goal of generating a description of the malicious activities using only such data that the Government can publicly reveal in order to expose the actions of individual malicious cyber operators without damaging sources and methods.”

Proposals are due on June 7, 2016, and it’s expected that the program will start on 1 November 2016.

Detailed information about the program can be found in the announcement, a more condensed overview in these slides.