When facing a new technology or social change, it can be helpful to draw on the lessons of history. Information security experts attempting to build predictive, effective cyber-intelligence programs may look to the roots of artificial intelligence and data analytics for clues to how earlier analysts solved similar problems.
The British code breakers who tackled the encrypted messages of the German Enigma machine during World War II, for example, made their most valuable breakthroughs not merely in mathematics, but in understanding and predicting the behavior of German code clerks. Much of the success of Bletchley Park’s code breakers started with insights into human behavior.
To be fair, the cryptanalysts of Bletchley Park had something going for them that we do not have today: They knew who their enemy was. They could place a predictable cultural and linguistic context onto encrypted messages — searching for common phrases such as “Heil Hitler,” for example, or using repetitive messages such as weather reports to identify patterns.
In comparison, predicting cyberattack behavior on a global, 21st century scale is far more complex. Networks carry millions of transactions a day and sustain attacks from thousands of IP addresses and sites. Tactics are constantly changing, and attack vectors become more sophisticated. Yet it stands to reason that there should be human fingerprints in network data that can help us predict and protect against future compromises.
Let’s take an imaginary energy company. We’ll call it Acme Energy. Acme’s information networks are being attacked, and its executives suspect that data is being stolen. Acme’s information security analysts may want to start with the company’s risk profile: What do they have worth stealing or attacking, who might be doing it, and what might they be doing with it? Acme Energy not only has sales, exploration, development and acquisition data worth stealing, it also is an innovator in extractive technologies and a frequent target for environmental activists.
Acme’s sales and resources reserves data, research and development, and other plans might be targeted by organized criminals for sale to competitors, or the data may be targeted by the competitors themselves. Depending on the sophistication of the attacks and the geostrategic importance of the information, it could be targeted by a nation-state.
Clues to these puzzles may come from the geographies associated with anomalous network activity, as well as the tactics. Defacement and distributed denial-of-service (DDoS) attacks are more likely than espionage and theft to be motivated by ideology, for example. Such attacks could well come from nearby geographically, whereas the most protected and valuable intellectual property is likely to be targeted through a combination of social engineering (phishing or insider attacks) and sophisticated malware.
Based on these initial clues, Acme’s analysts begin pulling up data that documents cycles of attacks and compromises over months or even years, looking for patterns. For example, let’s say that Acme was hit by DDoS attacks on Earth Day last year. Perhaps they should keep an eye on Internet and social media buzz leading up to Earth Day this year, to be better prepared.
Acme analysts also notice an ebb and flow in suspicious activity that coincides with the holidays of a certain country or with a particular time zone, or activity that subsides during commuting hours on the other side of the world. Based on their evolving theory of the attacker, they might start watching social media for signs that the theory is supported by geopolitical evidence. They may even want to hire someone to watch social media in other languages.
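The two kinds of pattern the Acme scenario describes, a date-bound spike such as the Earth Day DDoS and a daily rhythm that tracks someone else's working hours, can both be pulled out of a plain list of event timestamps. The following is an added Python example, not code from the original article or from Cisco: it builds a constructed set of suspicious-event timestamps (synthetic, with the activity window and the April 22 burst chosen to match the scenario), tabulates them by hour of day and by calendar day, finds the busiest eight-hour window, and reports the UTC offset at which that window would fall on a 09:00 to 17:00 workday. The offset is a hypothesis for analysts to test, in the spirit of the article, not an attribution.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median


def build_sample_events():
    """Constructed sample: UTC timestamps of events flagged as suspicious over 14 days.

    Background activity is concentrated between 01:00 and 08:59 UTC (three events per
    hour), which corresponds to 09:00-16:59 local time at UTC+8, plus a little noise
    late in the day and a 40-event burst on April 22 (Earth Day). Entirely synthetic.
    """
    start = datetime(2013, 4, 15, tzinfo=timezone.utc)
    events = []
    for day in range(14):
        base = start + timedelta(days=day)
        for hour in range(1, 9):
            for minute in (0, 20, 40):
                events.append(base.replace(hour=hour, minute=minute))
        events.append(base.replace(hour=20, minute=5))  # low-level evening noise
    burst_day = start + timedelta(days=7)  # 2013-04-22 in this constructed set
    for i in range(40):
        events.append(burst_day.replace(hour=12, minute=i))
    return events


def hourly_histogram(events):
    """Count events per UTC hour of day; returns a 24-element list."""
    counts = [0] * 24
    for ts in events:
        counts[ts.astimezone(timezone.utc).hour] += 1
    return counts


def busiest_window(hist, width=8):
    """Find the start hour of the circular `width`-hour window holding the most events."""
    best_start, best_total = 0, -1
    for start in range(24):
        total = sum(hist[(start + i) % 24] for i in range(width))
        if total > best_total:
            best_start, best_total = start, total
    return best_start, best_total


def implied_utc_offset(window_start_utc, local_workday_start=9):
    """UTC offset (hours, -12..+11) at which the window would begin at local_workday_start.

    This is only a working hypothesis about the actor's rhythm: scheduled tooling,
    proxies and deliberate decoys (see the article's pitfalls) can all shift or fake it.
    """
    return ((local_workday_start - window_start_utc + 12) % 24) - 12


def daily_counts(events):
    """Events per calendar day (UTC)."""
    return Counter(ts.astimezone(timezone.utc).date() for ts in events)


def anomalous_days(counts, factor=2.0):
    """Days whose event count is at least `factor` times the median day, sorted."""
    baseline = median(counts.values())
    return sorted(day for day, n in counts.items() if n >= factor * baseline)


if __name__ == "__main__":
    events = build_sample_events()
    hist = hourly_histogram(events)
    start_hour, total = busiest_window(hist)
    print(f"busiest 8-hour window starts at {start_hour:02d}:00 UTC with {total} events")
    print(f"consistent with a 09:00 workday start at UTC{implied_utc_offset(start_hour):+d}")
    for day in anomalous_days(daily_counts(events)):
        print(f"spike day worth a calendar note for next year: {day}")
```

Run on real data, the same two views answer the questions the analysts ask: a recurring spike on a specific date argues for watching the run-up to that date next year, and a stable daily window that lines up with business hours somewhere else is a theory to test against other evidence, not a conclusion.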
There are obvious pitfalls to this kind of approach. Stereotyping along geographic, cultural or political lines may not only result in reputational damage, but experience shows it also is likely to be wrong. Cultural references in malware code may be placed there as decoys by criminal actors who want to cover their tracks. The organized crime group in one country may be acting on the request of a competitor in another country. And code written by a state-backed hacker may be copied and repurposed by an inexperienced individual motivated by ideology on the other side of the world.
Moreover, our assumptions about how the world looks from someone else’s vantage point are likely to be distorted. Think of North Korea’s Kim Jong-Un, who found time to meet with former basketball player Dennis Rodman when he visited Pyongyang this year, but not Google Executive Chairman Eric Schmidt.
Ultimately, human context is just one part of the picture. We may be able to draw clues from the fingerprints in our data, just as the code breakers at Bletchley Park did, in an effort to cast a light onto the path in front of us. However, given the increasing complexity of malicious actors, targets and attack vectors, our conclusions and actions must begin and end with the data itself.
Building a strong cyber threat intelligence program should include proactive analysis of network traffic, testing of theories based on our understanding of human behavior, and ultimately, letting the truth in the data take us where it will.
Jean Gordon Kocienda is a global threat analyst at Cisco Systems.