Modern computing systems are essentially black boxes that accept inputs and generate outputs, but provide little-to-no visibility of their inner workings, according to DARPA. It can therefore be extremely challenging to detect an intruder, particularly an ‘Advanced Persistent Threat’: a form of attack in which the adversary slowly and deliberately expands their presence in an enterprise network over long periods of time. Such adversaries can disguise themselves, appearing to be legitimate system administrators when their individual activities are viewed in isolation.
“At the very least, APTs can be used by adversaries to gather tremendous amounts of information,” said retired Col. Cedric Leighton, a former deputy director of training for the National Security Agency (NSA). “Much of that information can be operationally sensitive, and once it’s properly analyzed and correlated it can be used to mount a network attack on a critical network or it can just sit there undetected and provide the military’s playbook directly to an adversary,” he explained. “APTs can do the work of a thousand spies and they can do it far more efficiently than human agents can.”
This type of breach is difficult to detect and expose, particularly in large, complex networks made up of many entry points. There are hundreds of millions of malware variations, which makes it extremely challenging to protect organizations from APTs. “Most breaches are not discovered for months,” said David Hamilton, Guardtime Federal’s president. “We believe we can cut that time by enhancing the integrity of data storage, logging and other aspects of network operations.” David Archer, Galois’ research lead for cryptography and multiparty computation, is also skeptical about the DoD’s current ability to detect and root out APTs. “Today, I would say the detection of APTs is largely sort of accidental,” he said.
The US Defense Advanced Research Projects Agency (DARPA) is in the final year of a project that aims to root out cyber attacks by improving operators’ visibility of their computing systems. ‘Transparent Computing’ aims to address this problem by linking the various activities of a system together, said Dr Angelos Keromytis, a programme manager in DARPA’s Information Innovation Office (I2O). This means operators would be able to see the ways in which different activities are linked. Such activities are already linked in today’s computer systems, but the operator cannot see these linkages; there is no way for users to view the various components, data flows and so on in an overarching way. It is “almost like building a map”, Keromytis said.
“The DoD, along with the Department of Homeland Security and the intelligence community, are working hard to protect all U.S. government networks from APTs,” Leighton said. “Keyless integrity monitoring systems and sanitization technologies are among the solutions being looked at.”
DARPA’s Transparent Computing program
The Defense Advanced Research Projects Agency posted a request for proposals towards exposing and stopping advanced cyber adversaries (also referred to as Advanced Persistent Threats or APTs). According to DARPA, modern computing systems are opaque, or act as black boxes, in that they accept inputs and generate outputs but provide little to no visibility of their internal workings. Because modern computing systems are opaque, APTs can remain undetected for years if their individual activities can blend with the background “noise” inherent in any large, complex environment.
The Transparent Computing (TC) program aims to make currently opaque computing systems transparent by providing high-fidelity visibility into component interactions during system operation across all layers of software abstraction, while imposing minimal performance overhead.
The program will develop technologies to record and preserve the provenance of all system elements/components (inputs, software modules, processes, etc.); dynamically track the interactions and causal dependencies among cyber system components; assemble these dependencies into end-to-end system behaviors; and reason over these behaviors, both forensically and in real-time.
By automatically or semi-automatically “connecting the dots” across multiple activities that are individually legitimate but collectively indicate malice or abnormal behavior, TC has the potential to enable the prompt detection of APTs and other cyber threats, and allow complete root cause analysis and damage assessment once adversary activity is identified.
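The three steps above (record provenance, track causal dependencies, reason over the assembled behaviour) can be shown on a toy scale. The following is an added example, not TC code or anything from a TC performer: it takes a constructed sequence of routine-looking system events, builds an information-flow graph, and then does the two analyses the programme description calls out, a backward trace from an outbound connection to its root cause and a forward trace from an inbound connection to assess damage. The event format, the `SENSITIVE` set and the detection rule (outbound traffic whose history contains both inbound network content and a sensitive file) are assumptions made for the example.

```python
"""Toy provenance graph: 'connecting the dots' across events that are each
legitimate on their own. Constructed example; the event schema and the
detection rule are assumptions, not the TC programme's own design."""
from collections import defaultdict, deque

# Constructed sample events: (subject, action, object). None is alarming alone.
EVENTS = [
    ("browser", "recv", "net:203.0.113.7:443"),
    ("browser", "write", "file:/home/u/Downloads/report.pdf.exe"),
    ("browser", "exec", "proc:report"),
    ("proc:report", "load", "file:/home/u/Downloads/report.pdf.exe"),
    ("proc:report", "read", "file:/home/u/.ssh/id_ed25519"),
    ("proc:report", "read", "file:/etc/hosts"),
    ("proc:report", "write", "file:/tmp/.cache"),
    ("proc:report", "send", "net:198.51.100.9:8443"),
    ("editor", "read", "file:/home/u/notes.txt"),
    ("editor", "write", "file:/home/u/notes.txt"),
]

# Assumption: which objects count as sensitive is site policy.
SENSITIVE = {"file:/home/u/.ssh/id_ed25519"}
INBOUND_ACTIONS = {"recv", "read", "load"}   # information flows object -> subject


def build_graph(events):
    """Directed edges follow information flow; returns forward and backward maps."""
    fwd, back = defaultdict(set), defaultdict(set)
    for subj, action, obj in events:
        src, dst = (obj, subj) if action in INBOUND_ACTIONS else (subj, obj)
        fwd[src].add(dst)
        back[dst].add(src)
    return fwd, back


def reach(graph, start):
    """Transitive closure from start (start itself excluded)."""
    seen, todo = set(), deque([start])
    while todo:
        node = todo.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def exfil_paths(events):
    """Root-cause view: outbound connections whose causal history contains
    both inbound network content and a sensitive file."""
    _, back = build_graph(events)
    findings = []
    for _, action, obj in events:
        if action != "send":
            continue
        history = reach(back, obj)
        inbound = {n for n in history if n.startswith("net:")}
        secrets = history & SENSITIVE
        if inbound and secrets:
            findings.append((obj, sorted(inbound), sorted(secrets)))
    return findings


def blast_radius(events, node):
    """Damage-assessment view: everything the node went on to influence."""
    fwd, _ = build_graph(events)
    return reach(fwd, node)


if __name__ == "__main__":
    for sink, sources, secrets in exfil_paths(EVENTS):
        print(f"{sink} <- {sources} with {secrets}")
    print(sorted(blast_radius(EVENTS, "net:203.0.113.7:443")))
```

Note that the editor's events never enter either result: the graph separates unrelated activity without any signature of the malicious tool, which is the point of reasoning over dependencies rather than over individual events.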
AFRL has awarded the Massachusetts Institute of Technology a $7.1 million contract to work on developing new ways of tagging and tracking activity on a network in order to distinguish the “low and slow” features of an APT from normal network activities. Another $7.2 million contract has been awarded to Kudu Dynamics to participate in the Transparent Computing project.
Galois has received a $6 million contract from DARPA to develop a technology platform
Galois has received a $6 million contract from the Defense Advanced Research Projects Agency to develop a technology platform that will work to identify cyber threats within enterprise network and system environments.
The company said it will collaborate with the University of Edinburgh, Xerox’s PARC company and Oregon State University to build A Diagnostic Approach for Persistent Threat Detection (ADAPT), a system against advanced persistent threats. The ADAPT system will be designed to help system administrators identify malicious activities through analysis of long-term behavior patterns and causality in system activity.
“By tracing the computational provenance of APTs, and by detecting subtle behavioral anomalies that distinguish APTs from normal business logic, ADAPT will offer system operators enhanced situational awareness about security of their networks,” said David Archer, research lead for cryptography and multiparty computation at Galois.
DARPA awards Galois and Guardtime $1.8M Contract to Formally Verify Blockchain-Based Integrity Monitoring System
In a fresh effort to prevent and detect APT attacks, DARPA awarded a $1.8 million contract to mathematical research specialist Galois and security firm Guardtime Federal. The initiative aims to advance the state of formal verification tools and blockchain-based integrity monitoring systems for the purposes of detecting APT attacks and ensuring a system’s ongoing security.
Galois and Guardtime Federal announced they have jointly been awarded a contract to verify the correctness of Guardtime Federal’s Keyless Signature Infrastructure (KSI). The contract will fund a significant effort that aims to advance the state of formal verification tools and all blockchain-based integrity monitoring systems.
Integrity monitoring systems like Guardtime Federal’s KSI detect evidence of advanced persistent threats (APTs) as they work to remain hidden in networks. APTs undermine the security of networks for long periods of time and have been central in many major network breaches. APTs carefully cover their tracks by removing evidence from system log files, adding information to “white-lists” used by security software, and altering network configurations. This project aims to verify the ability of keyless integrity monitoring systems to detect APTs and attest to the ongoing integrity of a system.
Hamilton said that his company’s products are aimed at enhancing a digital architecture’s integrity. “We can mark files in a way that immutable authenticity can be assured,” he said. “That means once a file is signed with Keyless Signature Infrastructure (KSI), one can forever verify that a file is in its original form and has not been altered.” Guardtime’s KSI capabilities also allow the continuous monitoring of loaded instructions and data. If unusual changes occur, the system’s operators are immediately alerted.
“Guardtime Federal sees this formal verification of block chain and keyless infrastructure technology implemented to meet national security challenges as an amazing opportunity for our clients,” said David Hamilton, President of Guardtime Federal. “By subjecting our cyber defense infrastructure to this most sophisticated methodology we will test both typical and exotic boundary conditions enabling further refinements of our defenses for protecting the most precious national security secrets and configurations of operational systems.”
Data breaches cost the economy billions and affect government and private companies alike. One major factor in the severity of a breach is the length of time that the adversary can operate before being detected, which can often be months as they explore a network and identify the most valuable assets and data. Technology such as Guardtime’s KSI can be used to ensure intruders are unable to cover their tracks. Formal verification aims to provide mathematically grounded assurance that the KSI system will not be compromised no matter what the intruder does to subvert it. This provides a much stronger level of assurance than conventional testing, which typically only covers non-malicious or randomly generated data.
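The property the two paragraphs above rely on, that an intruder who removes evidence from a log cannot do so without the removal being detectable, can be illustrated with a plain hash chain. The following is an added example and is not Guardtime’s KSI or any code from the contract: it is a simplified stand-in for the hash-based, key-free integrity scheme KSI builds on, and the log records, the `tamper_and_rebuild` attacker model and the idea of publishing the chain head off-host are constructed for the example. The point it shows is that a verifier with only on-host data can be fooled by an adversary who deletes an entry and recomputes the chain, while a verifier holding a head that was anchored outside the host cannot.

```python
"""Hash-chained log with an externally anchored head. Added example; a
simplification of hash-based integrity monitoring, not KSI's protocol."""
import hashlib
import json

GENESIS = "0" * 64


def link(prev_hash, record):
    """Hash of one entry bound to every entry before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def chain_head(records):
    """Recompute the whole chain over a record sequence and return its head."""
    h = GENESIS
    for rec in records:
        h = link(h, rec)
    return h


def locally_consistent(records, stored_hashes):
    """What an on-host verifier can check: stored per-entry hashes match."""
    if len(records) != len(stored_hashes):
        return False
    h = GENESIS
    for rec, stored in zip(records, stored_hashes):
        h = link(h, rec)
        if h != stored:
            return False
    return True


def verified_against_anchor(records, anchored_head):
    """What a verifier with an off-host copy of the head can check."""
    return chain_head(records) == anchored_head


# Constructed audit log; entry 1 is the kind of line an intruder would remove.
LOG = [
    {"t": 1, "ev": "login", "user": "svc-backup", "src": "10.0.0.5"},
    {"t": 2, "ev": "sudo", "user": "svc-backup", "cmd": "tar czf /tmp/x.tgz /etc"},
    {"t": 3, "ev": "logout", "user": "svc-backup"},
]
# Assumption: the head is published somewhere the host cannot rewrite.
ANCHOR = chain_head(LOG)


def tamper_and_rebuild(records, drop_index):
    """Attacker model for the example: delete one entry and recompute the
    on-host hashes so the local chain looks intact."""
    kept = records[:drop_index] + records[drop_index + 1:]
    hashes, h = [], GENESIS
    for rec in kept:
        h = link(h, rec)
        hashes.append(h)
    return kept, hashes


if __name__ == "__main__":
    kept, hashes = tamper_and_rebuild(LOG, 1)
    print("local check after tampering:", locally_consistent(kept, hashes))
    print("anchored check after tampering:", verified_against_anchor(kept, ANCHOR))
```

The split between `locally_consistent` and `verified_against_anchor` is the design point: integrity monitoring is only as strong as the part of the evidence the adversary cannot reach, which is why the anchored head, and the correctness of the code that checks against it, are what the formal verification effort described above is about.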
DARPA and AFRL contract for THEIA
The Defense Advanced Research Projects Agency and the Air Force Research Laboratory have awarded a four year, $4.2 million contract to the Georgia Institute of Technology for the project, which they’re calling THEIA, after the Greek goddess of shining light. It essentially aims to improve how data is tracked between computers, internet hosts and browsers.
Antivirus and network intrusion detection systems check against known exploits but can’t determine if data sent from an end-host was modified by a malicious browser extension after a user completed a web form. Information flow tracking generally applies to one layer, such as the program layer, a situation that advanced persistent threats, or APTs, can take advantage of, Georgia Tech said. However, THEIA is planned to track and record information at three layers: user interaction with a program, program processing of data input, and program and network interactions with an operating system. Combined, this system will monitor secure data flow from user to program to file system storage to network output and back, the university said.
“Our ultimate goal is to provide complete transparency, or full visibility, into host events and data so that APT activities cannot evade detection,” said Dr. Wenke Lee, primary investigator and professor in Georgia Tech’s College of Computing.
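The form-modification case used above is a good illustration of why one layer of records is not enough. The following is an added example, not THEIA code or Georgia Tech's design: it models three layers as records that each carry a digest of their input and output, then reconciles them from the user's keystrokes to the bytes that left the host. The layer schema, the `ALLOWED_ACTORS` policy and the three constructed scenarios (clean submission, an extension whose change is recorded at the program layer, and a change that no program-layer record accounts for) are assumptions made for the example.

```python
"""Cross-layer reconciliation of a form submission. Added example; the record
schema and the policy are assumptions, not THEIA's design."""
import hashlib

# Assumption: only the page's own script is allowed to transform form data.
ALLOWED_ACTORS = {"page-script"}


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def build_trace(user_value, steps, sent_payload):
    """Constructed trace: one UI record, one program record per transform
    (actor, fn), one network record for what was actually sent."""
    trace = [{"layer": "ui", "actor": "user", "in": None, "out": digest(user_value)}]
    cur = user_value
    for actor, fn in steps:
        nxt = fn(cur)
        trace.append({"layer": "program", "actor": actor,
                      "in": digest(cur), "out": digest(nxt)})
        cur = nxt
    trace.append({"layer": "net", "actor": "socket",
                  "in": digest(sent_payload), "out": None})
    return trace


def reconcile(trace):
    """Follow digests from the UI layer through program-layer transforms and
    compare with the network layer. Returns (verdict, actors_on_path)."""
    ui = [r for r in trace if r["layer"] == "ui"]
    net = [r for r in trace if r["layer"] == "net"]
    prog = [r for r in trace if r["layer"] == "program"]
    if len(ui) != 1 or len(net) != 1:
        return ("incomplete", [])
    cur, path = ui[0]["out"], []
    for _ in range(len(prog)):            # bounded: each record used at most once
        step = next((r for r in prog if r["in"] == cur), None)
        if step is None:
            break
        path.append(step["actor"])
        cur = step["out"]
    if cur != net[0]["in"]:
        # The bytes on the wire are not explained by any recorded transform.
        return ("unattributed-change", path)
    foreign = [a for a in path if a not in ALLOWED_ACTORS]
    if foreign:
        return ("modified-by", foreign)
    return ("consistent", path)


# Three constructed scenarios for the same form field.
CLEAN = build_trace("Alice@Example.org", [("page-script", str.lower)],
                    "alice@example.org")
RECORDED = build_trace("Alice@Example.org",
                       [("page-script", str.lower),
                        ("ext:coupon-helper", lambda s: s + ";ref=tracker")],
                       "alice@example.org;ref=tracker")
HIDDEN = build_trace("Alice@Example.org", [("page-script", str.lower)],
                     "alice@example.org;ref=tracker")

if __name__ == "__main__":
    for name, tr in (("clean", CLEAN), ("recorded", RECORDED), ("hidden", HIDDEN)):
        print(name, reconcile(tr))
```

A network-layer monitor alone sees a well-formed request in all three cases, and a program-layer monitor alone sees the page script behaving normally; only by joining the layers does the `HIDDEN` case, where the modification left no program-layer record at all, become visible as a gap between what the user entered and what was sent.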