Computing infrastructure is a key component of nearly all modern defence systems and provides another attack surface for adversaries. Cyber security has been in an arms race for decades, with hackers continuously exposing new vulnerabilities and developers racing to patch them. Traditional cyber security methods only respond to known threats. However, as our understanding of adversaries and attack patterns improves, and increased computing power and data growth continue to drive the artificial intelligence (AI) revolution, new possibilities are emerging to get ahead of threats and predict future cyber-attacks.
Past approaches to cyber defence have traditionally been reactive, relying on black/white lists, known (virus/malware) signatures, and more recently on broader machine-learning anomaly-detection methods. Such methods are forensic or, at best, real-time. There has been limited effort in predicting events related to a cyber-attack (prior to, or during the attack) and very few fully-developed and deployable tools exist with predictive capability.
The Defence and Security Accelerator (DASA) launched a new competition looking for novel approaches to predictive cyber security in 2018. Forecasting future events is not a new concept and predictive analytics already drives many areas of industry. “We are interested in novel approaches to cyber security that can predict the most likely offensive cyber events and/or predict optimal defensive cyber actions, to enable proactive defence in a hostile and contested cyber environment.” It is also interesting that the competition mentions offensive capability. This is something that governments have tried to play down and are sending mixed messages around.
Project Manager Rebecca Duncan explains: “Cyber-security has been in an arms race for decades, with hackers continuously exploiting new vulnerabilities while developers race to patch them. This DASA competition looks to get the UK ahead of these threats & better prepare us against & perhaps predict future cyber-attacks.”
The Defence and Security Accelerator (DASA) launched the second phase of the Predictive Cyber Analytics competition in 2020, to develop a deployable solution to predict and counter future cyber threats. It will provide funding for novel approaches in a proactive form of cyber security in a hostile cyber environment. Ultimately these could predict the most likely offensive cyber events and identify the best possible defences. This would provide an alternative to conventional approaches that have relied on black/white lists, known virus/malware signatures, and more recently on broader machine learning anomaly detection methods. The competition document highlights a number of possibilities, including predicting the goals of a future or ongoing attack, identifying what an adversary might do if their primary intention is blocked, and gamifying a system and mission to identify a range of attack methods and successful defences.
“As our understanding of adversaries and attack patterns improves, increased computing power and data growth continues to drive the artificial intelligence (AI) revolution with multiple new possibilities emerging to keep the UK safe and prosperous.” DASA Delivery Manager Robert Hammond-Smith went on to say: “Phase 2 seeks to further develop & enhance the predictive approaches while adapting them to the military environment. The work will allow MOD to better anticipate and mitigate the impact of cyber-attacks.”
Predictive Cyber Analytics Competition
Preferred approaches will focus on forecasting future cyber threats, attacks, events and actions (offensive or defensive), that allow defence and security to better prepare for, anticipate and counter future cyber threats, thereby reducing the impact of an attack and its likelihood of success.
There are six key areas where DASA is looking for solutions. These are a mix of detecting offensive attacks and predicting optimal defensive actions. It lists the six areas as:
- adapt and implement predictive approaches from other industries to the cyber security domain.
- create and implement novel predictive analytics specific to the cyber security domain.
- exploit empirical observation-based models of attackers to make predictions (for example of adversary tactics, techniques and procedures; of kill-chains; of attacker competency levels).
- automate the assimilation of (text-based) knowledge collected for many systems (such as known risks or vulnerabilities), and transfer that knowledge to new systems that have the same (or similar) components and operating procedures.
- develop approaches to recognise patterns of life that are not time-based, but sequence based.
- build on alerts from reactive methods to forecast future offensive cyber events, and thereby predict optimal cyber defences.
Proposals may make use of any source of cyber data that defence or security could reasonably be expected to have access to. These should be Open Source Datasets, and traditional sources might include: network traffic captures; network vulnerability scans; software vulnerability databases; and signature databases. Less traditional sources might include: intelligence on adversaries and their attack patterns, such as tactics, techniques and procedures (TTPs) or kill-chains; proactive intelligence gathering through interaction with the adversary (via the use of honeypots); network meta-data (misconfigured services, known badness such as extraneous virus/malware infections). Proposals that make use of open-source data formats (for example, in threat intelligence reporting, sharing and ingesting; or in traffic captures) are strongly encouraged. Predicting vulnerabilities in hardware or software, monitoring the ‘health’ of a system, and traditional forensic or real-time analytics are only acceptable if used to inform a larger predictive engine.
Competition challenges
Under phase 1 of the competition, DASA is looking for proof-of-concept technologies which, in the longer run, can be developed into a deployable solution. The agency said that the cyber analytics solutions, which will be mainly for defence, should have the ability to detect and counter future cyber threats in order to reduce the likelihood and impact.
Phase 1 is anticipated to:
- adapt and implement predictive approaches from other industries to the cyber security domain
- create and implement novel predictive analytics specific to the cyber security domain
- exploit empirical observation-based models of attackers to make predictions (for example of adversary tactics, techniques and procedures; of kill-chains; of attacker competency levels)
- automate the assimilation of (text-based) knowledge collected for many systems (such as known risks or vulnerabilities), and transfer that knowledge to new systems that have the same (or similar) components and operating procedures
- develop approaches to recognise patterns of life that are not time-based, but sequence based
- build on alerts from reactive methods to forecast future offensive cyber events, and thereby predict optimal cyber defences
DASA awards further funding to develop novel approaches to defend UK military systems and networks from cyber threats.
In April 2020, the Defence and Security Accelerator (DASA) announced nearly £1m to further develop technology that predicts and counters cyber-attacks. Three lead organisations, in collaboration with three additional organisations, have been awarded funding in Phase 2 of the DASA ‘Predictive Cyber Analytics’ competition. This work will develop, adapt and merge the novel approaches explored in Phase 1 of the competition, to proactively defend deployed UK military systems and networks from the rapidly growing threat of offensive cyber action from aggressive adversaries.
Project manager Rebecca Duncan said: Cyber security has been in an arms race for decades, with hackers continuously exploiting new vulnerabilities while developers race to patch them. This DASA competition looks to get the UK ahead of these threats and better prepare us against – and even predict – future cyber-attacks. As our understanding of adversaries and attack patterns improves, increased computing power and data growth continues to drive the artificial intelligence (AI) revolution with multiple new possibilities emerging to keep the UK safe and prosperous.
DASA delivery manager Robert Hammond-Smith said: This DASA competition is bringing together the best minds in industry and academia with the brightest Government scientists and talent from the Armed Forces to innovate for a safer future for everyone in the UK. Phase 2 seeks to further develop and enhance the predictive approaches while adapting them to the military environment. The work will allow MOD to better anticipate and mitigate the impact of cyber-attacks.
The organisations being funded are:
- Bristol-based RiskAware Ltd who are awarded around £450,000 in collaboration with the University of Southampton
- Vauxhall-based decisionLab who are awarded nearly £240,000 in collaboration with DIEM Analytics and Actica
- Gloucestershire-based Montvieux Limited who are awarded nearly £250,000