DARPA’s Transparent Computing programme for defeating complex, sophisticated and stealthy long-term Advanced Persistent Threats (APTs)

Modern computing systems are essentially black boxes that accept inputs and generate outputs, but provide little-to-no visibility of their inner workings, according to DARPA. It can therefore be extremely challenging to detect an intruder, particularly an ‘Advanced Persistent Threat’: a form of attack in which the adversary slowly and deliberately expands their presence in an enterprise network over long periods of time. Such adversaries can disguise themselves, appearing to be legitimate system administrators when their individual activities are viewed in isolation.
“At the very least, APTs can be used by adversaries to gather tremendous amounts of information,” said retired Col. Cedric Leighton, a former deputy director of training for the National Security Agency (NSA). “Much of that information can be operationally sensitive, and once it’s properly analyzed and correlated it can be used to mount a network attack on a critical network or it can just sit there undetected and provide the military’s playbook directly to an adversary,” he explained. “APTs can do the work of a thousand spies and they can do it far more efficiently than human agents can.”
This type of breach is difficult to detect and expose, particularly in large, complex networks with many entry points. There are hundreds of millions of malware variants, which makes it extremely challenging to protect organizations from APTs. “Most breaches are not discovered for months,” said David Hamilton, Guardtime Federal’s president. “We believe we can cut that time by enhancing the integrity of data storage, logging and other aspects of network operations.” David Archer, Galois’ research lead for cryptography and multiparty computation, is also skeptical about the DoD’s current ability to detect and root out APTs. “Today, I would say the detection of APTs is largely sort of accidental,” he said.
‘Transparent Computing’ aims to address this problem by linking the various activities of a system together, said Dr Angelos Keromytis, a programme manager in DARPA’s Information Innovation Office (I2O). Operators would then be able to see how different activities are connected. These activities are already linked in today’s computer systems, but the operator cannot see the linkages; there is no way to view the components, the data flows and their dependencies as a whole. It is “almost like building a map”, Keromytis said. The US Defense Advanced Research Projects Agency (DARPA) is in the final year of the project, which aims to root out cyber attacks by improving operators’ visibility into their computing systems.
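One way to make such linkages visible, added here as an illustration and not code from DARPA or any Transparent Computing performer, is a provenance graph: every audit event links a subject (a process) to an object (a file, socket or child process), and tracing the graph backwards from an alert recovers the chain of activity that led to it, while tracing forwards from a suspicious entry point shows everything it went on to touch. The events, process names, addresses and paths below are constructed for the example; the trace also respects event order, so an earlier read is never blamed on a later write.

```python
from collections import defaultdict, deque

# Constructed audit events for illustration only (not captured from a real host).
# Each event is (timestamp, subject, action, object); all names are hypothetical.
EVENTS = [
    (1, "proc:sshd[100]", "fork", "proc:bash[200]"),
    (2, "proc:bash[200]", "recv", "net:203.0.113.5:4444"),      # inbound shell session
    (3, "proc:bash[200]", "fork", "proc:curl[201]"),
    (4, "proc:curl[201]", "recv", "net:198.51.100.9:80"),       # download from a second host
    (5, "proc:curl[201]", "write", "file:/tmp/update.sh"),
    (6, "proc:bash[200]", "fork", "proc:bash[202]"),
    (7, "proc:bash[202]", "read", "file:/tmp/update.sh"),
    (8, "proc:bash[202]", "write", "file:/etc/cron.d/backup"),  # persistence
    (9, "proc:cron[50]", "read", "file:/etc/cron.d/backup"),
    (10, "proc:logrotate[300]", "write", "file:/var/log/syslog.1"),  # unrelated activity
]

# Actions in which data flows from the object into the subject. Every other
# action (fork, write, ...) is modelled as flowing from subject to object.
FLOW_IN = {"read", "recv"}


def build_graph(events):
    """Build forward and backward adjacency lists: node -> [(neighbour, ts)]."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for ts, subject, action, obj in events:
        src, dst = (obj, subject) if action in FLOW_IN else (subject, obj)
        fwd[src].append((dst, ts))
        bwd[dst].append((src, ts))
    return fwd, bwd


def backward_trace(bwd, sink, at=float("inf")):
    """Return every node that could have influenced `sink`.

    A hop is followed only if it happened no later than the hop after it,
    so a file read at t=7 is never attributed to a write that happened at t=9.
    """
    reached = {}  # node -> latest time at which it was reached
    queue = deque([(sink, at)])
    while queue:
        node, t = queue.popleft()
        for src, ts in bwd[node]:
            if ts <= t and reached.get(src, -1) < ts:
                reached[src] = ts
                queue.append((src, ts))
    return set(reached)


def forward_trace(fwd, source, since=0):
    """Return everything `source` could have affected, respecting event order."""
    reached = {}  # node -> earliest time at which it was reached
    queue = deque([(source, since)])
    while queue:
        node, t = queue.popleft()
        for dst, ts in fwd[node]:
            if ts >= t and reached.get(dst, float("inf")) > ts:
                reached[dst] = ts
                queue.append((dst, ts))
    return set(reached)


def attack_slice(events, sink):
    """The time-ordered events that connect an alert on `sink` back to its origins."""
    _, bwd = build_graph(events)
    involved = backward_trace(bwd, sink) | {sink}
    return sorted(e for e in events if e[1] in involved and e[3] in involved)


if __name__ == "__main__":
    fwd, bwd = build_graph(EVENTS)
    alert = "file:/etc/cron.d/backup"
    print("Ancestors of", alert)
    for node in sorted(backward_trace(bwd, alert)):
        print("  ", node)
    print("Reach of the inbound session:")
    for node in sorted(forward_trace(fwd, "net:203.0.113.5:4444")):
        print("  ", node)
    print("Events on the path to the alert:")
    for ts, subject, action, obj in attack_slice(EVENTS, alert):
        print(f"  t={ts:>2} {subject} {action} {obj}")
```

Viewed in isolation, each event (an ssh login, a curl download, a shell writing a cron file) looks like routine administration; it is the connected slice that exposes the chain from the inbound session to persistence, which is the kind of overarching view the paragraph above describes.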
“The DoD, along with the Department of Homeland Security and the intelligence community, are working hard to protect all U.S. government networks from APTs,” Leighton said. “Keyless integrity monitoring systems and sanitization technologies are among the solutions being looked at.”
