Scroll Top

New IARPA cyber attribution program hunts down hackers via their code


Trying to find the people behind a cyber attack, and then attribute it, is very hard so now IARPA is upping its game with a new project.


Love the Exponential Future? Join our XPotential Community, future proof yourself with courses from XPotential University, read about exponential tech and trendsconnect, watch a keynote, or browse my blog.

They year was 1988 and computers were blocky, the jeans were baggy, and the US military was sending Marines to Iraq to support weapons inspections. Someone, also, was hacking into unclassified military systems at places like Kirtland Air Force Base in New Mexico and Andrews Air Force Base in Maryland. Given the geopolitical climate, investigators wondered if the cyberattack was state-on-state – an attempt by Iraq to thwart military operations there.


See also
QRate uses QKD quantum tech to prevent autonomous vehicles being hacked


Three weeks of investigation, though, proved that guess wrong: “It comes out that it was two teenagers from California and another teenager in Israel that were just messing around,” says Jake Sepich, former research fellow at the Center for Security, Innovation, and New Technology.

The event came to be known, redundantly, as Solar Sunrise. And it illustrates the importance of being able to determine exactly who’s rifling through or ripping up your digital systems – a process called cyber attribution. Had the government continued to think a hostile nation might have infiltrated its computers, the repercussions of a misplaced response could have been significant.


The Future of Cyber Security, by Keynote Futurist Matthew Griffin


Both cyberattacks and the methods for finding their perpetrators have grown more sophisticated in the 25 years since the dawn of Solar Sunrise. And now an organization called IARPA – the Intelligence Advanced Research Projects Activity, which is the intelligence community’s high-risk-high-reward research agency and is a cousin to DARPA – wants to take things a step further. A program called SoURCE CODE, which stands for Securing Our Underlying Resources in Cyber Environments, is asking teams to compete to develop new ways to do forensics on malicious code. The goals are to find innovative ways to help finger likely attackers based on their coding styles and to automate parts of the attribution process.


See also
Invisible soldiers get closer after new thermal camouflage breakthrough


There isn’t just one way to answer the question of cyber attribution, says Herb Lin, senior research scholar for cyber policy and security at Stanford’s Center for International Security and Cooperation. In fact, there are three: You can find the machines doing the dirty work, the specific humans operating those machines, or the party that’s ultimately responsible – the boss directing the operation.

“Which of those answers is relevant depends on what you’re trying to do,” says Lin. “If you just want the pain to stop, for instance, you don’t necessarily care who’s causing it or why. That means you want to go after the machine. But, if you want to discourage future attacks from the same actors, you need to get down to the root: the one directing the action.”

Regardless, being able to answer the whodunit question is important not just in stopping a present intrusion but in preventing future ones.

“If you can’t attribute, then it’s pretty easy for any player to attack you because there are unlikely to be consequences,” says Susan Landau, who researches cybersecurity and policy at Tufts University.


See also
Elon Musk’s Neuralink outfit say they’ll stream music directly to your brain


In efforts to get at any of the three attribution answers, both the government and the private sector are important operators. The government has access to more and different information from the rest of us. But companies like Crowdstrike, Mandiant, Microsoft, and Recorded Future have something else.

“The private sector is significantly ahead in technological advancement,” says Sepich. “When they work together, as they will in this IARPA project, likely along with university researchers, there’s potential for symbiosis.”

And there might just be some special sauce behind some of the collaborations too.

“It’s not an accident that many of the people who start these private sector companies are former intelligence people,” says Lin. “They often have, he says, social wink-wink relationships with those still in government. These guys, you know, get together for a drink downtown, then one still on the inside could say ‘You might want to take a look at the following site.’”


See also
Europe's floating gas terminals will save lives this winter but environmentalists worry


For obvious reasons the SoURCE CODE project seems secretive. IARPA was cagey when asked about it, and a lab that will be helping with testing and evaluation for SoURCE CODE once the competing teams are chosen and begin their work declined to comment. But according to the draft announcement about the program released last September the research teams will find automated ways to detect similarities between pieces of software code, to match attacks to known patterns, and to do so for both source code – the code as programmers write it – and binary code – the code as computers read it. Their tech must be able to spit out a similarity score and explain its matchmaking. But that’s not all: teams will also develop techniques to analyse how patterns might point to “demographics,” which could refer to a country, a group, or an individual.

The general gist of the program’s approach, says Lin, is a bit like a type of task literary scholars sometimes undertake: determining, for instance, whether Shakespeare penned a given play, based on aspects like sentence structures, rhythmic patterns, and themes.

“They can say yes or no, just by examining the text,” he says. “What this requires, of course, is many examples of genuine Shakespeare.” Maybe, he speculates, part of what the IARPA program could yield is a way to identify a nefarious code-writing Shakespeare with fewer reference examples.


See also
US CDC launches a Cornoavirus self-checker bot to ease pressure on front line staff


But IARPA is asking performers to go beyond lexical and syntactic features – essentially, how Shakespeare’s words, sentences, and paragraphs are put together. There’s much research out there on those basic matching tasks, and attackers are also adept at framing others (for example, counterfeiting Shakespeare) and obfuscating their own identities (being Shakespeare but writing differently to throw detectives off the scent).

One kind of code, for instance, called metamorphic or polymorphic malware, changes its syntax each generation but can maintain the same ultimate goals – what the program is trying to accomplish.

Perhaps that is why SoURCE CODErs will focus instead on “semantic and behavioural” features: those that have to do with how a program operates and what the meaning of its code is. As a nondigital example, maybe many physicists use a specific lecture style, but no one else seems to. If you start listening to someone give a talk, and they use that style, you could reasonably infer that they are a physicist. Something similar could be true in software. Or, to continue the theater analogy to its closing act, “Can you extract the high-level meaning of those plays, rather than the individual use of this word here and that word there, in some way?” says Lin. “That’s a very different question.” And it’s one IARPA would like the answer to.


See also
Broadcom data center switching silicon smashes 51 Terabits per second


Although parts of SoURCE CODE will likely be classified, since parts of the informational sessions IARPA held for potential participants were, there is also value, says Landau, in the government crowing not just about attributional achievements but also about the capabilities that made them possible. In the last few years, she says, the government has become more willing to publicly attribute cyberattacks.

“That’s a decision that it is better for US national security to acknowledge that we have the techniques to do so by, for example, putting it into a court indictment than it is to keep that secret and allow the perpetrator to go unpunished.”

Whatever SoURCE CODE teams are able to do will never be the end of the story. Because cyber attribution isn’t just a technical effort; it’s also a political one. The motivation of the bad actor doesn’t emerge just from code forensics.

“That’s never going to come from technology,” says Lin. Sometimes that motivation is financial, or it’s a desire to access and use other people’s personal information. Sometimes, as in the case of “hacktivists,” it’s philosophical, the desire to prove a social or political point. More seriously, attacks can be designed to disrupt critical infrastructure, like the power grid or a pipeline, or to gather information about military operations.


See also
DARPA is bringing the internet to the world's deepest oceans and mines


Often, the finger-pointing part won’t come from technical forensics, but from other kinds of intelligence that, conveniently, the intelligence community running this program would have access to.

“They intercept E-Mail, and they listen to phone conversations,” says Lin. “And if they find out that this guy who loves his program is talking to his girlfriend about it, and they listened in on that conversation, that’s interesting.”

Related Posts

Leave a comment


Awesome! You're now subscribed.

Pin It on Pinterest

Share This