TECHNOLOGY AREA(S): Human Systems, Information Systems

ACQUISITION PROGRAM: OPNAV N1T

OBJECTIVE: Develop an intelligent modeling framework for cyberspace threat actor behaviors that traces their genealogy and supports predicting their future evolution.

DESCRIPTION: Cyberspace threat actors develop tactics, techniques, and procedures (TTP) that evolve over time in response to environmental stimuli. This evolution may be triggered by the actors� growing expertise or changing goals, or by changes in their targets such as discovery of threat actor tactics or improved defenses. In the absence of such stimuli, however, these behaviors tend to remain fairly constant with regard to any given goal.

Longitudinal studies of threat actors could identify inflection points in their behavior patterns, which in turn would provide valuable intelligence for defensive cyberspace operations (DCO). For example, the deployment of a new security control that lessens the effectiveness of an adversarial tactic would reasonably cause the threat actor to change behaviors if they still want to accomplish a similar goal. This change would confirm the effectiveness of the new control similarly to how one uses battle damage assessment (BDA) techniques. On the other hand, an unexpected change in TTP would tell the defenders that something of interest happened to the threat actor. If DCO personnel can find no known events that correlate to such changes, they would likely want to investigate further.

There are few techniques that support forensic analyses of cyberspace behaviors and many of these are focused on external attacks involving malware. To the extent that such studies are being performed, they are manually done by highly skilled analysts. This approach requires significant investments of staff, time, and money. It seems plausible to leverage machine learning (ML) techniques to identify, classify and track discrete cyberspace events and to infer the behaviors, and ultimately the goals, to which they are related. Such use of ML, coupled with large sensor networks, would yield an unprecedented ability to monitor what our adversaries are doing, how they are adapting to changing conditions, and their likely goals.

This STTR topic seeks novel approaches to building scalable models of cyberspace threat actor behaviors that lend themselves to analysis by both humans and machines. The models should be autonomously fitted to data from existing sensors in order to detect and classify adversarial behaviors and infer their goals. Furthermore, the models should automatically detect changes in behaviors, such as the introduction of new tools or procedures. Scalability of the proposed solution is an important consideration since the data sets are known to be very large.

PHASE I: Determine the feasibility of analyzing cyberspace observables, comparing them to behavior models, detecting the incorporation of new tools and procedures, and inferring adversaries� goals. Identify classes of adversarial behavior that lend themselves to this analysis. Develop a detailed design for an intelligent system that collaborates with a human operator to identify the likeliest goals for an adversarial operation. Develop a Phase II plan.

PHASE II: Develop a prototype system that can classify adversarial behaviors, detect changes over time, and correlate those changes to known events. Demonstrate the prototype in a realistic information technology (IT) environment. Study and describe how this capability may be augmented with autonomous responses such as defensive countermeasures or deception.

PHASE III DUAL USE APPLICATIONS: Commercialize the technology. The solution developed in Phase II will be productized for general use across Government, commercial, and research organizations. Examples of such applications may include verification and validation of network security protocols, the development of objective criteria for assessing behavioral changes following TTPs, or the development of experimentation testbeds for cyber operations training.

REFERENCES:

1. Maym�, F., Bixler, R., Jones, R., & Lathrop, S. "Towards a definition of cyberspace tactics, techniques and procedures." Big Data (Big Data), 2017 IEEE International Conference .

2. Stillions, R. �On TTPs.� Blogspot, 22 Apr. 2014, ryanstillions.blogspot.com/2014/04/on-ttps.html

3. Santarcangelo, M. �Exploit Attacker Playbooks to Improve Security.� CSO from IDG, 12 July 2017. www.csoonline.com/article/3207692/leadership-management/exploit-attacker-playbooks-to-improve-security.html

KEYWORDS: Cyberspace Operations; Machine Learning; TTP; tactics, techniques, and procedures