Cyber agility framework project trains analysts to outmaneuver attacks

University of Texas at San Antonio (UTSA) researchers, together with scientists at the U.S. Army Research Office, developed a cyber agility framework to gauge the activity of cyberattackers and corresponding network protection over time.

To detect and respond quickly to escalating cyberattacks, UTSA researchers developed this framework to “score” the agility of cyber attackers and defenders.

Say, for example, you have five doors to your house but only one guard dog to defend it: “Where would you put the dog? A burglar watching your house will try to figure out if there’s a door that’s never being watched and then try to walk through it,” says Dr. Purush Iyer, division chief, network sciences at the Army Research Office, which is part of the Army Futures Command’s Army Research Laboratory. “The cyber agility framework is essentially trying to answer the question of where you should focus your resources.”

Most organizations, including the U.S. Army, have limited resources and want to know the most efficient ways to guard their data. “You need to keep moving things around to keep adversaries guessing,” Iyer says. “But if you watch your adversary and get to know more about what they’re doing and any telltale signs from their actions, you can look at how your actions are impacting the adversary’s. What’s stopping him or her from getting in? If they’re getting in, how are they doing it? The cyber agility framework tries to answer these questions by allowing an analyst to look at the adversary’s history to plan future defensive actions.”

As you can imagine, analyzing, or deriving meaning from, the massive volume of information analysts are inundated with is difficult, and that is precisely what this research project is trying to address.

Cyber agility isn’t simply about patching security holes; “it’s about understanding what happens over time,” explains Jose Mireles, who co-developed this framework as part of his UTSA master’s thesis and now works for the U.S. Department of Defense. “Sometimes when you protect one vulnerability, you expose yourself to 10 others. In car crashes, we understand how to test for safety using the rules of physics. It’s much harder to quantify cybersecurity because scientists have yet to figure out the rules of cybersecurity. Having formal metrics and measurement to understand the attacks that occur will benefit a wide range of cyber professionals.”

To develop the cyber agility framework, Mireles collaborated with fellow UTSA student Eric Ficke and researchers at Virginia Tech, the U.S. Air Force Laboratory, and the U.S. Army Combat Capabilities Development Command Army Research Laboratory.

The group used a “honeypot,” a computer system that lures real cyberattacks, so they could attract and analyze malicious traffic in terms of time and effectiveness. As both the attackers and the defenders created new techniques, the researchers were able to better understand how a series of engagements transformed into an adaptive, responsive, and agile pattern, what they call an “evolution generation.”

The end goal of this research project is “to make it easier for analysts to understand their own actions and to get better situational awareness of the kinds of attacks – especially ones that morph over a period of time – to be able to understand how they’re evolving,” Iyer says. “If you keep seeing a bunch of packets from a particular IP address and it morphs into an attack, you want to be able to pick up the signs so that for future attacks you can try to stop them. That’s what this framework tries to do by providing better analytical and visualization tools so that analysts can better understand both their own actions and to plan future actions.”

In the future, “war won’t be conducted only over land, sea, and air; the cyberdomain will be incredibly important,” he continues. “Investments in the Army are geared toward finding answers to foundational problems so that we can build systems and be ready.”

The cyber problem is a ridiculously complex one, Iyer points out. “Everyone always asks: why can’t these problems be solved? The current state of affairs is that cyberanalysts have rudimentary tools and are dealing with humongous amounts of data,” he says. “They’re sifting through all kinds of false flags and information. Despite all of the work that’s happened, it remains an important problem.”

Artificial intelligence (AI) and other aspects of computer science and game theory may help. “But AI itself can be attacked, so it’s always the sort of game where you defend one thing and an attacker will find some other way to attack you,” Iyer adds. “Defenders need to shore up their defense to the next level, because it’s always a cat-and-mouse game.”