Human-Machine Teaming for Automated Predictive Prevention at Scale
By James Wallace Hess, Director of Development, Cythereal
Today’s threat landscape demands automated analysis and predictive prevention to efficiently harden protection structures so that they can identify and disrupt attacks, proactively and at scale. The scope of the current problem is daunting. Threat intelligence companies process hundreds of thousands of malware samples every day. It is not feasible for threat researchers to manually analyze each sample, identify those relevant to an organization, and quickly extract indicators that proactively strengthen defenses. Faced with limited time and talent we must let go of relying on highly skilled experts to complete rudimentary tasks. Automating these tasks closes the gap with the Adversary, decreases time to detection, and accelerates time to prevention. It allows experts to concentrate on decisive prevention of the most dangerous threats. Automation offers the tools needed to decide in time to disrupt the next attack; to “Defend Forward”. (1)
Automation cannot stand alone. It is an enabler that informs the expertise, humanity and creative talent of protection professionals. Automation provides the inputs necessary for them to apply their talents and effect the rapid employment of proactive countermeasures. Through deliberate human/ machine teaming, bias-to-action is realized by decreasing time to actionable decision options and achieving proactive response.
Many current methods focus on identifying Indicators of Compromise (IOCs) compiled from known breaches that have happened elsewhere. By definition, such measures are reactive because they are created from post-attack threat information. Not to diminish their importance; these are essential prevention methods for known malware. However, they fall short of efforts to get ahead of the Adversary as they do not customize protection or anticipate attacks. This is especially true when considering structures to prevent Targeted Attacks against an organization. The Tactics, Techniques, and Procedures (TTPs) of the Adversary are designed to defeat generic IOCs.
We can infer from the threat model (Threat) = (Capability * Intent) that a reduction in the dimension of either capability or intent will degrade the aggregate threat level. For protection to succeed we must detect and respond faster than the adversary in order to disrupt the adversary’s operational cycle. The earlier we disrupt the more the adversary must do to restore capability to the previous level.
Targeted Attacks are the most dangerous as they have inherent intent and persistent enrichment that improves their capability until successful. Here the Adversary proactively improves; learning
from failed attacks. We can exploit this TTP by using AI to learn from these failed attacks in time to generate reliable decision options.
Automation provides a marked advantage because in a Targeted Attack every persistent attempt leaves behind the Adversary’s exploit code. This is the weakness in the Adversary’s operational cycle where capability can be disrupted and degraded. Further exploration of the Adversary’s TTPs in a Targeted Attack confirms the reuse of code as an economic necessity. The manufacture of new exploits is costly. The Adversary has learned that modifying existing code is the fastest and cheapest option. Capability is increased through variation and obfuscation of existing malware through repeated attacks until
penetration is achieved. Predictive technologies that can counter these techniques must be adopted if we want to proactively defend.
If the Adversary cannot be eliminated we must focus efforts on degrading the Adversary’s capability. We must get ahead by predicting next-attack prevention options from the just-blocked attack where we are in contact. This keeps the engagement on the proactive side of the fight. Machine Learning allows us to put a prediction on patrol, scouting for malware indicators, harvested from the interrogation of just-failed attempts. From these indicators we gain the information about the next attack needed to Disrupt; resetting the Adversary’s operational cycle. Capability denied yields a threat score of zero.
Among the thought leaders trying to provide a strategic edge by proactively combating malware is my company Cythereal. We got our start in the DARPA Cybergenome Project where we tracked malware genealogy. When an Independent Verification and Validation by MIT Lincoln Lab assessed that our system had the capability to predict future variants over generations of evolution and obfuscations, we realized it was our duty to develop the capability into a product. Our mission is to be the leader in predicting and preventing advanced malware attacks by leveraging code sharing and reuse to get ahead of the Adversary. We attack the Adversary’s capability by defeating new variants through prediction. The increased time it takes the Adversary to achieve success affords defenders more time to anticipate, prepare, and maintain the proactive defense.
Cythereal’s ability to predict variants is documented in a case study reported by McAfee Labs. (2) In this study, our MAGIC Early Warning System was fed a stream of malware blocked by McAfee End-Point Security (ENS). As concluded in the study, “MAGIC … found two Oceansalt variants from the wild which were not previously reported by the McAfee SOC or any other global threat intelligence.”
Cythereal provides decision options for the threats most likely to succeed. Connect with us and get ahead of the adversary by pivoting your reactive defense to Defend Forward.
We encourage you to explore our enrichment by visiting our website and links below which highlight the use case from our McAfee integration and our collaboration with Deutsche Telecom. These show how we identify and defeat “previously unseen strains… before they can report to their C2.” (3)
About the Author
James has over 20 years of experience in technology ranging from Cyber Security, Image Recognition, and Data Science to Aviation, Intelligence, and Technology Management. He is the Development Director for Cythereal, a Louisiana Cyber Security Startup which uses Data Science to anticipate Cyber Attacks. He is also an Intelligence Officer and Aviator currently serving as Innovation Officer for the 75th Innovation Command’s Austin Group. In addition to his Master of Information Technology, James holds an MBA, Master of Global Management, and Master of Business Analytics. He is has taught at Auburn University and is currently teaching in the Cyber Security Program at Tulane University. His research interests include Remote Sensing, Sentiment Analysis, and Image Recognition. He is a member of InfraGard, The Association of Old Crows, and Delta Mu Delta. In his free time James enjoys westerns, sailing, and history.