Joint Air & Space Power Conference 2020
Leveraging Emerging Technologies in Support of NATO Air & Space Power
Conference Read Ahead
Harnessing AI and Deep Learning
Real-Time Automated Advance Persistent Threat Detection and Multi-Domain Situational Awareness
By Ms Gentry Lane, ANOVA Intelligence
Cyberattacks (with the objective of disrupt and degrade critical communications) on military and intelligence targets are long, incremental operations that precede kinetic military strikes by months or years. Detecting and defending this ‘cyber strike before the kinetic strike’ at scale requires a fundamentally different approach and coordinated response. This paper proposes an asymmetric engagement strategy framework which shifts tactical advantage to the defender using the latest in Artificial Intelligence (AI) automation and Machine Learning (ML)1 powered analysis to detect the fileless type of malware (favoured by adversary cyber-armies) over disparate networks.
No Informational Technology (IT) or Operational Technology (OT)2 network is impervious to a focused cyberattack from one of the well-organized cyber-armies of the major threat actors, let alone all of them simultaneously. Each system presents its own threat surface, and within that system are innumerable subsets of exploitable vulnerabilities. The aggregate of IT and OT networks – which comprise nearly every aspect of modern warfare – presents an exponential increase in breach opportunities for adversarial cyber-armies possessing the resources for persistent engagement. In order to escape the defensive posture in this persistent asymmetric conflict, the vulnerability imbalance requires rectification by shifting the tactical advantage to the defender.
Achieving the defender’s advantage in the cyberspace domain requires a unified attack response across all military branches, adequate and unilaterally distributed defensive resources, full and accessible situational awareness, discretion, and sustainable engagement.
Adequate defensive resources, for the purpose of this paper, means an evenly distributed Advanced Persistent Threat (APT) defence and detection capability combined with real-time raw and synthesized intelligence sharing across secure channels. All of which must respect and preserve the privacy required when sharing sensitive intelligence across branches, agencies, operations, and assets.
The Problem with Current Commercial Approaches to Advanced Persistent Threat Detection
The most obvious challenge presented by commercially available cybersecurity solutions is their accessibility. Defending critical systems with off-the-shelf solutions will assure cyberspace domain inferiority. It is not difficult for adversaries to discover some, if not all the cybersecurity solutions in play from open source announcements made when private companies win government contracts, from industry whitepapers, use cases presented at industry conferences, or direct inspection of outward-facing code. Adversarial cyber-armies design and test their payloads against commercially available solutions. This had led to the rise of and preference for sophisticated ‘fileless’ malware as the cyber-weapon of choice for both IT & OT networks. Fileless malware and other Low-Observable Characteristic (LOC) attacks are undetectable at the time of breach by all commercially available endpoint security solutions. The best outcome produced by a commercial Intrusion Detection System (IDS) is the ability to catch anomalous beacons, or detecting evidence of fileless malware during data transmission back to its home base. This occurs weeks or months after the initial breach and after malware has already probed and surveilled part or the entirety of an IT/OT system.
It is prudent to remember that commercial cybersecurity companies are beholden to their shareholders, and not to any national security mandate. It is not in their interest to solve for a definitive fileless malware solution when selling suites of single-problem solutions is more profitable.
Rather than developing another malware detection tool that would soon be discovered, reverse engineered, and used to design more undetectable malware, US and allied forces will be better served by democratizing two forensic processes specifically adroit at discovering fileless malware and other LOC attacks at the moment of breach.
Automated, Endpoint Memory Forensics at Scale
Endpoints (computers and servers) have different types of memory. Random Access Memory (RAM) is where files are stored. Volatile RAM (vRAM) is where data is processed. vRAM forensic analysis is the deepest memory scan available, hence the industry standard. Because vRAM forensics shows what data is being processed, where, how and when, it’s a record of behaviour and interactions, thus examination will always show evidence of any malware, including fileless malware executions. At present, vRAM forensics are only executed post-breach. It is time consuming and requires experienced tier 1-level analyst expertise. It takes one expert, one day, to analyze one host, with a variable accuracy rate dependent on the analyst’s expertise and familiarity with fileless malware and adversarial nation-state tactics and techniques.
But by leveraging AI to automate vRAM ingestion and analysis, and employing deep learning to classify, analyze and resolve APT behaviour, the forensic process can be run at enterprise scale and requires only one junior analyst to oversee thousands of endpoints. Computational pattern recognition is more accurate than human pattern recognition, so algorithmic systems are much more accurate at discrete anomaly detection. On binary battlefields, math is the weapon with the highest lethality.
Automating the vRAM forensic process allows users to run forensic scans proactively and discover fileless and LOC breaches in near real-time. The defender can now detect adversarial interference at breach, which affords the option of surveillance or immediate expulsion.
Computational Mechanism for Data Integrity Attacks
Most cyber-physical systems, especially OT or Industrial Control Systems (ICS), do not have volatile RAM. Sensor data processing is comparatively simple in cyber-physical systems and does not require significant processing power. ICS sensors, such as those in any land, air, sea, or space vehicle, are typically binary (yes/no, go/stop) and are all closed-loop systems. By relying on the immutable properties of physics in a closed-loop system (demonstrated in Kirchhoff’s Voltage Law which states that voltage in must equal voltage out), and by leveraging AI to automate voltage monitoring and machine learning to classify and analyze these voltage readings, anomalies caused by data reply attacks3, sensor corruption or other data integrity attacks can be discovered in real-time. The algorithmic system that powers this OT solution calculates all the possible corroborations between sensors. Depending on the size of the cyber-physical system there are typically hundreds of thousands, and often hundreds of millions, of different corroborations that would indicate no sensor compromise. Because the algorithmic system is doing the heavy lifting, periodic, persistent readings and differential data comparisons require very little computing resources and can be easily integrated into any closed-loop system from manned and unmanned aerial vehicles, to satellite communication systems to base electric grids.
Quantified Situational Awareness and the Need for Discretion
The APT breach data gleaned from IT networks can be combined with that generated by OT networks for full server to host to sensor situational awareness over disparate, distributed IT and OT systems4. But the situational awareness is useless without context. While it is useful for system administrators and intelligence officers to detect APT breaches in near real-time in the systems under their charge, the aggregate and analysis of all IT and OT systems across all branches produces the most useful insights. Big-picture analysis affords unprecedented views into adversarial cyber operation behaviour patterns. Analysis of breach behaviour over time will yield accurate predictions5. Therefore, in order to understand APT breach behaviour patterns in their full context, it is essential to garner the participation of as many fielded forces, military installations, and defence agencies as possible and to share both real-time and predictive data freely over secure channels.
The advantages to these computational approaches to anomaly detection are numerous (resource-efficient, highly accurate, low size, weight, processing power, no required hardware testing, architecture and OS independent), but most crucial to sensitive military operations is the privacy afforded by vRAM forensics and sensor corroboration anomaly detection. In both cases, analysis is performed on binary code and does not require access to data or storage files that may contain sensitive documents or passwords. Therefore, this computational analysis approach is an ideal solution not only for US military branches, defence and intelligence agencies, but also a viable solution among allied forces.
History proves that the ideal solution is not always the one adopted. Commercial and bespoke cybersecurity solutions at play in critical military IT and OT networks are inward-facing and disparate. They take a whack-a-mole approach to catching and extinguishing adversarial breaches. While Security Event and Information Management systems (SEIMs) provide an aggregated view of breach activity behind the firewall, this view offers limited insight into adversarial cyberspace campaign behaviour patterns. Without big-picture situational awareness and without the ability to predict adversarial cyber-strikes, we are fighting blind and forced into a persistent defensive posture.
Access to behaviour-based cyber-conflict prediction has been an adequate incentive for mass adoption within the American private sector. Combined with the privacy afforded by this method of analysis and anonymized data shared over secured channels, context provided by big-picture situational awareness has proved crucial to readiness and the definition of relevant readiness metrics. The projected outcome of mass adoption of these capabilities and framework is deterrence by denial: Rendering nation-state fileless malware ineffective and eventually obsolete.
However, there is risk of an undesirable secondary effect of this strategy. Adversaries are likely to respond by turning their forces to other vulnerable targets, and perhaps disproportionately subjecting NATO allies to increased focused aggression. It would be most advantageous for all NATO members to adopt the same tools and strategy.
Independently, proactive memory forensics are certainly useful and work in a part of the security stack not addressed by other commercially available solutions. However, the insights gleaned from daily behaviour-based, persistent analysis affords unparalleled insight into adversarial cyberspace campaigns. These powerful defensive tools which allow for real-time incident response, the timely sharing of relevant intelligence both laterally and vertically, and access to cyber-conflict trends and predictions form the base of a unified attack response across multi-domain operations. The likely outcome from mass adoption of these tools and this framework is a shift in tactical advantage in favour of the defender.