IARPA wants an early warning system for cyber attacks
The agency is looking to combine internal and external sensors and monitors to try to identify attacks in their early stages.
The hacks this year of the Office of Personnel Management databases, which went on for months before being discovered, underscored the importance of being able to detect network intrusions early on. But what if you could detect them before they happen?
The Intelligence Advanced Research Projects Agency wants to find out, by using a combination of internal security controls with external indicators to generate automated warnings of potential attacks, according to a Broad Agency Announcement. The Cyberattack Automated Unconventional Sensor Environment (CAUSE) essentially is looking to combine the kinds of monitoring (social media, search terms) used to track political trends or disease outbreaks with other “unconventional” sensors and advanced network monitoring.
IARPA points out that serious cyber attacks don’t just happen “but evolve in a phased approach” that includes early stages of reconnaissance and planning, not unlike burglars “casing” a bank before carrying out a job. CAUSE will seek to identify activity in those early stages as much as possible.
The BAA doesn’t get into a lot of specifics about what those unconventional sensors will be, since researchers are likely hoping vendors will bring something fresh to the table, but it does say that it will involve publicly available, lawfully obtained information. IARPA also points out that it will include “data not typically used in practice today for cybersecurity (at least not in the way the data was originally intended) and may come from non-typical disciplines that can be applied to the cybersecurity domain.”
A key to the project, as with other attempts to sift through public information, is data fusion, in this case combining data from multiple platforms, both inside and outside the enterprise. Among the things IARPA is not looking for are systems that identify specific individuals or forecasts about insider threats; those and some other features are considered outside the scope of CAUSE.
IARPA said CAUSE will be a three-and-a-half-year program in three phases, the first lasting 18 months, followed by two 12-month phases. Phase 1 will focus on identifying predictive threat signals, creating new sensors and generating cyber attack warnings. Phase 2 will work on enhancements to and integration of the various internal and external sensors. And in Phase 3, IARPA will look for the ability to integrate the systems within the organization, along with further improvements in sensors and data fusion. Work is expected to start in February 2016.