Mr. Robert Rahmer, Program Manager of IARPA’s CAUSE Program, Discusses Progress in Cyber Event Forecasting Research

I have attended several conferences where researchers and practitioners describe some type of early warning system for cyber attacks. Some predictive systems involve the sharing of threat intelligence of attackers’ TTPs; others involve forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection / prevention systems; some use information from the Dark Web; while still others track emergence of zero days or vulnerabilities as predictive markers. So I was eager to learn more about the research being performed by IARPA when I heard Mr. Rob Rahmer speak at a recent conference about the CAUSE  program he is leading or the Cyber-attack Automated Unconventional Sensor Environment. I wondered what types of unconventional sensors were involved, what new analysis algorithms were invented, and what results were being achieved. I was very gratified when Mr. Rahmer accepted my interview request to discuss these questions and more. So read the interview below to learn more about this fascinating research being conducted by IARPA.

Spotlight on Mr. Robert Rahmer

» Title: Mr. Robert Rahmer, Program Manager, Intelligence Advanced Research Projects Activity (IARPA)

» Website: https://www.iarpa.gov/index.php/research-programs/cause

» LinkedIn: https://www.linkedin.com/in/robert-r-58003168

Read his bio below.

February 19, 2019

Chris Daly, Active Cyber^TM: Cyber-attack Automated Unconventional Sensor Environment (CAUSE) is one of the programs in your portfolio. When did CAUSE start, what are the objectives of CAUSE and what were the generating factors that led to CAUSE?

Mr. Robert Rahmer, Program Manager Intelligence Advanced Research Projects Activity (IARPA): CAUSE research officially kicked off in 2016. CAUSE seeks to develop new automated methods for forecasting and detecting cyber-attacks, significantly earlier than existing methods. The CAUSE Program aims to develop and validate unconventional multi-disciplinary sensor technology that will forecast cyber-attacks and complement existing advanced intrusion detection capabilities.

The idea for CAUSE was cultivated from several open research problems and advances in data science, utilization of open source data, and attack prediction. Threat intelligence utilizing external data sources has been useful in identifying existing attacks and further details about threats. Lastly, the IARPA OSI program has leveraged open source, publicly available external data sources to develop methods for forecasting other types of events.

As a Computer Scientist and former cybersecurity practitioner and analyst, too much time was spent responding to, and investigating, discovering, and analyzing the artifacts from cyber-attacks that already occurred or were in their later stages, and we needed ways to detect them earlier through new signals.

Ultimately, instead of receiving reports of the relevant cyber events that occurred for a given day or in previous days, decision makers would benefit from knowing what is likely to happen tomorrow or in the next few days based on recent and relevant data.

Active Cyber^TM: What characteristics of a cyber attack do you focus on for your forecast – the type of attack, severity, TTPs, timing, location of attacks [virtual and physical]?

Mr. Rahmer: We focus on the time the event occurred, the time it was detected/reported, the type of attack, the victim and sources (mostly virtual) of the attacks. Teams are researching and identifying various features that could be used for predicting future attacks. Additionally, CAUSE is attempting to advance the state of the art by predicting cyber attack event details, such as phishing email subject lines and other attributes, enabling more specific defensive measures.

Active Cyber^TM: What variables or emerging indicators do you use to help your predictions? How far in advance do you try or are you able to forecast? How granular or precise are your predictions? Do attack rates matter?

Mr. Rahmer: Social media is a potentially promising indicator. One goal of CAUSE is to forecast several days in advance. Researchers are attempting to provide high fidelity forecasts that should contain actionable details. Historical attack rates matter for training purposes, although we are evaluating forecasts for individual events.

Active Cyber^TM: What types of conventional sources do you use to capture warnings or possible indicators of future attacks – honeypots? Network telescopes/sinks? Threat exchanges?

Mr. Rahmer: We are currently evaluating the predictive value of the various data and signals that are contributing to forecasts.

Active Cyber^TM: What types of unconventional signals do you use – such as social media sentiment? Darkweb? What characteristics of these signals lend themselves to accurate prediction?

Mr. Rahmer: We are currently evaluating the accuracy of predictions utilizing many signals and their characteristics. In addition to social media sentiment, researchers are evaluating the predictive value of social media volume and occurrence of precursor events. Each of these has shown promise, although they are weak signals individually. Teams are still working on improving their methods to fuse these weak signals together to generate accurate, detailed warnings.

Active Cyber^TM: What types of attacks are easiest to forecast? Hardest? Why? What level of “stealth attack” are you able to forecast accurately?

Mr. Rahmer: It is our goal to have these answered by the end of the program, although the sophistication of attacks is not measured by the program.

Active Cyber^TM: What types of research history do you find in this area? What technology or new algorithms are you exploring and using as part of your research? Do you leverage natural language processing and machine learning in discovering unconventional signals and developing your indicators of possible attack? What new ground are you breaking?

Mr. Rahmer: CAUSE research is attempting to fuse together traditional, internal signals with external signals to provide predictions of future cyber events. Most previous research focused on internal data to predict the likely next step of an attacker once inside an enterprise through attack graphs and other methods that rely heavily on the internal defensive posture and less on external or attacker-related data. Researchers are exploring and expanding existing ML and NLP methods, although it would not be prudent to discuss until they can be evaluated.

Active Cyber^TM: What roles do human analysts play in the cyber attack forecasting process? Any psychics 🙂 ?

Mr. Rahmer: One of the goals of CAUSE is to automatically generate forecasts, not mitigation activities, essentially removing the human from the loop of forecast generation. The scope of CAUSE research did not include the exploration of human cyber-forecasting methods, therefore, no psychics were discovered or revealed themselves during the execution of this research program. Human cyber analysts remain critical in the process for cyber discovery and mitigation, and one lesson learned through CAUSE research was the amount of subjectivity built into security operations processes that add variance to the accurate detection, classification, and reporting of cyber events. This was observed during the ground truth development process where we needed to encode cyber events into CAUSE cyber events for training and evaluation, making it quite challenging.

Active Cyber^TM: What level of computing power and storage resources are needed to perform the forecasting that you are researching? Does your approach require “supercomputer” scale to provide accurate and timely forecasts?

Mr. Rahmer: Given the scope of the program, storage and hardware requirements were not evaluated. In the future, these requirements should be considered, although the program was seeking to reduce the number of leading signals/features extracted through large, noisy data sets used to produce timely forecasts.

Active Cyber^TM: What types of results have you found in your research to date? How accurate is your prediction performance for the forecast models that you have developed? How has cyber forecasting helped to reduce exposure to threats and paved the way for cost-effective, if not optimal, allocation of resources in real-life cyber defense? How are you measuring the efficacy of your forecasts?

Mr. Rahmer: It is our goal to have these answered by the end of the program. One research method showing promise develops logic that, when combined, helps determine which vulnerabilities are likely to be exploited in the near future, allowing organizations to better prioritize efforts and utilize their resources. We measure our forecasts with metrics such as precision, recall, and a quality score, which determines how closely a forecast matches an actual event (ground truth).

Active Cyber^TM: What is next for the CAUSE program?

Mr. Rahmer: The research towards the CAUSE main objectives will end in March 2019 when IARPA and the test and evaluation team will report their final analysis and lessons learned. Teams are continuing to work on innovative system components that have real operational utility today, and we will work to transition those to the government.

Thank you Mr. Rahmer for this quick but informative look at the CAUSE Program. Being able to generate warnings within a few days time of a possible attack would provide incredible benefits in the cybersecurity fight. I look forward to hearing more about CAUSE and its achievements in the coming year as your results start to come in and you can make informed judgments on the best methods you tested.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.