Security. Predicting cyber attacks.

Crime. August, 2014. Cyber attacks, data breaches and vulnerabilities in recent years have morphed from esoteric ideas to mainstream problems. Thus, being able to predict attacks before they happen could allow us to adjust defenses rather than perform expensive and reactive incident responses, which can include everything from deep forensics to discarding equipment worth millions – not to mention massive reputation repair campaigns.
Attacks are never isolated; they are motivated by end goals that can follow predictable patterns and occur in cycles. Extensive intelligence programs are executed by spy and police agencies that are designed to assess the intent and capabilities of adversaries, such as what are China’s military intentions as they relate to Taiwan, and does China have the capability to execute military activity against Taiwan?
But in the cyber realm, we face a different and frustrating world as it relates to generating meaningful insights and intelligence. There is good news, however. As Oren Falkowitz, former United States Cyber Command chief data scientist, put it: “In cybersecurity, the Web balances being the platform to create attacks and being the source of information to prevent attacks.” In other words, we can track the data trail of threats, attackers, methods and operations before they execute attacks.
Predicting is hard. Yogi Berra quipped that, “It’s tough to make predictions, especially about the future.” Nevertheless, we’ve made enormous strides in terms of building meaningful predictive models, from forecasting elections to local weather predictions.
We’ve seen progress in predicting online activism, violence, crime and war. Nathan Kallus from MIT has built very strong models using Twitter data to predict unrest in a series of countries around the world. Simple insights, such as how political unrest follows anniversaries – sometimes like clockwork – can yield strong predictions.
Anatomy of cyber events and actors

Cyber criminals may be single individuals but are more likely complex networks of people spread around the world with multiple roles.
To understand cyber actors, let’s separate them into three simple categories: hacktivism (Anonymous defacing a website, Syrian Electronic Army taking down a website), criminal (groups stealing money or identities online) and, finally, espionage (countries stealing state secrets or intellectual property).
With hacktivism, we typically think of Anonymous and their attacks on companies, organizations and countries. But over time other nefarious groups have emerged with similar modus operandi, be they Al Qassam Cyber Fighters (QCF), Syrian Electronic Army (SEA) or AnonGhost. There are many ways to characterize these groups, but for our purposes, one of the most interesting approaches is to look at whether they preannounce their activities.
Analyzing a large pool of attacks from hacktivist groups, we see that some, like Anonymous and AnonGhost, always preannounce their attacks, sometimes down to specific dates and targets. Others, such as QCF, sometimes forecast attacks on ambiguous targets. Still others, like SEA, never preannounce their attacks. The differences are partially due to the methods employed. For example, phishing attacks are never forecast, while other attacks are designed to generate publicity.
A common form of cyber crime is theft of money. Cyber criminals stealing money may infiltrate ATM networks, skim transactions from online banking systems or threaten to lock up a computer unless a ransom is paid.
There’s little benefit to the attacker to preannounce anything in these situations.

(Source: Homeland Security Today)