IntelliGenesis is Using AI to Predict Cyber Attacks
IntelliGenesis is collaborating with the University of Buffalo on Rialto, an innovative cyber security project for the Navy. Rialto is a tool that predicts future behavior of Advanced Persistent Threats (APTs) based on their past attacks and attacks of similar threats. APTs use a variety of methods to disrupt and destroy cyber operations of their targets.
We model their historical Tactics, Techniques, and Procedures (TTPs) to measure similarity between APTs. By applying clustering and collaborative filtering techniques, we can predict what kinds of attacks an APT may launch in the future. This strategy has led to several successful predictions of malicious TTP usage based on data that was openly available for months before the attacks happened.
Predicting future TTPs can help defend their networks and users from attacks. For example, Rialto predicted the actions of the Gamaredon Group APT based on data publicly available over a month before the attacks occurred. Gamaredon Group is a suspected Russian-sponsored group known to have attacked Ukrainian government officials. In August 2019, they were seen using entirely new malware which achieved persistence by scheduling itself as a Windows Task and copying itself into the user’s Startup folder. Rialto predicted these TTPs for Gamaredon Group based on publicly available data from July 2019. With this kind of advance warning, network administrators can prioritize software updates based on likely attack vectors and users can be alerted to specific potential methods attackers may use to gather their information.
These predictions are also incorporated in our Attacker Search capability. Often, Defensive Cyber Operators see the signs of an attack and want to attribute it. Attacker Search saves the operator hours of manual examination by highlighting APTs that match the known information about an attack. Instead of researching each APT and its history, Rialto tells you who matches what you saw.
Our work on Rialto was recognized by the International Conference on Cyber Warfare and Security (ICCWS) and presented as a Work in Progress at ICCWS in March 2020.