Advanced Persistent Threats (APTs) use a variety of methods to disrupt and destroy cyber operations of their targets but, by performing a deeper examination of these methods, we can discern new information and connections between APTs to better protect against attacks. RIALTO is a tool designed to predict the cyber behavior of APTs by looking at the Tactics, Techniques, and Procedures (TTPs) used by similar APTs. By modeling their historical TTP use and applying advanced machine learning techniques, we can predict what kinds of attacks an APT may launch in the future.

In this project, we utilize TTPs documented in MITRE’s ATT&CK Framework to develop threat models which illuminate the hidden relationships and commonalities between separate APTs and allow us to predict possible future activity. By applying clustering techniques, we determine peer groups of similar APTs based on their unique combinations of TTP usage. These TTPs range broadly from highly technical methods such as DLL hijacking, to social engineering techniques like Spearphishing. In the future, we will soon expand this to include specific software usage and known targets. Using these peer groups and collaborative filtering techniques, we can develop “recommended” TTPs for an APT: TTPs that groups similar to them have used and that we can expect the new APT to use in the future.

Predicting future TTPs can enable targeted organizations to better prepare their networks and users for attacks. Software updates can be prioritized based on likely attack vectors and users can be alerted to specific potential methods attackers may use to gather their information.

These predictions are also incorporated in our “Attacker Search” capability in which the user can enter known information about a cyber threat (such as TTPs used, target, purpose, etc.) and receive a list of possible APTs that match that criteria. RIALTO incorporates trusted APT data and pulls the latest threat information from the MITRE ATT&CK database (attack.mitre.org) and MISP Threat Intelligence (misp-project.org). This feature enables users to quickly attribute attacks based on the historical footprint of APTs.

Technologies

• Recommender Systems: Collaborative filtering machine learning models use similarity between APTs to predict future behavior
• Cyber Early Warning: Provides advanced notice of future attacks that cyber defenders can use to prioritize defensive measures and software patching
• Cyber Attack Attribution: Find malicious cyber threat groups who’s past activities matches a user-defined profile • Differentiators
• Integration with MITRE ATT&CK Framework: ATT&CK is the standard for defining cyber-attack vectors and vulnerabilities. RIALTO speaks that language.
• APT Biographical Information Enrichment: ATT&CK’s data is enriched with other data about APTs such as their known targets, suspected state sponsors, and motives to improve prediction accuracy.
• Customizable Architecture: The system is designed to allow users to create their own sandbox of known APT and TTP data and run predictions based on these datasets which may not be publicly available.

Customers

• DOD
• Other government agencies
• Defense Industry Partners (anyone who may be targeted by an APT)

Technologies

• Game Design: Game objectives and feedback mechanisms to provide the user an engaging training environment
• Behavioral Modeling: Creating in-game agents that behave like real humans
• Potential Future: Developing new strategies through Reinforcement Learning AI techniques where the game learns how to play itself by playing millions of times against an ever-improving version of itself. This is the same technique used to train the best Chess and Go AI agents.

Differentiators

• Individualized Specific Feedback: Players receive more than just a score and basic statistics after a mission. They receive specific feedback that describes improvements based on the actions they performed during play.
• Spectator Mode: Non-players (such as a commander or instructor) can observe the gameplay live without interacting with players or adversaries, enabling human commentary and feedback as well. In the future we can also allow users to watch replays with DVR style controls.
• De-emphasized mechanical skill: Mouse and keyboard skill does not translate to real urban combat proficiency and is not what we want to train. We deemphasize its importance by not requiring pinpoint accuracy in shooting that is typical of other FPS games.

• Enemy AI: Enemies have multiple behavioral profiles, with the capability to add more. This alleviates need for role players and enables more accurate scenario planning by using behavior profiles appropriate to the expected adversary.
• Playable Small Scale: This is designed for a standard 4 player fire team (but can scale to much larger, at least 8). It also has minimal system requirements. Any typical modern laptop could run it fine, and you just need a network connection to play with others. No top end gaming computer needed, and no central server that it must call home to.

Customers

• DOD
• Law Enforcement
• Bohemia Interactive: This company makes the Virtual Battle Space (VBS) series of training simulation. VBS is already used by the US military and dozens of others around the world. VBS is a much much larger scale and full featured version of what TACTICS is trying to do, but it is missing some of the smaller features that make TACTICS unique. As far as I can tell it doesn’t have any automated feedback piece and I’m not sure how their shooting mechanics work. They also work best with large scale server architecture supporting dozens to hundreds of players, I don’t think they’re an option for playing a quick game in your barracks room with a couple of buddies.

One of CYBERSPAN’s primary objectives is to provide fundamental cyber protection for small to medium sized Defense Industrial Base (DIB) companies in the DoD supply chain that do not have the resources and expertise to secure their own networks. It protects against malicious and anomalous activities that could compromise DoD data and intellectual property. CYBERSPAN is a plug and play solution at the network boundary that can be installed and run without the maintenance burden.