One of Charles River Analytics (CRA)’s key achievements in 2022 was the receipt of $2.5 million in funding from the US Navy for modeling and inferring intent of cyberspace threat actors.
According to the company, analysts need effective forensic analysis of both kinds of cyberattacks; on IT infrastructure (cybertechnical) and through social media operations spreading disinformation (cybersocial).
CRA believes that cyberattacks have become increasingly complex with explicit obfuscation techniques to avoid being detected. Worse, actors change strategies dynamically in reaction to real-time events. As a result of these complexities, forensic analysis, especially of cybersocial attacks, have largely been conducted manually.
The Cyber Adversary Discovery Engine (CADE) from CRA delivers an AI-based tool that collaborates with analysts. By using CADE, analysts are able to visualize and test their hypotheses about the Tactics, Techniques, and Procedures (TTP) that threat actors adopt.
“With CADE, we are developing a thought accelerator system that works with the complex reasoning that analysts are already doing in their heads,” said Bryan Loyall, Director of Technology Innovation and Principal Scientist at Charles River Analytics. “Having an analyst put their thoughts down in terms of visualizations helps them put the puzzle pieces together more effectively.”
CRA believes thorough forensic analysis through AI requires three components:
- A way of modeling complex and multi-tiered TTPs from threat actors
- Recognition and interpretation of attacker behaviors in the data
- A tool that can enable analysts to visualize the complex layers and test their hypotheses easily. The tool would also alert analysts of changes in threat actor TTPs, which could signal a new front in the attack.
CADE addresses all three pillars: it represents the sophisticated TTPs of today’s cyberattackers; helps find attacks in forensic data; and collaborates with analysts to identify goals, behaviors, and changes in TTPs. The system also identifies individual threat actors by tracking their signature TTPs and their evolution over time.
The R&D funding for CADE was provided by the Office of Naval Research Small Business Technology Transfer (STTR) program which is intended to foster transitions of joint efforts between qualified small businesses and research institutions.
CRA’s research partner for the CADE effort was the University of California Santa Cruz, led by Professor Magy Seif El-Nasr. Dr. Seif El-Nasr’s research focuses on using machine learning and visualization systems to understand and track behavior through analytics.
Phase I of the project designed and demonstrated the feasibility of CADE. Phase II developed a prototype that helped identify and understand adversary behavior, track changes over time and flag those that do not result from known events. CADE is developed with cognitive models and probabilistic programming language-based machine learning, which can build robust models even from small amounts of data.
Future iterations of CADE will enable analysts to turn certain events ‘on’ and ‘off’ in visualization panels, so analysts can eliminate confirmation bias or test drive competing hypotheses and match those against the data. CADE accounts for multiple factors such as time and space so analysts can see patterns they might not have easily seen before.
Loyall believes that CADE’s potential impact is immense, especially given the potential for cyber threat actors to spread misinformation on a massive level: “CADE will be a great asset for analysts doing the difficult work of trying to make the landscape better. If we’re able to help the underresourced people who are trying to make things better, we can make a positive impact on the world.”