The Pentagon’s Defense Advanced Research Projects Agency is legendary for its secretive, bleeding-edge research projects. DARPA is most famous for funding ARPANET, the packet-switched network that laid the groundwork for modern computer networking and the Internet. Can the organization remake cybersecurity for the coming age of the Internet of Everything (IoE) and harden a wide range of infrastructure against advanced, cloud-supported threats?
DARPA, the Internet of Everything and cybersecurity
In recent years, DARPA has turned its attention to moonshot projects such as terahertz-frequency electronics, a replacement for GPS and, perhaps most notably, several broad cybersecurity initiatives. On the incredibly ambitious side, there’s High Assurance Cyber Military Systems (HACMS), a program that applies formal methods to build provably correct software for embedded and cyber-physical systems and has been popularly described as an “antivirus shield” for the IoE. With Cisco Systems projecting that the IoE could encompass more than 50 billion IP-enabled endpoints by 2020, such an undertaking would, by definition, have to revolutionize how cybersecurity is delivered, extending it to every connected device rather than just the servers and PCs of the enterprise.
Securing the IoE is certainly a mission-critical task for governments, businesses and network security providers, all of whom have growing stakes in interconnected webs of sensors, devices and other infrastructure. McKinsey has estimated that the IoE could generate up to $6 trillion a year in economic impact by 2025. However, realizing such value requires a combination of streamlined cybersecurity processes (such as risk management frameworks), highly capable personnel and top-flight software that covers all bases from mobile to cloud.
In that regard, IoE protection doesn’t seem all that different from the standard cybersecurity practices that have been in use for decades. Still, it isn’t simply a matter of cutting and pasting current procedures. Many recent major security incidents have been marred by slow detection and response times, which organizations will be increasingly unable to afford as new endpoints and cloud services expand their attack surface. A 2013 Trustwave assessment of 450 data breach investigations found that the average intrusion remained undetected for 210 days.
Why does it take so long? Part of the issue may be that organizations assume that traditional risk mitigation tools, such as antivirus software, are enough on their own to protect their data, even though signature-based products are poorly suited to functions such as monitoring network traffic. The days of standalone antivirus, declared dead by Symantec’s Brian Dye in May 2014, may be numbered. Speaking to ZDNet in 2008, Trend Micro CTO Raimund Genes explained that on a strictly technical basis, typical signature-based antivirus won’t keep pace.
“Two years from now, you will not be able to store the [signature] files on a computer any more … you will not have enough memory space,” Genes said. “Some people are saying that antivirus is dead, and I have to agree the traditional methods to combat malware have no future.”
What could be next: DARPA’s goal of fully automated security systems
The security community is already looking beyond antivirus and setting its sights on the IoE. In 2016, DARPA intends to hold its Cyber Grand Challenge competition in conjunction with the prominent security conference DEF CON.
Until then, the agency is encouraging would-be competitors (35 teams had registered by early June) to work on systems capable of dealing with threats automatically and in real time. The best fully automated solution will be awarded a $2 million prize, underscoring the seriousness of DARPA’s search for a new breed of cyberdefense. DEF CON is a common venue for such challenges, but this one is unique in stipulating that the competing systems be “human-free”: the machines must find, patch and exploit vulnerabilities without operators in the loop.
Putting the onus on machines and algorithms has its advantages. Attackers have long had the upper hand, since they only have to find a single vulnerability to take advantage of, while defenders must cover all of them. Accordingly, incidents such as the Target breach, in which the attackers entered through credentials stolen from an HVAC contractor, and the steady stream of Adobe Flash exploits are painful for human security teams to address. They’re often playing catch-up, trying to understand how the network was breached and determine the best course of action, whereas an automated system that detects and patches in minutes rather than months could give their organizations much firmer defensive postures.
“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere – a process that can take months from the time an attack is first launched,” stated Mike Walker, program manager at DARPA, according to ZDNet. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”
If the Cyber Grand Challenge participants can indeed come up with a working human-free system, it may relieve the pressure and high price tag of having to constantly play traditional defense. While defenders have to account for a dizzying array of attack surfaces, perpetrators can focus on just a single novel one. Hardening all infrastructure against potential threats is expensive, and it may not even cover the one that ends up being exploited.
Cybercriminals have more options than ever – so security teams should, too
Meanwhile, attackers have more resources than ever, many of them extremely cost-effective, for probing for weaknesses in the network, as demonstrated by Trend Micro’s recent discovery of attackers using the consumer cloud service Dropbox to host command-and-control (C&C) infrastructure. Malware on an infected machine periodically fetches its instructions from files stored in Dropbox, so the operator never has to run a C&C server of their own.
This tactic illustrates the complex, hard-to-interpret risks that security teams now have to account for. Dropbox traffic will usually look normal to them: the domain is reputable, the connection is encrypted and employees use the service legitimately, even when it is masking the machinations of C&C malware. On top of that, the popularity of services such as Dropbox means that a variety of endpoints, especially PCs, smartphones and tablets, could be serving as gateways to cybercriminal operations. With the IoE coming to the fore, risks may become even more dispersed and difficult to distinguish from legitimate activity.
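One way defenders can still tell C&C traffic apart from ordinary cloud-storage use is by looking at timing rather than destination: malware polling for instructions tends to call home at a near-fixed interval with near-constant request sizes, whereas a person browsing Dropbox produces irregular bursts. The following is an added example of that beaconing check, written for this page and not code from Trend Micro or from the research described above. It runs over a handful of constructed proxy log lines (timestamp, client IP, destination host, method, path, bytes sent); the log format, the Dropbox hostnames, the 10.0.0.x clients and the thresholds MIN_HITS and MAX_INTERVAL_CV are all assumptions chosen for illustration.

```python
"""
Beacon detection over proxy logs: flag (client, host) pairs whose requests
recur at suspiciously regular intervals. Added example, not vendor code.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Fields:
#   timestamp client_ip dest_host method path bytes_out
# 10.0.0.12 polls a shared file every ~3 minutes with identical requests
# (C&C-style beaconing); 10.0.0.33 is a person using Dropbox interactively.
SAMPLE_LOG = """\
2014-06-10T09:00:00 10.0.0.12 dl.dropboxusercontent.com GET /s/abc123/cmd.txt 412
2014-06-10T09:01:17 10.0.0.33 www.dropbox.com GET /home 1840
2014-06-10T09:01:20 10.0.0.33 www.dropbox.com GET /home/Photos 2210
2014-06-10T09:03:02 10.0.0.12 dl.dropboxusercontent.com GET /s/abc123/cmd.txt 412
2014-06-10T09:05:58 10.0.0.12 dl.dropboxusercontent.com GET /s/abc123/cmd.txt 412
2014-06-10T09:09:01 10.0.0.12 dl.dropboxusercontent.com GET /s/abc123/cmd.txt 412
2014-06-10T09:12:00 10.0.0.12 dl.dropboxusercontent.com GET /s/abc123/cmd.txt 412
2014-06-10T09:14:59 10.0.0.12 dl.dropboxusercontent.com GET /s/abc123/cmd.txt 412
2014-06-10T09:26:44 10.0.0.33 www.dropbox.com POST /upload 98213
2014-06-10T10:42:05 10.0.0.33 www.dropbox.com GET /home 1790
2014-06-10T10:42:09 10.0.0.33 www.dropbox.com GET /home/Docs 2075
2014-06-10T11:58:31 10.0.0.33 www.dropbox.com GET /home 1802
"""

MIN_HITS = 5            # assumed: need this many requests to judge periodicity
MAX_INTERVAL_CV = 0.10  # assumed: gaps varying less than 10% look machine-driven


def parse_log(text):
    """Yield (timestamp, client, host, bytes_out) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path, size = line.split()
        yield datetime.fromisoformat(ts), client, host, int(size)


def _cv(values):
    """Coefficient of variation (std dev / mean); inf if the mean is zero."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")


def beacon_scores(text):
    """Return {(client, host): (hits, interval_cv, size_cv)} for pairs with >= MIN_HITS requests."""
    series = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        series[(client, host)].append((ts, size))
    scores = {}
    for key, events in series.items():
        if len(events) < MIN_HITS:
            continue
        events.sort()  # log lines may be interleaved across clients
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        scores[key] = (len(events), round(_cv(gaps), 3), round(_cv(sizes), 3))
    return scores


def suspected_beacons(text):
    """(client, host) pairs whose request timing is too regular for interactive use."""
    return sorted(
        key for key, (_, interval_cv, _) in beacon_scores(text).items()
        if interval_cv <= MAX_INTERVAL_CV
    )


if __name__ == "__main__":
    for key, score in beacon_scores(SAMPLE_LOG).items():
        print(key, "hits=%d interval_cv=%.3f size_cv=%.3f" % score)
    print("suspected beacons:", suspected_beacons(SAMPLE_LOG))
```

The infected client’s gaps cluster around 180 seconds with a coefficient of variation near 0.01 and identical 412-byte requests, so it is reported; the interactive user’s gaps range from seconds to over an hour and are not. In practice the same logic needs a longer observation window, tolerance for the jitter many malware families add, and an allow list for legitimate sync clients, which also poll on a schedule.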
In the next part of this series, we’ll look at one of the specific areas in which the IoE is making itself felt, bringing new possibilities along with fresh security risks: the automated home. We’ll look at the developments in that space and how newer security mechanisms can help shield assets from harm.
SEE PART 2 of this Cyber Security series!