Attributing cyberattacks to a particular hacker, or indeed even a nation, is a tricky task. But US military research agency DARPA hopes to overcome those difficulties through a new initiative.
The destructive malware attacks on Sony Pictures in late 2014 highlight how hard it is to attribute a cyberattack to a specific actor. Even seemingly solid clues, such as computer code containing the Korean language, can be easily planted by an attacker as a decoy.
DARPA is now offering funding to researchers who have ideas on how to overcome this challenge in a new program called Enhanced Attribution.
The research agency acknowledges that in some cases it's impossible to reliably and confidently pin a cyberattack on an individual. These days attribution often relies on a static picture of the attackers encapsulated by 'indicators of compromise', which can include specific IP addresses, servers, domains and malware used by the attackers.
"The current characterization of malicious cyber campaigns based on indicators of compromise, such as file hashes and command-and-control infrastructure identifiers, allows malicious operators to evade the defenders and resume operations simply by superficially changing their tools, as well as aspects of their tactics, techniques, and procedures," DARPA notes.
To address this situation, DARPA is seeking technologies that would allow US defenders to "extract behavioral and physical biometrics from a range of devices and vantage points".
While this wouldn't necessarily produce an actual identity of an individual, it wants defenders to be able to identify "virtual personas and individual malicious cyber operators" and track their activities on different devices.
It would also be a new direction from current methods, which focus on identifying a group or organization rather than individuals within a group.
DARPA is hoping researchers can deliver technical approaches that combine behavioral biometrics and activity tracking. By vantage points, DARPA means IoT devices, mobile phones, DevOps desktops and laptops used by attackers, and network infrastructure.
Other technologies that it hopes will come out of the program include algorithms to generate predictive behavioral profiles of attackers, and technologies that can integrate with other sources of public and commercial data.
It also wants a system that can help build a full historical picture of an attacker's malicious activity over time.
Anyone keen on the funding opportunity needs to submit proposals by June 7.