Synthetic Teammates and the Future of Cybersecurity · 1 Synthetic Teammates and the Future of...

1

Synthetic Teammates andthe Future of Cybersecurity

Dr. Fernando Maymí Lead Scientist, Cyberspace Operations

Soar Technology, Inc.fernando.maymi@soartech.com

8 August 2017

2

- THE FUTURE THREAT LANDSCAPE- SYNTHETIC TEAMMATES- WORKFORCE DEVELOPMENT

3

- THE FUTURE THREAT LANDSCAPE- SYNTHETIC TEAMMATES- WORKFORCE DEVELOPMENT

4

The Tactical Battlefield of 2050

• Augmented humans

• Automated decision making and autonomous processes

• Misinformation as a weapon

• Micro-targeting

• Large-scale self-organization and collective decision making

• Cognitive modeling of the opponent

• Ability to understand and cope in a contested, imperfect, information environment

5

Threatcasting

http://threatcasting.com

6

7

8

9

10

11

12

Concerns

• War on reality: the weaponization of data

• Blended attacks

• Micro-targeting

• Efficiency is easy to hack

• Complex autonomous systems

Understanding the context is essential

13

- THE FUTURE THREAT LANDSCAPE- SYNTHETIC TEAMMATES- WORKFORCE DEVELOPMENT

14

Partial Artificial Intelligence Taxonomy

Machine Learning Cognitive Modeling

15

(Oversimplifying) Artificial Intelligence

Source, Fair use, https://en.wikipedia.org/w/index.php?curid=36632393,

https://readingraphics.com/book-summary-thinking-fast-and-slow/

Analogous to

Machine Learning

Analogous to

Cognitive Modeling

16

Autonomous Agents

Sense

Act

Think

Learn

17

MACHINE LEARNING

System 1

17

18

Machine Learning

Extract

Features

Filter

Noise

Sense

Data

Classify

Sample

External agent validates

results during training phase

Production (trained) system

outputs results to other systems

19

Adversarial Machine Learning

Original image

classified as a panda

with 60% confidence

Imperceptibly modified

image classified as a

gibbon with 99%

confidence

Tiny adversarial

perturbation

This is a gibbon

Source, Fair use, http://www.kdnuggets.com/2015/07/deep-learning-adversarial-examples-misconceptions.html,

https://www.ippl.org/gibbon/wp-content/uploads/2010/09/peppyaction-269x300.jpg

20

Adversarial Machine Learning

Original image

classified as malware

with 60% confidence

Imperceptibly modified

file classified as

whitelisted software

with 99% confidence

Tiny adversarial

perturbation

Source, Fair use, http://www.kdnuggets.com/2015/07/deep-learning-adversarial-examples-misconceptions.html,

https://stixproject.github.io/documentation/idioms/maec-malware/

21

Towards a Solution

22

COGNITIVE MODELING

System 2

22

23

Towards a Common Model of TTPs

Procedures: the algorithmic, atomic unit of cyberspace operations

Techniques: unique ways to perform procedures

Tactics: directed subgraphs of procedures with one or more goals

as their terminal nodes

24

Towards a Common Model of TTPs

Procedures: the algorithmic, atomic unit of cyberspace operations

Techniques: unique ways to perform procedures

Tactics: directed subgraphs of procedures with one or more goals

as their terminal nodes

25

Towards Common Models of Threat Actors

Partial model of APT28 (Fancy Bear) during Operation Pawn Storm

26

Simulated Cognitive Cyber Red-team Attack Model

Command & Control

Situation Reports

Human

Controller

Cyber Actions

Network Under Test

SC2RAM

27

SC2RAM Graphical User Interface

28

Network Attack Visualization

Developed by IHMC for SC2RAM

29

Using Synthetic Attackers for Cybersecurity

30

Autonomous Hunt Teammate

Hypothesis

Generator

Learning Module

Hypothesis

Evaluation

Threat Intel Feeds Other Feeds Internal Models

DHS

ISAC

Commercial

Dark

Web

Social

MediaAssets TTPs

Attacks

Logs

IDS

Firewalls

Internal Sensors

31

- THE FUTURE THREAT LANDSCAPE- SYNTHETIC TEAMMATES- WORKFORCE DEVELOPMENT

32

Workforce Pipeline

Access Employ Develop Retain

33

What Are We Looking For?

Source, fair use: http://host.madison.com/ct

Access Employ Develop Retain

34

Why?

Source, fair use: http://dailymail.co.uk

Access Employ Develop Retain

35

Key Hiring Trends in Cybersecurity

• Companies are seeking certified candidates- 35% of positions required a certification

• Companies are seeking educated candidates

- 80% of positions require a Bachelor’s degree

• Hands-on skills are more valuable than managerial ones- Lead Software Developer average salary: $ 233,333

- Chief Security Officer average salary: $ 225,000

• Openings are harder to fill- Cybersecurity openings remain open 8% longer than IT ones

- Security clearances or financial sector experience is even harder to fill

• Next-generation gap- Younger generation is not as interested in cybersecurity, particularly women

Access Employ Develop Retain

36

Developing the Cybersecurity Workforce

Access Employ Develop Retain

Source, fair use: http://www.naturethruphotos.com

37

Developing the Cybersecurity Workforce

Access Employ Develop Retain

Source, fair use: https://certification.comptia.org

38

Retention

Access Employ Develop Retain

39

Most Importantly…

Source: https://www.123rf.com/profile_garagestock

Access Employ Develop Retain

40

fernando.maymi@soartech.com