U.S. Army Study Demonstrates Cyber Intrusions are Predictable

cyber

A new study from the U.S. Army Research Laboratory presents evidence that the number of cyber intrusions can be predicted, particularly when analysts are already observing activities on a company or government organization’s computer network.

Researchers say new models that predict the number of intrusions would be of significant value to providers of cyber security and resilience services.

A team studied empirical data on actual successful cyber intrusions committed against a number of different organizations. These data were obtained from a provider of cyber defense services, which defended those organizations as clients.

The researchers were able to determine the correlation – or lack thereof — between the number of successful intrusions and observed features of an organization, for 41 organizations. The team looked at the security incident reports containing detailed information about malicious activities and computer security policy violations by users and operators; DNS traffic, collected with specialized and open source software for all organizations in this study; and other data sources describing a selected subset of features of each organization’s network topology and cyber footprint.

As a result, the researchers were able to propose four generalized linear models (GLMs) to predict the number of successful cyber intrusions into an organization’s computer network, where the rate at which intrusions occur is a function of several observable characteristics of the organization.

“This finding is rather intuitive. Indeed, if users such as employees of the organization lack the discipline or knowledge to comply with organizational cyber hygiene policies, and if the organization is unable or unwilling to enforce its own policies, it is easy to expect that the organization’s cyber defenses are poor, leading to more frequent intrusions,” said Dr. Nandi O. Leslie, who was part of the team.

“Less intuitive is the finding that the frequency of accesses by the organization’s networks to the domains domestic.net and foreign.net are strong predictors of intrusions. Although it is not entirely clear why this should be the case, the researchers offer a possible explanation,” Leslie said.

Among client organizations, the numbers of intrusions differ dramatically by many orders of magnitude. Some organizations experience a large number of intrusions in a given time frame, whereas others may not experience any intrusions for a number of years, the army statated.

A specialized organization, such as a managed security service provider, is often used by an organization to provide cyber defense services. For a MSSP, the costs of doing business are heavily influenced by the number of intrusions experienced by its clients. Therefore, when a MSSP negotiates its fees with a new prospective client, it needs a model to estimate how many intrusions should be expected over some fixed time period.