Jul 16, 2021 | Atlanta, GA
A new open-source cybersecurity technique called Forecast from the Georgia Institute of Technology is able to identify the capabilities that malware is planning to use in an attack before those capabilities are deployed. The all-in-one tool then predicts or ranks the likelihood of each possible staged attack – in less than five minutes on average.
The research effort provides a new cyber forensics method for incident responders who have discovered their network is under attack, one that can provide an edge in speed and resource allocation to combat the cyber threat.
“Currently, when there is a cyberattack, investigators have to painstakingly switch between multiple tools and piece together the puzzle by themselves,” said Brendan Saltaformaggio, faculty advisor on the work and assistant professor in the School of Cybersecurity and Privacy and School of Electrical and Computer Engineering (ECE). “Incident responders must quickly get ahead of the attacker and understand what threats they will soon face in order to combat the cyberattack in real-time.”
Forecast essentially creates a criminal profile of the malware using a novel technique invented by researchers in the Georgia Tech CyFI Lab, directed by Saltaformaggio, that combines forensic and predictive modeling methods. That profile lets security responders know whether they should be looking for, say, an impending ransomware attack or another type of threat, like trying to steal private data or the deployment of new malicious code on the network.
In more than 6,700 tests, researchers demonstrated that Forecast can:
- Build a criminal profile of the malware’s future capabilities in approximately five minutes
- Accurately determine more than 4 out of 5 likely upcoming attack types
- Rank the order in which the attacks will occur with 95 percent accuracy
“Our technique gives incident responders the ability to predict or forecast what the malware is going to do next when it is detected,” said Omar Alrawi, lead researcher and Ph.D. candidate in Electrical and Computer Engineering (ECE). “It is basically catching the crime in action and inferring the intent of the criminal by using a scientific approach.”
The research team’s broad approach takes a memory image of the malware’s last known state and then uses predictive modeling to “animate” that forensic evidence into a possible branching path of attacks.
If it were a bank robbery, Forecast would take a photo of a bad guy collecting the tools he would use to crack a vault. Then it would create a series of possible paths the robber might take into the bank, to the vault, and to the escape car using a highly empirical process. Forecast can give authorities a list of which attacks to defend against and in what order to defend against or outright stop the attack.
The final output of Forecast is a report with evidence of the forecasted ways the malware might attack and in what order, making it easier for incident responders to weigh decisions in real-time.
“Incident responders are overwhelmed during an ongoing attack trying to find other infected systems to contain the malware from spreading. Forecast lessens the cognitive burden on responders by automating the process of cyber forensics by providing a simplified actionable report to the analyst and freeing up resources for other pressing tasks,” said Alrawi.
The research will be presented at the 30th Usenix Security Symposium taking place Aug. 11-13. The paper Forecasting Malware Capabilities From Cyber Attack Memory Images is co-authored by Alrawi, Moses Ike, Matthew Pruett, Ranjita Pai Kasturi, Srimanta Barua, Taleb Hirani, Brennan Hill, and Saltaformaggio. The open-source software is available for free at https://github.com/CyFI-Lab-Public/Forecast.