Charles River Analytics secures IARPA contract

Phishing emails use social engineering to exploit human vulnerabilities and execute large-scale attacks through a single weak link. Researchers at Charles River Analytics are turning the tables, using similar principles against attackers, the company announced November 12.

Most cybersecurity methods involve analyzing tools and methods and fortifying existing defenses. While these techniques have their merits, they fail to account for perhaps the weakest link in the equation: the constraints on the human adversary.

To address this shortcoming, Charles River Analytics is developing a multi-faceted approach that focuses on human behavior. The tool, Context-driven Interventions through Reasoning about Cyberpsychology Exploitation (CIRCE), is being fueled by a contract from the Intelligence Advanced Research Projects Activity (IARPA). The project is part of IARPA’s ReSCIND program, which aims to develop a new set of cyberpsychology-informed defenses that “leverage attacker’s human limitations, such as innate decision-making biases and cognitive vulnerabilities.”

Today, cyber defenses try to understand what kinds of tools adversaries are using. Considerable effort is spent assessing whether an adversary is on a network and, if so, how they got on. But there’s very little work focused on exploiting the human executing the attack.

“Focusing on exploiting human vulnerabilities makes sense,” said Sean Guarino, principal scientist at Charles River Analytics and principal investigator on CIRCE. “Although we live in a time where cyber offense technologies evolve at lightning speed, humans have cognitive constraints that are difficult to overcome. Therefore, defenses that target the human attackers remain relevant for longer periods of time,” Guarino said.

CIRCE relies on the principle of oppositional human factors (OHF), which pinpoints the constraints that attackers face when they’re executing their jobs and makes them worse. The theory is that by degrading the experience, you frustrate the attacker into not executing the job. Dr. Spencer Lynn, senior scientist at Charles River and modeling lead on CIRCE, explained, “When an attacker lands on a network, they have many choices available. We want to be able to steer those choices unbeknownst to them, so that they’re wasting time on the attack.”

Part of the strategy involves misleading human attackers to believe something about the attack surface or defenses that’s not true. For example, if the name of an entry port signals administrative authority, attackers might target it selectively to gain network access, and once they do so, their behavior can be steered in specific ways.

CIRCE is in Phase 1 of the research to explore the possibilities of such OHF-driven manipulation. It focuses on characterizing and experimentally validating attacker cognitive vulnerabilities. If the approach works, “there is a strong commercialization opportunity to develop these into tools that can be inserted into a wide range of different defensive environments,” Guarino says.

CIRCE is a psychology-based method that holds plenty of promise, Guarino said. “Keeping up with technology can be a losing battle because cyber threats move so fast. The human in the attack is the most exploitable point in the attack chain. If we can define good ways to exploit human vulnerabilities, these methods will provide much more effective cyber defense for the long term,” he added.

Source: Charles River Analytics
