Galois awarded $6 million DARPA contract to address advanced persistent threats (APTs) in systems and networks
Portland, OR-based Galois today announced it has been awarded a $6 million contract under a Defense Advanced Research Projects Agency (DARPA) program to develop a system to detect Advanced Persistent Threat (APT) cyber attacks in increasingly complex enterprise network and system environments.
Nearly 3 in 10 enterprise security professionals believe their networks were hit by an APT in 2015, while many others were unsure. That uncertainty is in part because enterprise networks have grown so complex that gaining visibility into network activity is nearly impossible. Because of this complexity, adversaries have been able to mount long-term stealthy APTs that hide amid other system activity for long periods of time, stealing data and in some cases corrupting the integrity of mission-critical applications.
To address the growing challenge posed by APTs, the Galois-led team, which includes the University of Edinburgh, PARC (a Xerox company), and the Oregon State University, will develop A Diagnostic Approach for Persistent Threat Detection (ADAPT) as a project under the DARPA I2O Transparent Computing program. ADAPT will offer system defenders unprecedented ability to identify subtle but potentially malicious activities by observing long-term behavior patterns and causality in system activity.
“Complexity of system activity and resulting lack of transparency has created a world where carefully crafted APTs can act ‘under the radar’ for long periods – stealing data, expanding presence, and affecting system operation without triggering traditional detection systems,” said Dr. David Archer, research lead, cryptography & multiparty computation, Galois. “By tracing the computational provenance of APTs, and by detecting subtle behavioral anomalies that distinguish APTs from normal business logic, ADAPT will offer system operators enhanced situational awareness about security of their networks.”
The DARPA Transparent Computing program aims to make currently opaque computing systems transparent by providing high-fidelity visibility into component actions and interactions during system operation across all layers of software abstraction, while imposing minimal performance overhead. By automatically or semi-automatically “connecting the dots” across multiple activities that are individually legitimate but collectively indicate malice or abnormal behavior, TC has the potential to enable the prompt detection of APTs and other cyber threats, and allow root cause analysis and damage assessment once adversary activity is identified.
ADAPT will be of considerable value for the SIEM (Security Information and Event Management) industry. SIEM systems are designed to provide a real-time view of an enterprise’s security posture by aggregating log files, external threat information, and device configurations. Today, such systems typically rely on simple aggregation of log file data and summary statistics, and so are incapable of nuanced or complex inferences, especially for long-lived threats. ADAPT represents a significant upgrade in SIEM capabilities for both vendors and consumers, providing actionable recommendations as the output of truly context-sensitive analysis.