What if you could be warned about a scam email before it even arrived in your inbox? And what if you could be told exactly what it would say and what it would do to you and your computer?
Back in 2015, the Intelligence Advanced Research Projects Activity (IARPA), a research unit within the Office of the Director of National Intelligence, issued a call for anyone who could come up with novel, efficient ways to predict cyberattacks before they happened. It sought tech that made those predictions way ahead of other available products. And, not only did IARPA want technology that could see an attack coming, it wanted the details ahead of time too, such as what vulnerabilities would be exploited and what digital weapons would be used.
This March, the project comes to a close and yet little has emerged about the success of the project, dubbed CAUSE, a neat acronym for the Cyberattack Automated Unconventional Sensor Environment initiative.
But one of the teams in the program spoke to Forbes about a tool, OmniSense, they built for the CAUSE project with the University of Southern California. Managed from a data center, or “mothership,” installed in the basement of Hyperion Software Research Scientist Jason Hopper’s Nova Scotia, Canada, home, Omnisense watches over the internet all the time. Its “listening servers” are dotted across the planet, as shown in a map provided by Hopper. They look at traffic passing around the internet and try to attach IP addresses to each server carrying out certain actions, such as scanning for vulnerabilities or trying to guess passwords on computers en masse (otherwise known as “brute forcing”) on devices accessible over the internet. Once Omnisense has found a server of interest, it carries out a “deep scan” looking for all the software being run on the host and any domain names associated with the IP address, before giving it a security threat score.
With all that data, Hopper and his team at Hyperion Gray produce a daily “internet weather report” that he says can be used by a security team to “know what way the wind is blowing.” Hopper adds: “Security teams can use this to block sources of attacks before they’re actually seen on a network, or take some other preventative action as they see fit.” In one case, working with an unnamed company, Hopper claimed Omnisense warned of a specific attack, targeting a server allowing remote connections into a business network, four days before hackers came knocking.
Though he doesn’t believe there’s much of a privacy issue with scanning the web all the time, as the internet is, by its nature, an open space, he does allow people to blacklist Omnisense so it can’t watch over them. Hopper does that through a “blacklist.” Anyone annoyed by the scanning, and is a legitimate business or individual, can ask him to stop. So far, he says he’s had a wide range of people asking to be put on the blacklist, from farmers in the UK, to the government of India.
Robert Rahmer, CAUSE program manager at IARPA, told Forbes that privacy was an important part of the project. “Given the various data sets that could potentially contribute to cyber-attack forecasts, IARPA is very much aware of the need to address both privacy and security concerns, and carries out its programs in close consultation with the Office of General Counsel and the Office of Civil Liberties, Privacy, and Transparency.
“The CAUSE program is focused on forecasting cyberattack events, not solutions that identify specific individuals.” Data gathered by research teams had to be publicly available and lawfully obtained, he added.
Scanning the market
Massive scale web scanning isn’t new, but a handful of start-ups are trying to bundle it into a useful cybersecurity service. Another burgeoning company, GreyNoise Intelligence, is providing a similar service, saying it looks at all the “background noise” of the web, most of which is generated by malicious hackers. Andrew Morris, CEO of GreyNoise, revealed to Forbes that he sells data to one of the other vendors on the CAUSE program, though he declined to say who. The contractors include BAE Systems, Charles River Analytics, Leidos and the University of Southern California. This week, GreyNoise announced a $600,000 seed round, having only launched a commercial product in December. Morris says some customers are already using his tools for predicting cyberattacks. And Hyperion Gray revealed its first Omnisense client is HYAS, a cyber intelligence company.
Hopper says that whilst it’s easy to stand up a “listening network,” gaining useful insights is a lot more difficult. “It’s a lot of data,” he says. I’ve been active in security monitoring [for a long time] and I’m shocked by the sheer volume of scanning and brute forcing. It continues to surprise me how much there is.” Omnisense is also now being sold to a handful of initial customers, he noted.
There is one area where Omnisense and competing tools can’t provide protection: a targeted attack where a single individual is targeted via unique methods. “If someone sits down at a keyboard and decides to attack another person, that’s extremely difficult to prevent,” Hopper added.