Great progress has been achieved in the areas of detecting cyber attacks, designing defensible networks, and maintaining situational awareness of network activity. However, much work still remains to be done, as the volume, variety, and severity of intrusions continue to outpace human analysts’ ability to scale their analysis. At its core, cybersecurity is still essentially reactive. For 2018, LAS is interested in moving beyond the reactive to enable scalable defense without increasing the number of analysts. How do we fundamentally change the playing field, to make it even – or even give defenders the advantage? How do we increase the odds of detecting malicious activity, while decreasing the time and effort required to do so?
Topics of interest include:
- Managing and modeling cyber analytics: Could an analyst simply request data related to a given intrusion, vulnerability, or technique, and get everything relevant?
- Robust cyber indications and warning: How do we do a better job of letting analysts know which alerts they need to focus on? For example, can we combine multiple weak, high-false-positive signatures to generate high-value, low-false-positive strong indicators? Can we incorporate other knowledge to eliminate false positives? Are there better techniques to triage, prioritize, and discover threats and indications in time-bound, context-sensitive environments? Can we provide related (possibly “non-cyber”) context to alerts?
- Scaling through technology-enabled tradecraft: How can we make analysts’ lives easier, while simultaneously improving performance and accuracy? How do we enable analysts to spend time only on tasks that machines can’t yet do and that truly require a trained human? Can we develop techniques that make use of “big data” to improve performance and accuracy — without expecting an analyst to sift through it — and that optimize time-bounded human-machine interactions?
- Moving beyond anomaly detection: Can we use anticipatory analytic tradecraft to anticipate or predict a cyber event or adversary action? Can we anticipate or predict notable events in noisy environments without reliance on hard signatures or pattern-matching schemes? How is that event or action modeled and updated over time? Can we devise methods to steer adversarial actions away from their strength and toward ours?
- Incorporating disparate sources: How can we significantly reduce the manual processes involved in correlating intrusion detection system alerts with text reports of intrusion activity? Similarly, can open source knowledge be used to correlate seemingly unassociated events? Can the integration of disparate data create more meaningful alerts? Is it possible to enhance cyber defense success without examining packets on a “wire”?
- Insider threat detection: Can we model individual user behaviors, identifying both outliers and significant changes? Is there a technique to find behavioral evidence that will lead to discovery of a prior compromise in a system or network?
- Technology-enabled structured analytic tradecraft environment: How do we make use of STIX and other cyber knowledge-sharing mechanisms to enhance automated and human collaborative analysis? What computing platforms support structured analytic tradecraft and analytic rigor within a cyber context?
- High-confidence attribution: Are there reliable methods to attribute and track the phylogeny of malicious code? How robust and specific does the malicious behavior model have to be? What contextual information is of most benefit?