Atlanta, GA | Posted: July 16, 2021
A new open-source cybersecurity technique called Forecast from the Georgia Institute of Technology is able to identify the capabilities that malware is planning to use in an attack before those capabilities are deployed. The all-in-one tool then predicts or ranks the likelihood of each possible staged attack – in less than five minutes on average.
The research effort provides a new cyber forensics method for incident responders who have discovered their network is under attack, one that can provide an edge in speed and resource allocation to combat the cyber threat.
“Currently, when there is a cyberattack, investigators have to painstakingly switch between multiple tools and piece together the puzzle by themselves,” said Brendan Saltaformaggio, faculty advisor on the work and assistant professor in the School of Cybersecurity and Privacy and School of Electrical and Computer Engineering (ECE). “Incident responders must quickly get ahead of the attacker and understand what threats they will soon face in order to combat the cyberattack in real-time.”
Forecast essentially creates a criminal profile of the malware using a novel technique invented by researchers in the Georgia Tech CyFI Lab, directed by Saltaformaggio, that combines forensic and predictive modeling methods. That profile lets security responders know whether they should be looking for, say, an impending ransomware attack or another type of threat, like trying to steal private data or the deployment of new malicious code on the network.
In more than 6,700 tests, researchers demonstrated that Forecast can:
“Our technique gives incident responders the ability to predict or forecast what the malware is going to do next when it is detected,” said Omar Alrawi, lead researcher and Ph.D. candidate in Electrical and Computer Engineering (ECE). “It is basically catching the crime in action and inferring the intent of the criminal by using a scientific approach.”
The research team’s broad approach takes a memory image of the malware’s last known state and then uses predictive modeling to “animate” that forensic evidence into a possible branching path of attacks.
If it were a bank robbery, Forecast would take a photo of a bad guy collecting the tools he would use to crack a vault. Then it would create a series of possible paths the robber might take into the bank, to the vault, and to the escape car using a highly empirical process. Forecast can give authorities a list of which attacks to defend against, and in what order, so they can defend against or outright stop the attack.
The final output of Forecast is a report with evidence of the forecasted ways the malware might attack and in what order, making it easier for incident responders to weigh decisions in real-time.
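To make the idea of "animating" a memory image into a ranked set of staged attacks concrete, here is a small illustrative model written for this article. It is not Forecast's own code or algorithm; the snapshot artifacts, the capability names, the evidence lists and the scoring rule are all constructed assumptions. It treats a recovered snapshot as a bag of artifacts (imported API names and strings), walks every branching path of capabilities the malware could stage next, and scores each path by how well the snapshot supports every stage on it, so the report lists the best-supported path first.

```python
"""Toy forecaster: rank possible staged attack paths from a memory snapshot.

Hypothetical model written to illustrate the article; it is NOT the
Forecast tool's code. All artifact names, capabilities and weights below
are constructed assumptions.
"""
from typing import Dict, List, Tuple

# Constructed "memory image": artifacts an analyst recovered from a process
# snapshot (imported API names and notable strings). Assumed sample data.
SNAPSHOT = {
    "imports": {"CryptEncrypt", "CryptGenKey", "FindFirstFileW", "InternetOpenUrlW"},
    "strings": {".onion", "YOUR FILES"},
}

# Constructed capability model: for each capability, the artifacts that
# usually accompany it and the capabilities it tends to stage next.
# Together the "next" lists form the branching path of possible attacks.
CAPABILITIES: Dict[str, dict] = {
    "recon":       {"evidence": {"FindFirstFileW"}, "next": ["encrypt", "exfil", "download"]},
    "encrypt":     {"evidence": {"CryptEncrypt", "CryptGenKey", "CryptDestroyKey"}, "next": ["ransom_note"]},
    "exfil":       {"evidence": {"InternetOpenUrlW", "http://"}, "next": []},
    "download":    {"evidence": {"InternetOpenUrlW", "http://"}, "next": ["persist"]},
    "ransom_note": {"evidence": {"YOUR FILES", ".onion"}, "next": []},
    "persist":     {"evidence": {"RegSetValueExW"}, "next": []},
}


def evidence_score(cap: str, snapshot: dict) -> float:
    """Fraction of a capability's expected artifacts found in the snapshot."""
    artifacts = snapshot["imports"] | snapshot["strings"]
    expected = CAPABILITIES[cap]["evidence"]
    return len(expected & artifacts) / len(expected)


def forecast_paths(start: str, snapshot: dict) -> List[Tuple[List[str], float]]:
    """Enumerate every staged path from `start` and rank them.

    A path's score is the product of its stages' evidence scores, so a path
    is only as plausible as its least-supported stage; a stage with no
    supporting artifacts drives the whole path to zero.
    """
    results: List[Tuple[List[str], float]] = []

    def walk(cap: str, path: List[str], score: float) -> None:
        path = path + [cap]
        score *= evidence_score(cap, snapshot)
        following = CAPABILITIES[cap]["next"]
        if not following:            # leaf: a complete staged path
            results.append((path, score))
            return
        for nxt in following:        # branch into each possible next stage
            walk(nxt, path, score)

    walk(start, [], 1.0)
    return sorted(results, key=lambda r: r[1], reverse=True)


def report(snapshot: dict, start: str = "recon") -> List[str]:
    """Human-readable lines, best-supported path first."""
    lines = []
    for path, score in forecast_paths(start, snapshot):
        lines.append(f"{score:.2f}  " + " -> ".join(path))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOT)))
```

With the constructed snapshot, the encryption path is ranked first because two of its three crypto artifacts plus both ransom-note strings are present, the exfiltration path second on partial network evidence, and the download-and-persist path last because nothing in the snapshot supports persistence.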
“Incident responders are overwhelmed during an ongoing attack trying to find other infected systems to contain the malware from spreading. Forecast lessens the cognitive burden on responders by automating the process of cyber forensics by providing a simplified actionable report to the analyst and freeing up resources for other pressing tasks,” said Alrawi.
The research will be presented at the 30th USENIX Security Symposium taking place Aug. 11-13. The paper Forecasting Malware Capabilities From Cyber Attack Memory Images is co-authored by Alrawi, Moses Ike, Matthew Pruett, Ranjita Pai Kasturi, Srimanta Barua, Taleb Hirani, Brennan Hill, and Saltaformaggio. The open-source software is available for free at https://github.com/CyFI-Lab-Public/Forecast.