Cyber-Investigation In The Blink Of An Eye
by Daniel Gaffney, Defense Threat Reduction Agency
February 19, 2021
The cybersecurity experts at the Defense Threat Reduction Agency
(DTRA) are on the cusp of implementing a new system, called Bird
Dog, that has the potential to greatly enhance the cybersecurity
defenses of not just the agency, but the DoD community as a whole.
“We generate about 3.5 terabytes of data every day; that’s 3.5
million gigabytes, or approximately 250 million pages of data, every
single day,” said Jason Phillips, chief of DTRA’s Cybersecurity
Department. “It is a daunting task trying to figure out what data
requires immediate attention in order to determine whether a
compromise has occurred. Without a significant infusion of resources
(money and qualified subject matter experts), we simply can’t look
at everything. We need to prioritize our limited resources to focus
our efforts and attention on the events that really need to be
inspected or analyzed.”
Photo caption: Capt. Sarah Miller and Tech. Sgt. Carrol Brewster, 834th Cyber Operations Squadron, discuss options in response to a staged cyber attack during filming of a scene for an Air Force Reserve Command mission video at Joint Base San Antonio-Lackland, Texas, on June 1, 2019. (U.S. Air Force photo by Maj. Christopher Vasquez)
Using artificial intelligence (AI) and machine learning (ML),
Bird Dog might be able to do the most time-consuming part of a
cyber-investigation in the blink of an eye.

DTRA is one of
about two dozen Cyber Security Service Providers (CSSP) across the
DoD. That means the agency provides its own multi-layered cyber
defense, and is certified and accredited to protect its portion of
the DoD network, other 4th Estate components, and cleared defense
contractors that require access to DoD Networks. The current
practice is to use a layered defense that filters out most of the
cyber events that don’t require a human analyst to investigate.
However, the human analysts still have a mountain of data to look at
as they monitor our networks.

“It’s like panning for gold –
once we can move the big rocks out of the way, we can start sifting
the dust,” said Phillips. “But out of about 1.5 million events
generated every day, we still have 20-30 thousand events that we
actually need to investigate, which requires a human analyst to
review and determine what has or is occurring. To do this, analysts
follow a systematic approach of identifying the who, what, and when
of a cyber-event by performing queries. These queries can range from
50 – 150 questions depending on the specific event being
investigated, and the ensuing results can cause things to get very
complicated very quickly.”

The Bird Dog system, which DTRA is
now working with the DoD’s Joint Artificial Intelligence Center
(JAIC) to bring online, should be able to start the investigation
before the events are sent to the analysts. Using AI and ML to train
our systems what to look for, what to ignore, what connections to
make and when to ask more questions, Bird Dog could turn what would
normally take about three hours of human analyst work and get the
answers in less than a minute.

“This problem isn’t unique to
DTRA,” said Chris Paulson, DTRA’s CSSP Team lead. “It’s the same
problem not just in the DoD, or the U.S. government, but even across
the private sector – how much can we afford, and what level of
protection is reasonable?” But Bird Dog isn’t meant to save money or
replace human analysts – it makes them more efficient. “From the
technical standpoint, we’re maximizing the ROI (return on
investment) of our human analysts… they’ll spend much less time
trying to figure out IF there is a problem that needs to be
investigated (and then fixed, blocked, contained, or shared with
other networks), and more time investigating events that may not
have been previously seen.”

While the Bird Dog idea was first
discussed several years ago, the DTRA IT team started the in-house
work back in 2019, and joined up with the JAIC in the fall of 2019.
The incredibly difficult task of getting a machine to not only think
for itself – artificial intelligence – but to LEARN how to think for
itself – machine learning – was slowed down a bit by COVID, but the
team is close and eager to begin its initial piloting of the
hardware and software. Similar to driving a future car prototype for
the very first time, the team has both great, and realistic,
expectations and knows a lot of work remains ahead.

“I’m
extremely proud of this team and their foresight into solving a big
data problem,” said DTRA IT Director and Chief Information Officer,
Mario G. Vizcarra. “Physical attacks on DoD assets or military bases
are relatively uncommon, but cyber-incidents happen around the
clock. In 2020 we saw just how damaging a cyber-attack or
infiltration can be, and why we need something like Bird Dog to
augment the existing protections for our networks and information.
We are far from declaring success, but working closely with DoD’s
JAIC, we were able to rapidly transform ideas and creativity to an
actual AI solution for an important cyber security issue that looks
very promising for DTRA and DoD.”

“If Bird Dog can learn what
it needs to do (and do it accurately), it might be able to do part
of an investigation thousands of times faster than we can,” said
Phillips. “But we have to teach it first.”
-----------------------------------------

The Defense Threat Reduction Agency enables the Department of
Defense, the United States Government and international partners to
counter and deter weapons of mass destruction and improvised threat
networks.