ASU KEDtalk: Staying ahead of cyberattacks


Paulo Shakarian tells us how mining the dark web can throw light on cybercriminals and thwart their impending attacks. He likens his research strategy to that of a soldier running reconnaissance on the enemy.

Oct. 12, 2018

Video transcript

Thank you. So what if cyberattacks could be predicted? What if before a major attack occurred, we would know precisely the right precautions to take? I'm Paulo Shakarian, and I have the privilege of leading a very talented group of researchers here at ASU working on this very topic.  

But truth be told, I didn't always have that job. I used to be in the army. But oddly enough, those experiences have proved handy in our work on cyberattacks.  

So there I was, over a decade ago, in a Spartan field barracks in North Fort Hood, Texas, gathered in a cramped briefing room with 30 other soldiers. We were getting ready to deploy to Iraq and were receiving a briefing on roadside bombs. The presenter told us that what we would learn could potentially save our lives and went on to say that the bombs could be placed anywhere. They could look like anything.  

Now, I thought that was pretty worthless. If the enemy could really make the bomb look like anything or place it anywhere, then it must be hopeless. And this didn't seem right.  

Now, the reality is that those planning these attacks are people. They have certain goals and real-world constraints on their abilities. And this is actually something we know quite well in the military, that faulty presentation at Fort Hood aside. And in fact, as my time in Iraq progressed, we got better and better at identifying the indicators of an oncoming insurgent attack. So for instance, if part of the road was dug up, we would watch out for that. It might indicate buried explosives. We'd also be on the lookout for markers, visual cues that the insurgents would use to time their detonations.

Now, can we apply these ideas to cybersecurity, where we're up against malicious hackers? Well, despite the frequency of these attacks, hackers have their limitations too. So did you know that over 90% of breaches are due to known software vulnerabilities? This means that the software flaws that enable these attacks were actually known to the public ahead of time. And even more interesting is hackers are only using about 3% of these vulnerabilities.  

And so if you consider these numbers, we should be able to stop most cyberattacks. Except we don't. In 2017, major attacks like WannaCry, Petya, CopyCat, and the Equifax breach all tell us otherwise. And these were hugely significant. WannaCry infected over 300,000 machines. The Equifax breach exposed personal information for 143 million people. Yet, in both these cases, patches existed ahead of time that could have stopped the attack.  

That aside, cyberattacks are actually a little bit challenging to conduct in a way that makes money for the attacker. So just as with the insurgents placing roadside bombs, there are constraints on the cyber criminals. So how do hackers increase their chances of success when conducting such an attack? Well, hidden parts of the internet known as the deep and dark web host communities that allow them to share expertise, trade source code, as well as the latest software that enables these attacks.  

Now, can we collect such information? Can we use it to be better prepared for certain attacks? And it turns out we can, but we have to collect the right kinds of information. We need to find data that will indicate an upcoming attack. This is actually a small amount of information buried in mountains of dark web data. And just like the dug up pavement would indicate the possibility of a buried explosive, certain aspects of these dark web conversations can indicate weaponization of software tools that will be later used in an attack. And these indicators include what the hackers say, who they're connected with, what language they use, and even metadata.

Leveraging these bits of information from the dark web allows us to automatically piece together a puzzle. And using such techniques, our research group was able to train software to identify software vulnerabilities that hackers used in emerging cyberattacks. And this provides an alert that allows defenders to prioritize certain software patches that can help prevent the attack from occurring. And our core group has actually created a new startup company called CYR3CON based on the technology. And we've partnered with several cybersecurity companies, many right here in Arizona, to bring it to users.

So for instance, we have not only found the ability to predict exploits used in major cyberattacks such as WannaCry, but we also found that certain indicators point to attacks against specific organizations. So for instance, in one case, hacker discussion about Adobe Flash vulnerabilities meant that it was nearly four times more likely that that organization experienced an attack in the following week.  

So the next time your IT staff alerts you to patch your computer, think of the hacker. Think of his disappointment he will experience when he discovers you've patched the precise vulnerability he was intending to use in his attack. And just like how we got better at identifying indicators of oncoming insurgent attacks in Iraq, taking preemptive actions against malicious hackers will allow us to do the same in the cyber realm and help keep our systems and our data safe. Thank you.


Paulo Shakarian is a researcher in ASU's Global Security Initiative, which is partially supported by Arizona’s Technology and Research Initiative Fund. TRIF investment has enabled thousands of scientific discoveries, over 800 patents, 280 new startup companies and hands-on training for approximately 33,000 students across Arizona’s universities. Publicly supported through voter approval, TRIF is an essential resource for growing Arizona’s economy and providing opportunities for Arizona residents to work, learn and thrive.