Tool Aims to Help Thwart Cyber-AttacksSystem Analyzes Data Culled from Social Media Sites
Cybersecurity researchers at the Georgia Tech Research Institute are developing a tool that amasses information from the Internet to give organizations an early warning of a pending cyber-attack.
The system, known as BlackForest, scrapes and analyzes information culled from a variety of online sources to detect potential attacks. Several organizations working with the institute have implemented an early version of the technology, which the institute is continuing to develop.
In the versions implemented so far, "BlackForest has definitely found confidential information in the wild before the organization knew it was out there," says Ryan Spanier, head of the institute's threat intelligence branch.
Much about BlackForest remains hush-hush. Spanier would neither identify which organizations have deployed BlackForest nor provide specific details about how the technology behind it works.
The institute has yet to determine how it will market and price BlackForest as the product evolves, though Spanier says GTRI could tailor it for individual customers. In addition to running on an enterprise's own servers, the software might also be offered as a cloud service, which could be more appealing to smaller organizations because of the high cost to implement and support such an intelligence system, Spanier says. GRTI did not provide a timetable for further implementations of BlackForest.
Spanier and other researchers say BlackForest helps to paint a threat picture that alerts organizations that may have been unaware they've been targeted for an attack.
Hackers coordinating attacks use social media to enlist supporters, and their bluster could be turned into cyber-intelligence to help thwart attacks, the researchers point out.
Ryan Spanier on BlackForest capabilities.
"A simplistic example would be groups like Anonymous - hacktivists organizations who rely on social media to increase their followers and to plan attacks," Spanier says. "They might be posting on a forum or Pastebin or Twitter or different areas of the Internet, basically saying, 'Hey, I'm really mad at U.S. financial firms. I want to plan an op, I want to try a denial-of-service attack and I want to do it next week; everybody download my tools, so we can go after these guys and really show them who's the boss.'"
BlackForest finds information in hacker forums and other sites where malware authors and others congregate. Its spiders crawl through paste sites such as Pastebin, where hackers post files with the latest information about the malware they create.
The BlackForest software is "designed for an analyst to be in the loop somewhat," Spanier says. "Basically, once it tells you, 'Hey, here's something of interest you should look at,' then an analyst would look at that and make a final determination" on how an organization would defend itself.
Monitoring websites where hackers gather isn't new, but the Georgia Tech researchers say few organizations have the wherewithal that BlackForest provides to connect the dots that could lead to a cyber-attack warning.
"The average organization doesn't have the means to crawl all of this data and put together the complex algorithms needed to identify the useful information," says Chris Smoak, a research scientist in GTRI's emerging threats and countermeasures division. "Because we have the environment and the connectivity, we have what we need to obtain this information."
Spanier adds, "We want to provide something that is predictive for organizations. They will know that if they see certain things happening, they may need to take action to protect their networks."