Level 3 Communications

Chris Richter

Predicting the Next Cyberattack

Do you know where the next cyberattack will strike or when it’s likely to happen? Using machine learning techniques and data analysis, it’s now possible to forecast cyber attacks with a decent degree of accuracy.

Mind you, we can’t pinpoint the exact time of an attack, but like weather forecasters, we can review the available data, look for digital fingerprints and behavior patterns and assess whether a specific target is in the crosshairs of cybercriminals. Like sharks circling prey, attackers exhibit certain behaviors and characteristics when they’re planning to strike, and we’re getting better at detecting the early stages of their kill chain.

In some recent cases, Level 3 Threat Research Labs identified behavior signaling an imminent attack and notified the targets. Our researchers noticed attackers were poking and prodding around the target, and even conducted small-scale test attacks as a precursor to a much larger action. This type of behavior is pretty typical. Think of it as the terrorist “chatter” intelligence agencies talk about when warning of an imminent attack. 

Early Signs

You’ll recall the massive distributed denial of service (DDoS) assault on Dyn in October 2016. The attack blacked out popular websites such as Netflix, Twitter and Reddit, starting on the East Coast and rolling westward.

Leveraging computers and Internet of Things devices such as webcams, the perpetrators targeted Dyn’s servers because the company is a DNS provider, acting as a kind of internet switchboard. Targeting a DNS provider delivers a bigger bang because the provider connects with so many other companies.

When the big attack took place, we provided Dyn with information on the types of code, ports and protocols used by the perpetrators.

In another case, we picked up on the preparations for an attack on an online gaming company just as it got ready to launch a new game. Perpetrators conducted small test attacks and performed vulnerability scans, using botnets known to deliver DDoS attacks.

We put protections in place, and when the attackers struck, we were able to fend them off. In this case, attackers targeted the login portal, which they concluded was the most vulnerable target in the gaming company’s infrastructure.

Evolving Science

Predicting cyber attacks isn’t an exact science. But this area of cybersecurity is developing quickly, and we are making great strides. It will become more and more reliable as we continue to collect and analyze new strains of malware, identify their origins, and determine how they are used and what damage they can inflict. We also are getting better at monitoring attack patterns within specific vertical industries and using the information to help predict attacks on other organizations in the same – and related – verticals.

With machine learning and data analysis, we can track malware and cybercriminals’ movements. We can look at IP addresses of potential victim sites and keep an eye on botnets designed to steal data and deliver DDoS attacks. We catalog the specific characteristics and profiles of victims that make them a target to complement the work we do in tracking down known attackers’ traits.

These activities refine our forecasting. They allow us to do reconnaissance and raise the red flag when an attack is imminent. These predictive capabilities aren’t unlike the scouts used by the vast Roman and Mongolian armies to track their enemies’ movements — or the hot-air balloons employed by the French in the 18th century for military reconnaissance.

Predictive tools and techniques offer us another weapon in the fight against cybercrime. They give organizations more than a fighting chance to fend off cybercriminals and their seemingly bottomless cache of attack methods and malware variants.

A More Proactive Approach

It’s important to remember that predictive tools and techniques don’t replace other cybersecurity components. Organizations still need firewalls, endpoint protection, intrusion detection, web filtering and all the other necessary layers of security. Predictive analysis adds another layer and turns what has primarily been a passive discipline of building up defenses and waiting into a more proactive approach against cyber crime.

Predictive cybersecurity is at best a forecast, and as any other type of forecast, it’s not perfect. But as we refine data-collection methods and analytics tools, accuracy will improve. As a result, we will get better at predicting and stopping cyberattacks.