Phishing emails use social engineering to exploit human vulnerabilities and execute large-scale attacks through a single weak link. Researchers at Charles River Analytics are turning the tables, using similar principles against attackers.
Most cybersecurity methods involve analyzing attackers' tools and techniques and fortifying existing defenses. While these techniques have their merits, they fail to account for perhaps the weakest link in the equation: the constraints on the human adversary.
To address this shortcoming, Charles River Analytics is developing a multi-faceted approach that focuses on human behavior. The tool, Context-driven Interventions through Reasoning about Cyberpsychology Exploitation (CIRCE), is being fueled by a contract from the Intelligence Advanced Research Projects Activity (IARPA). The project is part of IARPA’s ReSCIND program, which aims to develop a new set of cyberpsychology-informed defenses that “leverage attacker’s human limitations, such as innate decision-making biases and cognitive vulnerabilities.”
Today, cyber defenses try to understand what kinds of tools adversaries are using. Considerable effort is spent assessing whether an adversary is on a network and, if so, how they got on. But there’s very little work focused on exploiting the human executing the attack.
“Focusing on exploiting human vulnerabilities makes sense,” says Sean Guarino, Principal Scientist at Charles River Analytics and Principal Investigator on CIRCE. “Although we live in a time where cyber offense technologies evolve at lightning speed, humans have cognitive constraints that are difficult to overcome. Therefore, defenses that target the human attackers remain relevant for longer periods of time,” Guarino says.
CIRCE relies on the principle of oppositional human factors (OHF), which pinpoints the constraints that attackers face while executing their jobs and then deliberately makes those constraints worse. The theory is that by degrading the attacker's experience, you frustrate them into abandoning the job. Dr. Spencer Lynn, Senior Scientist at Charles River and Modeling Lead on CIRCE, explains: “When an attacker lands on a network, they have many choices available. We want to be able to steer those choices unbeknownst to them, so that they’re wasting time on the attack.”
Part of the strategy involves misleading human attackers to believe something about the attack surface or defenses that’s not true. For example, if the name of an entry port signals administrative authority, attackers might target it selectively to gain network access, and once they do so, their behavior can be steered in specific ways.
CIRCE is in Phase 1 of the research, which explores the possibilities of such OHF-driven manipulation. This phase focuses on characterizing and experimentally validating attacker cognitive vulnerabilities.
If the approach works, “there is a strong commercialization opportunity to develop these into tools that can be inserted into a wide range of different defensive environments,” Guarino says.
CIRCE is a psychology-based method that holds plenty of promise, Guarino says. “Keeping up with technology can be a losing battle because cyber threats move so fast. The human in the attack is the most exploitable point in the attack chain. If we can define good ways to exploit human vulnerabilities, these methods will provide much more effective cyber defense for the long term,” he adds.
This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via N66001‑24‑C‑4501. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.