How cyberpsychology is shaping the future of cyber defense

Most cybersecurity approaches involve analyzing tools and methods and fortifying existing defenses. While these techniques have their merits, they ignore the potential to use the attacker’s own psychology against them. Charles River Analytics proved the effectiveness of this route through a $6.1 million contract from the Intelligence Advanced Research Projects Activity (IARPA) as part of IARPA’s ReSCIND program.

The Context-driven Interventions through Reasoning about Cyberpsychology Exploitation (CIRCE) tool from Charles River Analytics demonstrated that it could successfully thwart cyberattackers by exploiting biases in perception and decision. Charles River—with teammates Arizona State University (ASU), Montana State University (MSU), Assured Information Security (AIS), Narf Industries, and SimSpace Corporation—conducted five studies, each rooted in various psychological aspects of cyberattack performance.

“In each of these studies, we showed an ability to effectively discern people who are susceptible to cognitive biases and heuristics, and to manipulate attacker behavior and performance by exploiting those cognitive vulnerabilities,” said Sean Guarino, Principal Scientist and Principal Investigator on CIRCE. Charles River’s strong experimental design gave them confidence in their results and in the validity of the cyberpsychological approach. “We were able to frame cognitive vulnerabilities in a cyberattack context and show that attackers could be manipulated,” added Spencer Lynn, PhD, Senior Scientist and Modeling Lead on CIRCE.

The most effective studies focused on loss aversion bias and representativeness heuristics. The principle behind loss aversion is that people are more averse to loss than they are receptive to an equivalent gain. The strategy for using loss aversion as a cyber defense exploits a situation where the attacker has made some initial gains. “We can then threaten those gains, so the attacker works hard to protect what they already have at the cost of further progress in the attack,” Guarino said.

The second study used a representativeness heuristic to shape attacker behavior. In representativeness, people follow rules of thumb (heuristics) or prior assumptions without considering related information. For example, if the cyberattacker assumes that out-of-date or unpatched devices are soft targets, they would attack these first. The CIRCE study intentionally configured network devices to mimic outdated systems, luring attackers toward them and away from valuable assets.

Charles River additionally conducted studies on confirmation bias, anchoring bias, and asymmetric dominance, each of which showed some capability to reduce attack success.

Especially noteworthy about the Charles River approach was that their studies were conducted with expert attackers on realistic networks. “An additional advantage is that the results are generalizable,” Lynn said. “For example, the confirmation bias process could be applied to different parts of the attack; it didn’t just work for one specific example. In addition, the specifics of each attack closely follow the well-established MITRE ATT&CK® cyberattack framework, which means CIRCE is defending against known cyber kill chains.”

Charles River also created a playbook at the conclusion of the CIRCE effort, which explains how to deploy and generalize these cyber defenses. “The playbook allows defenders to learn about these cyberpsychological defenses through examples and sort out the details about what they might need to implement them,” Lynn said.

Results from CIRCE will also inform Charles River’s presentation at I/ITSEC, the leading modeling, simulation, and training conference for defense and security professionals. The presentation and paper, “Challenges and Solutions in Using Virtual Testbeds to Study Hacker Cognitive Constraints,” describe how to use cyber testbeds, commonly used for training, as powerful environments for studying behavior and cognition in cybersecurity contexts.

“The premise of deterring breaches through cyberpsychology could also apply to AI-driven attacks,” Guarino said. “While AI and humans might not share the same set of biases, the ones that AI might be partial to are becoming increasingly common knowledge. Once you learn about them, you can build cyber defenses that are designed specifically to take advantage of these biases and mislead the AI.”

Building on a highly successful first effort that laid the groundwork for a cyberpsychology-driven cybersecurity approach, the Charles River team is now seeking opportunities to transition the effort into a larger-scale program. “This could be groundbreaking in improving cyber defense,” Guarino said. “We have evidence that a cyberpsychology approach can work in cyber defense and we have the building blocks in place—now it’s time to build out the full solution.”


This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via N66001‑24‑C‑4501. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.
