The Man in the Mirror™ System Uses Behavioral Analytics to Actively Defend Against Cyber Attacks
Existing cyber defense methods, including manual analysis, firewalls and anti-virus products, are reactive by design and must wait for attacks to occur before they can try to respond. Our adversary, the advanced persistent threat (APT),¹ actively leverages numerous tools, from covert information gathering agents to cyber attack platforms, against these defenses. Moreover, well-funded, military-style hacker communities are working around the clock to sabotage and steal from our most sensitive networks.
Defense industry assets, including network servers and employees, have been targeted by the APT for several years, and hard-to-detect, well-organized attacks often flourish unnoticed over long periods of time. To combat the APT's ever-changing and increasingly sophisticated attacks, a flexible, active defense must be developed that will stop the first instance of an emerging attack.
To answer this need, the Man in the Mirror (MiM) algorithms were conceived to provide both preemptive and real-time attack protection. MiM detects and deters malware packages by applying advanced behavioral analytics. Whereas firewalls try to defend the perimeter at network ports that must remain open, MiM adds another layer of protection by guarding the individual user "inside the walls." Figure 1 depicts how MiM integrates with existing security layers.
MiM achieves this protection by comparing user interaction with associated application and network activity for threat indicators, acting definitively in response. And, while a user must always stay vigilant in regard to security, an additional benefit of MiM's proactive defense strategy is that it relieves the user of much of the safety burden.
Figure 2 highlights a few of MiM's benefits.
- MiM is like having a computer emergency response team malware expert protecting every desktop, but at dramatically lowered costs.
- MiM's on-the-desktop protection responds to attacks immediately, significantly reducing the chances for data exfiltration.
- MiM's real-time detection capabilities offer continual protection against zero-day threats, minimizing the attack window available to malware.
MiM development focused on creating pragmatic behavioral methods that could be immediately tested and observed in functional prototypes. Subjecting MiM prototypes to real-world malware threats provided sink-or-swim tuning opportunities that inspired sophisticated detection and deterrence algorithms. These novel algorithms evaluate threats at their most observable points, using behavioral tells.² It is these tells that provide a streamlined approach which, without specific knowledge of particular threats, can successfully detect over 70 percent of real-world malware, regardless of how the threats are introduced to the system (whether USB, email or website). In fact, one of MiM's unique features is that it has no need for a threat database. Instead, behavioral algorithms use straightforward rules to determine threat likelihood in real time.
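As an added illustration of the kind of rule the two preceding paragraphs describe (comparing user interaction with a process's network activity, with no threat database), and not MiM's own code, which the page does not show: an outbound connection from a process the user has not recently interacted with is treated as a behavioral tell and raises that process's threat score. The event stream, process names, the 2-second window and the alert threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed endpoint event stream (not from the page): user-input events and
# outbound connections, each tagged with the process that produced them.
EVENTS = [
    {"t": 0.0,  "type": "user_input",  "proc": "outlook.exe"},
    {"t": 0.4,  "type": "net_connect", "proc": "outlook.exe", "dst": "mail.example.com:443"},
    {"t": 5.0,  "type": "user_input",  "proc": "chrome.exe"},
    {"t": 5.2,  "type": "net_connect", "proc": "chrome.exe", "dst": "www.example.org:443"},
    # Beaconing with no user interaction at all (constructed, hypothetical process name).
    {"t": 90.0, "type": "net_connect", "proc": "svchost32.exe", "dst": "203.0.113.7:8080"},
    {"t": 91.0, "type": "net_connect", "proc": "svchost32.exe", "dst": "203.0.113.7:8080"},
    {"t": 92.0, "type": "net_connect", "proc": "svchost32.exe", "dst": "203.0.113.7:8080"},
]

WINDOW = 2.0      # seconds of recent user interaction that "explains" a connection (assumed)
THRESHOLD = 3     # unexplained connections before the process is flagged (assumed)


def score_events(events, window=WINDOW):
    """Return {process: score}. Each outbound connection that is not preceded by
    user interaction with the same process within `window` seconds adds 1.
    This is the behavioral tell: network activity the user did not drive."""
    last_input = {}            # process -> time of the most recent user input
    score = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "user_input":
            last_input[ev["proc"]] = ev["t"]
        elif ev["type"] == "net_connect":
            recent = last_input.get(ev["proc"])
            if recent is None or ev["t"] - recent > window:
                score[ev["proc"]] += 1
    return dict(score)


def flag_processes(events, threshold=THRESHOLD):
    """Processes whose unexplained-connection score reaches the threshold; a
    responder would act on these (e.g. suspend the process and alert)."""
    return sorted(p for p, s in score_events(events).items() if s >= threshold)


if __name__ == "__main__":
    print("scores:", score_events(EVENTS))        # {'svchost32.exe': 3}
    print("flagged:", flag_processes(EVENTS))     # ['svchost32.exe']
```

Interactive processes whose connections closely follow a keystroke or click score nothing, so the rule needs no signature for the flagged process; tuning the window against real desktops is what keeps the false-positive rate acceptable.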
MiM, operating much like a computer security expert, reacts based on the context of the scenario.
MiM is currently undergoing productization to prepare it for deployment on networks running the Raytheon SureView™ infrastructure. SureView is a proactive, information-protection solution, monitoring behavior on computer endpoints for policy violations and high-risk activity. It was the use of SureView's extensibility and existing footprint that allowed the MiM team to focus on the development of core behavioral algorithms and rapidly deliver positive results. These benefits are summarized in Table 1.
MiM offers a comprehensive, active defense solution against both today's battles and tomorrow's threats.
¹ A group, such as a foreign nation-state government, with both the capability and the intent to persistently and effectively target a specific entity.
² A tell, as applied to MiM, is a subtle but detectable trait that reveals intent.