Cyber-Investigation In The Blink Of An Eye
by Daniel Gaffney, Defense Threat Reduction Agency
February 19, 2021
The cybersecurity experts at the Defense Threat Reduction Agency (DTRA) are on the cusp of implementing a new system, called Bird Dog, that has the potential to greatly enhance the cybersecurity defenses of not just the agency, but the DoD community as a whole.
“We generate about 3.5 terabytes of data every day; that’s 3.5 million gigabytes, or approximately 250 million pages of data, every single day,” said Jason Phillips, chief of DTRA’s Cybersecurity Department. “It is a daunting task trying to figure out what data requires immediate attention in order to determine whether a compromise has occurred. Without a significant infusion of resources (money and qualified subject matter experts), we simply can’t look at everything. We need to prioritize our limited resources to focus our efforts and attention on the events that really need to be inspected or analyzed.”
Capt. Sarah Miller and Tech. Sgt. Carrol Brewster, 834th Cyber Operations Squadron, discuss options in response to a staged cyber attack during filming of a scene for an Air Force Reserve Command mission video at Joint Base San Antonio-Lackland, Texas, on June 1, 2019. (U.S. Air Force photo by Maj. Christopher Vasquez)
Using artificial intelligence (AI) and machine learning (ML), Bird Dog might be able to do the most time-consuming part of a cyber-investigation in the blink of an eye.
DTRA is one of about two dozen Cyber Security Service Providers (CSSP) across the DoD. That means the agency provides its own multi-layered cyber defense, and is certified and accredited to protect its portion of the DoD network, other 4th Estate components, and cleared defense contractors that require access to DoD networks. The current practice is to use a layered defense that filters out most of the cyber events that don’t require a human analyst to investigate. However, the human analysts still have a mountain of data to look at as they monitor our networks.
“It’s like panning for gold – once we can move the big rocks out of the way, we can start sifting the dust,” said Phillips. “But out of about 1.5 million events generated every day, we still have 20-30 thousand events that we actually need to investigate, which requires a human analyst to review and determine what has or is occurring. To do this, analysts follow a systematic approach of identifying the who, what, and when of a cyber-event by performing queries. These queries can range from 50 – 150 questions depending on the specific event being investigated, and the ensuing results can cause things to get very complicated very quickly.”
The Bird Dog system, which DTRA is now working with the DoD’s Joint Artificial Intelligence Center (JAIC) to bring online, should be able to start the investigation before the events are sent to the analysts. By using AI and ML to teach our systems what to look for, what to ignore, what connections to make and when to ask more questions, Bird Dog could take what would normally be about three hours of human analyst work and return the answers in less than a minute.
“This problem isn’t unique to DTRA,” said Chris Paulson, DTRA’s CSSP Team lead. “It’s the same problem not just in the DoD, or the U.S. government, but even across the private sector – how much can we afford, and what level of protection is reasonable?” But Bird Dog isn’t meant to save money or replace human analysts – it makes them more efficient. “From the technical standpoint, we’re maximizing the ROI (return on investment) of our human analysts… they’ll spend much less time trying to figure out IF there is a problem that needs to be investigated (and then fixed, blocked, contained, or shared with other networks), and more time investigating events that may not have been previously seen.”
While the Bird Dog idea was first discussed several years ago, the DTRA IT team started the in-house work back in 2019, and joined up with the JAIC in the fall of 2019. The incredibly difficult task of getting a machine to not only think for itself – artificial intelligence – but to LEARN how to think for itself – machine learning – was slowed down a bit by COVID, but the team is close and eager to begin its initial piloting of the hardware and software. Similar to driving a future car prototype for the very first time, the team has both great, and realistic, expectations and knows a lot of work remains ahead.
“I’m extremely proud of this team and their foresight into solving a big data problem,” said DTRA IT Director and Chief Information Officer, Mario G. Vizcarra. “Physical attacks on DoD assets or military bases are relatively uncommon, but cyber-incidents happen around the clock. In 2020 we saw just how damaging a cyber-attack or infiltration can be, and why we need something like Bird Dog to augment the existing protections for our networks and information. We are far from declaring success, but working closely with DoD’s JAIC, we were able to rapidly transform ideas and creativity to an actual AI solution for an important cyber security issue that looks very promising for DTRA and DoD.”
“If Bird Dog can learn what it needs to do (and do it accurately), it might be able to do part of an investigation thousands of times faster than we can,” said Phillips. “But we have to teach it first.”
The Defense Threat Reduction Agency enables the Department of Defense, the United States Government and International partners to counter and deter weapons of mass destruction and improvised threat networks.