IARPA opens research into ‘cognitive vulnerabilities’ of cyber hackers

IARPA's program manager explains how she hopes the research agency can make "human factors" a weakness of cyber attackers, too.

In cybersecurity, it’s become a common trope to say humans are the “weakest link” in efforts to protect data and systems.

Many successful cyber exploits today are based on “social engineering,” where attackers get around firewalls and other network defenses by tricking people into clicking on a malicious link or handing over a piece of sensitive information.

The Intelligence Advanced Research Projects Agency is aiming to flip that paradigm on its head with the “Reimagining Security with Cyberpsychology-Informed Network Defenses” program, or “ReSCIND” for short.

“I believe that this human factor can also be leveraged against cyber attackers,” Kimberly Ferguson-Walter, the program manager for ReSCIND, said on Inside the IC. “This program will focus on just that — on flipping the tables to make the human factor the weakest link in cyber attacks.”

IARPA released a Broad Agency Announcement for the ReSCIND program earlier this month. Proposals are due May 26.

Ferguson-Walter said she hopes to kick off research with an initial batch of selected performers by the end of this year.

The 45-month, three-phase program will focus on “inducing or intensifying cognitive biases or other cognitive limitations to thwart cyber attackers,” according to the project’s technical description. The goal is to build what IARPA calls “Cyberpsychology-Informed Defenses.”

The initial 18-month phase of the project will focus on identifying cognitive biases applicable to cyber operators, Ferguson-Walter said. Humans display a range of cognitive vulnerabilities and limitations, such as altered decision-making when under stress or the classic decision-making concept known as the “sunk cost fallacy,” where people continue investing time and resources into an area that they should have abandoned.

“We’re interested in those concepts, but as far as they can result in reduced cyber attacker success and effectiveness,” Ferguson-Walter explained. “A lot of the psychology that’s been done for decades, it doesn’t necessarily abstract directly to the cyber domain.”

The IARPA program may be filling a crucial void in the area. Research into the specific cognitive biases of cyber attackers is nascent, and the field of “cyber psychology” has historically focused on other areas of cyberspace, like online dating, cyber bullying, and online gaming.

Ferguson-Walter said one of the main challenges has been a lack of collaborative research between cybersecurity experts and behavioral scientists.

“We’re really hoping to see that increase as part of this program,” she said.

Cyber deception technologies and techniques aimed at tricking hackers have advanced in recent years. A classic example is the “honeypot,” effectively a virtual decoy that appears to hackers to be a legitimate network target but is actually an isolated part of an information system where the attackers can be monitored and analyzed.
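As an added illustration of the decoy described above (example code written for this article, not from IARPA, the ReSCIND program, or any product it mentions): a minimal TCP decoy that presents a fake service banner on an otherwise unused port, captures what a connecting peer sends, and records each interaction as a structured alert. Because a decoy has no legitimate users, every connection is worth recording. The banner text, the port, the read timeout and the two-level severity rule are all assumptions chosen for this example.

```python
import socket
import threading
from datetime import datetime, timezone

# Assumption for this example: the decoy imitates an SSH service; the banner
# text and the port are illustrative, not values from the ReSCIND program.
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
DECOY_PORT = 2222
READ_TIMEOUT_SECONDS = 5
MAX_CAPTURE_BYTES = 1024


def printable_preview(payload, limit=32):
    """Render the first bytes of a payload safely for a log line.

    Non-printable bytes become '.', so control characters or binary junk
    sent by the peer cannot corrupt the alert record or a terminal.
    """
    text = payload[:limit].decode("latin-1")
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)


def summarize_interaction(peer, payload, when=None):
    """Turn one captured connection into a structured alert record.

    `peer` is the (ip, port) tuple reported by the socket, `payload` the bytes
    the peer sent after seeing the banner. The severity rule is an assumption
    for this example: a bare connect looks like a scan, while sending data
    means the peer actively engaged with the decoy.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "source_ip": peer[0],
        "source_port": peer[1],
        "timestamp": when.isoformat(),
        "bytes_received": len(payload),
        "preview": printable_preview(payload),
        "severity": "high" if payload else "medium",
    }


def handle_connection(conn, peer, sink):
    """Serve the fake banner, capture what the peer sends, hand off an alert.

    The decoy never acts on anything it receives; it only records.
    """
    payload = b""
    try:
        conn.settimeout(READ_TIMEOUT_SECONDS)
        conn.sendall(DECOY_BANNER)
        payload = conn.recv(MAX_CAPTURE_BYTES)
    except OSError:
        pass  # a peer that connects and then goes silent is still an event
    finally:
        conn.close()
    sink(summarize_interaction(peer, payload))


def serve_decoy(host="127.0.0.1", port=DECOY_PORT, sink=print, max_connections=None):
    """Listen on the decoy port and spawn one handler thread per connection.

    `max_connections` bounds the accept loop so the decoy can be run briefly.
    """
    served = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while max_connections is None or served < max_connections:
            conn, peer = srv.accept()
            threading.Thread(
                target=handle_connection, args=(conn, peer, sink), daemon=True
            ).start()
            served += 1


if __name__ == "__main__":
    # Run the decoy on loopback and print each alert record as it arrives.
    serve_decoy(sink=lambda record: print(record))
```

Running the block starts the decoy on 127.0.0.1:2222; a peer that connects and sends nothing produces a "medium" record, one that sends data after the banner produces a "high" record with a sanitized preview. The isolation the article stresses (the decoy living apart from production systems, with its alerts routed to monitoring) is a matter of host and network placement that this snippet leaves to the deployer.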

Ferguson-Walter said while honeypots and other cyber deception products are “good ideas,” they’re engineered as appendages to existing network defenses and not necessarily underpinned by behavioral science.

“The psychological theory and impact feels like more of an afterthought,” she said. “[ReSCIND] seeks to reverse this process, and first understand the foundational cyber psychology and then build the technology based on those findings.”

The second phase of the ReSCIND program will take the lessons learned from the initial research on attacker biases, and focus on how and when to take advantage of those cognitive vulnerabilities as part of a cyber defense program, Ferguson-Walter said.

The 15-month second phase will focus on developing defenses that “map to observed attacker attributes and measurably disrupt cyber attack behavior across the Cyber Kill Chain and increase the negative impact on attacker performance and success,” the technical description explains.

And the final 15-month phase is focused on the question of “how do you automate it?” Ferguson-Walter said. “How do you combine the different approaches? And how do we model that behavior that we’ve been measuring?”

The research will be fully unclassified, she said, and performers will have the opportunity to present their findings at conferences and in academic journals.

“There’s been a lack of research and understanding of that human aspect of cyber, both from the defender and attacker sides,” Ferguson-Walter said. “We’re hoping to provide a data set that will be open for people to do future research into cyber decision making.”

Copyright © 2024 Federal News Network. All rights reserved.