Discovering the SoURCE of Cyber-Attacks

November 20, 2023

Cyber-attacks on individuals or organizations can be devastating. They may result in the loss of private personal information, the theft of proprietary company or financial data, and/or the release of organizational secrets.

The number and scope of cyber-attacks have increased exponentially over the years. For example, according to one study, there were 38 percent more cyber-attacks in 2022 than in 2021¹, with each data breach costing critical infrastructure organizations—e.g. financial services, energy, transportation—millions of dollars to rectify.

As cyber-attacks grow and become more sophisticated, efforts to staunch data cyber-bleeding, as it were, have become equally urgent for both the private and government sectors.

For the Intelligence Community (IC), the need to prevent cyber-attacks and identify cyber-attackers is critical, as the loss of sensitive or classified information can have devastating or even life-threatening consequences.

This is why the Intelligence Advanced Research Projects Activity (IARPA) is working on a solution with its latest program, Securing Our Underlying Resources in Cyber Environments, or SoURCE CODE. The SoURCE CODE program seeks to provide novel technologies to assist forensic experts in making determinations of the most likely attackers, based on coding styles in both source code and binary executables.

The program will explore binary executables and source code files to measure the similarity between files and provide forensic experts with information on an attacker’s likely origins (country, groups, individuals, etc.). This capability will help automatically match similar binaries from known samples, allowing analysts to more rapidly attribute malicious attacks.

IARPA envisions the technology playing an integral part in cyber-defense postures of both the commercial threat intelligence space and within the IC, according to SoURCE CODE Program Manager, Dr. Kris Reese.

“Once fully developed, SoURCE CODE will be a vital supporting tool for forensic experts in both commercial and governmental positions,” Dr. Reese said. “As a result, SoURCE CODE will make it more difficult for cyber-criminals to operate without detection and remain anonymous.”

The SoURCE CODE program is anticipated to be a 30-month effort consisting of two phases. Phase one will be 18 months in duration and phase two will last 12 months.

Phase one’s goal is to develop new methods to identify cyber-attackers by conducting foundational research on different approaches, theories, and concepts to establish the building blocks of the performers’ SoURCE CODE systems. During phase two, performers will seek to extend the capabilities developed in phase one and work across both the source code forensics and binary forensics domains. Program phases are designed to test performer systems against increasingly challenging scenarios.

SoURCE CODE performers, although not yet selected, will be expected to have a deep background in computer science, data science, and cyber-forensics research. Testing and evaluation of the performers’ systems will be conducted by IARPA’s partners at Sandia National Laboratory, Lawrence Livermore National Laboratory, and the Software Engineering Institute.

“This is of course a challenging field of study, and attribution of attacks goes beyond simply similarity matching—into domains AI may have difficulty understanding,” Dr. Reese said. “However, the potential for SoURCE CODE to improve forensic capabilities will contribute to a better understanding of cyber-attack origins and advance the IC’s mission.”


¹ Check Point Research Reports a 38% Increase in 2022 Global Cyberattacks - Check Point Blog
