The Georgia Tech Research Institute has developed a new open source intelligence-gathering system aimed at helping organizations detect a cyber attack before it happens.
Called BlackForest, the system looks at a variety of factors, including the coordination of distributed denial-of-service attacks, the display of new malware code and advice about network break-ins, to provide cybersecurity professionals with advance warning.
“BlackForest is on the cutting edge of anticipating attacks that may be coming,” said Christopher Smoak, a research scientist in GTRI’s Emerging Threats and Countermeasures Division, in a statement. “We gather and connect information collected from a variety of sources to draw conclusions on how people are interacting. This can drive development of a threat picture that may provide pre-attack information to organizations that may not even know they are being targeted.”
The system collects information from the public Internet, including hacker forums and other sites where malware authors and others gather.
Connecting the information and relating it to past activities can let organizations know they are being targeted and help them understand the nature of the threat, allowing them to prepare for specific types of attacks. Once attacks have taken place, BlackForest can help organizations identify the source and mechanism so they can beef up their security.
These attacks also tend to come from more than one person. BlackForest is able to pick up communications, most notably through social media, to find people looking for help.
BlackForest can tap into that information to provide a warning that may allow an organization to, for example, ramp up its ability to handle large volumes of traffic.
“We want to provide something that is predictive for organizations,” said Ryan Spanier, head of GTRI’s Threat Intelligence Branch. “They will know that if they see certain things happening, they may need to take action to protect their networks.”
By automating much of the work involved in gathering and monitoring information, BlackForest can allow human resources to be used for more challenging information security activities.
“Our goal is to have tools that will help focus the resources so that the most valuable resources are used for the more difficult issues,” Smoak said. “Right now, we tend to find all kinds of security fires the same. This will help us focus on the most important threats.”