John Lowry
Rico Valdez
Brad Wood

Abstract

Observables of malicious behavior in the cyber realm are derived from intuition or from analysis of previous (a posteriori) events. This creates an untenable situation in which cyber defenders are unprepared for novel attacks or malicious behaviors, particularly those expected to be used by sophisticated adversaries. Development of a complete theory of observables, with a particular focus on the development of a priori observables, is critical to defending against computer network attack and computer network exploitation. Monitoring of a priori observables will greatly assist in the areas of indications and warnings and of attack sensing and warning. Forensic development and analysis of a priori observables is critical to determining the type of adversary, the adversary's mission, and ultimately attribution.