Unless, that is, the OIT team decides instead to lure attackers over the threshold and observe their behavior once they’re inside. “We learn about what they do, what kinds of attacks they use and what IP they report back to, which allows us to develop more elaborate defenses,” said STINGAR investigator John Board, a professor of electrical and computer engineering and Duke University’s associate chief information officer, a role he holds within OIT. Board says that these intruders can be anyone—from individuals who purchase hacker toolkits on the dark web, to nation-states interested in Duke’s research.
In 2017, a group of five OIT leaders, including Duke’s Chief Information Officer Tracy Futhey as well as Board, conceived of STINGAR following conversations with other universities about perceived weaknesses in their existing commercial cybersecurity tools. Later that year, a particularly aggressive malware campaign showed Duke’s existing commercial security tools blocking around 50 million malicious connection attempts every day; upon switching to the first STINGAR prototype, Duke’s security team increased its blocking capabilities to around 2 billion blocked connections per day. But STINGAR wasn’t developed solely for Duke. From the beginning, it was developed as a shared threat intelligence service, and is now deployed across a consortium of more than 30 schools, ranging from small minority-serving institutions and liberal arts colleges to major research universities.
Some consortium members, like Duke, have a highly capable team of dedicated security personnel, but others have none; a condition of Board’s NSF grant is that STINGAR is developed to be a deployable resource that even the most sparsely resourced institutions can benefit from.
“From Day One our goal was to make STINGAR so easy to use that institutions that have literally zero security personnel can use it. We make assumptions about what is ‘easy,’ but our partnering schools have worked with us to make sure the products actually are easy to roll out,” said Board.
Duke is now exploring options to allow the STINGAR consortium to thrive and grow beyond its current 30 member schools when the initial grant funding winds down. Testing to date has validated the expectation that as each additional school joins the group, the defenses of all schools in the program grow stronger.
The confluence of IT and faculty research at Duke is unusual, and not limited to STINGAR or even cybersecurity. “Duke is a very special place because our faculty researchers truly welcome and support collaboration with OIT’s network and system operators,” said Futhey. “At any given time, we probably have 8-10 personnel from OIT who are being partially funded by grants led by Duke faculty.”