Poker Face: Stopping the Insider JobDefense Agency Seeks Help in Ridding the Insider Threat
It's part of a program called CINDER - Cyber Insider Threat - and the Defense Advanced Research Projects Agency's strategic technology office is soliciting from outsiders novel techniques to insider-threat detection that would greatly increase the accuracy, rate and speed of detection and that impede the ability of adversaries to operate within government and military interest networks.
"Insider threats, it's not just in the cyber area," Defense Deputy Secretary William Lynn III says. "I mean, you're always worried about insider threats in terms of either espionage or compromising capabilities, and cyber is no different."
In the request for solutions, DARPA characterizes insiders as dangers to military networks because they can easily evade existing security measures. "Insiders do not attack - instead they use legitimate accesses in support of their operations," DARPA says in its CINDER solicitation. "Traditional defenses operate under the assumption that existing systems and networks are currently uncompromised. These defenses model normal behavior and look for deviations or look for outsider activities on internal systems in a perimeter centric defensive approach.
"Modeling the actions of legitimate users to watch for changes in their behavior over time has proven problematic and identifying system and network events endemic of attacks does not account for insider threats comprised of legitimate activities. Thus, traditionally both physical and virtual insider threats have been largely identified due only to incompetence on the part of the perpetrator or by accident."
That's where the tell comes in. DARPA seeks to improve the way to detect hints that could reveal the true nature or intent of an observable activity. As in poker's tell, the solicitation says, "similarly, an employee who is seen always looking over their shoulders to see if they are being monitored while they perform a particular allowable activity may be tipping their hat to the true nature behind their activity."
But DARPA's solicitation goes well beyond card-game ruses. Phase I of CINDER - which is what's being solicited - is aimed at establishing a fundamental understanding of various adversary missions and observables as well as the techniques and approaches to identify them as part of an insider threat. Phase II will develop a system utilizing information culled from Phase I to create a system that is capable of identifying multiple missions. Phase III will demonstrate the Phase II system at scale in the real world.
It's not just the military who should be concerned about insider threats. According to research released last month by Verizon Business and the Secret Service, nearly half the breach investigations conducted involved insiders.
"On the insiders who committed these malicious, deliberate types of attacks against their employers, many of them had kind of a bad history; not necessarily of deliberate malicious attacks, but sort of minor policy violations and just had shown evidence that they didn't really want to cooperate, and they would break policy and do other things like that in their past," Wade Baker, director of risk intelligence for Verizon Business and coauthor of the 2010 Verizon Business Data Breach Investigations Report, says in an interview with Information Security Media Group.
Eric Cole, author on several IT security books including entitled Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft, says in another interview with ISMG that half of the losses organizations experience from cyber incidents come from insiders. Still, he says, less than 20 percent of IT security spending goes to protecting systems and data from insiders. "Organizations think that if they put up preventive measures and firewalls that is going to deal with the insider, when in reality the insider is using simple tools, like web browsers, e-mail clients and others, to be able to go in and cause harm to the organization," he says.
Cole, though not addressing CINDER, suggests actions similar to DARPA's are heading in the right direction. "What we need to start moving toward is more adaptive or predictive technology that is focused on behavioral patterns," he says. "Better understanding what is the behavior of a good legitimate user and what is the behavior of somebody who is going to do harm in a specific environment."
According to DARPA, the key elements of Phase I are:
- Identify types of missions and adversaries that may be assumed to be underway;
- Determine various dimensions of actions and activities required by the mission;
- Determine observables, constraints and 'tells' within these dimensions;
- Understand interrelationships of dimensions within a mission; and
- Demonstrate the ability to identify cyber insider missions.