The U.S. military is looking for new ways to identify malicious insiders and stop them from operating from within government and military networks, which it assumes have already been compromised.
The Defense Advanced Research Projects Agency this week issued a call for proposals for a new Cyber Insider Threat (CINDER) Program. The goal of the program is to “greatly increase the accuracy, rate and speed with which insider threats are detected.”
The actions of malicious insiders have become an urgent issue for the U.S. military, which has been the victim of a number of high-profile security breaches in the last decade, and of untold numbers of unreported or undetected incidents.
While incidents of cyber espionage, such as Titan Rain and the so-called Aurora attacks from late 2009 are common, so are compromises due to rogue insiders with legitimate access to sensitive information.
Leaks of classified documents to the website WikiLeaks, allegedly by service member Bradley Manning, are just the most high-profile and recent example of the dangers posed by rogue or malicious insiders. Earlier this month, a federal grand jury convicted a former B-2 bomber engineer of selling cruise missile designs to China. The engineer, Noshir Gowadia, it is alleged, used the money to help pay the mortgage on an elaborate home he built in Maui, Hawaii.
DARPA’s CINDER program seeks to spot bad actors such as Gowadia who “operate from within our networks and easily evade existing security measures.”
In what might be considered a frank assessment of the state of current security within military and government networks, the CINDER program starts with the premise that “most systems and networks have already been compromised by various types and classes of adversaries,” and that “these adversaries are already engaged in what appear to be legitimate activities, while actually supporting adversary missions.”
In its initial phase, CINDER will seek to identify the kinds of “adversary missions and observables” at work on government and military networks and the techniques adversaries are using. In Phase II, that information will be used to create a system that can identify multiple missions that might be ongoing. In Phase III, that system will be deployed in a way that scales to meet the government’s needs.
A number of different “attack” scenarios are proposed that effective detection systems would have to be able to spot, including identification and crawling of sensitive data repositories, retrieving documents of interest and exfiltrating sensitive information electronically or physically – all while taking steps to avoid detection.
The program is addressing a critical need facing both commercial and government entities, said Amit Yoran, CEO of NetWitness, and a former Director of the National Cyber Security Division within the Department of Homeland Security.
“Broadly speaking, the security vendor community has focused almost exclusively on solvable problems,” said Yoran, whose firm sells technology that can help spot malicious insiders. “But there are a set of problems that are much more challenging, including insider threats. This is just a fantastic, gaping hole in the IT security world.”