
DARPA in pursuit of insider threats

Just as constantly looking over your shoulder might betray nefarious intent, the Defense Advanced Research Projects Agency says certain system and network activities could indicate the presence of an insider threat.

Insiders granted legitimate access to sensitive networks are notoriously difficult to catch--witness the saga of Bradley Manning, the Army intelligence analyst who allegedly sent a large cache of documents to Wikileaks after downloading them onto a CD labeled "Lady Gaga." As a DARPA broad agency announcement for a new program to detect insiders through their behavior notes, insider threats to date have largely been identified only through perpetrators' incompetence or by accident.

The DARPA program is Cyber Insider Threat, which the agency, through the miracle of selective acronym selection, dubs CINDER. At its head is Peiter Zatko, aka Mudge, a former hacker hired by DARPA earlier this year. CINDER will fund insider detection capabilities in three phases, starting with identifying the types of "missions" an insider might undertake and techniques to identify them.

For example, a malicious insider might take an unusual interest in log files, make frequent queries of who is logged into a particular system, or might repeat non-standard queries to databases, the announcement states. But the goal of CINDER isn't to identify inside actors per se, since a system that examined isolated activities would run the risk of being inundated with false positives. What's needed is a context--hence, identification of insider threat missions that might be performed by an individual or a group of people, the announcement states.
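As an added illustration of the announcement's point (this is not DARPA's or the article's code), the following Python scores constructed audit records per user: each of the three indicators named above fires on its own, but a user is only flagged when several distinct indicator types co-occur, so a lone signal such as a sysadmin reading logs stays below the threshold. The indicator names, record format, thresholds and sample records are all assumptions.

```python
"""Correlating isolated indicators into a mission-level score.
Constructed example; the record format and thresholds are assumptions."""
from collections import defaultdict

# Constructed audit records: (user, event_type, detail)
AUDIT = [
    ("alice", "file_read", "/var/log/auth.log"),
    ("alice", "file_read", "/var/log/secure"),
    ("alice", "cmd", "who"),
    ("alice", "cmd", "who"),
    ("alice", "cmd", "w"),
    ("alice", "db_query", "SELECT * FROM hr.salaries WHERE 1=1"),
    ("alice", "db_query", "SELECT * FROM hr.salaries WHERE 1=1"),
    ("bob", "file_read", "/var/log/syslog"),   # sysadmin: one indicator type only
    ("bob", "file_read", "/var/log/kern.log"),
    ("carol", "db_query", "SELECT name FROM customers WHERE id = ?"),
]

LOG_DIRS = ("/var/log/",)          # assumed location of "log files"
WHO_CMDS = {"who", "w", "last"}    # assumed "who is logged in" queries

def indicators(records):
    """Per user, count how often each indicator type fires.
    Returns {user: {indicator_name: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    seen_queries = defaultdict(set)
    for user, kind, detail in records:
        if kind == "file_read" and detail.startswith(LOG_DIRS):
            hits[user]["log_interest"] += 1
        elif kind == "cmd" and detail in WHO_CMDS:
            hits[user]["who_queries"] += 1
        elif kind == "db_query":
            # "Repeated non-standard query": unparameterised text the same
            # user has already issued once before.
            if "?" not in detail and detail in seen_queries[user]:
                hits[user]["repeated_nonstandard_query"] += 1
            seen_queries[user].add(detail)
    return hits

def mission_score(user_hits, min_types=2):
    """Treat activity as a possible mission only when several distinct
    indicator types co-occur; a single indicator type scores zero."""
    types = [name for name, count in user_hits.items() if count > 0]
    return len(types) if len(types) >= min_types else 0

def flag_users(records, min_types=2):
    """Users whose combined indicators reach the mission threshold."""
    hits = indicators(records)
    return sorted(u for u, h in hits.items() if mission_score(h, min_types) > 0)
```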

One such mission could "remain persistent within an environment and continuously identify and exfiltrate actionable intelligence as it is discovered."

Previous attempts to model the behavior of legitimate users have been problematic, the announcement says.

Later phases will use the Phase I results to build a system capable of identifying multiple insider threat missions and demonstrate it "at scale on real world environments," the announcement states.

For more:
- see the FBO webpage for the DARPA CINDER broad agency announcement or directly download the BAA (.docx)
