DARPA tries to know when to hold 'em
New tools for detecting insider threats could take a lesson from poker players
The Defense Advanced Research Projects Agency wants to make it harder for spies or informers inside an organization to leak data to the outside world. The goal of the Cyber Insider Threat (CINDER) program is to develop new technologies and techniques for detecting such insider activity while it is under way in government and military networks.
In the wake of recent data breaches, such as the WikiLeaks incident, the Defense Department has become very concerned about keeping its operational information within its firewalls. DARPA’s broad agency announcement for the CINDER program asks potential applicants to design solutions with the assumption that “most systems and networks have already been compromised by various types and classes of adversaries.”
The announcement notes that what sets insider threats apart from other types of attacks is the use of normal, day-to-day activities to collect data. To detect insiders, DARPA is asking interested organizations to develop algorithms that can spot "tells" — a term derived from poker that describes a tic or trait that a player unknowingly displays when bluffing. For example, a keen-eyed poker player might notice that a particular opponent always taps his finger on his knee when playing a poor hand. The next time he does it, that "tell" signals that he's holding a weak hand and trying to bluff. On the other hand, if he's betting aggressively and not tapping his knee, it probably means he's confident that he's got some strong cards.
The algorithms would look for signs that an employee or service member might be gathering data in an unauthorized manner.
CINDER does not focus on intrusion detection but on normal, everyday activities within government firewalls to expose hidden operations and systems. According to DARPA, CINDER is a three-phase program. The announcement covers Phase I and seeks to establish a fundamental understanding of different types of adversary missions and the techniques and approaches for identifying them as part of an insider threat. Phase II will create a system able to detect multiple enemy missions within a network, and Phase III will scale Phase II to a real-world network environment.
Because alerting on individual activities can generate a torrent of false positives, the announcement asks organizations to develop systems that identify specific types of cyber missions and the tells an agent would exhibit while gathering data and moving it out of the network.
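As an added illustration of that false-positive point (this is not code from the announcement or from DARPA), the script below compares alerting on every isolated "tell" with alerting only when one user completes an ordered chain of tells inside a time window. The audit events, the three-step chain and the 60-minute window are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample audit events: (user, minute_of_day, action).
# The action vocabulary is an assumption made for this illustration.
EVENTS = [
    ("alice", 10, "bulk_read"), ("alice", 12, "archive"), ("alice", 40, "removable_media_write"),
    ("bob", 11, "bulk_read"), ("bob", 15, "bulk_read"),          # normal heavy reader
    ("carol", 20, "archive"),                                     # normal backup habit
    ("dave", 30, "removable_media_write"),                        # normal media use
    ("eve", 0, "bulk_read"), ("eve", 5, "archive"), ("eve", 100, "removable_media_write"),
]

# Hypothetical mission model: the tells must occur in this order, and the
# whole chain must complete within WINDOW_MINUTES of its first step.
MISSION = ("bulk_read", "archive", "removable_media_write")
WINDOW_MINUTES = 60


def per_event_alerts(events, mission=MISSION):
    """Noisy baseline: flag every user who performs any single tell."""
    return sorted({user for user, _, action in events if action in mission})


def mission_alerts(events, mission=MISSION, window=WINDOW_MINUTES):
    """Flag only users who complete the ordered chain inside the window."""
    by_user = defaultdict(list)
    for user, minute, action in events:
        by_user[user].append((minute, action))
    flagged = []
    for user, evs in by_user.items():
        evs.sort()                      # order by time before matching stages
        stage, start = 0, None
        for minute, action in evs:
            if stage > 0 and minute - start > window:
                stage, start = 0, None  # chain went stale; start matching again
            if action == mission[stage]:
                if stage == 0:
                    start = minute
                stage += 1
                if stage == len(mission):
                    flagged.append(user)
                    break
    return sorted(flagged)


if __name__ == "__main__":
    print("per-event alerts:", per_event_alerts(EVENTS))
    print("mission alerts:  ", mission_alerts(EVENTS))
```

Eve performs all three tells but the last one falls outside the window, so the chain-based detector stays quiet for her as well as for the three users whose single actions are routine.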