While security has been ramped up at the networks and computers of government agencies, little has been done about the threat that is hardest to stop at the perimeter: leaks from within. The Defense Advanced Research Projects Agency (DARPA) is hoping to change that.
DARPA has taken two steps recently to stem the threat of internal leaks. Last August, DARPA created the Cyber Insider Threat (CINDER) project, calling for proposals to create systems that detect attackers who have already compromised a network. Two months later, DARPA launched the Anomaly Detection at Multiple Scales (ADAMS) project to help detect insiders just before or after they compromise security.
Last December, the military banned the use of removable drives after thousands of classified military documents were leaked to WikiLeaks. That was only a stopgap, however. Employees can be unintentional threats as well: major data breaches have followed attackers tricking employees into downloading malicious software inside an organization's firewall, where it runs with the employee's own access.
"If I’m trying to get information out of my company, I’m probably going to start at the simplest level and work my way up—I would try to e-mail it to myself, I would try to post it to a website, or upload the file to a peer-to-peer network," said Daniel Guido, a consultant with iSec Partners. "They are going to approach exfiltrating information outside the company in a very particular way, and if you think like they do, you will be much more effective" as a defender.
Under the proposed ADAMS project, an alert would be sent to managers when an employee is acting “off profile”, that is, deviating from a baseline of that person's normal activity. Such a system would most likely have flagged Bradley Manning, the U.S. intelligence analyst who allegedly leaked diplomatic cables, after he pulled thousands of cables from his computer in a short span. The catch for any such system is the quality of the baseline: an analyst whose job involves occasional bulk retrieval will trip a naive volume threshold, so the alert has to go to a human who can weigh it.
The CINDER project, by contrast, looks at system-level activity for the footprint of internal attacks carried out by malware, Trojans and other malicious programs already running inside the network.
"CINDER will attempt to address some of the flaws in current detection systems by modeling the adversary mission—not by attempting to monitor a person or their particular traits—and by beginning with the assumption that a given system has already been compromised," said Peiter Zatko, the DARPA program manager in charge of CINDER, when the project was announced.
Vendors are beginning to sell security products that include features to detect insider attacks. Firewalls and other security systems are often fortified with software that scans outbound traffic for encrypted e-mail, since encryption is a simple way to hide what is leaving. Some organizations also deploy decoy files that no employee has a legitimate reason to open, and that alert managers the moment anyone touches them.
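To make the two detection ideas in this article concrete, here is an added Python sketch that is not code from DARPA, ADAMS, CINDER or any vendor product mentioned above. It runs over constructed file-access log lines and raises two kinds of alert: the ADAMS-style “off profile” alert, where a user reads far more distinct documents in a day than their own history predicts, and the decoy-file alert, where any access to a planted file is reported regardless of volume. The log format, the user names, the paths and the decoy file names are all assumptions made up for the example.

```python
"""Toy insider-detection pass over constructed file-access log lines.

Two checks: (1) "off profile" activity, here a user reading far more distinct
documents in a day than their own history predicts, and (2) any access to
decoy files that no legitimate user should ever open. Every user name, path
and log line below is constructed for this example (not real data).
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> user=<name> action=<verb> path=<file>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)

# Hypothetical decoy files: nobody has a business reason to open these.
DECOY_PATHS = {
    "/share/finance/board_minutes_DRAFT.docx",
    "/share/hr/salaries_2011.xlsx",
}


def parse(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["day"] = event["ts"][:10]  # YYYY-MM-DD
    return event


def daily_counts(events):
    """{user: {day: number of distinct documents read}}."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "read":
            seen[(e["user"], e["day"])].add(e["path"])
    counts = defaultdict(dict)
    for (user, day), paths in seen.items():
        counts[user][day] = len(paths)
    return counts


def build_baseline(training_events):
    """Per-user (mean, population std dev) of distinct documents read per day."""
    return {user: (mean(days.values()), pstdev(days.values()))
            for user, days in daily_counts(training_events).items()}


def off_profile(baseline, events, k=3.0, floor=10.0):
    """Days on which a user reads more than mean + k*stdev of *their own*
    baseline. `floor` stops a near-zero baseline from alerting on a handful
    of reads; a user with no history at all is compared against `floor`."""
    alerts = []
    for user, days in daily_counts(events).items():
        mu, sigma = baseline.get(user, (0.0, 0.0))
        threshold = max(mu + k * sigma, floor)
        for day, n in sorted(days.items()):
            if n > threshold:
                alerts.append((user, day, n, round(threshold, 1)))
    return alerts


def decoy_hits(events):
    """Every touch of a decoy path is an alert, regardless of volume."""
    return [(e["user"], e["ts"], e["path"]) for e in events if e["path"] in DECOY_PATHS]


def detect(training_lines, current_lines):
    """Build the baseline from history, then run both checks on new lines."""
    training = [e for e in map(parse, training_lines) if e]
    current = [e for e in map(parse, current_lines) if e]
    return off_profile(build_baseline(training), current), decoy_hits(current)


# --- Constructed sample data -------------------------------------------------
# Ten days of history: analyst_a reads 5-8 cables a day, analyst_b reads 3-4.
TRAINING_LINES = []
for day, (n_a, n_b) in enumerate(zip([5, 6, 7, 5, 6, 8, 5, 6, 7, 5],
                                     [3, 4, 3, 4, 3, 4, 3, 4, 3, 4]), start=1):
    for user, n in (("analyst_a", n_a), ("analyst_b", n_b)):
        TRAINING_LINES += [f"2011-01-{day:02d}T09:00:00 user={user} action=read "
                           f"path=/share/cables/{day:02d}/cable_{i:03d}.txt" for i in range(n)]

# Day 20: analyst_a behaves normally but opens a decoy; analyst_b bulk-reads 40 cables.
CURRENT_LINES = (
    [f"2011-01-20T09:1{i}:00 user=analyst_a action=read path=/share/cables/20/cable_{i:03d}.txt"
     for i in range(5)]
    + ["2011-01-20T14:03:11 user=analyst_a action=read path=/share/finance/board_minutes_DRAFT.docx"]
    + [f"2011-01-20T22:{i:02d}:00 user=analyst_b action=read path=/share/cables/20/cable_{i:03d}.txt"
       for i in range(40)]
)

if __name__ == "__main__":
    volume_alerts, decoy_alerts = detect(TRAINING_LINES, CURRENT_LINES)
    for user, day, n, thr in volume_alerts:
        print(f"OFF-PROFILE {user} on {day}: {n} distinct documents (threshold {thr})")
    for user, ts, path in decoy_alerts:
        print(f"DECOY       {user} at {ts}: {path}")
```

On the constructed data, analyst_b's 40 reads on day 20 trip the volume check (their own baseline of 3.5 a day puts the threshold at the floor of 10), while analyst_a's six reads do not, but analyst_a's single touch of the decoy file is reported anyway. A per-user mean-plus-three-sigma threshold over ten days of history is the crudest possible profile; a real system would model many more signals (time of day, file types, destinations, peer group) and over a longer window, which is exactly the problem ADAMS set out to study. The `floor` parameter is there because a user whose baseline is near zero would otherwise alert on a trivial amount of activity.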