DARPA SMITEs Insider Threats
By
Bob Brewin
How bad is the threat of an insider attack against military information systems?
How bad is the threat of an insider attack against military information systems?
The Defense Advanced Research Projects Agency answers that question in stark terms in its request for industry help to counter insider electronic moles:
Trusted insiders ... are targeting the U.S. information infrastructure for exploitation, disruption, and potential destruction. [Emphasis included.]National Counterintelligence Strategy of the United States of America (2008).
DARPA says protecting information systems against bad insider actors is often difficult
because the defenses must be perfect and comprehensive, while the attacker needs to find only one flaw.
That's why the agency said it has kicked off a project called Suspected Malicious Insider Threat Elimination, which we all know stands for SMITE, a lovely play on words for fighting back against an enemy.
Detecting insider threats, DARPA said, remains a challenge because it requires unearthing subtle indicators of malicious behavior buried in enormous observational data of no immediate relevance, or zeroing in on one key signal out of a lot of background noise.
One way to detect insider threats is to focus on deceptive behavior, which is characteristic of malicious intent - which, by the way, leads to the problem of assigning intent to observed behaviors.
But DARPA added that in both the real and virtual world, it is very difficult to do anything without leaving some evidence behind. Attempts to conceal or remove evidence generally create new evidence that, if detected, could be a strong indication of the perpetrator's intent.
Forensic-like techniques can be used to find clues, gather and evaluate evidence and combine them deductively, and DARPA says it needs industry help in developing these techniques.
The agency wants vendors to provide it with white papers that include, but are not limited to, techniques to derive information about the relationship between deductions, the likely intent of inferred actions and suggestions about what evidence might mean and then dynamically forecast context-dependent behaviors.
The agency also would like ideas on how to use information sensors and algorithms to help it determine the scale and complexity of current and projected insider threats and novel approaches based on social behavioral science.
Anyone interested in tackling this challenge needs to respond to DARPA by May 26.