For most of the history of the Internet, companies and government agencies have split networks into two categories: internal, trusted systems and external, untrusted ones. The most common approach to security has been to erect a wall that treats data and communications as potentially dangerous if they come from outside and safe if they come from within.
Yet some of the most serious breaches, such as the massive handover of U.S. State Department cables to WikiLeaks late last year, come from corporate and government insiders. Even if they mean no harm, insiders can present security risks: several major data breaches have occurred after attackers tricked employees into downloading malicious software that took hold inside the organization’s firewall.
“In the early 2000s, you would see a lot of organizations focus on outsiders exclusively,” says Joji Montelibano, who leads the insider-threat technical team at the Software Engineering Institute’s CERT program at Carnegie Mellon University. “With the prevalence of information technology everywhere now, the ways an insider can harm an organization have increased dramatically.”
In hopes of counteracting the trend, the Defense Advanced Research Projects Agency (DARPA)—the research arm of the U.S. military—has called for research that would improve the government’s ability to identify threats from within. DARPA is taking a two-pronged approach: last August, an agency project named Cyber Insider Threat (CINDER) called for proposals for better systems to detect attackers who have already compromised a network. Two months later, DARPA launched Anomaly Detection at Multiple Scales (ADAMS), to detect insiders just before or after they go rogue.
The proposed ADAMS technology will likely model typical user behavior and alert managers when a user is acting off-profile. Such a system, for example, could have caught Bradley Manning, the U.S. intelligence analyst who is alleged to have leaked the diplomatic cables, by warning officials that Manning had suddenly accessed thousands of cables from his computer.
“If I’m trying to get information out of my company, I’m probably going to start at the simplest level and work my way up—I would try to e-mail it to myself, I would try to post it to a website, or upload the file to a peer-to-peer network,” says Daniel Guido, a consultant with iSec Partners, who frequently tests firms’ security to identify potential weaknesses. “They are going to approach exfiltrating information outside the company in a very particular way, and if you think like they do, you will be much more effective” as a defender.