The problem is difficult, though, if the systems attempt to take in many variables, says Malek ben Salem, a graduate student and computer-science researcher at Columbia University. She has been trying to model search behavior in order to detect when an attacker is going beyond the normal scope of his job or impersonating someone with legitimate access. Because attackers might not know a file system or other aspects of corporate network as well as a legitimate employee does, they tend to search more extensively. In experiments, Ben Salem says her model has detected 100 percent of masqueraders with a rate of false positives of only 1 percent.
The CINDER project looks for activity in a system that suggests of an attack launched from the inside. For instance, a worm like Stuxnet, which is believed to have damaged Iran’s nuclear program, could be detected by looking for the changes it has made to system files and network disks.
“CINDER will attempt to address some of the flaws in current detection systems by modeling the adversary mission—not by attempting to monitor a person or their particular traits—and by beginning with the assumption that a given system has already been compromised,” Peiter “Mudge” Zatko, the manager in charge of the program at DARPA, said when the project was announced.
Increasingly, companies that sell security products are adding features that may help detect insider attacks. For example, firewalls and other security systems have been fortified with software that scans for encrypted e-mail. Some security companies advocate deploying decoy files that no employee should ever access, and alerting managers when they are accessed. Coupling decoy files with current research into modeling legitimate user behavior could detect a wide variety of attacks, says Columbia’s Ben Salem.
However, insider attacks cannot be thwarted by just creating a better network appliance, says SEI CERT’s Montelibano. Better policies and security measures are important as well, such as allowing only approved applications to be run inside a network and limiting e-mail attachments.
“The big finding of our research is that insider threats are not just a technical problem,” he says. “What we still see is organizations throwing technology at the problem. But our research reveals that by and large, insiders’ technical activity is preceded by observable behavioral activity.”