DARPA to hunt insider cyber threats

Assumes enemy within.

The research arm of the US Department of Defense, DARPA, has embarked on a project to weed out insider cyber threats.

The Cyber Insider Threat or CINDER program aimed to compare enemy "mission contexts" with Defenses' routine internal activities to illuminate activity that might reveal an insider is working for enemies of the United States.

DARPA (Defense Advanced Research Projects Agency) has revealed it seeks a system that assumes its networks and systems are already infiltrated, acknowledging that enemies on the inside would pass normal security checks.

But enemies would also display patterns of behaviour that show their real colour, DARPA said in tender documents released last week. 

"What sets the insider threat apart from other adversaries is the use of normal tactics to accomplish abnormal and malicious missions," DARPA explained. 

Basic activities DARPA already expects of an insider include exploring local file systems, passive network monitoring, identifying network shortcuts, referencing data stores within local documents and local network scanning.

DARPA said high rates of false positives would be acceptable and could be mitigated. For example, if a system's alerts rely on a sequence of events to indicate an insider threat, DARPA would allow users of that system to adjust the relative importance of each trigger.  

The project comes as the US steps up efforts to counter cyber attacks against its military infrastructure. US Deputy Defense Secretary William J Lynn III last week revealed that a 2008 USB-initiated attack successfully penetrated its classified networks, revealing its Middle East military plans.

The US also continues to face embarrassment over its security systems after whistle-blowing site Wikileaks was sent classified material by US military personnel.