Cyber Insider Threat

Cyber Insider Threat, or CINDER, is a digital threat method. In 2010, DARPA initiated a program under the same name (Cyber Insider Threat (CINDER) Program) to develop novel approaches to the detection of activities within military-interest networks that are consistent with the activities of cyber espionage. [1]

The CINDER threat is unlike other vulnerability-based attacks in that the action taken by the initiator is not based on unauthorized access by unauthorized (or authorized) objects; it is based on the premise that authorized access by authorized objects, along with their subsequent actions, will normally occur within the security boundary. Such an object action is not viewed as an attack but as normal use when analyzed by standard IDS/IPS, logging and expert systems. The CINDER mission becomes visible as an unauthorized disclosure only once data exfiltration has been realized. At that point, the resulting CINDER case reclassifies all object actions related to the disclosure from "Authorized Use by an Authorized Object" to "Unauthorized Use by an Authorized Object". [2]

Note: For the initial CINDER case, the controlling agent [3] will still be seen as an Authorized Object based on the fact that the security system has passed an evaluation for Assurance and Functionality.

The Cyber Insider Threat has continued to be a known issue since the mid-1980s. The following NIST material dated March 1994, "Internal Threats", shows how it was defined in its infancy.

"System controls are not well matched to the average organization's security policy. As a direct result, the typical user is permitted to circumvent that policy on a frequent basis. The administrator is unable to enforce the policy because of the weak access controls, and cannot detect the violation of policy because of weak audit mechanisms. Even if the audit mechanisms are in place, the daunting volume of data produced makes it unlikely that the administrator will detect policy violations. Ongoing research in integrity and intrusion detection promise to fill some of this gap. Until these research projects become available as products, systems will remain vulnerable to internal threats." [4]

CINDER behaviors and methods

CINDER prerequisites

There are many prerequisite dimensions to CINDER activity, but one primary dimension must always be met: system ownership. The prerequisite principles of system ownership and information dominance within the area of object action must be part of any CINDER mission.

CINDER system ownership and object action

In CINDER action, each mission dimension and each resulting case issue can be distilled down to one entity, one agent [3] and one action. At the specific time an agent completes an action, that entity, agent and action own the environment they are transiting or using. If they succeed in committing that specific transaction and are not interrupted, or at least measured or monitored, by the owner, that entity will have, if only for a moment in time, dominance and ownership over that object. [2]

CINDER detection methods

Methods for detecting past CINDER actions

To detect past CINDER activity when an exposure has been realized, one must reconcile all object actions (any exchange or transaction between two agents that can be measured or logged) and analyze the result.

Methods for detecting current and future CINDER actions

Present concepts of how one detects current or future CINDER activity have followed the same path as detecting past CINDER activity: a reconciliation of all data from all object actions, then the application of heuristics, expert-system logic and mining models to the aggregated data. [5] But building automated logic and analysis models has proved difficult since, once again, the insider does not attack; they use (authorized access by authorized objects). Separating "use" from "how they use" in a system that has low assurance and a low percentage of reconciliation will always cause the system to produce far too many false positives for the method to be acceptable as a true CINDER security solution.

One main tenet of CINDER detection has become that only a system that has high assurance and high reconciliation can be controlled (Owned) to the extent that current and future CINDER actions can be identified, monitored or terminated.
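As an added example, not code from the article or from DARPA's CINDER program, the following Python script applies the reconciliation idea of the two detection sections above: object actions from two separate audit sources (file reads and outbound transfers) are parsed as "agent, action, object" records, the transfers are reconciled against the same agent's reads in a preceding time window, and a small set of heuristics scores each reconciled pair. Everything in it is constructed for illustration: the log lines, the agent names, the `APPROVED_DESTINATIONS` allow-list, the one-hour window and the two-heuristic threshold are all assumptions, and the access in the sample logs is authorized in every case, which is exactly why a single source on its own cannot separate use from misuse.

```python
"""Reconcile constructed audit sources and score authorized-but-anomalous use.

Added example; not the article's or DARPA's code. All log lines, names,
thresholds and the approved-destination list are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed file-access audit lines: "timestamp agent verb object bytes".
FILE_LOG = """\
2024-03-01T09:02:11 alice read /proj/alpha/plan.docx 18432
2024-03-01T09:05:40 alice read /proj/alpha/budget.xlsx 40960
2024-03-01T09:20:03 bob read /proj/beta/spec.pdf 102400
2024-03-01T13:11:57 carol read /proj/alpha/plan.docx 18432
2024-03-01T13:12:30 carol read /proj/alpha/budget.xlsx 40960
2024-03-01T13:13:02 carol read /proj/beta/spec.pdf 102400
2024-03-01T13:13:45 carol read /proj/gamma/roadmap.pptx 204800
"""

# Constructed outbound-transfer lines: "timestamp agent verb destination bytes".
NET_LOG = """\
2024-03-01T09:30:00 alice upload share.corp.example 18432
2024-03-01T13:40:12 carol upload personal-cloud.example 366592
"""

# Hypothetical allow-list of sanctioned transfer destinations (constructed).
APPROVED_DESTINATIONS = {"share.corp.example"}


@dataclass
class ObjectAction:
    """One measurable exchange between an agent and an object."""
    ts: datetime
    agent: str
    verb: str
    target: str
    nbytes: int


def parse_log(text):
    """Parse whitespace-separated 'ts agent verb target bytes' lines."""
    actions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, verb, target, nbytes = line.split()
        actions.append(ObjectAction(datetime.fromisoformat(ts), agent,
                                    verb, target, int(nbytes)))
    return actions


def project_of(path):
    """'/proj/alpha/plan.docx' -> 'alpha' (second path component)."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def reconcile(file_actions, net_actions, window=timedelta(hours=1)):
    """Pair each upload with the same agent's reads in the preceding window."""
    reads_by_agent = defaultdict(list)
    for a in file_actions:
        if a.verb == "read":
            reads_by_agent[a.agent].append(a)
    pairs = []
    for t in net_actions:
        if t.verb != "upload":
            continue
        recent = [r for r in reads_by_agent[t.agent]
                  if t.ts - window <= r.ts <= t.ts]
        pairs.append((t, recent))
    return pairs


def score_transfer(transfer, recent_reads, max_projects=2):
    """Return the list of heuristics that fire for one reconciled pair."""
    reasons = []
    bytes_read = sum(r.nbytes for r in recent_reads)
    projects = {project_of(r.target) for r in recent_reads}
    if transfer.target not in APPROVED_DESTINATIONS:
        reasons.append("destination not on the approved list")
    if recent_reads and transfer.nbytes >= bytes_read:
        reasons.append("bytes sent match or exceed bytes read in the window")
    if len(projects) > max_projects:
        reasons.append(f"reads spanned {len(projects)} projects in one window")
    return reasons


def find_cinder_candidates(file_log, net_log, min_reasons=2):
    """Map agent -> reasons, keeping only pairs where several heuristics agree.

    Requiring agreement between heuristics is the constructed stand-in for the
    article's point that a single low-reconciliation signal produces too many
    false positives to be useful on its own.
    """
    findings = {}
    for transfer, reads in reconcile(parse_log(file_log), parse_log(net_log)):
        reasons = score_transfer(transfer, reads)
        if len(reasons) >= min_reasons:
            findings[transfer.agent] = reasons
    return findings


if __name__ == "__main__":
    for agent, reasons in find_cinder_candidates(FILE_LOG, NET_LOG).items():
        print(agent, "->", "; ".join(reasons))
```

On the constructed data, alice's reads and upload reconcile to a sanctioned destination with a smaller byte count and a single project, so no heuristic fires; carol's upload reconciles to reads across three projects whose total equals the bytes sent to an unlisted destination, so all three fire. Neither agent did anything the access-control layer would have refused, which is the "authorized use by an authorized object" problem the article describes; only the cross-source reconciliation makes the difference visible.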

Ongoing projects to detect CINDER action

Defense Advanced Research Projects Agency (DARPA)

DARPA has an ongoing Cyber Insider Threat or CINDER program to detect insider threats to computer systems. It is under DARPA's Strategic Technology Office (STO). [6] [7] The project was timed to begin around 2010/2011. [8] In comparison with traditional computer security, CINDER assumes that malicious insiders already have access to the internal network; thus it attempts to detect a threat's "mission" through analysis of behavior rather than seeking to keep a threat out. The government documentation uses an analogy of the "tell" idea from the card game of poker. [6]

According to Ackerman in Wired, the impetus for the program came after WikiLeaks disclosures such as the Afghan War documents leak. Robert Gates' philosophy of information in the military was to emphasize the access for frontline soldiers. In the face of mass-leaking, the CINDER type of response allows the military to continue that philosophy, rather than simply cutting off access to information en masse. [7] The project was started by Peiter Zatko, a former member of the L0pht and cDc who left DARPA in 2013. [9]

References

  1. "Cyber-Insider Threat (CINDER)". Archived from the original on 2012-01-11. Retrieved 2014-07-14.
  2. "Mission and Case Analysis of Cyber Insider (CINDER) Methods within Military and Corporate Environments". CodeCenters International Training Press. Retrieved 2012-05-09.
  3. "Intelligent Agents: Theory and Practice" (PDF). Knowledge Engineering Review. Archived from the original (PDF) on 2009-01-07. Retrieved 2012-05-24.
  4. Bassham, Lawrence; Polk, W. (1992). "Trends for the future - Internal Threats". NIST. doi:10.6028/NIST.IR.4939. Retrieved 2012-05-11.
  5. "DTIC Analysis and Detection of Malicious Insiders". DTIC Defense Technical Information Center - MITRE Corporation. Archived from the original on April 8, 2013. Retrieved 2012-05-11.
  6. "Broad Agency Announcement Cyber Insider Threat (CINDER)". DARPA Strategic Technology Office. 2010-08-25. Retrieved 2011-12-06.
  7. Ackerman, Spencer (2010-08-31). "Darpa's Star Hacker Looks to WikiLeak-Proof Pentagon". Wired. Retrieved 2011-12-05.
  8. "DARPA seeks assistance with insider threats". infosecurity-magazine.com. 2010-08-30. Retrieved 2011-12-06.
  9. "Google's Motorola Mobility Taps U.S. Defense Agency for Talent". Bloomberg. 15 April 2013.