The recent WikiLeaks exposure was a huge black eye for the U.S. Department of Defense, supposedly one of the more secure state organizations we have working for us. Its impact clearly wasn’t lost on the Pentagon, whose blue sky research arm has launched a new project designed to ferret out malicious behavior on DoD networks. Named CINDER – Cyber INsiDER Threat – the project is designed not to sniff out people, but adversarial actions as they happen.
To quote DARPA’s request for industry solicitations: “The goal of CINDER will be to greatly increase the accuracy, rate and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks.”
The philosophy driving CINDER is the idea that singular actions by an insider with malicious intent aren’t noticeable as malicious – say, the downloading of a sensitive document from a DoD server or the searching for information on a particular topic. But the larger adversary mission should be noticeable when compared to normal mission activities. By monitoring strings of actions rather than isolated events, CINDER is expected to pinpoint system users who may be up to something malicious.
CINDER assumes that insiders are operating within the Pentagon’s most sensitive networks, so rather than focus on keeping outside threats out, it will be designed to weed out those already inside. As Danger Room points out, it seems like a recipe for false positives, but DARPA seems to think a properly-designed CINDER will be able to distinguish between normal and malicious mission contexts.
We’ll see. In the meantime, while DARPA works CINDER into serviceable shape, the DoD is expected to roll out a new cyber strategy by year’s end to hopefully curtail the kinds of massive leaks and cyber breaches that have been the embarrassment of the Pentagon lately.