Spy vs. spy: DOD tracks insider threats

The Defense Department is working with contractors to deploy new technologies that can detect threats based on behavior patterns as opposed to identity.

The Defense Department has made sniffing out insider threats a major priority in securing its networks. As cyber threats expand, DOD must contend with the possibility that authorized network users could maliciously or accidentally expose systems to attack or exploitation. Those concerns have been the catalyst for DOD's identity management and desktop security efforts.

Internal attacks can take different forms, including the accidental or intentional introduction of malicious code or an attempt to export classified or sensitive information. Existing systems often struggle to find insider threats because they rely on identifying who or what is accessing the network. However, new technology can detect threats by their behavior instead of their identity.

Knowing who is accessing the network is an important element of protecting against threats from inside the network. “The department’s use of hardware-based identity credentials for access to networks and information systems has shut down known attack vectors, demonstrably decreased attacks, and elevated the security posture to our networks by denying anonymity to attackers,” Robert Lentz, deputy assistant secretary of Defense for cyber, identity and information assurance, testified before the House Armed Services Committee earlier this year. “The use of biometrics in conjunction with PKI credentials is yielding important improvements in protection against insider threats.”

But credentials don’t protect against accidental insider threats, such as the introduction of malicious software. In fall 2008, malware spread from thumb drives that connected to systems on the Unclassified but Sensitive IP Router Network and Secure IP Router Network. After that incident, DOD banned removable media and has made great strides to lock down the networks from unintentional internal attacks.

Insider threat protection focuses on policy management. That approach is at the core of the Host Based Security System, an information assurance platform that DISA is deploying. With HBSS, DOD network managers can turn off all USB ports, said Tom Conway, director of federal business development at McAfee, which provides much of the HBSS technology.

“When it was envisioned, they were looking for something that would be dual purpose,” Conway said. “It would be the last line of defense against bad guys on the outside, and conversely, it's also the first line of defense from the insider trying to take things from the inside. What you can do is define behavior policies for things that are nonacceptable or applications that are nonacceptable. So no matter if someone's trying to launch it externally from the outside in and try to exfiltrate data or an insider who's trying to change system settings or run new applications inside to do the same sort of thing, HBSS was designed to [prevent] that.”

However, like other intrusion detection and prevention systems, HBSS relies on a database of signatures of known viruses and threats. A new technology from Raytheon watches for patterns of behavior within the network, including usage of applications, to detect activity that deviates from the norm.

At the Association of the U.S. Army Annual Meeting in October, Raytheon demonstrated the technology, called SureView. Developed by Raytheon Oakley Systems, a unit of Raytheon’s Intelligence and Information Systems division, SureView provides network forensic tools for detecting suspicious behavior based on a baseline of network usage patterns.
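The behavior-based approach described above, detecting activity that deviates from a learned baseline of usage patterns rather than matching a signature or an identity, can be illustrated with a small detector. The following is an added example written for this article; it is not SureView or any Raytheon code, and the log format, user names, application names and daily counts are constructed for the demonstration. It learns, per user and application, the mean and spread of daily event counts over a training window, then reports two kinds of deviation on a new day: an application the user has never been seen running, and a volume spike more than a chosen number of standard deviations above that user's norm.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training records (not from the article), one line per
# user/application/day in the form "date,user,application,events".
BASELINE_LOG = """\
2009-10-01,alice,outlook,40
2009-10-02,alice,outlook,42
2009-10-03,alice,outlook,38
2009-10-04,alice,outlook,41
2009-10-05,alice,outlook,39
2009-10-01,alice,word,20
2009-10-02,alice,word,22
2009-10-03,alice,word,19
2009-10-04,alice,word,21
2009-10-05,alice,word,18
2009-10-01,bob,outlook,30
2009-10-02,bob,outlook,28
2009-10-03,bob,outlook,31
2009-10-04,bob,outlook,29
2009-10-05,bob,outlook,32
2009-10-01,bob,ssh,5
2009-10-02,bob,ssh,6
2009-10-03,bob,ssh,4
2009-10-04,bob,ssh,5
2009-10-05,bob,ssh,5
"""

# Constructed observations for the day under review (same format).
OBSERVED_LOG = """\
2009-10-06,alice,outlook,40
2009-10-06,alice,word,21
2009-10-06,alice,scp,300
2009-10-06,bob,outlook,31
2009-10-06,bob,ssh,60
"""


def parse(text):
    """Return a list of (date, user, app, events) tuples; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, app, events = line.split(",")
        rows.append((date, user, app, int(events)))
    return rows


def build_baseline(rows):
    """Learn the norm per (user, app): (mean daily events, standard deviation).

    The deviation is floored at 1.0 so that a perfectly steady history does not
    divide by zero and does not turn a one-event change into an alert.
    """
    history = defaultdict(list)
    for _date, user, app, events in rows:
        history[(user, app)].append(events)
    return {key: (mean(counts), max(pstdev(counts), 1.0))
            for key, counts in history.items()}


def detect_deviations(baseline, rows, z_threshold=3.0):
    """Flag activity that departs from the learned baseline.

    Reports 'unseen-application' when a user runs something absent from their
    baseline, and 'volume-anomaly' when a day's count sits more than z_threshold
    standard deviations above that user's mean for the application. Only
    increases are flagged: a quiet day is not the behavior of concern here.
    """
    alerts = []
    for date, user, app, events in rows:
        key = (user, app)
        if key not in baseline:
            alerts.append((date, user, app, "unseen-application"))
            continue
        mu, sigma = baseline[key]
        z = (events - mu) / sigma
        if z > z_threshold:
            alerts.append((date, user, app, "volume-anomaly"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for alert in detect_deviations(baseline, parse(OBSERVED_LOG)):
        print(alert)
```

Run as-is, the detector flags alice's first-ever use of scp (a new application, whatever its volume) and bob's ssh day at roughly twelve times his norm, while the routine outlook and word activity passes unremarked. In practice the baseline window, the threshold and the choice of features (applications, hosts reached, bytes moved, hours of activity) are what separate a useful detector from a noisy one, and both alert types are leads for an analyst to review rather than verdicts.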

On Oct. 20, NIST certified that SureView complies with the Federal Information Processing Standard 140-2 Level 1 cryptographic standard.

“This certification meets Department of Defense regulations for cryptographic modules for certain information assurance applications,” said Steve Hawkins, vice president of Information Security Solutions at Raytheon. “Achieving this certification aligns with Raytheon's ongoing commitment to provide our customers with the best security, assurance and dependability.”