Cyber Insider Threat

Cyber Insider Threat, or CINDER, is a digital threat method. In 2010, DARPA initiated a program under the same name (Cyber Insider Threat (CINDER) Program) to develop novel approaches to the detection of activities within military-interest networks that are consistent with the activities of cyber espionage.

The CINDER threat is unlike other vulnerability based attacks in that the action taken by the initiator is not based on unauthorized access by unauthorized objects or authorized objects, it is based on the concept that authorized access by authorized objects will normally occur (along with their subsequent actions) within the security boundary. This object action will not be viewed as an attack, but normal use when analyzed by standard IDS-IPS, logging and expert systems. The CINDER Mission will be seen as an unauthorized disclosure once data exfiltration has been realized. At that time, the resultant CINDER Case would change all object actions related to the disclosure from "Authorized Use by an Authorized Object" to "Unauthorized Use by an Authorized Object".

Note: For the initial CINDER case, the controlling agent will still be seen as an Authorized Object based on the fact that the security system has passed an evaluation for Assurance and Functionality.

The Cyber Insider Threat has continued to be a known issue since the mid-1980s. The following NIST material dated March 1994, "Internal Threats", shows how it was defined in its infancy. "'System controls are not well matched to the average organization's security policy. As a direct result, the typical user is permitted to circumvent that policy on a frequent basis. The administrator is unable to enforce the policy because of the weak access controls, and cannot detect the violation of policy because of weak audit mechanisms. Even if the audit mechanisms are in place, the daunting volume of data produced makes it unlikely that the administrator will detect policy violations. Ongoing research in integrity and intrusion detection promise to fill some of this gap. Until these research projects become available as products, systems will remain vulnerable to internal threats.'"

CINDER prerequisites
There are many prerequisite dimensions to CINDER activity, but one primary dimension must always be met. That is one of System Ownership. Prerequisite principles of system ownership and information dominance within the area of object action must be part of any CINDER mission.

CINDER system ownership and object action
In CINDER action, each mission dimension and each resulting case issue can be distilled down to one entity, one agent. and one action. At the specific time an agent completes an action, that entity, agent and action owns the environment they are transiting or using. And if they are successful in committing that specific transaction and are not interrupted or at least measured or monitored by the owner, that entity will have, if for only a moment in time, dominance and ownership over that object.

Methods for detecting past CINDER actions
To detect past CINDER activity when an exposure has been realized, one must reconcile all object actions (any exchange or transaction between two agents that can be measured or logged) and analyze the result.

Methods for detecting current and future CINDER actions
Present concepts of how one detects current or future CINDER activity has followed the same path as detecting past CINDER activity: A reconciliation of all data from all object action, then the application of heuristics, expert system logic and mining models to the data aggregated. But building automated logic and analysis models have proved difficult since once again, the insider does not attack they use (authorized access by authorized objects). Breaking this "use" and "how they use" out in a system that has low assurance and a low percentage of reconciliation will always cause the system to produce far too many false positives for the method to be acceptable as a true CINDER security solution.

One main tenet of CINDER detection has become that only a system that has high assurance and high reconciliation can be controlled (Owned) to the extent that current and future CINDER actions can be identified, monitored or terminated.

Defense Advanced Research Projects Agency DARPA
DARPA has an ongoing Cyber Insider Threat or CINDER program to detect insider threats to computer systems. It is under DARPA's Strategic Technology Office (STO). The project was timed to begin around 2010/2011. In comparison with traditional computer security, CINDER assumes that malicious insiders already have access to the internal network; thus it attempts to detect a threat's "mission" through analysis of behavior rather than seeking to keep a threat out. The government documentation uses an analogy of the "tell" idea from the card game of poker.

According to Ackerman in Wired, the impetus for the program came after WikiLeaks disclosures such as the Afghan War documents leak. Robert Gates' philosophy of information in the military was to emphasize the access for frontline soldiers. In the face of mass-leaking, the CINDER type of response allows the military to continue that philosophy, rather than simply cutting off access to information en masse. The project was started by Peiter Zatko, a former member of the L0pht and cDc who left DARPA in 2013.