Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defe

1. Research and Development InitiativesFocused onPreventing, Detecting, and Responding to Insider Misuse ofCritical Defense Information Systems • Results of a Three-Day WorkshopAugust 16-19, 1999

2. Background • Three-day workshop held at RAND Santa Monica, August 16-18, 1999; 35 invited participants • Sponsored by Army Research Lab, DARPA, NSA • Purpose: to recommend technical R&D initiatives addressing the insider threat to DoD info systems • ASD/C3I report DoD Insider Threat Mitigation Plan (June 1999) concentrated on near-term steps to be taken - • This workshop focused on longer-term technical R&D required • Workshop is expected to be first in a series

3. Policy and Precursors to R&D • Technical initiatives must have a supportive environment. Required are: • Guidance from legal and law enforcement communities re. attribution,collection, maintenance, processing and storage of data • Clear definitions re. what are “critical assets” on a system • Clarity regarding who is an “insider” • Cost/benefit analysis of recommended measures • Plans for technology transfer • Support for multiple, diverse, concurrent approaches

4. Incident Characterizing an Info System Security Incident(modified from JTF-CND document) Attack Event Sandia Labs Unauthorized Result Action Attackers Tool Vulnerability Target Response Increased Access Physical Attack Hackers Probe Design Repair Motivation Access = Opportunity Skill + tool Detection technology Restore Account Disclosure of Information Information Exchange Scan Record Spies Implementation Process Corruption of Information User Command Configuration Flood Terrorists Report Data Script or Program Denial of Service Corporate Raiders Authenticate Render Component Theft of Resources Autonomous Agent Professional Criminals Bypass Computer Spoof Toolkit Vandals Network Distributed Tool Voyeurs Read Internetwork Potentially legitimate actions Data Tap Copy Need to incorporate an understanding of the analytic process that initiates response activities Steal Modify Remedial Security Engineering Delete

5. Workshop Developed Recommendationsin 4 Categories • 20 specific recommendations: • • Threat (4) • • Prevention (5) • • Detection (6) • • Response (5)

6. R&D Recommendations Focused on Insider Threat - Overview • T1: Develop reactive configuration controls, in which an unauthorized result is mapped back to a specific type of threat • T2: Develop an insider trust model • T3: Develop means to map users to unauthorized results • T4: Identify signatures of unauthorized results

7. R&D Recommendations Focused on Insider Prevention - Overview • P1: Develop authentication components • P2: Develop access control components • P3: Develop system integrity components • P4: Develop a bidirectional trusted path to the security system • P5: Develop attribution components

8. R&D Recommendations Focused on Insider Detection - Overview • D1: Develop profiling as a technique • D2: Detect misuse of applications • D3: Provide traceability for system-object usage • D4: Identify critical information automatically • D5: Design systems for detectability • D6: Determine unauthorized changes due to physical access

9. R&D Recommendations Focused on Insider Response - Overview • R1: Develop a capability for monitoring privacy-enhanced systems, such as those using encryption • R2: Incorporate practical autonomic system response into production systems • R3: Develop data correlation tools, including data reduction for forensics, and visualization tools focused on internal misuse • R4: Develop a capability for surveillance of non-networked components • R5: Consider deception technologies specifically applicable to the insider threat

10. DIO Organizations and Activities Study35 Organizations Assessed Protection CERTs Network Operations Support • Joint Task Force - Computer Network Defense • US Space Command • National Infrastructure Protection Center • Joint Command and Control Warfare Center • Joint Spectrum Center • DoD Computer Forensics Laboratory • Defense Advanced Research Projects Agency • Joint C4ISR Battle Center • Army Research Lab • Air Force Computer Emergency Response Team • Army Computer Emergency Response Team • Navy Computer Incident Response Team • Defense Logistics Agency CERT • National Security Agency (X Group) • Carnegie Mellon University CERT/CC • Air Force Network Operations Center • Army Network Systems Operations Center • Naval Computer and Telecommunications Command • Global Network Operations Security Center IW LE/CI Intelligence Other • Air Force Information Warfare Center • Land Information Warfare Activity • Naval Information Warfare Activity • Fleet Information Warfare Center • Information Operations Technology Center • Air Force Office of Special Investigations • US Army Criminal Investigation Directorate • US Army Military Intelligence • Naval Criminal Investigation Service • Defense Criminal Investigative Service • Joint Staff - J2 • Defense Intelligence Agency • Air Intelligence Agency • National Aeronautics and Space Administration • Joint Warfare Analysis Center [Source: U.S. Department of Defense]

11. Workshop Attendees Adams, RobertAir Force Information Warfare Center250 Hall Rd #139San Antonio, TX 78243 Alvarez, JorgeSpace and Naval Warfare Systems Center53560 Hull StreetSan Diego, CA 92152 Anderson, RobertRAND CorporationP.O. Box 2138Santa Monica, CA 90407 Anderson, KarlNSA R29800 Savage RoadFt. Meade, MD 20755 Arnold, RichardGTE GSC1000 Wilson Blvd. Ste 810Arlington, VA 22209 Barnes, AnthonyArmy Research LabC41 Systems Branch, AMSRL-SL-EIFt. Monmouth, NJ 07703-5602 Bencivenga, AngeloArmy Research Lab2800 Powder Mill RoadAdelphi, MD 20783 Bozek, ThomasOffice of the Secretary of Defense / C3I6000 Defense, Rm 3E194Pentagon Brackney, RichardNSA R2, R&E Bldg9800 Savage RoadFt. Meade, MD 20755 Christy, JamesASDC3I/DIAPSte. 1101, 1215 Jefferson Davis Highway,Arlington, Va 22202 Cowan, CrispinOregon Graduate InstituteP.O. Box 91000Portland, OR 97291 Dunn, TimothyArmy Research Lab2800 Powder Mill RoadAdelphi, MD 20783 Dunphy, BrianDefense Information Systems Agency701 S.Courthouse Rd D333Arlington VA Ghosh, Anup K.Reliable Software Technologies21351 Ridgetop Circle, Ste 400Dulles, VA 20166 Gligor, VirgilUniversity of MarylandElectrical/Computer Engineering, AVW 1333,College Park, MD 20742 Gilliom, LauraSandia National LabsP. O. Box 5800-0455Albuquerque NM Goldring, TomNSA R239800 Savage RoadFt. Meade, MD 20755 Hotes, ScottNSA R225 R&E Bldg9800 Savage RoadFt. Meade, MD 20755 Hunker, JeffreyNational Security CouncilWhite House #303Washington DC 20504 Jaeger, JimLucent TechnologiesBox 186, Columbia, MD 21045 Longstaff, ThomasCERT/CC4500 Fifth AvenuePittsburgh, PA 15213 Lunt, TeresaXerox PARC3333 Coyote Hill RoadPalo Alto, CA 94304 Matzner, SaraU. Texas at Austin Applied Research LabsInformation Systems Laboratory, P.O. Box 8029,Austin Texas 78713 Maxion, RoyCarnegie Mellon University5000 Forbes AvenuePittsburgh, PA 15213 McGovern, OwenDISALetterkenny Army DepotChambersburg, PA 17201-4122 Merritt, Larry D.NSA9800 Savage RoadFt. George G. Meade, MD 20755 Neumann, Peter GSRI International333 Ravenswood Ave.Menlo Park, CA 94025 Skolochenko, StevenOffice of Information Systems Security1500 Penn. Ave. NW, Annex, Rm. 3090,Washington, DC 20220 Skroch, MichaelDARPA/ISO3701 N. Fairfax Dr.Arlington, VA 22203 Solo, DavidCitibank666 Fifth Ave., 3rd Floor/Zone 6New York, NY 10103 Teslich, RobyneLawrence Livermore National LaboratoryPO Box 808, Room L-52Livermore CA 94550 Tung, BrianUSC Information Sciences Institute4676 Admiralty Way Ste. 1001,Marina del Rey, CA 90292 van Wyk, KennethPara-Protect5600 General Washington Drive ste. B-212Alexandria, VA 22312 Walczak, PaulArmy Research Laboratory2800 Powder Mill RoadAdelphi, MD 20783 Zissman, MarcMit Lincoln Laboratory244 Wood StreetLexington, MA 20420