Detecting Malicious Insiders in Military Networks

Given that a network is only as strong as its weakest link, a key vulnerability to network centric warfare is the threat from within. This paper summarizes several recent MITRE efforts focused on characterizing and automatically detecting malicious insiders within modern information systems. Malicious insiders (MI) adversely impact an organization's mission through a range of actions that compromise information confidentiality, integrity, and/or availability. Their strong organizational knowledge, varying range of abusive behaviors, and ability to exploit legitimate access makes their detection particularly challenging. Crucial balances must be struck while performing MI detection. Detection accuracy must be weighed against minimizing time-to-detect and aggregating diverse audit data must be balanced against the need to protect the data from abuse. Key lessons learned from our MI research include the need to understand the context of the user's actions, the need to establish models of normal behavior, the need to reduce the time to detect malicious behavior, the value of non cyber-observables, and the importance of real-world data collections to evaluate potential solutions.