Insider Cybercrime Finds No Place to Hide
An internal software application picks up where external monitoring leaves off.
Advances in computer network security are empowering network-dependent organizations to address the sobering fact that a majority of threats to proprietary information today originate within the pool of authorized users. A new off-the-shelf software application that monitors the flow of data through a network enables organizations to counter internal threats to sensitive information by identifying the source of a violation. The U.S. Defense Department is exploring the software as a way to address its security concerns.
Out of the Defense Department’s Joint Warrior Interoperability Demonstration (JWID) 2000, the software application will continue development as one of two technologies chosen from a field of more than 20 products competing for incorporation into the U.S. and North Atlantic Treaty Organization nations’ armed forces (SIGNAL, October 2000, page 71). When coupled with existing command and control, intelligence, surveillance and reconnaissance systems, the product demonstrated the potential for enhanced information security in a coalition environment. Follow-up testing will begin this year with examination of concept of operation, standard operating procedures and applicable tactics, techniques and procedures.
Designed and built by Raytheon Corporation, Linthicum, Maryland, SilentRunner—a passive, nondetectable network monitoring system—met several of the operational traits slated as key to Defense Department objectives. Three of these capabilities are the exchange of information between multiple network and security protocols; the demonstration of enhanced information assurance able to detect, defend and report computer attacks as they occur; and the inclusion of tools for risk assessment and operations planning. Each of these features supports the department’s interest in off-the-shelf equipment that shows ease in connectivity with current standard acquisition hardware.
According to Col. James W. Dowis, USAF, director, JWID Joint Project Office, Hampton, Virginia, the Department of Defense is shifting toward the use of off-the-shelf equipment that can be integrated smoothly within the joint operational environment. As a result, the department is looking for technologies that will reduce cost and risk factors while at the same time enhance interoperability. “SilentRunner should enable units to monitor systems more effectively while coexisting within a still largely legacy-based architecture,” he says.
Silent Runner collects and processes data traveling through a network and alerts users if any information has been misrouted or misused. Jeff Waxman, vice president of the information assurance products division at Raytheon, notes that security challenges were closer to home than administrators had realized. “Most people have been more concerned with the threat posed by external system hacking and other unauthorized network intrusions,” he says. Ironically, while systems such as firewalls and intrusion detection applications were being developed to combat these outside dangers, it became evident that the real problem was on the inside.
A 1999 survey conducted by PricewaterhouseCoopers and the American Society for Industrial Security found that Fortune 1000 companies lost $45 billion from the theft and misuse of proprietary information in fiscal year 1998. Authorized company personnel initiated more than 70 percent of the actions that led to this loss. “Maintaining security over continually exchanged proprietary information can no longer be achieved by a static defense system,” Waxman explains. “Safe networking now depends on a user’s ability to obtain data to counter the next potential attack, which can only be accomplished through constant network vigilance.”
Although capable of detecting external tampering, Silent Runner was developed primarily to combat internal network threats. Compatible with most legacy computer systems, the software architecture is based on the principles of discovery, analysis and visualization. It uses programmable proprietary algorithms to monitor the flow and nature of network traffic by detecting and identifying specific patterns in transmission concept and context and alerting system administrators to any potential network abuses accordingly. An organization must then take the proper action to prevent further complications. “The majority of security software applications identify improper usage by actually scanning the content of the traffic passing through the network. SilentRunner does not read content but looks for unexpected variations in the general substance of transmissions without disturbing information flow,” Waxman says.
Common methods of assessing a transmission’s content can cause disruptions in the timing of network data flow. This interruption not only affects message movement but also can alert individuals misusing the system before their identities can be established. SilentRunner works silently, checking variations in the amount and type of information a given data path is carrying without disturbing the transmission. If a signal’s content is not recognized as being in proper context for that area of the network, an alert is sent to an administrator. “SilentRunner does not make a decision as to what action should be taken in the case of a security breach,” he explains. “The system simply brings any irregularity to the attention of the affected company. It is then up to that company to take any action it deems appropriate.”
The discovery engine is the initial tool within the SilentRunner system architecture. Attaching to a local area network (LAN), the engine passively collects information on traffic flow and how particular entities within the network relate to each other. Real-time data analysis creates an ontology of specific network vocabulary, providing the software with a broad understanding of acceptable protocol content. According to John Suit, chief technology officer, SilentRunner program, the software monitors networks for pattern consistency as a whole or, if indicated, on a more focused level. All of the data collected is then matched against the ontology.
Next, any unrecognizable information is sent through an analysis engine. Operating on 25 separate algorithmic formulas, this component accepts data collected by the discovery engine in a process called blind clustering. Without using keywords to associate specific document text, SilentRunner performs a form of protocol isolation of designated network applications to establish a more focused search area for locating potential disturbances. Through true context analysis, the software groups data on the basis of the concepts the users of a particular application are communicating.
For example, if several e-mail messages refer to the same or similar topics, they are automatically grouped for analysis. No priority information or language prompts are necessary to establish a screen for filtering a designated document format. “The design of this software is such that large clusters of similarly formatted data can be reviewed with the input of a single command,” Suit says. “If a company wants to protect its proprietary information from potentially harmful e-mail, the organization simply uses SilentRunner to monitor all company e-mail passing through the network.”
When companies require a more defined document search, SilentRunner can be tailored to look for specific items that could jeopardize the security of proprietary data. Although the system does not operate by language prompt, it can be programmed to conduct a focused keyword or character examination of specific traffic moving across a network. “The real strength of this software is in its ability to grasp entire concepts without the need for keyword prompting,” Suit explains. “Entire related phrases or ideas can be filtered out since the system searches on the basis of constructive meaning, not common language.”
SilentRunner performs engram analysis to ensure that administrators are aware of information as it enters or leaves a network. By providing a near-real-time summary of the concept or context of any network communication, the software allows an administrator to classify a particular piece of data as proper or improper for a given pathway. “Without disrupting the flow of traffic from one network boundary to another, the software can draw a conclusion as to the general gist of a document’s text,” Suit claims.
Another type of analysis SilentRunner performs is virtual network diagramming. A graphic display shows how the network is being used as well as its physical construction. This allows administrators to see where conceptually or contextually similar information is gathered on a network and the location of the people using it. Once these cluster groups are determined, decisions can be made regarding how the information is moved and who is moving it. In a case of an internal system attack, SilentRunner presents a visual image of the attack activity over an extended period of time, showing what system was attacked and whether there was any collusion between multiple attackers.
Using this graphic display of network information as a starting point, follow-up analysis begins. The images can be viewed in two- or three-dimensional formats. The system administrator can sequentially log network activities so that the exact route and timing of an attack can be determined. Data stream navigation and specifically targeted searches can be performed to visually explore a network for unauthorized events. The substance of these events is displayed by clicking the appropriate icon, and data can be correlated using communications and systems logs. A visual World Wide Web interface capability allows network analysts to collaborate when examining particular trends in system usage.
SilentRunner tracks external attacks that have penetrated a network, complementing external threat detection capabilities such as firewalls and intrusion detection systems (IDS). “After an attacker has broken in, IDS can only alert a user to the presence of an anomaly,” Suit declares. “Beyond the initial point of disturbance, there is no way for IDS to track the exact attack path as it moves through the network. SilentRunner picks up where IDS leaves off, pinpointing where and when successive disturbances occur.” When unauthorized movement takes place in a network, the software detects the event at the moment of its inception and charts the attack path, producing a visual explanation of the problem, he says.
SilentRunner provides other forms of assistance to IDS when external network attacks are detected. Multiple intrusions and the resulting anomalies can be isolated more expediently using minimal log analysis resources. The software also identifies vulnerable network access points by compiling periodic intrusion detections to map out attack trends. “The technology takes a proactive approach to network defense,” Suit states. “With IDS and firewalls, users can only wait for potential attacks to be identified. SilentRunner’s constant monitoring of network traffic enables the software to alert the user to potential weak spots before an attack occurs.”
As part of SilentRunner’s visualization process, a graphic display of terminal-by-terminal connectivity within a network is presented. Depicted as miniature linked icons, the data behind each visual can be accessed by clicking on it. The icons reveal information concerning past activities at individual terminals throughout the network. The links between the icons carry any data that have passed through the network at that location. If an anomaly has occurred between one or more network stops, the link between the affected terminals will be highlighted, indicating a potential system abuse. Clicking on the highlighted link will reveal the substance of the transmission.
The software also uses post-collection analysis to alert network administrators to potential illicit or intrusion activities before they occur. By employing previously gathered information, the administrator can develop a picture of a network’s integrity based on past performance trends. The system can help administrators predict potential traffic bottlenecks or backdoor intrusions through a compilation of network characteristics over a period of time. “System abuses only serve to enhance system limitations,” Suit explains. “As a passive listener, SilentRunner is able to prepare an organization for future improprieties while defending the network against present ones.”
Field testing of SilentRunner technology began in January with a concept of operation, standard operating procedures and applicable tactics, techniques and procedure evaluations. “We have two JWID phases in the exploitation year,” Col. Dowis indicates. “The first phase, from January through March 2001, will see the new technologies taken out to various facilities within the U.S. Space Command and put through operations validation testing of standard operating procedures, to include Joint Interoperability Test Command certification.” When product approval has been received from the Joint Staff, limited-quantity contracting by unified international commands could begin in April 2001.