The Desktop DMZ automatically initiates a browser on a virtual machine when a user clicks on an Internet website link from a browser or other application running on a desktop system. Since the virtual machine is seamlessly integrated into the user's environment, there are minimal behavioral changes required by the user. This DMZ-based virtual machine securely "transmits" the browser window back to the enterprise-connected computer with minimal risk to the host from any malware. The user continues to see a "normal" browser window on his machine. Any malware that is potentially brought back remains on the DMZ-connected disposable computer, which in turn is periodically re-instantiated to a "clean state" to flush the malware. The Desktop DMZ provides an integrated capability to transfer and print files discovered on the riskier Internet zone on existing enterprise resources. By using a persistent list of allowable capabilities, the Desktop DMZ provides a user with customization capability while retaining the ability to regulate configurations using enterprise policies. For enterprise administrators, the system provides a differential patching mechanism to enable patching from a centralized patch library.

References:
Nakamoto, G.; Schwefler, J.; Palmer, K.; Desktop Demilitarized Zone, MILITARY COMMUNICATIONS CONFERENCE, 2011 - MILCOM 2011 , vol., no., pp.1487-1492, 7-10 Nov. 2011.

Traditional detection approaches have not been effective in detecting adversaries after they breach an organization's perimeter, compromising internal networks. With this accomplished, attackers can leverage their "insider" access, using compromised user accounts to gather and exfiltrate sensitive data. To detect this behavior, we believe, based on our experiences with insider threat detection, that organizations must understand how their users interact with internal information and leverage what they know (context) about both users and information, to identify suspicious patterns.

Our ELICIT detection approach identifies masqueraders based on their patterns of information use. We leverage the indicators developed through ELICIT and build others to characterize user information gathering patterns. User behavior, as measured by these indicators, is like a signal. We look for departures from user information-use signals to spot adversaries using the same account for malicious purposes.

To test our concept, we have studied the information gathering patterns of insiders in a large, real-world organization. We believe our approach turns the table on the adversary, taking advantage of the organization's superior understanding of how users behave to spot masqueraders who, until they learn account norms, run the risk of behaving in a detectable manner. This approach adds an additional layer (post-compromise detection) to a defense-in-depth strategy, raising the bar for adversaries.

References:
M.A. Maloof and G.D. Stephens, ELICIT: A System for Detecting Insiders Who Violate Need-to-Know, Recent Advances in Intrusion Detection (RAID), Lecture Notes in Computer Science, Volume 4637, Springer, 2007, pp. 146-166.

Deanna D. Caputo, Greg Stephens, Brad Stephenson, Megan Cormier, Minna Kim: An Empirical Approach to Identify Information Misuse by Insiders (Extended Abstract), Recent Advances in Intrusion Detection (RAID), pp. 402-403, 2008.

Deanna Caputo, Marcus A. Maloof, Gregory D. Stephens, Detecting Insider Theft of Trade Secrets, IEEE Security & Privacy 7(6), pp. 14-21, 2009.

Video: Marc Brooks, Kerry McKay, Leveraging Internal Network Traffic to Detect Malicious Activity: Lessons Learned, Presentations at International Conference on Cyber Security (ICCS) and Purdue CERIA Seminar, 2012.

Featured Items

• The MITRE Digest: Insider Threats: Countering Cyber Crime from Within

Honeyclients are dedicated systems that drive client-side applications to access remote content to determine if the content is malicious. MITRE’s operational honeyclients are virtual machines that drive multiple versions of several different web browsers to various websites to determine whether they are attempting to exploit the browsers with unknown vulnerabilities. The intent is to discover and collect new malware variants, and identify previously unknown malicious websites to prevent compromises to real client systems in the enterprise.

Honeyclients detect malicious websites that cause client compromises by performing real-time anomaly detection of the file system, registry, and process information within the virtual machine. During normal browsing, the browser makes "benign" changes to the virtual machine. These changes are codified as lists of acceptable parameters. Therefore, when browsing unknown websites, any activity that does not fall within these lists is deemed malicious.

A distributed architecture has been developed that allows multiple honeyclients on different networks to report back to a central repository with their results and obtain their workload assignments.

Featured Items

• The MITRE Digest: Honeyclients Root Out Attackers' Domains

Resiliency is the ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation. This research activity is exploring new ideas and techniques that enable fight-through capabilities through a secure resilient architecture. The RAMBO lab developed under this research activity provides a venue for continuously developing, improving, integrating, and demonstrating resilience strategies and technologies for transition to MITRE and sponsor infrastructures. Multiple capabilities, scenarios and techniques have been explored and demonstrated in the RAMBO lab.

Featured Items

• The MITRE Digest: Resilient Cyber Architectures Keep Government IT Operations Mission-Ready

Engineering and operational decisions to improve cyber resiliency need to be supported by suitable metrics and assessment processes. The framework and set of metrics developed under this research activity are designed to be extensible, tailorable, and thus applicable to a broad range of organizational users.

Featured Items

• Cyber Resiliency Engineering Framework

This research activity has developed a prototype piece of middleware called DataStorm that transparently fields an application/user query, rewrites it for execution in a fully encrypted DBMS, then decrypts and returns the correct final answers to the application/user without noticeably degrading performance. Using DataStorm, plaintext data and the encryption keys are never exposed at the database server. DataStorm leverages specialized forms of encryption to perform SQL operations on ciphertext.

References:
Kenneth P. Smith, Ameet Kini, William Wang, Chris Wolf, M. David Allen, Andrew Sillers: "Intuitive Interaction with Encrypted Query Execution in DataStorm," ICDE 2012, pp. 1333-1336.

The methods developed under the SMAC research activity are combined in a prototype called Checkmate, which collects measurements of key system components at the firmware and operating system levels, beginning with the boot process, and safely transmits them to a remote verification server to be analyzed. Current versions of Checkmate use a combination of software- and hardware-based attestation to ensure integrity of the Checkmate system and the data it sends. It detects advanced attacks both at the Windows XP operating system level (rootkits) and at the BIOS level (bootkits). It is deployed on ~100 systems within MITRE. Future plans include operational improvements and application integrity verification features.

Featured Items

• New Results for Timing-Based Attestation