
DHS / US-CERT Overview


Presentation Transcript


  1. DHS / US-CERT Overview Brian Zeitz Chief, Incident Management Unit, United States Computer Emergency Readiness Team, Department of Homeland Security

  2. DHS History
     September 11, 2001: Terrorists attack the United States
     October 8, 2001: President George W. Bush creates the White House Office of Homeland Security
     November 19, 2002: Congress passes legislation mandating the Department of Homeland Security
     November 25, 2002: President Bush signs the Homeland Security Act into law
     January 24, 2003: The department becomes operational
     March 2, 2003: The majority of previously existing agencies transfer to the Department of Homeland Security

  3. DHS Structure

  4. Mission Areas
     • Preventing Terrorism and Enhancing Security
     • Securing and Managing our Borders
     • Enforcing and Administering our Immigration Laws
     • Safeguarding and Securing Cyberspace
     • Ensuring Resilience to Disasters

  5. U.S. Critical Infrastructure
     The Department of Homeland Security (DHS) is responsible for securing federal civilian networks, the nation’s cyberspace, and critical infrastructure.

  6. DHS Organizational Chart
     Secretary of Homeland Security
     Under Secretary of National Protection & Programs Directorate
     Assistant Secretary of Cybersecurity & Communications
     National Cybersecurity and Communications Integration Center (NCCIC)
     Director of the National Communications System
     Director of the National Cyber Security Division
     Director of the Office of Emergency Communications
     Director, Network Security Deployment
     Director, Federal Network Security
     Director, US-CERT Operations
     Director, Global Cyber Security Management
     Director, Critical Infrastructure Cyber Protection & Awareness

  7. Securing the Nation’s Critical Systems
     Vision: Trusted global leader in cybersecurity – collaborative, proactive, and responsive in a dynamic and complex environment.
     Mission: US-CERT improves the Nation’s cybersecurity posture, coordinates cyber information sharing, and proactively manages cyber risks to the Nation while protecting the constitutional rights of Americans.
     Strategic Goals
     • Protect the nation’s cyber information infrastructure by analyzing cyber threats and vulnerabilities and providing timely and actionable information
     • Coordinate partnerships across sectors to achieve shared situational awareness across the global cyber infrastructure
     • Respond to cyber incidents to minimize incidents and support recovery efforts
     Core Activities
     • Identify, research, and verify suspicious cyber activity;
     • Understand the nature of incidents and vulnerabilities, determine impacts and set priorities;
     • Share timely and actionable information;
     • Build and maintain strong collaborative partnerships with public, private, and international partners;
     • Identify, prioritize and escalate cyber incident response activities; and
     • Collaborate with partners to respond to and mitigate significant cyber incidents.

  8. US-CERT Organizational Chart (data as of 06/20/2012)
     US-CERT Director: Jenny Menna (Acting)
     Deputy Director: Tom Baer
     Front Office Support (Exec Sec, Admin)
     Oversight & Compliance: Kurt Steiner, Officer
     Future Operations: Ray Kinstler, Director
     Operations Coordination & Integration: Brett Lambo, Director
     Operations: Mark Austin, Director
     Incident Management: Brian Zeitz, Chief
     Plans: Matt Solomon, Chief
     Coordination: Dave Brown, Chief
     Readiness: Dan Medina, Chief
     Detection and Analysis: Mike Jacobs, Chief
     Communications: Tom Millar, Chief
     Technology Solutions: Nick Jogie, Chief
     Digital Analytics: Byron Copeland, Chief

  9. 24x7 Integrated Operations Center
     US-CERT maintains a strong presence in the National Cybersecurity and Communications Integration Center (NCCIC), the Nation’s principal arena for organizing response to significant cyber incidents.
     • The NCCIC represents a broader national effort to address the diversity of cyber attacks and prevent potentially devastating consequences.
     • Each component maintains its own operating mission while supporting the development of a Common Operational Picture (COP).
     • The NCCIC is comprised of organizational components and operational partners.
     [Diagram: NCCIC components – US-CERT, NCC, ICS-CERT, I&A – and Partners]

  10. Uniquely Positioned Among Federal Cyber Centers
     • National Cyber Investigative Joint Task Force (NCI-JTF)
     • Department of Defense Cyber Crime Center (DC3)
     • US Cyber Command (USCYBERCOM)
     • US Computer Emergency Readiness Team (US-CERT)
     • NSA/Central Security Service (CSS) Threat Operations Center (NTOC)
     • Intelligence Community Incident Response Center (IC-IRC)
     * US-CERT regularly partners with FBI and USSS teams in the same capacity as those from the cyber centers

  11. Einstein Monitoring
     Einstein Network Analysts within US-CERT’s Operations branch monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation. US-CERT created the Einstein Program to help agencies more effectively protect their systems and networks.
     Key capabilities include:
     • Einstein 1 (E1): Flow Collection
       • Initial analytics and information sharing capabilities
     • Einstein 2 (E2): Intrusion Detection
       • Improved sensors to identify malicious activity
     • Einstein 3 (E3): Intrusion Prevention
       • To improve protection to prevent malicious activity

  12. Indicators Management
     Einstein is one source from which US-CERT collects cyber threat indicators. US-CERT is developing an Indicators Database to collect and correlate indicator information.

  13. Digital Media and Malware Analysis
     US-CERT’s Digital Media Analysts and Code Analysts collaborate to improve the understanding of current and emerging threats.

  14. Response & Assistance
     Activities are based on the nature and severity of the incident, and focus on tracking impacted parties’ progress toward resolving the issue.
     • Dedicated teams ensure appropriate and accurate technical assistance is provided with the right level of subject matter expertise, including:
       • Digital Media and Malware Analysis
       • Defensive Analysis
       • Mitigation Strategy Development
       • Threat/Attack Vector Analysis
       • Vendor Analysis Coordination
     • Deployable teams can provide specialized subject matter expertise required to mitigate an incident or prevent an event from escalating.

  15. Rapid Response and Assistance – U.S. Government
     US-CERT’s dedicated network defenders augment Federal agency capabilities.
     • MegaUpload
       • Worked closely with the Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) prior to takedown and to mitigate subsequent distributed denial of service (DDoS) attacks.
     • January 19, 2012
       • Prior to 2:00 pm
         • Provided initial assessment to DOJ and FBI on potential impacts before MegaUpload takedown
         • Provided on-site analyst support of the operation at FBI
         • DHS and DOJ prepared a joint Public Service Announcement (PSA)
       • After 2:00 pm
         • US-CERT released the PSA to the US-CERT Portal. A portion of the PSA is released to the public through the US-CERT.gov website
       • After 5:00 pm
         • DOJ reported Justice.gov is under a DDoS attack.
         • US-CERT provided assistance to help mitigate.
       • After 8:00 pm
         • US-CERT noticed FBI.gov appears to be down, possibly due to a DDoS. US-CERT confirms with DOJSOC.
         • US-CERT provided assistance to help mitigate.
       • After 9:00 pm
         • Justice.gov and FBI.gov are back online
         • WhiteHouse.gov under an attempted DDoS attack. Executive Office of the President provided data to US-CERT to help mitigate.
     • January 20, 2012
       • Analyzed data submitted and continued monitoring to detect and respond to any attacks targeting U.S. Government Departments and Agencies

  16. Rapid Response and Assistance – U.S. Government
     US-CERT’s dedicated network defenders augment federal agency capabilities.
     • DOT, State of Florida
       • Received an initial report regarding FO2-related activity on DOT State of Florida networks.
       • January 2011
         • Reached out to the DHS Fusion Center in Florida
         • The Multi-State Information Sharing and Analysis Center (MS-ISAC) and FBI were already engaged
         • FO2-related activity had been ongoing for ~one week
         • Florida DOT was unable to contain the situation and requested assistance from US-CERT
         • Deployed on-site technical assistance
         • Analysts reviewed logs to identify compromised systems and provided additional insight into malicious activity
       • January – April 2011
         • Conducted analysis on images acquired from suspected compromised system and determined activity was indicative of a known intrusion set
       • April 2011
         • Delivered a final Digital Media Analysis Report (DMAR)
     • National Science Foundation
       • Provided considerable support to the National Science Foundation (NSF).
       • Beginning in May 2011:
         • Provided on-site technical assistance
         • After NSF subscribed to EINSTEIN coverage through a Managed Trusted Internet Protocol Services (MTIPS) provider:
           • Attributed malicious activity to multiple FO-related intrusion sets
           • Led to further assistance, including malware and forensic analysis
       • June 2011
         • Released products to inform of findings, including:
           • Malware Initial Findings Report (MIFR) to capture preliminary analysis of the submitted malware artifacts
           • Digital Media Analysis Report (DMAR) detailing malicious files found on the NSF’s machines

  17. Rapid Response and Assistance – Private Sector
     DHS/US-CERT has been identified as mitigation lead in joint on-site response.
     • RSA
       • Led incident mitigation efforts after information was extracted from RSA’s company network. Deployed Subject Matter Experts (SMEs) within 24 hours of request in March 2011.
       • Sharing Critical Information to Reduce Risks
         • March 16: Released a Technical Information Paper (TIP) on System Integrity Best Practices
         • March 17: Released an Advisory on Increased Threats to Authentication Services
         • RSA released an open letter acknowledging a sophisticated attack
         • March 18: Released an Early Warning and Indicator Notice (EWIN),* then subsequent EWIN Updates
         • March 19: Released a Security Awareness Report (SAR)* including recommended mitigations and a reporting framework for federal departments and agencies
     • NASDAQ
       • First large-scale, multi-agency engagement with key law enforcement and intelligence partners.
       • Collaborative Response – Primary Roles
         • Law Enforcement: Investigation
         • Intelligence Community: Intelligence Gathering
         • DHS/US-CERT: Mitigation
       • Key Points
         • Intrusion first detected in October 2010. Nearly six weeks of on-site technical support
         • Developed NASDAQ mitigation strategy, and upon deployment, monitored for actor’s response activity
         • Released multiple products to inform upon findings, including Early Warning and Indicator Notices (EWINs)* and subsequent EWIN Updates
         • Due to the nature of the intrusion and profile of the victim, engaged additional financial sector entities
         • Developed generally applicable mitigation strategies for the financial sector
         • Established as Mitigation Lead within Joint Action Plan, providing a model for all subsequent engagements
     *EWINs and SARs feature US-CERT’s own unique analysis and indicators that partners may not otherwise see from the law enforcement and intelligence communities.

  18. Rapid Response and Assistance – International
     US-CERT consistently and proactively engages with international entities.
     • DigiNotar
       • Received notification from a trusted third party regarding fraudulent SSL security certificates issued by Dutch Certificate Authority (CA) DigiNotar.
       • Timeline of US-CERT’s involvement:
         • Day One (September 5, 2011)
           • Coordinated directly with GOVCERT.NL and Microsoft
         • Days Two – Three
           • Developed a joint US-CERT/GOVCERT.NL document
           • Reached out directly to GlobalSign
         • Days Three – Eight
           • Participated in a call with 15 member nations of the IWWN
           • Released the joint US-CERT/GOVCERT.NL product to IWWN
         • Day Nine
           • GlobalSign resumed issuing certificates
       • As of November 28:
         • GOVCERT.NL has provided malware to US-CERT for analysis
         • The direct issue from DigiNotar has been resolved
     • Nitro
       • Received information from Symantec regarding a spear phishing campaign targeting hundreds of individuals in at least 20 different countries.
       • October 31, 2011
         • Individuals within the chemical, defense, and several other sectors received emails that, when opened, installed a mechanism that grants the attacker(s) remote access to the infected machines.
       • November 2, 2011
         • During the next 48 hours, US-CERT released one Early Warning Indicators Notice (EWIN) and two Situational Awareness Reports (SARs) to its partners and constituents.
         • US-CERT analysis revealed three additional domains involved in the campaign. One of these domains had not been previously reported and was first seen by US-CERT the morning the reports were released. As a result, US-CERT was able to notify its constituents of a new command and control domain on the same day it was being prepped for use.

  19. National-level Strategic Initiatives
     [Diagram: NRF Cyber Incident Annex (Physical / Cyber), National Cyber Incident Response Plan, Sector Operational Plans, Organizational Operational Plans]
     US-CERT influences national-level cybersecurity policy and strategic planning efforts on behalf of its constituency.
     • National Cyber Incident Response Plan (NCIRP)
       • Unified Coordination Group (UCG)
       • Incident Management Team (IMT)
     • National Response Framework (NRF) Cyber Incident Annex
     • National Infrastructure Protection Plan (NIPP)
     • Department of Defense (DoD) Plans
       • Cyber Defense Support to Civil Authorities (DSCA)
       • Homeland Defense Cyber Annex

  20. Working Across Boundaries
     US-CERT proactively builds partnerships to establish shared situational awareness and facilitate incident response.
     • CIKR Cyber Information Sharing and Collaboration Program (CISCP)
       • US-CERT analysts collaborate with major private sector firms, Information Sharing and Analysis Centers (ISACs), and federal cyber centers to mitigate cyber threats
     • Cyber Operations Resilience Review (CORR) Pilot Program
       • US-CERT proactively assesses threats to five financial sector institutions by analyzing voluntarily submitted data
       • Joint effort between DHS, Treasury, and the BITS Financial Services Roundtable
     • Collaboration with International CERTs and CSIRTs
       • Facilitates shared situational awareness of international threats
       • Includes participation in the IWWN and the Forum of Incident Response and Security Teams (FIRST)
     • Multi-State Information Sharing and Analysis Center (MS-ISAC)
       • DHS/US-CERT provides funding to extend the US-CERT mission to the States, including managed security services and netflow monitoring for State and municipal governments
     • Cyber Exercises
       • US-CERT participates in internally and externally hosted exercises to ensure US-CERT is fully trained on processes and procedures, including a lead role in DHS’ premier cyber exercise series – CyberStorm

  21. Continuing to Grow Capabilities
     • EINSTEIN 3
       • The next generation of EINSTEIN will provide the capability to stop attacks as they occur
     • Block 2.2
       • Cyber Indicators Repository (CIR)
         • Interactive analytical platform for sharing and evaluating indicators of malicious activity across multiple sectors
       • Information Sharing and Collaboration Environment (ISCE)
         • Dynamic collaboration platform bringing together stakeholders from multiple sectors
       • Enhanced toolsets to facilitate more dynamic and efficient analysis
     • CNCI-5 Information Sharing Architecture
       • Closely engaging with other federal cyber centers to develop a comprehensive framework for near-real-time information sharing
     • USSS Critical Systems Protection (CSP)
       • Providing unique subject matter expertise to the USSS to support the protection of critical systems with which POTUS and VPOTUS interact when on travel

  22. US-CERT Tomorrow and Beyond…
     Vision: Trusted global leader in cybersecurity – collaborative, agile, and responsive in a complex environment.
     US-CERT’s vision is based on several key principles that describe the organization we are building:
     • Collaborative
       • Provides technical and non-technical platforms and forums to support information sharing and enhance partner and constituent capabilities
     • Agile
       • Adapts rapidly to the evolving threat environment by dynamically leveraging people, process, and technology
     • Responsive
       • Acquires early knowledge of cyber threats and provides actionable guidance that protects the homeland’s cyber assets and information
     • Trusted
       • Conducts general and targeted outreach to build confidence among partners and constituents
     • Global
       • Builds and maintains operational relationships with trusted international partners to respond to the transnational cyber threat
     • Leader
       • Recognized experts in cybersecurity at strategic, tactical, operational, and technical levels

  23. Contact US-CERT
     Save the Date: 8th Annual GFIRST National Conference
     • August 19-24, 2012
     • Atlanta Marriott Marquis, Atlanta, Georgia
