DHS / US-CERT Overview
Brian Zeitz, Chief, Incident Management Unit, United States Computer Emergency Readiness Team, Department of Homeland Security
Presenter's Name June 17, 2003
DHS History
September 11, 2001: Terrorists attack the United States
October 8, 2001: President George W. Bush creates the White House Office of Homeland Security
November 19, 2002: Congress passes legislation mandating the Department of Homeland Security
November 25, 2002: President Bush signs the Homeland Security Act into law
January 24, 2003: The department becomes operational
March 2, 2003: The majority of previously existing agencies transfer to the Department of Homeland Security
Mission Areas
Preventing Terrorism and Enhancing Security
Securing and Managing our Borders
Enforcing and Administering our Immigration Laws
Safeguarding and Securing Cyberspace
Ensuring Resilience to Disasters
U.S. Critical Infrastructure
The Department of Homeland Security (DHS) is responsible for securing federal civilian networks, the nation's cyberspace, and critical infrastructure.
DHS Organizational Chart
- Secretary of Homeland Security
  - Under Secretary of National Protection & Programs Directorate
    - Assistant Secretary of Cybersecurity & Communications
      - National Cybersecurity and Communications Integration Center (NCCIC)
      - Director of the Office of Emergency Communications
      - Director of the National Communications System
      - Director of the National Cyber Security Division
        - Director, Critical Infrastructure Cyber Protection & Awareness
        - Director, Global Cyber Security Management
        - Director, US-CERT Operations
        - Director, Federal Network Security
        - Director, Network Security Deployment
Securing the Nation's Critical Systems
Vision: Trusted global leader in cybersecurity – collaborative, proactive, and responsive in a dynamic and complex environment.
Mission: US-CERT improves the Nation's cybersecurity posture, coordinates cyber information sharing, and proactively manages cyber risks to the Nation while protecting the constitutional rights of Americans.
Strategic Goals
1. Protect the nation's cyber information infrastructure by analyzing cyber threats and vulnerabilities and providing timely and actionable information
2. Coordinate partnerships across sectors to achieve shared situational awareness across the global cyber infrastructure
3. Respond to cyber incidents to minimize incidents and support recovery efforts
Core Activities
- Identify, research, and verify suspicious cyber activity;
- Understand the nature of incidents and vulnerabilities, determine impacts and set priorities;
- Share timely and actionable information;
- Build and maintain strong collaborative partnerships with public, private, and international partners;
- Identify, prioritize and escalate cyber incident response activities; and
- Collaborate with partners to respond to and mitigate significant cyber incidents.
US-CERT Organizational Chart (data as of 06/20/2012)
- US-CERT Director: Jenny Menna (Acting)
- Deputy Director: Tom Baer
- Oversight & Compliance: Kurt Steiner, Officer
- Front Office Support (Exec Sec, Admin)
- Operations: Mark Austin, Director
- Operations Coordination & Integration: Brett Lambo, Director
- Future Operations: Ray Kinstler, Director
- Incident Management: Brian Zeitz, Chief
- Detection and Analysis: Mike Jacobs, Chief
- Digital Analytics: Byron Copeland, Chief
- Coordination: Dave Brown, Chief
- Communications: Tom Millar, Chief
- Plans: Matt Solomon, Chief
- Readiness: Dan Medina, Chief
- Technology Solutions: Nick Jogie, Chief
24x7 Integrated Operations Center
US-CERT maintains a strong presence in the National Cybersecurity and Communications Integration Center (NCCIC), the Nation's principal arena for organizing response to significant cyber incidents.
The NCCIC represents a broader national effort to address the diversity of cyber attacks and prevent potentially devastating consequences.
Each component maintains its own operating mission while supporting the development of a Common Operational Picture (COP).
The NCCIC is comprised of organizational components and operational partners.
- NCCIC components: ICS-CERT, NCC, I&A, US-CERT
- Partners: CSMC, D/A SOCs, DoD, FBI, ICE, CCC, IC-IRC, ISACs, NCIJTF, NICC, NOC, NRCC, NTOC, Treasury, USSS, et al.
Uniquely Positioned Among Federal Cyber Centers
- National Cyber Investigative Joint Task Force (NCI-JTF)
- Department of Defense Cyber Crime Center (DC3)
- US Cyber Command (USCYBERCOM)
- Intelligence Community Incident Response Center (IC-IRC)
- US Computer Emergency Readiness Team (US-CERT)
- NSA/Central Security Service (CSS) Threat Operations Center (NTOC)
* US-CERT regularly partners with FBI and USSS teams in the same capacity as those from the cyber centers
Einstein Monitoring
Einstein Network Analysts within US-CERT's Operations branch monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation.
US-CERT created the Einstein Program to help agencies more effectively protect their systems and networks.
Key capabilities include:
- Einstein 1 (E1), Flow Collection: initial analytics and information sharing capabilities
- Einstein 2 (E2), Intrusion Detection: improved sensors to identify malicious activity
- Einstein 3 (E3), Intrusion Prevention: improved protection to prevent malicious activity
Indicators Management
Einstein is one source from which US-CERT collects cyber threat indicators. US-CERT is developing an Indicators Database to collect and correlate indicator information.
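The slides describe flow collection (E1) feeding an indicators database that correlates indicator information across agencies. The following is an added example, not US-CERT's or the Einstein program's own code, of what that correlation step looks like in miniature: flow records are parsed, each destination is tested against a list of indicator networks, and matches are grouped per agency so that a notification can be sent. All flow records, agency names, indicator values and source labels are constructed for illustration.

```python
"""Correlating flow records against an indicator list.

Added example (not US-CERT's or the Einstein program's own code): a toy
model of the flow-collection / indicator-correlation step described in
the slides. Flow records, indicator values and agency names below are all
constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed flow records in a simple comma-separated form:
# timestamp,agency,src_ip,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
2012-06-20T13:01:05Z,AGENCY-A,10.1.5.23,203.0.113.77,443,58210
2012-06-20T13:01:09Z,AGENCY-A,10.1.5.23,198.51.100.10,80,1204
2012-06-20T13:02:41Z,AGENCY-B,10.9.0.8,203.0.113.77,443,9911
2012-06-20T13:03:00Z,AGENCY-B,10.9.0.8,192.0.2.45,8080,772
2012-06-20T13:03:15Z,AGENCY-C,10.20.1.4,198.51.100.10,80,3011
2012-06-20T13:04:59Z,AGENCY-A,10.1.7.9,192.0.2.200,443,64000
"""

# Constructed indicators (documentation-range addresses): a single host and
# a whole block, each tagged with a source so an alert can say where it came from.
SAMPLE_INDICATORS = [
    ("203.0.113.77/32", "partner-report-1"),
    ("192.0.2.0/24", "sensor-signature-7"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    agency: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    flow: Flow
    indicator: str
    source: str


def parse_flow(line: str) -> Flow:
    """Parse one comma-separated flow line; raises ValueError on bad input."""
    ts, agency, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(ts, agency, ipaddress.IPv4Address(src),
                ipaddress.IPv4Address(dst), int(dport), int(nbytes))


def load_indicators(entries) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Turn (cidr, source) pairs into network objects for membership tests."""
    return [(ipaddress.IPv4Network(cidr), source) for cidr, source in entries]


def correlate(flow_text: str, indicators) -> List[Alert]:
    """Return one Alert for every flow whose destination matches an indicator."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        for net, source in indicators:
            if flow.dst in net:
                alerts.append(Alert(flow, str(net), source))
                break  # the first matching indicator is enough for an alert
    return alerts


def by_agency(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group matched indicators by agency, deduplicated, for notification."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a.flow.agency].add(a.indicator)
    return {agency: sorted(inds) for agency, inds in grouped.items()}


if __name__ == "__main__":
    found = correlate(SAMPLE_FLOWS, load_indicators(SAMPLE_INDICATORS))
    for a in found:
        print(f"{a.flow.ts} {a.flow.agency} {a.flow.src}->{a.flow.dst}:{a.flow.dport} "
              f"matched {a.indicator} ({a.source})")
    print(by_agency(found))
```

Grouping by agency is the point of the correlation: the same indicator seen at two agencies (here AGENCY-A and AGENCY-B both reach 203.0.113.77) is what turns one sensor hit into shared situational awareness, and the source tag lets the recipient know whether the indicator came from a partner report or from the sensor layer itself.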
Digital Media and Malware Analysis
US-CERT's Digital Media Analysts and Code Analysts collaborate to improve the understanding of current and emerging threats.
Response & Assistance
Dedicated teams ensure appropriate and accurate technical assistance is provided with the right level of subject matter expertise, including:
Digital Media and Malware Analysis
Defensive Analysis
Mitigation Strategy Development
Threat/Attack Vector Analysis
Vendor Analysis Coordination
Deployable teams can provide specialized subject matter expertise required to mitigate an incident or prevent an event from escalating.
Activities are based on the nature and severity of the incident, and focus on tracking impacted parties’ progress toward resolving the issue.
Rapid Response and Assistance – U.S. Government
US-CERT's dedicated network defenders augment Federal agency capabilities.
MegaUpload
Worked closely with the Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) prior to takedown and to mitigate subsequent distributed denial of service (DDoS) attacks.
January 19, 2012
- Prior to 2:00 pm: Provided initial assessment to DOJ and FBI on potential impacts before the MegaUpload takedown. Provided on-site analyst support of the operation at FBI. DHS and DOJ prepared a joint Public Service Announcement (PSA).
- After 2:00 pm: US-CERT released the PSA to the US-CERT Portal. A portion of the PSA was released to the public through the US-CERT.gov website.
- After 5:00 pm: DOJ reported Justice.gov was under a DDoS attack. US-CERT provided assistance to help mitigate.
- After 8:00 pm: US-CERT noticed FBI.gov appeared to be down, possibly due to a DDoS. US-CERT confirmed with the DOJ SOC. US-CERT provided assistance to help mitigate.
- After 9:00 pm: Justice.gov and FBI.gov were back online. WhiteHouse.gov was under an attempted DDoS attack. The Executive Office of the President provided data to US-CERT to help mitigate.
January 20, 2012
- Analyzed data submitted and continued monitoring to detect and respond to any attacks targeting U.S. Government Departments and Agencies.
Rapid Response and Assistance – U.S. Government
US-CERT's dedicated network defenders augment federal agency capabilities.
DOT, State of Florida
Received an initial report regarding FO2-related activity on DOT State of Florida networks.
January 2011
- Reached out to the DHS Fusion Center in Florida
- The Multi-State Information Sharing and Analysis Center (MS-ISAC) and FBI were already engaged
- FO2-related activity had been ongoing for ~one week
- Florida DOT was unable to contain the situation and requested assistance from US-CERT
- Deployed on-site technical assistance
- Analysts reviewed logs to identify compromised systems and provided additional insight into malicious activity
January – April 2011
- Conducted analysis on images acquired from the suspected compromised system and determined activity was indicative of a known intrusion set
April 2011
- Delivered a final Digital Media Analysis Report (DMAR)
National Science Foundation
Provided considerable support to the National Science Foundation (NSF).
Beginning in May 2011:
- Provided on-site technical assistance after NSF subscribed to EINSTEIN coverage through a Managed Trusted Internet Protocol Services (MTIPS) provider
- Attributed malicious activity to multiple FO-related intrusion sets
- Led to further assistance, including malware and forensic analysis
June 2011
- Released products to inform of findings, including: a Malware Initial Findings Report (MIFR) to capture preliminary analysis of the submitted malware artifacts, and a Digital Media Analysis Report (DMAR) detailing malicious files found on the NSF's machines
Rapid Response and Assistance – Private Sector
DHS/US-CERT has been identified as mitigation lead in joint on-site response.
NASDAQ
First large-scale, multi-agency engagement with key law enforcement and intelligence partners.
Collaborative Response – Primary Roles
- Law Enforcement: Investigation
- Intelligence Community: Intelligence Gathering
- DHS/US-CERT: Mitigation
Key Points
- Intrusion first detected in October 2010.
- Nearly six weeks of on-site technical support
- Developed NASDAQ mitigation strategy, and upon deployment, monitored for actor's response activity
- Released multiple products to inform upon findings, including Early Warning and Indicator Notices (EWINs)* and subsequent EWIN Updates
- Due to the nature of the intrusion and profile of the victim, engaged additional financial sector entities
- Developed generally applicable mitigation strategies for the financial sector
- Established as Mitigation Lead within Joint Action Plan, providing a model for all subsequent engagements
RSA
Led incident mitigation efforts after information was extracted from RSA's company network. Deployed Subject Matter Experts (SMEs) within 24 hours of request in March 2011.
Sharing Critical Information to Reduce Risks
- March 16: Released a Technical Information Paper (TIP) on System Integrity Best Practices
- March 17: Released an Advisory on Increased Threats to Authentication Services; RSA released an open letter acknowledging a sophisticated attack
- March 18: Released an Early Warning and Indicator Notice (EWIN),* then subsequent EWIN Updates
- March 19: Released a Security Awareness Report (SAR)* including recommended mitigations and a reporting framework for federal departments and agencies
*EWINs and SARs feature US-CERT's own unique analysis and indicators that partners may not otherwise see from the law enforcement and intelligence communities.
Rapid Response and Assistance – International
US-CERT consistently and proactively engages with international entities.
DigiNotar
Received notification from a trusted third party regarding fraudulent SSL security certificates issued by Dutch Certificate Authority (CA) DigiNotar.
Timeline of US-CERT's involvement:
- Day One (September 5, 2011): Coordinated directly with GOVCERT.NL and Microsoft
- Days Two – Three: Developed a joint US-CERT/GOVCERT.NL document; reached out directly to GlobalSign
- Days Three – Eight: Participated in a call with 15 member nations of the IWWN; released the joint US-CERT/GOVCERT.NL product to IWWN
- Day Nine: GlobalSign resumed issuing certificates
- As of November 28: GOVCERT.NL has provided malware to US-CERT for analysis; the direct issue from DigiNotar has been resolved
Nitro
Received information from Symantec regarding a spear phishing campaign targeting hundreds of individuals in at least 20 different countries.
- October 31, 2011: Individuals within the chemical, defense, and several other sectors received emails that, when opened, installed a mechanism that grants the attacker(s) remote access to the infected machines.
- November 2, 2011: During the next 48 hours, US-CERT released one Early Warning Indicators Notice (EWIN) and two Situational Awareness Reports (SARs) to its partners and constituents.
US-CERT analysis revealed three additional domains involved in the campaign. One of these domains had not been previously reported and was first seen by US-CERT the morning the reports were released.
As a result, US-CERT was able to notify its constituents of a new command and control domain on the same day it was being prepped for use.
National-level Strategic Initiatives
US-CERT influences national-level cybersecurity policy and strategic planning efforts on behalf of its constituency.
- National Cyber Incident Response Plan (NCIRP): Unified Coordination Group (UCG), Incident Management Team (IMT)
- National Response Framework (NRF) Cyber Incident Annex
- National Infrastructure Protection Plan (NIPP)
- Department of Defense (DoD) Plans: Cyber Defense Support to Civil Authorities (DSCA), Homeland Defense Cyber Annex
[Figure: planning hierarchy spanning physical and cyber, from the NRF Cyber Incident Annex and National Cyber Incident Response Plan down to Sector Operational Plans and Organizational Operational Plans]
Working Across Boundaries
US-CERT proactively builds partnerships to establish shared situational awareness and facilitate incident response.
- CIKR Cyber Information Sharing and Collaboration Program (CISCP): US-CERT analysts collaborate with major private sector firms, Information Sharing and Analysis Centers (ISACs), and federal cyber centers to mitigate cyber threats
- Cyber Operations Resilience Review (CORR) Pilot Program: US-CERT proactively assesses threats to five financial sector institutions by analyzing voluntarily submitted data; a joint effort between DHS, Treasury, and the BITS Financial Services Roundtable
- Collaboration with International CERTs and CSIRTs: Facilitates shared situational awareness of international threats; includes participation in the IWWN and the Forum of Incident Response and Security Teams (FIRST)
- Multi-State Information Sharing and Analysis Center (MS-ISAC): DHS/US-CERT provides funding to extend the US-CERT mission to the States, including managed security services and netflow monitoring for State and municipal governments
- Cyber Exercises: US-CERT participates in internally and externally hosted exercises to ensure US-CERT is fully trained on processes and procedures, including a lead role in DHS' premier cyber exercise series – CyberStorm
US-CERT Tomorrow and Beyond…
US-CERT's vision is based on several key principles that describe the organization we are building:
- Collaborative: Provides technical and non-technical platforms and forums to support information sharing and enhance partner and constituent capabilities
- Agile: Adapts rapidly to the evolving threat environment by dynamically leveraging people, process, and technology
- Responsive: Acquires early knowledge of cyber threats and provides actionable guidance that protects the homeland's cyber assets and information
- Trusted: Conducts general and targeted outreach to build confidence among partners and constituents
- Global: Builds and maintains operational relationships with trusted international partners to respond to the transnational cyber threat
- Leader: Recognized experts in cybersecurity at strategic, tactical, operational, and technical levels
Vision: Trusted global leader in cybersecurity – collaborative, agile, and responsive in a complex environment.
Contact US-CERT
Technical support: [email protected]
Security Operations Center phone: +1 888-282-0870
GFIRST Membership
Save the Date: 8th Annual GFIRST National Conference
August 19-24, 2012
Atlanta Marriott Marquis, Atlanta, Georgia