The Department of Homeland Security is detecting new patterns of cyberattacks from foreign adversaries -- some targeted at particular agencies and others aimed at the entire U.S. government -- due to to special-purpose intrusion-detection systems that will be widely deployed in federal networks during 2010.
Only a handful of agencies -- including DHS, the Department of Agriculture, the State Department and the Department of Interior -- have network traffic flowing through the IDSs, which are called Einstein 2.
The U.S. Computer Emergency Readiness Team (US-CERT) is monitoring the IDSs as well as the Einstein 1 appliances, which collect router net flow data from all federal agencies and the carriers that support them.
Einstein 2 "has been very enlightening…to see what intrusion sets they are actually seeing and how certain ones target particular departments and particular agencies and others you can see every place we are currently operational " says Nicole Dean, deputy director of the National Cybersecurity Division of DHS.
Deployment of Einstein 2 is going hand-and-hand with the federal Trusted Internet Connections (TIC) Initiative, an ongoing effort to secure the external Internet connections operated by federal agencies. (See "U.S. Internet security plan revamped.")
Together, the Einstein program and the TIC Initiative are designed to bolster the ability of federal agencies to detect and respond to a rising tide of cyberattacks.
Einstein 2 has been deployed by nine federal agencies that plan to operate their own TIC-compliant Internet access points as well as three carriers: AT&T, Qwest and Sprint. Verizon is in the midst of deploying Einstein 2, Dean says.
All U.S. federal agencies and carriers that will operate TIC-compliant Internet access points are scheduled to deploy Einstein 2 by year-end.
Dean says DHS is detecting between 100 and 10,000 cyberattacks aimed at each federal agency per week through the Einstein appliances.
Einstein 2 "is allowing us to monitor intrusion sets that weren't previously being monitored and to make that information available through the US-CERT of what's actually occurring and what various types of intrusion sets are active that we may not have been aware of before," Dean says..
The Einstein 2 systems are not using commercially available intrusion-detection signatures.
"Our signatures are highly specialized and are developed with information that US-CERT analysts have gleaned from very particular attacks being sent through our foreign adversaries," Dean says. "We've partnered with the Defense Department…and we've developed signatures based on information we've shared with them."
Einstein 2 is a passive network data collection system that doesn't operate in real time.
"As traffic comes into a department or agency, a mirrored copy is sent to Einstein 2, and Einstein 2 has the signature sets loaded into it and some of that traffic would fire a signature that sends an alert to the US-CERT analyst. Once the signature is fired, then US-CERT will work with the department to deal with the attack," Dean says.
Einstein 2 isn't detecting new cyberattacks; instead it's showing patterns of known malicious activity.
"Every time one of those signature sets shows, we work with the department or agency to clean up that machine and remove it from their network so it can be re-imaged and brought back online in a non-infected state," Dean says.
Next on the DHS' cybersecurity agenda is the deployment of Einstein 3, which will add intrusion-prevention capabilities to federal networks.
With Einstein 3, federal agencies will have near real-time defense against cyberattacks including distributed denial-of-service attacks, which are on the rise.
"Einstein is a spiral development program," Dean says. "That means we will keep adding new capabilities."
Dean recommends that all network operators deploy security capabilities similar to Einstein 2.
Industry "needs to be doing something very similar to what we're doing for the .gov environment," Dean says. "They need to be monitoring their traffic and then looking at the trending data. The trending data is very eye opening. From that, you can tell if your current defenses are working or not. Now that we have Einstein 2 collecting data, we can see if the same intrusion sets are continuing to spread or if agencies' internal mechanisms are keeping that from happening."
Read more about wide area network in Network World's Wide Area Network section.
This story, "Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon" was originally published by Network World.