February 11, 2010, 10:16 AM — The Department of Homeland Security is detecting new patterns of cyberattacks from foreign adversaries -- some targeted at particular agencies and others aimed at the entire U.S. government -- thanks to special-purpose intrusion-detection systems that will be widely deployed in federal networks during 2010.
Only a handful of agencies -- including DHS, the Department of Agriculture, the State Department and the Department of Interior -- have network traffic flowing through the IDSs, which are called Einstein 2.
The U.S. Computer Emergency Readiness Team (US-CERT) is monitoring the IDSs as well as the Einstein 1 appliances, which collect router net flow data from all federal agencies and the carriers that support them.
Einstein 2 "has been very enlightening ... to see what intrusion sets they are actually seeing and how certain ones target particular departments and particular agencies and others you can see every place we are currently operational," says Nicole Dean, deputy director of the National Cybersecurity Division of DHS.
Deployment of Einstein 2 is going hand in hand with the federal Trusted Internet Connections (TIC) Initiative, an ongoing effort to secure the external Internet connections operated by federal agencies. (See "U.S. Internet security plan revamped.")
Together, the Einstein program and the TIC Initiative are designed to bolster the ability of federal agencies to detect and respond to a rising tide of cyberattacks.
Einstein 2 has been deployed by nine federal agencies that plan to operate their own TIC-compliant Internet access points as well as three carriers: AT&T, Qwest and Sprint. Verizon is in the midst of deploying Einstein 2, Dean says.
All U.S. federal agencies and carriers that will operate TIC-compliant Internet access points are scheduled to deploy Einstein 2 by year-end.
Dean says DHS is detecting between 100 and 10,000 cyberattacks aimed at each federal agency per week through the Einstein appliances.
Einstein 2 "is allowing us to monitor intrusion sets that weren't previously being monitored and to make that information available through the US-CERT of what's actually occurring and what various types of intrusion sets are active that we may not have been aware of before," Dean says.
The Einstein 2 systems are not using commercially available intrusion-detection signatures.