DHS / US-CERT Overview Brian Zeitz Chief, Incident Management Unit, United States Computer Emergency Readiness Team, Department of Homeland Security


Page 1: DHS / US-CERT Overview

DHS / US-CERT Overview

Brian Zeitz, Chief, Incident Management Unit, United States Computer Emergency Readiness Team, Department of Homeland Security

DHS History

September 11, 2001: Terrorists attack the United States

October 8, 2001: President George W. Bush creates the White House Office of Homeland Security

November 19, 2002: Congress passes legislation mandating the Department of Homeland Security

November 25, 2002: President Bush signs the Homeland Security Act into law

January 24, 2003: The department becomes operational

March 2, 2003: The majority of previously existing agencies transfer to the Department of Homeland Security


DHS Structure


Mission Areas

Preventing Terrorism and Enhancing Security

Securing and Managing our Borders

Enforcing and Administering our Immigration Laws

Safeguarding and Securing Cyberspace

Ensuring Resilience to Disasters

U.S. Critical Infrastructure

The Department of Homeland Security (DHS) is responsible for securing federal civilian networks, the nation’s cyberspace, and critical infrastructure.


DHS Organizational Chart

Positions shown on the chart, from the top down:

Secretary of Homeland Security
  Under Secretary of National Protection & Programs Directorate
    Assistant Secretary of Cybersecurity & Communications
      National Cybersecurity and Communications Integration Center (NCCIC)
      Director of the Office of Emergency Communications
      Director of the National Communications System
      Director of the National Cyber Security Division
        Director, Critical Infrastructure Cyber Protection & Awareness
        Director, Global Cyber Security Management
        Director, US-CERT Operations
        Director, Federal Network Security
        Director, Network Security Deployment


Securing the Nation’s Critical Systems

Vision: Trusted global leader in cybersecurity – collaborative, proactive, and responsive in a dynamic and complex environment.

Mission: US-CERT improves the Nation’s cybersecurity posture, coordinates cyber information sharing, and proactively manages cyber risks to the Nation while protecting the constitutional rights of Americans.


Strategic Goals

1. Protect the nation’s cyber information infrastructure by analyzing cyber threats and vulnerabilities and providing timely and actionable information

2. Coordinate partnerships across sectors to achieve shared situational awareness across the global cyber infrastructure

3. Respond to cyber incidents to minimize incidents and support recovery efforts

Core Activities

Identify, research, and verify suspicious cyber activity;
Understand the nature of incidents and vulnerabilities, determine impacts and set priorities;
Share timely and actionable information;
Build and maintain strong collaborative partnerships with public, private, and international partners;
Identify, prioritize and escalate cyber incident response activities; and
Collaborate with partners to respond to and mitigate significant cyber incidents.


US-CERT Organizational Chart

Directors

US-CERT Director: Jenny Menna (Acting)
Deputy Director: Tom Baer
Operations: Mark Austin, Director
Operations Coordination & Integration: Brett Lambo, Director
Future Operations: Ray Kinstler, Director

Branch Chiefs

Incident Management: Brian Zeitz, Chief
Detection and Analysis: Mike Jacobs, Chief
Digital Analytics: Byron Copeland, Chief
Coordination: Dave Brown, Chief
Communications: Tom Millar, Chief
Plans: Matt Solomon, Chief
Readiness: Dan Medina, Chief
Technology Solutions: Nick Jogie, Chief

Oversight & Compliance: Kurt Steiner, Officer
Front Office Support (Exec Sec, Admin)

Data as of 06/20/2012


US-CERT maintains a strong presence in the National Cybersecurity and Communications Integration Center (NCCIC), the Nation’s principal arena for organizing response to significant cyber incidents.

24x7 Integrated Operations Center

The NCCIC represents a broader national effort to address the diversity of cyber attacks and prevent potentially devastating consequences.

Each component maintains its own operating mission while supporting the development of a Common Operational Picture (COP).

The NCCIC is comprised of organizational components and operational partners.

NCCIC components: ICS-CERT, NCC, I&A, US-CERT

Partners: CSMC, D/A SOCs, DoD, FBI, ICE CCC, IC-IRC, ISACs, NCIJTF, NICC, NOC, NRCC, NTOC, Treasury, USSS, et al.


Uniquely Positioned Among Federal Cyber Centers

National Cyber Investigative Joint Task Force (NCI-JTF)

Department of Defense Cyber Crime Center (DC3)

US Cyber Command (USCYBERCOM)

Intelligence Community Incident Response Center (IC-IRC)

US Computer Emergency Readiness Team (US-CERT)

NSA/Central Security Service (CSS) Threat Operations Center (NTOC)

* US-CERT regularly partners with FBI and USSS teams in the same capacity as those from the cyber centers


Einstein Monitoring

Einstein Network Analysts within US-CERT’s Operations branch monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation.

US-CERT created the Einstein Program to help agencies more effectively protect their systems and networks.

Key capabilities include:

Einstein 1 (E1): Flow Collection – initial analytics and information sharing capabilities

Einstein 2 (E2): Intrusion Detection – improved sensors to identify malicious activity

Einstein 3 (E3): Intrusion Prevention – improved protection to prevent malicious activity


Indicators Management

Einstein is one source from which US-CERT collects cyber threat indicators. US-CERT is developing an Indicators Database to collect and correlate indicator information.


Digital Media and Malware Analysis

US-CERT’s Digital Media Analysts and Code Analysts collaborate to improve the understanding of current and emerging threats.


Response & Assistance

Dedicated teams ensure appropriate and accurate technical assistance is provided with the right level of subject matter expertise, including:

Digital Media and Malware Analysis
Defensive Analysis
Mitigation Strategy Development
Threat/Attack Vector Analysis
Vendor Analysis Coordination

Deployable teams can provide specialized subject matter expertise required to mitigate an incident or prevent an event from escalating.

Activities are based on the nature and severity of the incident, and focus on tracking impacted parties’ progress toward resolving the issue.


Rapid Response and Assistance – U.S. Government


MegaUpload

Worked closely with the Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) prior to takedown and to mitigate subsequent distributed denial of service (DDoS) attacks.

January 19, 2012, prior to 2:00 pm: Provided initial assessment to DOJ and FBI on potential impacts before MegaUpload takedown. Provided on-site analyst support of the operation at FBI. DHS and DOJ prepared a joint Public Service Announcement (PSA).

After 2:00 pm: US-CERT released the PSA to the US-CERT Portal. A portion of the PSA is released to the public through the US-CERT.gov website.

After 5:00 pm: DOJ reported Justice.gov is under a DDoS attack. US-CERT provided assistance to help mitigate.

After 8:00 pm: US-CERT noticed FBI.gov appears to be down, possibly due to a DDoS. US-CERT confirms with DOJ SOC. US-CERT provided assistance to help mitigate.

After 9:00 pm: Justice.gov and FBI.gov are back online. WhiteHouse.gov under an attempted DDoS attack. Executive Office of the President provided data to US-CERT to help mitigate.

January 20, 2012: Analyzed data submitted and continued monitoring to detect and respond to any attacks targeting U.S. Government Departments and Agencies.

US-CERT’s dedicated network defenders augment Federal agency capabilities.


Rapid Response and Assistance – U.S. Government

DOT, State of Florida

Received an initial report regarding FO2-related activity on DOT State of Florida networks.

January 2011: Reached out to the DHS Fusion Center in Florida. The Multi-State Information Sharing and Analysis Center (MS-ISAC) and FBI were already engaged. FO2-related activity had been ongoing for ~one week. Florida DOT was unable to contain the situation and requested assistance from US-CERT. Deployed on-site technical assistance. Analysts reviewed logs to identify compromised systems and provided additional insight into malicious activity.

January – April 2011: Conducted analysis on images acquired from suspected compromised system and determined activity was indicative of a known intrusion set.

April 2011: Delivered a final Digital Media Analysis Report (DMAR).

National Science Foundation

Provided considerable support to the National Science Foundation (NSF).

Beginning in May 2011: Provided on-site technical assistance. After NSF subscribed to EINSTEIN coverage through a Managed Trusted Internet Protocol Services (MTIPS) provider: attributed malicious activity to multiple FO-related intrusion sets; led to further assistance, including malware and forensic analysis.

June 2011: Released products to inform of findings, including:

Malware Initial Findings Report (MIFR) to capture preliminary analysis of the submitted malware artifacts

Digital Media Analysis Report (DMAR) detailing malicious files found on the NSF’s machines

US-CERT’s dedicated network defenders augment federal agency capabilities.


Rapid Response and Assistance – Private Sector

NASDAQ

First large-scale, multi-agency engagement with key law enforcement and intelligence partners.

Collaborative Response – Primary Roles
Law Enforcement: Investigation
Intelligence Community: Intelligence Gathering
DHS/US-CERT: Mitigation

Key Points
Intrusion first detected in October 2010.
Nearly six weeks of on-site technical support.
Developed NASDAQ mitigation strategy, and upon deployment, monitored for actor’s response activity.
Released multiple products to inform upon findings, including Early Warning and Indicator Notices (EWINs)* and subsequent EWIN Updates.
Due to the nature of the intrusion and profile of the victim, engaged additional financial sector entities.
Developed generally applicable mitigation strategies for the financial sector.
Established as Mitigation Lead within Joint Action Plan, providing a model for all subsequent engagements.

RSA

Led incident mitigation efforts after information was extracted from RSA’s company network. Deployed Subject Matter Experts (SMEs) within 24 hours of request in March 2011.

Sharing Critical Information to Reduce Risks
March 16: Released a Technical Information Paper (TIP) on System Integrity Best Practices
March 17: Released an Advisory on Increased Threats to Authentication Services; RSA released an open letter acknowledging a sophisticated attack
March 18: Released an Early Warning and Indicator Notice (EWIN),* then subsequent EWIN Updates
March 19: Released a Security Awareness Report (SAR)* including recommended mitigations and a reporting framework for federal departments and agencies

*EWINs and SARs feature US-CERT’s own unique analysis and indicators that partners may not otherwise see from the law enforcement and intelligence communities.

DHS/US-CERT has been identified as mitigation lead in joint on-site response.


Rapid Response and Assistance – International

US-CERT consistently and proactively engages with international entities.

DigiNotar

Received notification from a trusted third party regarding fraudulent SSL security certificates issued by Dutch Certificate Authority (CA) DigiNotar.

Timeline of US-CERT’s involvement:
Day One (September 5, 2011): Coordinated directly with GOVCERT.NL and Microsoft
Days Two – Three: Developed a joint US-CERT/GOVCERT.NL document; reached out directly to GlobalSign
Days Three – Eight: Participated in a call with 15 member nations of the IWWN; released the joint US-CERT/GOVCERT.NL product to IWWN
Day Nine: GlobalSign resumed issuing certificates

As of November 28: GOVCERT.NL has provided malware to US-CERT for analysis; the direct issue from DigiNotar has been resolved.

Nitro

Received information from Symantec regarding a spear phishing campaign targeting hundreds of individuals in at least 20 different countries.

October 31, 2011: Individuals within the chemical, defense, and several other sectors received emails that, when opened, installed a mechanism that grants the attacker(s) remote access to the infected machines.

November 2, 2011: During the next 48 hours, US-CERT released one Early Warning Indicators Notice (EWIN) and two Situational Awareness Reports (SARs) to its partners and constituents.

US-CERT analysis revealed three additional domains involved in the campaign. One of these domains had not been previously reported and was first seen by US-CERT the morning the reports were released.

As a result, US-CERT was able to notify its constituents of a new command and control domain on the same day it was being prepped for use.


National-level Strategic Initiatives

US-CERT influences national-level cybersecurity policy and strategic planning efforts on behalf of its constituency.

National Cyber Incident Response Plan (NCIRP): Unified Coordination Group (UCG), Incident Management Team (IMT)

National Response Framework (NRF) Cyber Incident Annex

National Infrastructure Protection Plan (NIPP)

Department of Defense (DoD) Plans: Cyber Defense Support to Civil Authorities (DSCA), Homeland Defense Cyber Annex

Diagram labels: NRF; Cyber Incident Annex; National Cyber Incident Response Plan; Sector Operational Plans; Organizational Operational Plans; Physical / Cyber


Working Across Boundaries


US-CERT proactively builds partnerships to establish shared situational awareness and facilitate incident response.

CIKR Cyber Information Sharing and Collaboration Program (CISCP): US-CERT analysts collaborate with major private sector firms, Information Sharing and Analysis Centers (ISACs), and federal cyber centers to mitigate cyber threats

Cyber Operations Resilience Review (CORR) Pilot Program: US-CERT proactively assesses threats to five financial sector institutions by analyzing voluntarily submitted data; joint effort between DHS, Treasury, and the BITS Financial Services Roundtable

Collaboration with International CERTs and CSIRTs: Facilitates shared situational awareness of international threats; includes participation in the IWWN and the Forum of Incident Response and Security Teams (FIRST)

Multi-State Information Sharing and Analysis Center (MS-ISAC): DHS/US-CERT provides funding to extend the US-CERT mission to the States, including managed security services and netflow monitoring for State and municipal governments

Cyber Exercises: US-CERT participates in internally and externally hosted exercises to ensure US-CERT is fully trained on processes and procedures, including a lead role in DHS’ premier cyber exercise series – CyberStorm


Continuing to Grow Capabilities


US-CERT Tomorrow and Beyond…

US-CERT’s vision is based on several key principles that describe the organization we are building:

Collaborative: Provides technical and non-technical platforms and forums to support information sharing and enhance partner and constituent capabilities

Agile: Adapts rapidly to the evolving threat environment by dynamically leveraging people, process, and technology

Responsive: Acquires early knowledge of cyber threats and provides actionable guidance that protects the homeland’s cyber assets and information

Trusted: Conducts general and targeted outreach to build confidence among partners and constituents

Global: Builds and maintains operational relationships with trusted international partners to respond to the transnational cyber threat

Leader: Recognized experts in cybersecurity at strategic, tactical, operational, and technical levels

Vision: Trusted global leader in cybersecurity – collaborative, agile, and responsive in a complex environment.


Contact US-CERT

Technical [email protected]
Security Operations Center Phone: +1 888-282-0870
GFIRST [email protected]

Save the Date

8th Annual GFIRST National Conference
August 19-24, 2012
Atlanta Marriott Marquis, Atlanta, Georgia
