[Infowarrior] - Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon

Richard Forno rforno at infowarrior.org
Fri Feb 12 12:39:35 UTC 2010


http://www.networkworld.com/news/2010/021110-cybersecurity-einstein-2.html


Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon
DHS intrusion-detection system spots new cyberattack patterns
By Carolyn Duffy Marsan, Network World
February 11, 2010 08:01 AM ET

The Department of Homeland Security is detecting new patterns of  
cyberattacks from foreign adversaries -- some targeted at particular  
agencies and others aimed at the entire U.S. government -- due to  
special-purpose intrusion-detection systems that will be widely  
deployed in federal networks during 2010.
Only a handful of agencies -- including DHS, the Department of  
Agriculture, the State Department and the Department of Interior --  
have network traffic flowing through the IDSs, which are called  
Einstein 2.

The U.S. Computer Emergency Readiness Team (US-CERT) is monitoring the  
IDSs as well as the Einstein 1 appliances, which collect router net  
flow data from all federal agencies and the carriers that support them.

Einstein 2 "has been very enlightening... to see what intrusion sets they  
are actually seeing and how certain ones target particular departments  
and particular agencies and others you can see every place we are  
currently operational," says Nicole Dean, deputy director of the  
National Cybersecurity Division of DHS.

Deployment of Einstein 2 is going hand in hand with the federal  
Trusted Internet Connections (TIC) Initiative, an ongoing effort to  
secure the external Internet connections operated by federal agencies.  
(See "U.S. Internet security plan revamped.")

Together, the Einstein program and the TIC Initiative are designed to  
bolster the ability of federal agencies to detect and respond to a  
rising tide of cyberattacks.

Einstein 2 has been deployed by nine federal agencies that plan to  
operate their own TIC-compliant Internet access points as well as  
three carriers: AT&T, Qwest and Sprint. Verizon is in the midst of  
deploying Einstein 2, Dean says.

All U.S. federal agencies and carriers that will operate TIC-compliant  
Internet access points are scheduled to deploy Einstein 2 by year-end.

Dean says DHS is detecting between 100 and 10,000 cyberattacks aimed  
at each federal agency per week through the Einstein appliances.

Einstein 2 "is allowing us to monitor intrusion sets that weren't  
previously being monitored and to make that information available  
through the US-CERT of what's actually occurring and what various  
types of intrusion sets are active that we may not have been aware of  
before," Dean says.

The Einstein 2 systems are not using commercially available  
intrusion-detection signatures.

"Our signatures are highly specialized and are developed with  
information that US-CERT analysts have gleaned from very particular  
attacks being sent through our foreign adversaries," Dean says. "We've  
partnered with the Defense Department…and we've developed signatures  
based on information we've shared with them."

Einstein 2 is a passive network data collection system that doesn't  
operate in real time.

"As traffic comes into a department or agency, a mirrored copy is sent  
to Einstein 2, and Einstein 2 has the signature sets loaded into it  
and some of that traffic would fire a signature that sends an alert to  
the US-CERT analyst. Once the signature is fired, then US-CERT will  
work with the department to deal with the attack," Dean says.

Einstein 2 isn't detecting new cyberattacks; instead it's showing  
patterns of known malicious activity.

"Every time one of those signature sets shows, we work with the  
department or agency to clean up that machine and remove it from their  
network so it can be re-imaged and brought back online in a  
non-infected state," Dean says.

Next on the DHS' cybersecurity agenda is the deployment of Einstein 3,  
which will add intrusion-prevention capabilities to federal networks.

With Einstein 3, federal agencies will have near real-time defense  
against cyberattacks including distributed denial-of-service attacks,  
which are on the rise.

"Einstein is a spiral development program," Dean says. "That means we  
will keep adding new capabilities."

Dean recommends that all network operators deploy security  
capabilities similar to Einstein 2.

Industry "needs to be doing something very similar to what we're doing  
for the .gov environment," Dean says. "They need to be monitoring  
their traffic and then looking at the trending data. The trending data  
is very eye opening. From that, you can tell if your current defenses  
are working or not. Now that we have Einstein 2 collecting data, we  
can see if the same intrusion sets are continuing to spread or if  
agencies' internal mechanisms are keeping that from happening."
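The passive, signature-driven flow the article describes (a mirrored copy of traffic comes in, a loaded signature fires, an alert goes to an analyst) together with the trending view Dean recommends, as an added example in Python that is not part of the article or of any DHS system; the intrusion-set names, agency names, signatures and traffic records are all constructed.

```python
from collections import defaultdict

# Added example, not DHS/US-CERT code. Signatures, agencies and traffic are
# all constructed; a real signature set is far richer than a port + marker.
SIGNATURES = [
    {"set": "INTRUSION-SET-A", "dst_port": 80, "marker": b"/cmd.php?"},
    {"set": "INTRUSION-SET-B", "dst_port": 443, "marker": b"BEACON"},
]

# Constructed mirrored-traffic records: (week, agency, dst_port, payload).
MIRRORED_TRAFFIC = [
    (1, "agency-1", 80, b"GET /index.html HTTP/1.1"),
    (1, "agency-1", 80, b"GET /cmd.php?x=1 HTTP/1.1"),
    (1, "agency-2", 443, b"BEACON id=7"),
    (2, "agency-1", 80, b"GET /cmd.php?x=2 HTTP/1.1"),
    (2, "agency-2", 80, b"GET /cmd.php?x=3 HTTP/1.1"),
    (2, "agency-3", 443, b"BEACON id=9"),
    (2, "agency-2", 443, b"GET /login HTTP/1.1"),
]

def match(record):
    # Names of the intrusion sets whose signature fires on one record.
    # Passive: the record is a mirrored copy, so nothing is blocked.
    _week, _agency, dst_port, payload = record
    return [s["set"] for s in SIGNATURES
            if s["dst_port"] == dst_port and s["marker"] in payload]

def alerts(records):
    # One alert per firing record: what the analyst hands to the department.
    return [{"week": r[0], "agency": r[1], "set": name}
            for r in records for name in match(r)]

def trend(alert_list):
    # Distinct agencies hit, per intrusion set, per week (weeks in order).
    seen = defaultdict(lambda: defaultdict(set))
    for a in alert_list:
        seen[a["set"]][a["week"]].add(a["agency"])
    return {s: {w: len(ag) for w, ag in sorted(weeks.items())}
            for s, weeks in seen.items()}

def spreading(trend_table):
    # Intrusion sets seen at more agencies in the latest week than the one
    # before: the trend that says internal defenses are not containing it.
    out = []
    for s, weeks in trend_table.items():
        counts = list(weeks.values())
        if len(counts) >= 2 and counts[-1] > counts[-2]:
            out.append(s)
    return sorted(out)
```

On the constructed records, INTRUSION-SET-A goes from one affected agency in week 1 to two in week 2 and is reported as still spreading, while INTRUSION-SET-B holds steady.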
