Einstein Presents Big Challenge to U.S.-CERTIG: U.S.-CERT Fails to Adequately Share Critical Data with Agencies
By Richard L. Skinner
Inspector General, Department of Homeland Security
The United States Computer Emergency Readiness Team needs to improve its information sharing and communication efforts with federal agencies to ensure that threats and vulnerabilities are mitigated timely. Specifically, officials from other federal agencies expressed concerns that US-CERT was unable to share near real-time data and classified and detailed information to address security incidents.
Officials from eight agencies interviewed indicated that Einstein is an effective tool but expressed concerns regarding the effectiveness of the U.S-CERT's information sharing and communication. Officials from six agencies expressed concerns regarding U.S.-CERT not sharing Einstein data and analysis results.
According to some of the federal agency officials we interviewed, U.S.-CERT agreed that they would have access to the Einstein flow data but subsequently did not provide the information. This data could assist agencies in performing analyses with their locally collected data to identify potential threats and vulnerabilities. Also, agency officials stated that it would be helpful for U.S.-CERT to list which agencies are being attacked and provide common trends to other agencies to determine whether the incident is isolated or systemic.
Einstein is being deployed in three different versions, whereby, each builds on the capabilities of the previous version:
- Einstein 1 collects and relies on net flow analysis capability and uses net flow collectors. Net flow data is queried for analysis.
Einstein 2 is an intrusion detection system, but is still passive, performing analysis while traffic is continuous. Einstein 2 looks for anomalous activity from net flow information based on every session between two computers on the internet. Einstein 2 is more beneficial for detecting and mitigating cyber incidents because of its ability to analyze packet data. Additionally, Einstein 2 performs full session packet analysis.
Einstein 3 draws on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision making on network traffic entering or leaving the executive branch networks. This system also deploys an intrusion prevention feature.
Agencies indicated that U.S.-CERT has not provided sufficient training on the Einstein program. Some agencies indicated that they received compact disk, portable document format brochures and handbooks about the Einstein program, while other agencies received nothing. Agencies indicated that they would like to receive additional Einstein training from U.S.-CERT. U.S.-CERT officials acknowledged that there are communications issues regarding sharing classified and detailed information with other agencies. For example, U.S.-CERT collects and posts information from several systems and sources to different portals, all of which have different classification levels. As a result, U.S.-CERT officials believe that communications needs could be best addressed by developing a consolidated information sharing portal. The consolidated portal could provide a multiple classification platform and serve as a central repository to meet the needs of the stakeholders.
A challenge U.S.-CERT faces is that many intelligence agencies communicate classified information on top secret/sensitive compartmented information networks. Since not all agencies have access to classified networks, U.S.-CERT is limited in what it can convey. Some agencies do not have secure facilities, equipment and cleared personnel to send or receive classified information.
Fragmented Infrastructures, Legacy Systems, Limited Budgets
U.S.-CERT also has to deal with the various network architectures of the different agencies. Since U.S.-CERT does not have access to each agency's architecture, it is imperative to have the agency chief information officer and chief information security officer involved in addressing cyber activities. Establishing direct, regular communication with agency CIOs/CISOs or key security assurance personnel ensures that U.S.-CERT's cybersecurity efforts are implemented. For example, U.S.-CERT and the CIO/CISO can determine what should be implemented to improve the agency's situational awareness.
Further, they can address network and cybersecurity challenges such as fragmented infrastructures, legacy systems and limited budgets. U.S.-CERT uses working groups and portals to share information with the public and private sectors. For example, U.S.-CERT established the Joint Agency Cyber Knowledge Exchange and Government Forum of Incident Response and Security Teams, or GFIRST, to facilitate collaboration on detecting and mitigating threats to the ".gov" domain and to encourage proactive and preventative security practices. The Joint Agency Cyber Knowledge Exchange meetings are held at a classified level to discuss threat-related tactics, techniques and protocol. Additionally, U.S.-CERT disseminates various reports and notices through the GFIRST and U.S.-CERT portals.
Products U.S.-CERT disseminates include: situational awareness reports, critical infrastructure information notices, federal information notices, early warning indicator notices and malware initial findings reports. These products contain a summary of the incident, mitigation strategies and best practices. The products are disseminated to stakeholders on an as-needed, daily, monthly or quarterly basis.
It is essential that U.S.-CERT and the public and private sectors share cybersecurity information to ensure that appropriate steps can be taken to mitigate the potential effect of a cyber incident. U.S.-CERT cannot defend against and respond consistently and effectively to cyber activity without other agencies' involvement. By sharing potential security threats collected through its data sources, U.S.-CERT can provide agencies with detailed information regarding attacks to their networks.
U.S.-CERT is unable to monitor federal cyberspace in real time. The tools U.S.-CERT uses do not allow real-time analyses of network traffic. As a result, U.S.-CERT will continue to be challenged in protecting the federal cyberspace from security-related threats. U.S.-CERT maintains near real-time situational awareness as it performs information aggregation activities. U.S.-CERT collects data real-time but it must perform analysis on the data in near real-time. Cyber analysts receive information from a variety of sources and other U.S.-CERT activities to identify potential incidents and to assess their possible scope and impact on the nation's cyber infrastructure.
With Einstein, U.S.-CERT can gather more network traffic information and identify cyber activity patterns. However, U.S.-CERT cannot capture all network traffic because Einstein has not been deployed to all federal agencies. Initially, the deployment of Einstein 1 to federal agencies was entirely voluntary. In September 2008, OMB made Einstein part of the Trusted Internet Connections initiative and required all agencies to install sensors on their networks. As of October 2009, National Cybersecurity Division's Network Security Deployment Branch had deployed Einstein 1 to 19 agencies and Einstein 2 to eight agencies. U.S.-CERT is conducting a pilot exercise of Einstein 3 to evaluate its capabilities. According to the Comprehensive National Cybersecurity Initiative and U.S.-CERT officials, Einstein 3 will contain real-time full packet inspection and an intrusion prevention feature. These additions should give U.S.-CERT better response and monitoring capabilities.
According to U.S.-CERT officials, many agencies have not installed Einstein because they have not consolidated their gateways to the Internet. Some agencies have fragmented networks and must upgrade their architectures before Einstein can be deployed.
Six Months Needed to Fix Problems
U.S.-CERT does not have an automated correlation tool to identify trends and anomalies. With this vast amount of network traffic, U.S.-CERT experienced a long lead time to analyze potential security threats or abnormalities. To reduce the lead time, the National Cybersecurity Division purchased an automated correlation tool to analyze the vast amount of data from Einstein. However, U.S.-CERT is experiencing problems with reconfiguring the tool to collect data and understand the overall data flow. U.S.-CERT management stated that it may be six months before the problems are corrected and the benefits of the system can be seen. An effective analysis and warning program is critical to secure the federal information technology infrastructure.
For U.S.-CERT to perform its responsibilities successfully it must have sufficient state-of-the-art technical and analytical tools and technologies to identify, detect, analyze and respond to cyber attacks. Cybersecurity information can provide the public and private sectors with valuable input for mitigating risks and threats, protecting against malicious attacks and prioritizing security improvement efforts.
- Develop a process to distribute and share Einstein trends, anomalies and common/reoccurring attacks with other federal agencies.
- Provide training to federal agencies on using available features of Einstein to foster better cooperation in analyzing and mitigating security incidents.
- Establish a capability to share real time Einstein information with federal agencies partners to assist them in the analysis and mitigation of incidents.
Read Part 1: U.S.-CERT Needs Enforcement Authority.