DHS / US-CERT Overview
Brian Zeitz
Chief, Incident Management Unit,
United States Computer Emergency Readiness Team,
Department of Homeland Security
DHS History
- September 11, 2001: Terrorists attack the United States
- October 8, 2001: President George W. Bush creates the White House Office of Homeland Security
- November 19, 2002: Congress passes legislation mandating the Department of Homeland Security
- November 25, 2002: President Bush signs the Homeland Security Act into law
- January 24, 2003: The department becomes operational
- March 2, 2003: The majority of previously existing agencies transfer to the Department of Homeland Security
Presenter’s Name
June 17, 2003
DHS Structure
Mission Areas
- Preventing Terrorism and Enhancing Security
- Securing and Managing our Borders
- Enforcing and Administering our Immigration Laws
- Safeguarding and Securing Cyberspace
- Ensuring Resilience to Disasters
U.S. Critical Infrastructure
The Department of Homeland Security (DHS) is responsible for securing
federal civilian networks, the nation’s cyberspace, and critical infrastructure.
DHS Organizational Chart
Secretary of Homeland Security
  Under Secretary of National Protection & Programs Directorate
    Assistant Secretary of Cybersecurity & Communications
      Director, Network Security Deployment
      National Cybersecurity and Communications Integration Center (NCCIC)
      Director of the National Communications System
      Director of the National Cyber Security Division
        Director, Federal Network Security
        Director, US-CERT Operations
        Director, Global Cyber Security Management
        Director, Critical Infrastructure Cyber Protection & Awareness
      Director of the Office of Emergency Communications
Securing the Nation’s Critical Systems
Vision
Trusted global leader in cybersecurity – collaborative, proactive, and responsive in a
dynamic and complex environment.
Mission
US-CERT improves the Nation’s cybersecurity posture, coordinates cyber information
sharing, and proactively manages cyber risks to the Nation while protecting the
constitutional rights of Americans.
Strategic Goals and Core Activities
1. Protect the nation’s cyber information infrastructure by analyzing cyber threats and vulnerabilities and providing timely and actionable information
   - Identify, research, and verify suspicious cyber activity;
   - Understand the nature of incidents and vulnerabilities, determine impacts and set priorities;
   - Share timely and actionable information;
2. Coordinate partnerships across sectors to achieve shared situational awareness across the global cyber infrastructure
   - Build and maintain strong collaborative partnerships with public, private, and international partners;
3. Respond to cyber incidents to minimize incidents and support recovery efforts
   - Identify, prioritize and escalate cyber incident response activities; and
   - Collaborate with partners to respond to and mitigate significant cyber incidents.
US-CERT Organizational Chart
US-CERT Director: Jenny Menna (Acting)
Deputy Director: Tom Baer
Oversight & Compliance: Kurt Steiner, Officer
Front Office Support (Exec Sec, Admin)
Directorates:
- Operations: Mark Austin, Director
- Operations Coordination & Integration: Brett Lambo, Director
- Future Operations: Ray Kinstler, Director
Branches:
- Incident Management: Brian Zeitz, Chief
- Coordination: Dave Brown, Chief
- Plans: Matt Solomon, Chief
- Detection and Analysis; Communications; Readiness (Chiefs: Mike Jacobs, Dan Medina, Tom Millar)
- Technology Solutions; Digital Analytics (Chiefs: Nick Jogie, Byron Copeland)
Data as of 06/20/2012
24X7 Integrated Operations Center
US-CERT maintains a strong presence in the National Cybersecurity and Communications Integration Center (NCCIC), the Nation’s principal arena for organizing response to significant cyber incidents.
- The NCCIC represents a broader national effort to address the diversity of cyber attacks and prevent potentially devastating consequences.
- Each component maintains its own operating mission while supporting the development of a Common Operational Picture (COP).
The NCCIC is composed of organizational components and operational partners: US-CERT, NCC, ICS-CERT, I&A, CSMC, D/A SOCs, DoD, FBI, ICE CCC, IC-IRC, ISACs, NCIJTF, NICC, NOC, NRCC, NTOC, Treasury, USSS, et al.
Uniquely Positioned Among Federal Cyber Centers
- National Cyber Investigative Joint Task Force (NCI-JTF)
- Department of Defense Cyber Crime Center (DC3)
- US Cyber Command (USCYBERCOM)
- US Computer Emergency Readiness Team (US-CERT)
- NSA/Central Security Service (CSS) Threat Operations Center (NTOC)
- Intelligence Community Incident Response Center (IC-IRC)
* US-CERT regularly partners with FBI and USSS teams in the same capacity as those from the cyber centers
Einstein Monitoring
Einstein Network Analysts within US-CERT’s Operations branch monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation.
US-CERT created the Einstein Program to help agencies more effectively protect their systems and networks.
Key capabilities include:
- Einstein 1 (E1): Flow Collection – Initial analytics and information sharing capabilities
- Einstein 2 (E2): Intrusion Detection – Improved sensors to identify malicious activity
- Einstein 3 (E3): Intrusion Prevention – To improve protection to prevent malicious activity
Indicators Management
Einstein is one source from which US-CERT collects cyber threat
indicators. US-CERT is developing an Indicators Database to collect and
correlate indicator information.
Digital Media and Malware Analysis
US-CERT’s Digital Media Analysts and Code Analysts collaborate to
improve the understanding of current and emerging threats.
Response & Assistance
Activities are based on the nature and severity of the incident, and focus on tracking impacted parties’ progress toward resolving the issue.
Dedicated teams ensure appropriate and accurate technical assistance is provided with the right level of subject matter expertise, including:
- Digital Media and Malware Analysis
- Defensive Analysis
- Mitigation Strategy Development
- Threat/Attack Vector Analysis
- Vendor Analysis Coordination
Deployable teams can provide specialized subject matter expertise required to mitigate an incident or prevent an event from escalating.
Rapid Response and Assistance – U.S. Government
US-CERT’s dedicated network defenders augment Federal agency capabilities.
MegaUpload
Worked closely with the Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) prior to takedown and to mitigate subsequent distributed denial of service (DDoS) attacks.
January 19, 2012
- Prior to 2:00 pm: Provided initial assessment to DOJ and FBI on potential impacts before MegaUpload takedown; provided on-site analyst support of the operation at FBI
- After 2:00 pm: DOJ reported Justice.gov is under a DDoS attack. US-CERT provided assistance to help mitigate.
- After 5:00 pm: US-CERT noticed FBI.gov appears to be down, possibly due to a DDoS. US-CERT confirms with DOJSOC. US-CERT provided assistance to help mitigate.
- After 8:00 pm: DHS and DOJ prepared a joint Public Service Announcement (PSA). Justice.gov and FBI.gov are back online.
- After 9:00 pm: US-CERT released the PSA to the US-CERT Portal. A portion of the PSA is released to the public through the US-CERT.gov website. WhiteHouse.gov under an attempted DDoS attack. Executive Office of the President provided data to US-CERT to help mitigate.
January 20, 2012
- Analyzed data submitted and continued monitoring to detect and respond to any attacks targeting U.S. Government Departments and Agencies
Rapid Response and Assistance – U.S. Government
US-CERT’s dedicated network defenders augment federal agency capabilities.
DOT, State of Florida
Received an initial report regarding FO2-related activity on DOT State of Florida networks.
January 2011
- Reached out to the DHS Fusion Center in Florida
- The Multi-State Information Sharing and Analysis Center (MS-ISAC) and FBI were already engaged
- FO2-related activity had been ongoing for ~one week
- Florida DOT was unable to contain the situation and requested assistance from US-CERT
- Deployed on-site technical assistance
- Analysts reviewed logs to identify compromised systems and provided additional insight into malicious activity
April 2011
- Delivered a final Digital Media Analysis Report (DMAR)
National Science Foundation
Provided considerable support to the National Science Foundation (NSF).
January – April 2011
- Conducted analysis on images acquired from suspected compromised system and determined activity was indicative of a known intrusion set
Beginning in May 2011:
- Provided on-site technical assistance
- After NSF subscribed to EINSTEIN coverage through a Managed Trusted Internet Protocol Services (MTIPS) provider:
  - Attributed malicious activity to multiple FO-related intrusion sets
  - Led to further assistance, including malware and forensic analysis
June 2011
- Released products to inform of findings, including:
  - Malware Initial Findings Report (MIFR) to capture preliminary analysis of the submitted malware artifacts
  - Digital Media Analysis Report (DMAR) detailing malicious files found on the NSF’s machines
Rapid Response and Assistance – Private Sector
DHS/US-CERT has been identified as mitigation lead in joint on-site response.
NASDAQ
First large-scale, multi-agency engagement with key law enforcement and intelligence partners.
Collaborative Response – Primary Roles
- Law Enforcement: Investigation
- Intelligence Community: Intelligence Gathering
- DHS/US-CERT: Mitigation
Key Points
- Intrusion first detected in October 2010. Nearly six weeks of on-site technical support
- Developed NASDAQ mitigation strategy, and upon deployment, monitored for actor’s response activity
- Released multiple products to inform upon findings, including Early Warning and Indicator Notices (EWINs)* and subsequent EWIN Updates
- Due to the nature of the intrusion and profile of the victim, engaged additional financial sector entities
- Developed generally applicable mitigation strategies for the financial sector
- Established as Mitigation Lead within Joint Action Plan, providing a model for all subsequent engagements
RSA
Led incident mitigation efforts after information was extracted from RSA’s company network. Deployed Subject Matter Experts (SMEs) within 24 hours of request in March 2011.
Sharing Critical Information to Reduce Risks
- March 16: Released a Technical Information Paper (TIP) on System Integrity Best Practices
- March 17: Released an Advisory on Increased Threats to Authentication Services
- RSA released an open letter acknowledging a sophisticated attack
- March 18: Released an Early Warning and Indicator Notice (EWIN),* then subsequent EWIN Updates
- March 19: Released a Security Awareness Report (SAR)* including recommended mitigations and a reporting framework for federal departments and agencies
*EWINs and SARs feature US-CERT’s own unique analysis and indicators that partners may not otherwise see from the law enforcement and intelligence communities.
Rapid Response and Assistance – International
US-CERT consistently and proactively engages with international entities.
DigiNotar
Received notification from a trusted third party regarding fraudulent SSL security certificates issued by Dutch Certificate Authority (CA) DigiNotar.
Timeline of US-CERT’s involvement:
Day One (September 5, 2011)
- Coordinated directly with GOVCERT.NL and Microsoft
Days Two – Three
- Developed a joint US-CERT/GOVCERT.NL document
- Reached out directly to GlobalSign
Days Three – Eight
- Participated in a call with 15 member nations of the IWWN
- Released the joint US-CERT/GOVCERT.NL product to IWWN
Day Nine
- GlobalSign resumed issuing certificates
As of November 28:
- GOVCERT.NL has provided malware to US-CERT for analysis
- The direct issue from DigiNotar has been resolved
Nitro
Received information from Symantec regarding a spear phishing campaign targeting hundreds of individuals in at least 20 different countries.
October 31, 2011
Individuals within the chemical, defense, and several other sectors received emails that, when opened, installed a mechanism that grants the attacker(s) remote access to the infected machines.
November 2, 2011
During the next 48 hours, US-CERT released one Early Warning Indicators Notice (EWIN) and two Situational Awareness Reports (SARs) to its partners and constituents.
US-CERT analysis revealed three additional domains involved in the campaign. One of these domains had not been previously reported and was first-seen by US-CERT the morning the reports were released.
As a result, US-CERT was able to notify its constituents of a new command and control domain on the same day it was being prepped for use.
National-level Strategic Initiatives
US-CERT influences national-level cybersecurity policy and strategic planning efforts on behalf of its constituency.
- National Cyber Incident Response Plan (NCIRP)
- Unified Coordination Group (UCG)
- Incident Management Team (IMT)
- National Response Framework (NRF) Cyber Incident Annex
- National Infrastructure Protection Plan (NIPP)
- Department of Defense (DoD) Plans
  - Cyber Defense Support to Civil Authorities (DSCA)
  - Homeland Defense Cyber Annex
[Diagram labels: NRF; Cyber Incident Annex (Physical, Cyber); National Cyber Incident Response Plan; Sector Operational Plans; Organizational Operational Plans]
Working Across Boundaries
US-CERT proactively builds partnerships to establish shared situational awareness and facilitate incident response.
CIKR Cyber Information Sharing and Collaboration Program (CISCP)
- US-CERT analysts collaborate with major private sector firms, Information Sharing and Analysis Centers (ISACs), and federal cyber centers to mitigate cyber threats
Cyber Operations Resilience Review (CORR) Pilot Program
- US-CERT proactively assesses threats to five financial sector institutions by analyzing voluntarily submitted data
  - Joint effort between DHS, Treasury, and the BITS Financial Services Roundtable
Collaboration with International CERTs and CSIRTs
- Facilitates shared situational awareness of international threats
  - Includes participation in the IWWN and the Forum of Incident Response and Security Teams (FIRST)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
- DHS/US-CERT provides funding to extend the US-CERT mission to the States, including managed security services and netflow monitoring for State and municipal governments
Cyber Exercises
- US-CERT participates in internally and externally hosted exercises to ensure US-CERT is fully trained on processes and procedures, including a lead role in DHS’ premier cyber exercise series – CyberStorm
Continuing to Grow Capabilities
EINSTEIN 3
- The next generation of EINSTEIN will provide the capability to stop attacks as they occur
- Block 2.2
Cyber Indicators Repository (CIR)
- Interactive analytical platform for sharing and evaluating indicators of malicious activity across multiple sectors
Information Sharing and Collaboration Environment (ISCE)
- Dynamic collaboration platform bringing together stakeholders from multiple sectors
- Enhanced toolsets to facilitate more dynamic and efficient analysis
CNCI-5 Information Sharing Architecture
- Closely engaging with other federal cyber centers to develop a comprehensive framework for near real time information sharing
USSS Critical Systems Protection (CSP)
- Providing unique subject matter expertise to the USSS to support the protection of critical systems with which POTUS and VPOTUS interact when on travel
US-CERT Tomorrow and Beyond…
Vision: Trusted global leader in cybersecurity – collaborative, agile, and responsive in a complex environment.
US-CERT’s vision is based on several key principles that describe the organization we are building:
- Collaborative: Provides technical and non-technical platforms and forums to support information sharing and enhance partner and constituent capabilities
- Agile: Adapts rapidly to the evolving threat environment by dynamically leveraging people, process, and technology
- Responsive: Acquires early knowledge of cyber threats and provides actionable guidance that protects the homeland’s cyber assets and information
- Trusted: Conducts general and targeted outreach to build confidence among partners and constituents
- Global: Builds and maintains operational relationships with trusted international partners to respond to the transnational cyber threat
- Leader: Recognized experts in cybersecurity at strategic, tactical, operational, and technical levels
Contact US-CERT
Technical Questions
US-CERT Security Operations Center
soc@us-cert.gov
Phone: +1 888-282-0870
Save the Date
8th Annual GFIRST National Conference
August 19-24, 2012
Atlanta Marriott Marquis, Atlanta, Georgia
GFIRST Membership: gfirst@us-cert.gov