A Technical History of the SEI
collects over one million pieces of malicious code each month, entering the malware into its Artifact Catalog. As incident responders deal with the growing frequency of malcode-based attacks, they need the ability to analyze malicious code packages quickly, determine the effects of the malicious code, and understand how to mitigate those effects. Similarly, law enforcement agents investigating cybercrimes need the ability to identify the source of malicious code attacks. The CERT/CC has an ongoing effort to develop analysis techniques, tools, and the training to help other responders and investigators increase their capability to research and mitigate malicious code-based attacks. Automated tools significantly decrease analysis time and enable researchers, analysts, and investigators to be increasingly effective at identifying and understanding malicious code. As a result of CERT/CC work, federal agencies have recovered from serious cyber attacks quickly and solved cybercrimes.
The CERT Secure Coding Initiative grew from the conviction that it is not sufficient to merely respond to security compromises and the vulnerabilities behind them. Rather, vendors need to release less vulnerable software in the first place. CERT secure coding guidelines and standards help developers prevent vulnerabilities by addressing them early in product development. Tools for analyzing the code enable vendors to validate conformance to the standards. The result is more secure out-of-the-box software products and protection for DoD, federal agency, and business systems. Secure coding practices are in use by virtually all defense contractors as well as industry vendors.
DoD needs led to the development of network situational awareness tools, along with analysis techniques for quantitatively characterizing threats and targeted intruder activity. At the time, DoD security operations were driven by known issues that were dealt with in real time without knowledge of the threat behind them. The DoD needed retrospective analysis with historical data and a baseline of the Non-Secure Internet Protocol Router Network (NIPRnet) as a whole. CERT toolsets are now in use at large operations centers in the DoD and the Department of Homeland Security; the tools collect and analyze large volumes of data that enable analysts to understand broad network activity and take appropriate action. US-CERT has used Einstein²⁶ to meet statutory and administrative requirements of DHS to help protect federal computer networks and the delivery of essential government services. The CERT Division gains far-reaching influence with open source tools and participation in Internet Engineering Task Force (IETF) working groups.
DoD interest in incidents by insiders—staff, former staff, and contractors—prompted the CERT Division’s initial work on insider threat. CERT analysts realized just how critically serious insider threat is when they met with the Olympic Committee on cyber aspects of the Salt Lake City Olympic Games, a U.S. Secret Service National Special Security Event (NSSE). It formed a CERT insider threat group, which collected hundreds of case studies of actual incidents and worked with federal law enforcement profilers to examine both the technical and behavioral aspects. This research has expanded to specific domains and types of attack, including espionage, enabling the recently established CERT Insider Threat Center to provide more specific and actionable guidance. Using the center’s results, information assurance staff and counterintelligence analysts have implemented technical controls for catching insiders. The DoD and federal civilian agencies are identifying insider threat proactively using SEI techniques and tools instead of turning to forensics after a crime.
²⁶ Einstein is an intrusion detection system that monitors the network gateways of government departments and agencies in the United States for unauthorized traffic (en.wikipedia.org/wiki/Einstein).
CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 164
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.