CERT running security pilots

The programs are designed to bolster the information assurance capabilities of government agencies

The CERT Coordination Center at Pennsylvania's Carnegie Mellon University has developed two unique pilot programs designed to bolster the information assurance capabilities of government agencies.

The number and sophistication of cyberattacks against U.S. government systems have increased in recent years, while the skill level of the individuals launching them has decreased, which makes it even harder for agencies to tell a high school hacker from an extended, coordinated intrusion attempt, said John McHugh, senior member of the technical staff at the CERT Coordination Center (CCC) at Carnegie Mellon.

Speaking May 2 at an Armed Forces Communications and Electronics Association information technology conference in Quantico, Va., McHugh said the basic idea is to make sure that cyber intruders can't take out all the systems all the time since "survivability is the mission-centric notion of information assurance."

To help agencies improve their defenses, the CCC is working on the Automated Incident Reporting (AirCERT) program, a data collection and coordination effort that uses statistical methods to detect emerging threat patterns.

AirCERT uses an open source infrastructure to automatically gather and report security incidents from CCC client Internet sites that agree to have that information inspected, McHugh said. The goal is to "reduce the burden on security analysts by automatically handling well-understood attacks," he said.

The CCC has completed an AirCERT proof-of-concept prototype and is testing the program with members of the Internet community.

The CCC also is working with a defense agency -- which McHugh would not name because of security concerns -- on another program that uses raw data to identify routing anomalies and back doors into a network.

The system, built on NetFlow, the flow-export capability of Cisco routers, collects enormous amounts of unbiased data and analyzes it in "chunks at a time" to establish "traffic baselines" and then detect potentially nefarious activity as deviations from those baselines, McHugh said.

The CCC is working with the defense agency on a detailed analysis of its daily traffic and hopes to use real-time data in the future, he said, adding that agencies and companies that use Cisco Systems Inc. routers can do this type of analysis.

"This is a capability in most Cisco routers, and anyone who wants to can collect this data," McHugh told Federal Computer Week. "We're working with a large government client to develop tools to [enable them to] analyze it themselves."
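As an added illustration of the baselining approach McHugh describes, the following script (written for this page; it is not CERT's or the defense agency's tooling) aggregates constructed NetFlow-style records into hourly chunks per source host, derives a robust baseline (median and median absolute deviation) from the first 24 hours, and flags later hours whose byte volume deviates sharply from that baseline or that talk to a destination and port never seen during the baseline period. The IP addresses, byte counts, the 24-hour training window and the six-MAD threshold are all assumptions chosen for the example.

```python
"""Traffic baselining over NetFlow-style flow records (added example).

Each record is (start_epoch, src, dst, dport, bytes), the subset of a NetFlow
v5 record (srcaddr, dstaddr, dstport, dOctets) needed for volume baselining.
"""
from collections import defaultdict
from statistics import median

BUCKET_SECONDS = 3600   # analyze traffic one hour ("chunk") at a time
MAD_THRESHOLD = 6.0     # assumed: flag buckets more than 6 MADs from the median
T0 = 1_000_000_800      # arbitrary epoch aligned to an hour boundary


def build_flows():
    """Constructed sample records, not real traffic.

    A workstation talks to a mail server and a web proxy at a steady ~100 KB/h
    for 24 hours; in hour 24 it also pushes 50 MB to a never-seen external host
    on a high port, the kind of back door or exfiltration the baseline should expose.
    """
    flows = []
    for hour in range(25):
        base = T0 + hour * BUCKET_SECONDS
        flows.append((base + 60, "10.0.0.5", "10.0.1.25", 25,
                      40_000 + (hour * 7919) % 3000))
        flows.append((base + 900, "10.0.0.5", "10.0.1.80", 3128,
                      60_000 + (hour * 104729) % 4000))
    flows.append((T0 + 24 * BUCKET_SECONDS + 1200, "10.0.0.5",
                  "203.0.113.7", 4444, 50_000_000))
    return flows


def bucketize(flows, bucket_seconds=BUCKET_SECONDS):
    """Aggregate flows into per-(src, bucket) byte totals and peer sets."""
    bytes_per = defaultdict(int)    # (src, bucket) -> total bytes
    peers_per = defaultdict(set)    # (src, bucket) -> {(dst, dport), ...}
    for start, src, dst, dport, nbytes in flows:
        b = start // bucket_seconds
        bytes_per[(src, b)] += nbytes
        peers_per[(src, b)].add((dst, dport))
    return bytes_per, peers_per


def baseline(bytes_per, peers_per, src, train_buckets):
    """Robust per-host baseline: median, MAD, and the set of known peers."""
    vals = [bytes_per.get((src, b), 0) for b in train_buckets]
    med = median(vals)
    # Floor the MAD so a perfectly flat baseline does not divide by zero.
    mad = median(abs(v - med) for v in vals) or 1.0
    known = set().union(*(peers_per.get((src, b), set()) for b in train_buckets))
    return med, mad, known


def score(bytes_per, peers_per, src, bucket, med, mad, known, k=MAD_THRESHOLD):
    """Return human-readable findings for one bucket, empty if it looks normal."""
    vol = bytes_per.get((src, bucket), 0)
    dev = abs(vol - med) / mad
    findings = []
    if dev > k:
        findings.append(
            f"volume {vol} B is {dev:.1f} MADs from baseline median {med:.0f} B")
    for dst, dport in sorted(peers_per.get((src, bucket), set()) - known):
        findings.append(f"new peer {dst}:{dport} not seen during baseline")
    return findings


def analyze(flows, src, train_buckets=24, k=MAD_THRESHOLD):
    """Baseline on the first `train_buckets` chunks, score the rest.

    Returns {bucket_index: [findings, ...]} for buckets with at least one finding.
    """
    bytes_per, peers_per = bucketize(flows)
    buckets = sorted(b for (s, b) in bytes_per if s == src)
    train, rest = buckets[:train_buckets], buckets[train_buckets:]
    med, mad, known = baseline(bytes_per, peers_per, src, train)
    report = {}
    for b in rest:
        findings = score(bytes_per, peers_per, src, b, med, mad, known, k)
        if findings:
            report[b] = findings
    return report


if __name__ == "__main__":
    for bucket, findings in analyze(build_flows(), "10.0.0.5").items():
        for line in findings:
            print(f"bucket {bucket} src 10.0.0.5: {line}")
```

Median and MAD are used rather than mean and standard deviation because a single large transfer in the training window would otherwise inflate the baseline enough to hide later ones; the peer-set check catches low-volume back doors that a volume threshold alone would miss. On a real export the same logic applies to each chunk of the daily data, with the baseline rolled forward as new clean chunks arrive.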