
SANS Announces that the Cyber Threat Analysis Division in the Bureau of Diplomatic Security at the State Department wins 2011 U.S. National Cybersecurity Innovation Award

Bureau of Diplomatic Security Wins US National Cybersecurity Innovation Award

Award recognized innovation and excellence in creating effective teams to identify attackers and eliminate malicious code

Christopher Lukas, Chief of the Cyber Threat Analysis Division of the Bureau of Diplomatic Security at the US Department of State receiving the award with White House Cyber Coordinator Howard Schmidt, at the National Cybersecurity Innovation Conference in Washington, DC.

Washington DC, October 25, 2011

The SANS Institute announced today that the Cyber Threat Analysis Division in the Bureau of Diplomatic Security at the State Department has won a 2011 U.S. National Cybersecurity Innovation Award for its ground-breaking innovation in the rapid identification and removal of targeted malware and for its national leadership in deep network forensics and reverse engineering.

Even the best defenses are unable to stop the most determined and well-funded opponents; some attacks get through. When they do, security professionals face one of their hardest tasks: finding the malicious code before it causes more damage. Few groups possess all the skills required to do this, but the Cyber Threat Analysis Division in the Bureau of Diplomatic Security at the State Department has a strong track record of building a team of people skilled in finding, isolating, analyzing, and eliminating malicious code that gets through the defenses.

When the State Department and the Commerce Department were both hit with sophisticated, targeted attacks and had to testify before Congress about what happened in the aftermath, the Commerce Department witness testified that they were unable to find the malicious code, had to replace the infected computers, and did not know whether they had found all instances of the attack, so it may still be stealing sensitive US technology data maintained by the Commerce Department. The Bureau of Diplomatic Security witness, on the other hand, testified that their team found and blocked the attackers almost immediately, that they were able to reverse engineer the malicious software to determine exactly how it worked (and found two zero-day attacks in it), that they helped other agencies protect their systems, and that they helped the anti-virus companies enhance their software to discover other instances of the malicious code. They also cleaned their systems rather than having to replace them.

An analysis by the Center for Strategic and International Studies, performed at the request of the chair of the Congressional subcommittee before which the Commerce and State Department witnesses described their experience, found that the reason the State Department succeeded, where the Commerce Department did not, was simply a matter of skills of the people. The Cyber Threat Analysis Division at the State Department had built a team with high proficiency in each of the following skills:

  1. Monitoring current attack and threat information to identify those that are relevant to the enterprise.
  2. Identifying elements of the organization that are subject to targeted attacks and identifying traffic patterns that define potential attacks.
  3. Differentiating between anomalous traffic patterns caused by misbehaving hardware and that caused by malicious actors using deep understanding of networking, TCP/IP, and logs.
  4. Finding evidence of low and slow attacks (stealthy attacks that might send a few packets only every three or four days).
  5. Setting up and monitoring honeypots.
  6. Establishing expected traffic patterns and log patterns to enable the discovery of anomalous traffic.
  7. Developing scripts and short programs for automating analysis of logs and network traffic.
  8. Reverse engineering malware to identify behaviors and to point to other systems that may have been attacked.

For creating effective teams to identify attackers and eliminate malicious code by recruiting, training, nurturing, and retaining key people with the right mix of critical skills, the 2011 National Cybersecurity Innovation Award is presented to the Cyber Threat Analysis Division of the Bureau of Diplomatic Security at the US Department of State.

About the National Cybersecurity Innovation Awards

The National Cybersecurity Innovation Awards recognize companies and government agencies that have developed and deployed innovative processes or technologies that (1) are innovative in that they have not been deployed effectively before, (2) can show a significant impact on reducing cyber risk, (3) can be scaled quickly to serve large numbers of people, and (4) should be adopted quickly by many other organizations. Nominators for the awards include most of the senior government officials involved with cybersecurity as well as those from the major Cybersecurity Information Sharing and Analysis Centers (ISACs). Corporations and individuals, including SANS instructors, also nominated innovations. Each nomination was tested by the SANS research department against the criteria; those that met *all* four were recognized. More than 50 nominations were received; 14 were selected.

Press persons who want to talk with the AF 39th IOS or ask other questions should contact:
Alan Paller, apaller@sans.org, (301) 951-0102 x108
US Department of State: Brian Leventhal, 571-345-2499

About SANS

Established in 1989 as a cooperative research and education organization, SANS' programs reach more than 400,000 security professionals, auditors, system administrators, and network administrators who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. (www.sans.org)
