Development process and construction stages of network security situation awareness in the United States - Security Village

Posted by fierce at 2020-03-27

1、 The process of building basic network security defenses in the United States

In 1996, Presidential Decree No. 13010 was issued. It gave the first definition of the scope of critical infrastructure and required the establishment of critical infrastructure protection agencies, responsible for studying the weak points of and threats to critical infrastructure security and for making recommendations on relevant policy planning.

In May 1998, PDD-63, the presidential directive on "protecting the critical infrastructure of the United States", was issued. It made the protection of national critical infrastructure an explicit national goal and designated the departments responsible for protecting important infrastructure. In the same year, the National Security Agency (NSA) formulated the Information Assurance Technical Framework (IATF) and proposed the "defense in depth" strategy, whose strategic objectives cover four areas: defending the network and infrastructure, defending the enclave boundary, defending the computing environment, and the supporting infrastructure.

In January 2000, the first U.S. national plan for protecting critical infrastructure, the National Plan for Information Systems Protection, was released. It specifies action measures for threat assessment, public-private information sharing, emergency response, personnel training and privacy protection, and reinforces the awareness that government and the private sector share responsibility for network security.

The Patriot Act, enacted in October 2001, redefined the scope of critical infrastructure and proposed building a system for critical infrastructure modeling, simulation and analysis. In the same period, President Bush issued Presidential Decrees 13228 and 13231, which created the post of presidential Cyberspace Security Adviser and the President's Critical Infrastructure Protection Committee.

In 2002, the U.S. Critical Infrastructure Protection Committee implemented a new program called Project Matrix, which aims to identify the government's key systems and determine the threats they face and their ability to withstand them. DISA developed the "local defense system" and launched an emergency communications plan.

The Federal Information Security Management Act (FISMA), enacted in 2002, defines a broad framework for protecting government information, operations and assets from natural and man-made threats. FISMA assigns responsibility to a range of agencies to ensure the security of federal data.

In September 2002, the Bush administration released the draft National Strategy to Secure Cyberspace, which became a programmatic document guiding the national information strategic planning of the United States in an all-round way.

The Homeland Security Act, which came into force in November 2002, established the Department of Homeland Security (DHS) and made specific, detailed provisions on the organization, functions and target tasks of critical infrastructure protection.

In February 2003, the Bush administration issued the National Strategy to Secure Cyberspace and the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The former established a preliminary framework for countering cyber attacks launched by terrorists, criminals or hostile countries, while the latter introduced the concept of "key assets" and clarified the responsibilities of government and private institutions for protecting critical infrastructure.

In December 2003, the U.S. government issued Homeland Security Presidential Directive No. 7, "Critical Infrastructure Identification, Prioritization, and Protection" (HSPD-7), which set the direction for government departments and relevant agencies in protecting critical infrastructure from the threat of terrorism, clarified the tasks and responsibilities of DHS and other agencies, and revised the arrangements for cooperation among departments in protecting critical infrastructure.

On June 30, 2006, DHS issued the National Infrastructure Protection Plan, which sets out the tasks and responsibilities of national infrastructure protection, risk assessment strategies, education and training, and so on, providing government agencies at all levels and the private sector with an implementation framework for managing the nation's important infrastructure and key resources.

During this stage the U.S. Department of Defense also developed the "Rainbow Series" of documents, which are important in the field of information security; the Orange Book is the predecessor of the Common Criteria (CC, adopted in China as GB/T 18336), which is now widely used. The overall goal of the United States in this period was to establish the technical and management capabilities to deal with traditional information security threats, which laid a deep foundation for the later situation awareness capability.

2、 The process of building basic U.S. situation awareness capabilities

The construction of network security situation awareness in the United States calls for establishing complete data capture and analysis capabilities locally within each part of the federal government, together with a national-level security operations center that analyzes and displays the passively collected monitoring data in real time. During this period, the United States launched its "Manhattan plan" for information security, the Comprehensive National Cybersecurity Initiative (CNCI), which aims to improve the defensive capability of important U.S. network facilities, protect U.S. cyberspace security, guard the United States against malicious or hostile electronic attacks of all kinds, and build a national-level network security defense system.

CNCI has 12 sub-plans, several of which are closely related to situation awareness, including the Trusted Internet Connections (TIC) plan and the well-known Einstein plan. CNCI also covers information sharing, operating mechanisms, counterintelligence and so on. The main sub-plans are briefly introduced below.

2.1 Trusted Internet Connections (TIC) plan

The plan strongly promotes consolidated access for the federal network, and requires "all organizations, whether as TIC Access Providers (TICAPs) or as commercial Managed Trusted Internet Protocol Services (MTIPS) providers under the Networx contract managed by the General Services Administration (GSA)", to participate in the TIC plan.

The plan establishes a small number of TIC (Trusted Internet Connection) access points and has all federal agencies reach the Internet through them, so as to eliminate each agency's separate Internet egress and reduce the security threat. According to the TIC plan, the number of Internet egress points of U.S. federal government agencies would drop from more than 4300 to about 100 by the end of 2009.

Trusted Internet Connections activities, led by the Office of Management and Budget (OMB) and the Department of Homeland Security, involve consolidating the federal government's external access points, including those connected to the Internet. After consolidation, a unified security solution is implemented at these points.

2.2 Einstein I

In accordance with the requirements of the Homeland Security Act of 2002, the Federal Information Security Management Act (FISMA) and Presidential Directive No. 7 (HSPD-7) issued on December 17, 2003, US-CERT developed the Einstein intrusion detection system. The first version of the system can monitor abnormal traffic at the network gateways of U.S. government departments and agencies; federal agencies deployed it voluntarily from 2004 to 2008.

Einstein 1 uses flow-based analysis, specifically deep flow inspection (DFI) over flow records (NetFlow, sFlow, IPFIX, etc.). US-CERT collects this flow information from the various federal government agencies and analyzes it to learn the network situation.

2.3 Einstein II

The U.S. government launched the Einstein 2 plan in 2007 as an enhancement of Einstein 1. On top of the original analysis of abnormal behaviour, the system added the ability to analyze malicious behaviour, giving US-CERT better network situation awareness.

The Einstein 2 system scans all Internet traffic of government computers and copies of that data (including private communications), and inspects the content and metadata of the data for the "known signatures" of malicious computer code that may be used to gain access to or harm government computer systems.

The malicious behaviour analysis technology implemented by Einstein 2 is network intrusion detection: it inspects the packets of TCP/IP communications with DPI to find malicious behaviour (attacks and intrusions). The IDS adopted by Einstein 2 combines signature-based detection and anomaly-based detection, which complement each other. The Einstein 2 project is mainly based on commercial IDS technology and uses a signature library selected by US-CERT.
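To make the two analysis layers described in 2.2 and 2.3 concrete, here is an added example (not code from the original article, from US-CERT or from the Einstein program) that runs a flow-based (DFI) check over constructed NetFlow-style records and a signature-based DPI check over constructed packet payloads. The flow records, payloads, signature patterns and thresholds are all invented for the example; a real deployment would consume exported NetFlow/IPFIX data and a curated signature library.

```python
"""Toy reproduction of the Einstein 1 (flow-based) and Einstein 2 (signature DPI)
detection layers.  All inputs below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds (constructed clock)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


# Constructed NetFlow-v5-style export: ts,src,sport,dst,dport,proto,packets,bytes
FLOW_EXPORT = """\
1000,10.1.1.5,51000,203.0.113.10,443,tcp,12,4800
1001,10.1.1.5,51001,203.0.113.10,443,tcp,10,4100
1002,10.1.1.7,51002,203.0.113.20,443,tcp,9,3900
1003,10.1.1.7,51003,203.0.113.20,80,tcp,8,3500
1004,10.1.1.9,40000,198.51.100.4,21,tcp,3,180
1004,10.1.1.9,40001,198.51.100.4,22,tcp,3,180
1005,10.1.1.9,40002,198.51.100.4,23,tcp,3,180
1005,10.1.1.9,40003,198.51.100.4,25,tcp,3,180
1006,10.1.1.9,40004,198.51.100.4,80,tcp,3,180
1006,10.1.1.9,40005,198.51.100.4,443,tcp,3,180
1200,10.1.1.5,51010,203.0.113.10,443,tcp,9000,52000000
1201,10.1.1.7,51011,203.0.113.20,443,tcp,9,4000
"""

# Constructed signatures standing in for a curated signature library.
SIGNATURES = {
    "SIG-0001-beacon": b"CONSTRUCTED-C2-BEACON/1.0",
    "SIG-0002-dropper": b"CONSTRUCTED-DROPPER-MAGIC",
}

# Constructed packet payloads: (src, dst, dport, payload)
PACKETS = [
    ("10.1.1.7", "203.0.113.20", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.1.1.5", "203.0.113.10", 443,
     b"POST /upload HTTP/1.1\r\nUser-Agent: CONSTRUCTED-C2-BEACON/1.0\r\n\r\n"),
]


def parse_flows(text):
    """Parse the CSV-style export into Flow records, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, packets, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport),
                          proto, int(packets), int(nbytes)))
    return flows


def detect_port_scans(flows, window=60, min_ports=5):
    """DFI check: one source touching many distinct ports on one destination
    within `window` seconds.  Needs only flow headers, no payload."""
    alerts = []
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    for (src, dst), fs in by_pair.items():
        fs.sort(key=lambda f: f.ts)
        for i, start in enumerate(fs):
            ports = {g.dport for g in fs[i:] if g.ts - start.ts <= window}
            if len(ports) >= min_ports:
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "ports": sorted(ports)})
                break  # one alert per (src, dst) pair
    return alerts


def detect_volume_anomalies(flows, baseline_end_ts, factor=20):
    """DFI check: learn each source's mean bytes/flow during the baseline period,
    then flag later flows exceeding that mean by `factor` (e.g. bulk exfiltration)."""
    baseline = defaultdict(list)
    for f in flows:
        if f.ts <= baseline_end_ts:
            baseline[f.src].append(f.nbytes)
    alerts = []
    for f in flows:
        if f.ts > baseline_end_ts and f.src in baseline:
            avg = mean(baseline[f.src])
            if f.nbytes > factor * avg:
                alerts.append({"type": "volume", "src": f.src, "ts": f.ts,
                               "bytes": f.nbytes, "baseline": avg})
    return alerts


def match_signatures(packets, signatures=SIGNATURES):
    """DPI check: look for known byte patterns inside packet payloads."""
    hits = []
    for src, dst, dport, payload in packets:
        for sig_id, pattern in signatures.items():
            if pattern in payload:
                hits.append({"type": "signature", "sig": sig_id,
                             "src": src, "dst": dst, "dport": dport})
    return hits


def analyze(flow_export=FLOW_EXPORT, packets=PACKETS, baseline_end_ts=1100):
    """Run both layers and return the alerts grouped by detector."""
    flows = parse_flows(flow_export)
    return {
        "port_scan": detect_port_scans(flows),
        "volume": detect_volume_anomalies(flows, baseline_end_ts),
        "signature": match_signatures(packets),
    }


if __name__ == "__main__":
    for kind, alerts in analyze().items():
        for alert in alerts:
            print(kind, alert)
```

Running the file prints three alerts: a port scan and a volume anomaly found from flow headers alone (the Einstein 1 layer), and a signature hit that required looking inside a payload (the Einstein 2 layer). The baseline/threshold constants are arbitrary; in practice they are tuned per agency and per egress point.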

2.4 Einstein III plan

In 2008, the United States launched the Einstein 3 plan as part of CNCI, run by DHS (DHS calls it the next-generation Einstein plan). The system planned by Einstein 3 will detect malicious attack agents and take real-time measures to block them before the threat of malicious code reaches government computer systems, so that attacks cannot affect the government network.

The Einstein 3 plan uses commercial technology and NSA technology to perform real-time FPI and threat-based decision analysis on the two-way traffic at government agencies' Internet egress points. With sensors deployed at the TICAPs, an attack can be analyzed and blocked before it enters the government network. The overall goal of the Einstein 3 project is to identify and flag malicious network traffic (especially malicious mail), so as to enhance cyberspace security analysis, situation awareness and security response capabilities. The system will be able to detect network threats automatically and respond appropriately before harm occurs, that is, it has the dynamic defense capability of an intrusion prevention system.

3、 Coordinated operating mechanism of U.S. situation awareness

According to the CNCI, the National Computer Security Center (NCSC) within the Department of Homeland Security (DHS) provides cross-center situation awareness and analysis by coordinating and synthesizing information from six centers, and reports the status of U.S. networks and systems in the intelligence, national defense, homeland security, justice and other domains in order to promote cooperation and coordination.

Each of the six centers has its own strengths in situation awareness, public-private coordination, national defense and foreign intelligence. The six groups keep in contact through communication, information sharing or liaison. The National Computer Security Center (NCSC) builds a cross-domain situation awareness system from these six centers.

The six centers are IC-IRC, NTOC, US-CERT, JTF-GNO, DC3 and NCIJTF. Each center is introduced below:

3.1 National Computer Security Center (NCSC)

The National Computer Security Center (NCSC) is affiliated with DHS and spans four domains: homeland security, intelligence, national defense and justice. NCSC operates around the clock (24h × 7) to formulate policy reports, formulate mitigation measures based on existing threats, and assess the state of cyberspace; it coordinates and integrates the information of the other six centers, provides cross-departmental situation awareness and analysis, and reports the state of U.S. networks and systems in the intelligence, homeland security, national defense and justice domains. The core competence of NCSC lies mainly in national defense and situation awareness.

3.2 Intelligence Community Incident Response Center (IC-IRC)

IC-IRC belongs to ODNI and covers the intelligence domain. IC-IRC operates around the clock (24h × 7) to share and collect information, provide analysis of external threats and help characterize cyberspace attacks; it manages and monitors the networks of the intelligence community, analyzes cyberspace security threats, correlates different events and provides reports, playing an early warning role in cyberspace. IC-IRC also conducts regular cyberspace exercises on ICT systems to better serve cyberspace security. The core competence of IC-IRC lies mainly in three areas: national defense, situation awareness and foreign intelligence.

3.3 Threat Operations Center (NTOC)

NTOC belongs to NSA and covers intelligence and defense. NTOC cooperates with NIST, US-CERT and JTF-GNO to coordinate and organize the response to information system security incidents; evaluates information to detect threats and vulnerabilities in cyberspace and formulates corresponding mitigation measures; cooperates with DIA to analyze threat information sources; and publishes security configuration guides and provides a base for cyberspace security exercises. The core competence of NTOC lies mainly in national defense and foreign intelligence.

3.4 United States Computer Emergency Readiness Team (US-CERT)

US-CERT belongs to DHS and covers the homeland security domain. US-CERT operates around the clock (24h × 7) and provides a platform for communication and cooperation among the public, governments at all levels and the private sector; monitors cyberspace security incidents from different sources in government networks; collects and records cyberspace incidents or public requests related to government networks; runs the TIC and Einstein plans and analyzes all Einstein program data, providing data analysis, malware analysis and related vulnerability assessment; and analyzes anomalous and intrusive behaviour in government network systems in order to protect and improve the U.S. federal network. The core competence of US-CERT lies mainly in situation awareness and public-private coordination.

3.5 Joint Task Force - Global Network Operations (JTF-GNO)

JTF-GNO belongs to DoD and covers intelligence and national defense. JTF-GNO mainly establishes the policy framework for operating the Global Information Grid (GIG); monitors the DoD network, detects vulnerabilities, identifies emerging technologies and related threats, and analyzes anomaly and intrusion detection results in DoD systems; and provides incident reports and possible countermeasures to all NetOps centers. The core competence of JTF-GNO lies mainly in situation awareness and national defense.

3.6 Defense Cyber Crime Center (DC3)

DC3 belongs to DoD and covers intelligence, national defense and justice/counterintelligence. DC3 mainly provides investigative results to the defense criminal investigative organizations. Through these investigations, the Defense Computer Forensics Laboratory obtains digital forensic results from media, carries out digital forensic intelligence work, and provides counterintelligence analysis and diagnostic services. Through the Defense Cyber Crime Institute it also provides recognized standards, processes, methods, research tools and technologies for computer forensics, to meet DoD's current and future needs. The core competence of DC3 lies mainly in national defense.

3.7 National Cyber Investigative Joint Task Force (NCIJTF)

NCIJTF belongs to the FBI and covers intelligence and justice/counterintelligence. NCIJTF operates around the clock (24h × 7). Its main work is to formulate the overall strategy for information warfare, create a strategic framework for centralized coordination among existing institutions, and formulate new measures; to monitor and analyze all-source data and identify discrepancies between intelligence sources; to collect and synthesize an overall picture of intrusion-related activity and identify computer networks that endanger national security; to investigate and respond to counterintelligence threats involving cyberspace security-related products; and to block and respond to cyberspace security threats in a timely manner. The core competence of NCIJTF lies mainly in situation awareness.

According to the National Cyber Incident Response Plan (NCIRP) issued by the United States in 2010, in order to understand risks in cyberspace effectively, departments, bureaus and agencies are required to share identified threats, vulnerabilities and potential impacts on a daily basis. DHS is responsible for integrating and maintaining the national-level common operating picture (COP) through the NCCIC. The COP provides cross-domain situation awareness information; it is a continuously updated comprehensive picture of network threats, vulnerabilities and impacts, including the identification of and early warning about immediate events.

The situation awareness picture draws on a wide range of sources, including federal departments and agencies, the national security and intelligence community, the law enforcement community (including federal, state and local law enforcement), corporate departments, open sources and cyberspace security vendors. Real-time situation awareness is provided to the National Infrastructure Coordinating Center (NICC) and the National Operations Center (NOC). Although the situation awareness picture is the basis of cyber incident response activities, effective cyber incident response requires real-time and accurate coordination of situation awareness.

4、 Construction stage of U.S. cyber deterrence and traceback-countermeasure capabilities

The construction stage of U.S. cyber deterrence and traceback-countermeasure capabilities spans 2011 to 2018. In this stage, the U.S. national strategy gradually shifted from "active defense" to "offensive deterrence". The U.S. government not only issued a number of strategic policies related to cyber deterrence, but also carried out a series of concrete action projects.

4.1 Cyber deterrence and countermeasure policies

On July 14, 2011, the U.S. Department of Defense released its first strategy for operating in cyberspace. Although the Department of Defense stressed that the new strategy focuses on defense, that is, on strengthening the network security protection of the U.S. military and of important infrastructure, all signs indicate that the U.S. military has moved cyberspace deterrence and attack capabilities to a more important position. U.S. media believe that the expansion of U.S. forces into cyberspace may lead to the militarization of cyberspace and an online arms race.

On April 23, 2015, the United States released a new version of the DoD cyber strategy. As an upgrade of the first edition, the July 2011 "cyberspace action strategy", this document aims to define the goals of U.S. cyber operations for the next five years; its three most notable keywords, deterrence, attack and alliance, represent the direction in which U.S. cyber power is developing. The new strategy holds that preventing cyber attacks requires developing and implementing a comprehensive cyber deterrence strategy, "deterring such acts before malicious acts occur on the Internet". To implement deterrence effectively, the United States should have the following capabilities: first, to show its readiness to retaliate through policy declarations; second, to build a strong defensive capability that protects the Department of Defense and the whole country from sophisticated cyber attacks, achieving deterrence by "denial"; third, to improve the resilience of network systems so that Department of Defense networks keep operating even after being attacked, reducing the odds that adversary cyber attacks succeed.

On September 18, 2018, the U.S. Department of Defense released a summary of the 2018 DoD Cyber Strategy. The document consists of three parts: preface, strategic approach and conclusion; the strategic approach section puts forward five specific lines of effort: build a more lethal force, compete and deter in cyberspace, strengthen alliances and partnerships, reform the Department of Defense, and cultivate talent. The 2018 DoD Cyber Strategy directs the DoD to actively confront and deter U.S. competitors, to defend forward, to shape day-to-day competition, and to prepare for war. Taken together, these mutually reinforcing activities will enable the Department of Defense to compete, deter and win in cyberspace.

4.2 Traceback and main countermeasures

On the attack side, the Stuxnet industrial virus and the WannaCry ransomware, both bearing the shadow of the NSA and CIA, have caused serious harm to networks worldwide. On the traceback side, the United States has pushed Lockheed Martin and MITRE to develop the Kill Chain and ATT&CK models, promoted the adoption of threat intelligence standards such as STIX/TAXII, and strengthened its ability to discover APTs; it has also used FireEye, Mandiant and other organizations to expose a series of APT attacks, forming a network deterrent.

Since 2013, the NSA has been responsible for building and maintaining the Utah data center, the world's largest data center, to collect and store the communications of all individuals and organizations around the world, including personal e-mail, mobile communication records, Google search records and any other personal tracking information, such as parking receipts, travel routes, book purchase records and electronic spending records. With powerful big data processing and analysis capabilities, the data center collects and processes financial information, stock trading information, business information, the military, diplomatic and legal documents of various countries and top-secret personal communications, and carries out global network monitoring.

In 2013, Snowden provided confidential documents to the media, exposing a number of secret intelligence surveillance programs of the U.S. government, including the PRISM program. Through this program, the U.S. government collects information directly from the servers of nine companies, including Microsoft, Google, Yahoo, Facebook, PalTalk, AOL, Skype, YouTube and Apple, and even intrudes into other countries' networks to carry out network monitoring.
