Network Situational Awareness Research
Operators of networks of any size struggle to understand the activity of their networks. The challenge is to understand what data needs to be captured, how that data should be collected, how that data should be stored, and ultimately how that data can be effectively analyzed to identify malicious activity and produce valuable metrics.
The CERT Network Situational Awareness (NetSA) group assists network owners and operators with their most challenging problems. The group develops cutting-edge analysis techniques and tools for operational use in high-impact environments. In developing operational views of network attacks and network baselines to uncover anomalies, the NetSA group has developed standards for describing network traffic, designed sensors and analysis tools, and used both existing and SEI-developed network sensor and intrusion detection technology to identify and track malicious activity.
We describe some of our current focal areas below. Please contact us if you'd like more information or if you're interested in collaborating with us.
Scalable Intrusion Detection
As network traffic volumes continue to grow, how do large-scale network operators keep up with their monitoring needs? The CERT NetSA group develops best practices guidance and technical capabilities to effectively monitor large-scale networks. NetSA work includes approaches for prioritizing sensing requirements and developing novel analytics to identify malicious activity.
Only recently has the security industry begun to investigate anomaly detection solutions. While many of these approaches are successful in small environments, CERT researchers are working to develop new techniques that meet today's scalability requirements and minimize the need for human decision makers at various levels. These approaches leverage advanced mathematical models in order to explain and predict events and behaviors.
Network profiling is the discovery of public-facing assets on a network using network flow data. Network flow data can be used for a variety of purposes, including forensics, finding malicious activity, and determining appropriate prioritization settings. The goal of NetSA's network profiling work is to passively build a profile that shows a potential attacker's view of a network from the outside. These profiles can also serve as a baseline for anomaly detection efforts.
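The following is an added example of the passive profiling idea described above; it is illustrative code written for this page, not a NetSA tool. It assumes a simplified flow-record layout (one unidirectional flow per line, with source, destination, ports, protocol number, packets, bytes and TCP flags), an internal address block in the RFC 5737 documentation range, and constructed sample records. A public-facing asset is counted only when an external host's request was answered by the internal host (a completed SYN/ACK for TCP, any reply for UDP), so unanswered probes and reset ports never enter the profile. A second, later set of records is then compared against the first to flag services that were not in the baseline.

```python
"""Passive network profile of public-facing assets from flow records (constructed example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records, not real traffic. Field order (an assumption for
# this example): sip,dip,sport,dport,proto,packets,bytes,flags
# Internal block: 192.0.2.0/24; external hosts come from 198.51.100.0/24 and 203.0.113.0/24.
BASELINE_FLOWS = """\
198.51.100.7,192.0.2.10,51000,443,6,12,2400,S
192.0.2.10,198.51.100.7,443,51000,6,10,9800,SA
198.51.100.9,192.0.2.10,51001,443,6,8,1500,S
192.0.2.10,198.51.100.9,443,51001,6,7,6600,SA
203.0.113.5,192.0.2.20,40000,25,6,5,600,S
192.0.2.20,203.0.113.5,25,40000,6,4,500,SA
203.0.113.8,192.0.2.30,40001,3389,6,3,180,S
198.51.100.3,192.0.2.40,53000,53,17,1,70,
192.0.2.40,198.51.100.3,53,53000,17,1,120,
"""

# A later collection window (constructed): a new SSH listener appeared on
# 192.0.2.30, and a probe of 3389 on the same host was refused with RST/ACK.
CURRENT_FLOWS = BASELINE_FLOWS + """\
203.0.113.12,192.0.2.30,41000,22,6,9,800,S
192.0.2.30,203.0.113.12,22,41000,6,8,1400,SA
203.0.113.12,192.0.2.30,41001,3389,6,2,120,S
192.0.2.30,203.0.113.12,3389,41001,6,1,60,RA
"""

INTERNAL_CIDR = "192.0.2.0/24"  # assumed monitored address block


@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    bytes: int
    flags: str


def parse_flows(text):
    """Parse the simplified CSV layout into Flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]),
                          int(f[5]), int(f[6]), f[7]))
    return flows


def build_profile(flows, internal_cidr=INTERNAL_CIDR):
    """Return {(internal_ip, proto, port): set(external_clients)} for answered services."""
    internal = ipaddress.ip_network(internal_cidr)

    def is_internal(ip):
        return ipaddress.ip_address(ip) in internal

    # Index internal -> external flows by their 5-tuple so each inbound
    # request can be matched with the reply the internal host sent back.
    replies = {}
    for f in flows:
        if is_internal(f.sip) and not is_internal(f.dip):
            replies[(f.sip, f.dip, f.sport, f.dport, f.proto)] = f

    profile = defaultdict(set)
    for f in flows:
        if is_internal(f.sip) or not is_internal(f.dip):
            continue  # only external -> internal requests define exposure
        reply = replies.get((f.dip, f.sip, f.dport, f.sport, f.proto))
        if reply is None:
            continue  # unanswered probe (scan or filtered port) is not an asset
        if f.proto == 6 and not ("S" in reply.flags and "A" in reply.flags):
            continue  # TCP counts only if the host completed SYN/ACK (RST/ACK is a refusal)
        profile[(f.dip, f.proto, f.dport)].add(f.sip)
    return dict(profile)


def new_services(baseline, current):
    """Services present in the current profile that the baseline never saw."""
    return {svc for svc in current if svc not in baseline}


if __name__ == "__main__":
    base = build_profile(parse_flows(BASELINE_FLOWS))
    for (ip, proto, port), clients in sorted(base.items()):
        print(f"{ip} proto {proto} port {port}: {len(clients)} external client(s)")
    now = build_profile(parse_flows(CURRENT_FLOWS))
    for svc in sorted(new_services(base, now)):
        print("new public-facing service since baseline:", svc)
```

The reply-matching rule is what makes this an attacker's-eye view rather than a list of every port that was ever touched: the scan of 3389 in both windows leaves no trace in the profile, while the answered SSH listener in the later window is reported as a change against the baseline.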
The NetSA group provides extensive incident handling assistance to large-scale Computer Network Defense (CND) activities within the Department of Defense and Federal Government. Our group quickly analyzes massive data sets to understand the full scope of an incident to aid with containment and remediation. Additionally, NetSA analysts collaborate with other areas of the CERT Division, including the Digital Intelligence and Investigation Directorate (DIID), by providing advanced network analysis assistance to Federal law enforcement.
Advanced Persistent Threat / Intrusion Set Studies
CERT analysts are leading research efforts examining historical network intrusion activity in order to gain an understanding of adversary campaigns based on goal-driven behavior. This research, combined with NetSA Indicator Expansion and Sophisticated Malware detection efforts, has led to extensive new insights into adversary behavior.
Closed Network Defense
NetSA analysts are working to define the concept of closed networks as a leap ahead in computer network defense security applicable to any organization interested in protecting data at rest or data in motion.
The NetSA group is defining best practices for understanding the full scope of a particular campaign and set of malware. Leveraging countless external data sources and working in close collaboration with the CERT Malicious Code team, our analysts seek to understand how particular malware behaves on the network and identify commonalities across families of malware, including similarities in command and control protocols and program structure (through code comparison techniques). Through this effort, our analysts can create the full story surrounding related malware and leverage our extensive data sources to document ongoing activity on monitored networks.
Sophisticated Malware Detection
NetSA analysts are researching new ways to identify sophisticated malware. In addition to analyzing massive network traffic data sets, analysts are also using data from the CERT artifact catalog, extracting indicators from that malware, and using those indicators to discover malicious network traffic on government networks.
Metrics and Measurement
NetSA group members have developed extensive metrics in a number of different areas. At a global scale, NetSA works to define metrics that measure activity across the internet as a whole. Focused on single networks, NetSA researchers have developed models to aid in evaluating the benefits of network security systems such as sensors. This work focuses on modeling to estimate those benefits and on the rationale for collecting particular data items. The goal is to improve managerial decisions regarding network security.
Network Defense Architecture and Engineering
NetSA engineers lead some of the nation's largest network defense programs, often working with architecture teams. The NetSA group focuses on large-scale sensing strategy, data management, and standards development. Additionally, CERT NetSA engineers act as subject matter experts, providing a deep understanding of requirements to aid in architectural designs.
Network Security Testbeds
The NetSA Network Security Deployment team assists our sponsors with not only deploying our solutions, but also testing and evaluating any network security capability. The scope of this work ranges from specific product evaluations to managing large-scale development, test, and modeling and simulation environments.
Network Security Prototyping
The NetSA group, working with our sponsors, helps to identify key gaps in network defense capabilities. To fill many of those gaps, NetSA engineers help prototype new capabilities and technologies that can be transitioned into commercial offerings or open source projects.