The CERT Division Research

Working to Assure Cyber-Enabled Missions

As software has become essential to all aspects of system capabilities and operations, there has been a dramatic increase in the significance of cybersecurity. The CERT Division focuses its research on cybersecurity challenges in national security, homeland security, and critical infrastructure protection.

We seek to develop and broadly transition new technologies, tools, and practices that enable informed trust and confidence in using information and communication technology.

Note from the CERT Division Chief Scientist, Greg Shannon
Welcome to the CERT Research page. We work at the nexus of government, industry, and academia to research significant concerns in cyber risk and resilience, software vulnerability, insider threat, secure coding practices, and other areas. Our research produces new approaches, analysis tools, and training options to improve the practice of cybersecurity in private and public sector organizations. I invite you to begin your engagement with us through the videos and other resources offered here and to contact us to continue the discussion.

Overview

Insider Threat Mitigation

Andrew P. Moore and William R. Claycomb, Principal Investigators
Malware Analysis

Ed Stoner, Principal Investigator
Malware Distribution Networks

Jose Morales and William Casey, Principal Investigators
Profiling, Tracking, and Monetizing: Analysis of Internet & Online Social Network Concerns

Jason Clark, Principal Investigator

Current Research

Automated Cyber-Readiness Evaluator (ACE)

Rotem Guttman, Principal Investigator

In this project, we are developing an automated cyber-readiness evaluation capability that can interpret the actions a user is performing on a screen within a defined desktop environment and, based on those actions, objectively measure the individual's competence within a defined knowledge and skill set.

Video Presentation

Rotem Guttman describes the benefits of this project.

“The Department of Defense is in the midst of a three year journey that’s going to create a cyber workforce of approximately over six thousand individuals.”


ADM Michael Rogers, Commander USCYBERCOM, 2014

Behavior-Based Analysis and Detection of Mobile Devices

Jose Morales, Principal Investigator

Both the number of Android OS-enabled mobile device users and the malware targeting Android OS are growing exponentially. This research aims to disallow malicious apps from ever being available for download via app markets and to detect and triage apps exhibiting malicious behavior on a mobile device.

Video Presentation

Researcher Joseph Yankel discusses a behavior-based analysis approach capable of accurate suspicion assessment of software for mobile devices.

“There is less control—you can download the apps from third party app stores and there is very little checking of the digital signature that you sign the app with.”


Kevin McNamee, Alcatel-Lucent

Cybersecurity Expert Performance and Measurement

Jennifer Cowley, Principal Investigator

This project aims to define and identify experts and assess individual attributes that affect the development of individual expertise nested within teams.

Video Presentation

Jennifer Cowley discusses the purpose and outcomes of this research.

“Scarcity of cybersecurity experts is a real problem that can be quantified and described—but not one that can easily be solved.”


James Arlen, Leviathan Security Group

Deep Focus: Increasing User Depth of Field to Improve Threat Detection

William R. Claycomb, Principal Investigator

As a recognized leader in insider threat research, the CERT Division is leading the way in finding answers to improving detection capabilities and preventing future leaks. We believe the next step in the insider-threat research roadmap is to develop a fundamental understanding of individual users.

Video Presentation

William Claycomb describes how widening the “depth of field” in a threat investigation can enhance context to help identify insider threats.

Research Poster

“Malicious activity by insiders looks like their authorized day-to-day online activity. As a result, many insider threat detection tools produce so many false positives that the tools are unusable.”


The CERT Division

Insider Threat Mitigation

Andrew P. Moore and William R. Claycomb, Principal Investigators

By studying the trends that characterize emerging threats, we are able to understand the requirements for the next-generation enterprise system architectures needed to defend effectively against insider threats.

Video Presentation

Andrew Moore discusses how this project aims to develop indicators that can populate an insider threat rules engine.

Research Poster

“This Presidential Memorandum transmits the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (Minimum Standards) to provide direction and guidance to promote the development of effective insider threat programs within departments and agencies...”


Presidential Memorandum, November 21, 2012

Malware Analysis

Ed Stoner, Principal Investigator

Program analysis techniques can be useful in providing automated understanding of software behavior.

Video Presentation

Researcher Jonathan Spring describes the tasks in this project: automatic static analysis of malware binaries, exploration of suffix tree use, and the use of model checking to formally describe the invariant behavior that malicious software exhibits.

“Malware analysts need an approach that allows them to sort out the massive amount of new samples that arrive daily in a fundamental way so they can assign priority to the most malicious of binary files.”


Jose Morales, The CERT Division, Software Engineering Institute

Malware Distribution Networks

Jose Morales and William Casey, Principal Investigators

This research fundamentally advances the field by providing a way to graph Malicious Distribution Networks (MDNs) accurately using already discovered malicious URLs.

Video Presentation

Researcher Aaron Volkmann describes how the approach taken in this project allows for rapid graphing and analysis of MDNs over long periods.

“Malware authoring and distribution has become very profitable over the years... The process of propagating and distributing malware has been evolving constantly.”


Symantec

Profiling, Tracking, and Monetizing: Analysis of Internet & Online Social Network Concerns

Jason Clark, Principal Investigator

The results of this research show that network-level anonymity systems are unable to thwart de-anonymization attacks aimed at the applications and private data of end users.

Video Presentation

Jason Clark describes the method and outcomes of this research.

“The exposure of information on the Internet poses a genuine threat to the privacy of users.”


Jason Clark, The CERT Division, Software Engineering Institute

Secure Coding

Robert Seacord, Principal Investigator

The goal of the CERT Secure Coding Initiative is to reduce the number of vulnerabilities to a level that can be mitigated fully in DoD operational environments. This goal will be accomplished by preventing coding errors or discovering and eliminating security flaws during implementation and testing.

Video Presentation

Robert Seacord explains the tasks involved in the CERT Division’s current secure coding research.

“The customer trusts us that product is secure, and we as an industry, should accept our responsibility and enforce higher security standards on our products. This starts at practicing secure programming.”


Don Eijndhoven, founder and CEO of Argent Consulting B.V.

Simulating Malicious Insiders in Real Host-Monitored Background Data

Kurt Wallnau and Brian Lindauer, Principal Investigators

We create threat data from a combination of synthetic threat data overlaid on real background data. The novelty of our approach is in the way we make constructive use of background data to create threat data with plausible threats that exhibit richly textured social realism.

Video Presentation

Kurt Wallnau details the development of insider threat cyberplays.

“Nonetheless, even with numerous safeguards in place, why are there so many high-profile breaches? The reason is because the solutions most organizations employ focus on the wrong thing—data... A better approach is to look at the activities of the user...”


Daniel Yelez, Raytheon Cyber Products

Software Assurance Engineering—Integrating Assurance into System and Software Engineering

Carol Woody, Principal Investigator

The U.S. Department of Defense (DoD) goal of implementing software assurance throughout the development lifecycle needs to be translated into practical actions that designers and developers can take. This project aims to improve capabilities in analyzing cybersecurity risk early in the software lifecycle and using software quality models to support software assurance.

Video Presentation

Principal investigator Carol Woody explores the Security Engineering Risk Analysis (SERA) framework devised in this project.

Research Poster

“Implementing software with a level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the lifecycle.”


Section 933 of the 2013 NDAA