Bureau of Diplomatic Security Wins U.S. National Cybersecurity Innovation Award


Award recognized innovation and excellence in creating effective teams to identify attackers and eliminate malicious code

WASHINGTON, Oct. 25, 2011 /PRNewswire-USNewswire/ -- The SANS Institute announced today that the Cyber Threat Analysis Division in the Bureau of Diplomatic Security at the State Department has won the 2011 U.S. National Cybersecurity Innovation Award for its ground-breaking innovation in the rapid identification and removal of targeted malware and for its national leadership in deep network forensics and reverse engineering.

(Photo: http://photos.prnewswire.com/prnh/20111025/DC92511)

Even the best defenses are unable to stop the most determined and well-funded opponents; some attacks get through. When they do, security professionals face one of their hardest tasks: finding the malicious code before it causes more damage. Few groups possess all the skills required to do this, but the Cyber Threat Analysis Division in the Bureau of Diplomatic Security at the State Department has a proven track record of building a team of people skilled in finding, isolating, analyzing, and eliminating malicious code that gets through the defenses.

When the State Department and the Commerce Department were both hit with sophisticated, targeted attacks and had to testify before Congress about what happened in the aftermath, the Commerce Department witness testified that they were unable to find the malicious code, had to replace the infected computers, and did not know whether they had found all instances of the attack, so it may still be stealing sensitive U.S. technology data maintained by the Commerce Department. The Bureau of Diplomatic Security witness, on the other hand, testified that their team found and blocked the attackers almost immediately; that they were able to reverse engineer the malicious software to determine exactly how it worked (and found two zero-day attacks in it); that they helped other agencies protect their systems; and that they helped the anti-virus companies enhance their software to discover other instances of the malicious code. They also cleaned their systems rather than having to replace them.

An analysis by the Center for Strategic and International Studies, performed at the request of the chair of the Congressional subcommittee before which the Commerce and State Department witnesses described their experience, found that the reason the State Department succeeded where the Commerce Department did not was simply a matter of the skills of its people. The Cyber Threat Analysis Division at the State Department had built a team with high proficiency in each of the following skills:

  1. Monitoring current attack and threat information to identify those that are relevant to the enterprise.
  2. Identifying elements of the organization that are subject to targeted attacks and identifying traffic patterns that define potential attacks.
  3. Differentiating between anomalous traffic patterns caused by misbehaving hardware and those caused by malicious actors, using a deep understanding of networking, TCP/IP, and logs.
  4. Finding evidence of low and slow attacks (stealthy attacks that might send only a few packets every three or four days).
  5. Setting up and monitoring honeypots.
  6. Establishing expected traffic patterns and log patterns to enable the discovery of anomalous traffic.
  7. Developing scripts and short programs for automating analysis of logs and network traffic.
  8. Reverse engineering malware to identify behaviors and to point to other systems that may have been attacked.
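Skills 4, 6 and 7 above fit together in practice: a baseline of expected destinations lets an analyst's script ignore known traffic and hunt for the sparse, regular contacts that volume thresholds never see. The following is an added example written for this page, not code from the press release, the Bureau, or SANS. It assumes a constructed connection log in the form "timestamp src dst bytes", a hypothetical baseline set, and thresholds (at least four contacts, a mean gap of a day or more, low jitter) chosen for illustration; the beacon host 203.0.113.7 and all addresses are constructed sample values.

```python
"""Low-and-slow beacon detection over a constructed connection log.

Flags (src, dst) pairs that are contacted rarely but at a suspiciously
regular long interval and that are absent from the baseline of expected
destinations. Constructed example; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one outbound connection per line:
#   "<ISO timestamp> <src> <dst> <bytes>"
# 10.0.5.23 -> 192.0.2.10 is ordinary, irregular proxy traffic.
# 10.0.5.40 -> 192.0.2.20 is a nightly backup: periodic, but expected.
# 10.0.5.23 -> 203.0.113.7 is the hypothetical beacon: ~3.5 days apart, tiny.
SAMPLE_LOG = """\
2011-10-01T02:13:40 10.0.5.23 203.0.113.7 312
2011-10-01T08:00:03 10.0.5.23 192.0.2.10 48213
2011-10-01T08:41:10 10.0.5.23 192.0.2.10 9920
2011-10-01T12:02:55 10.0.5.23 192.0.2.10 130044
2011-10-02T01:00:00 10.0.5.40 192.0.2.20 5120000
2011-10-02T09:15:00 10.0.5.23 192.0.2.10 7710
2011-10-02T09:16:20 10.0.5.23 192.0.2.10 66021
2011-10-03T01:00:00 10.0.5.40 192.0.2.20 5031000
2011-10-03T17:45:12 10.0.5.23 192.0.2.10 2200
2011-10-04T01:00:00 10.0.5.40 192.0.2.20 5210000
2011-10-04T14:07:40 10.0.5.23 203.0.113.7 298
2011-10-05T01:00:00 10.0.5.40 192.0.2.20 4990000
2011-10-05T08:03:41 10.0.5.23 192.0.2.10 15500
2011-10-06T01:00:00 10.0.5.40 192.0.2.20 5100000
2011-10-06T11:30:00 10.0.5.23 192.0.2.10 3100
2011-10-08T01:55:40 10.0.5.23 203.0.113.7 305
2011-10-11T13:49:40 10.0.5.23 203.0.113.7 320
2011-10-15T02:01:40 10.0.5.23 203.0.113.7 299
"""

# Hypothetical baseline: destinations the expected traffic pattern accounts for.
BASELINE_DESTINATIONS = {"192.0.2.10", "192.0.2.20"}

MIN_CONTACTS = 4           # fewer contacts cannot establish a period
MIN_MEAN_INTERVAL = 86400  # seconds; "slow" means roughly daily or rarer
MAX_CV = 0.25              # coefficient of variation; "regular" means low jitter


def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        pairs[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return pairs


def find_low_and_slow(text, baseline=BASELINE_DESTINATIONS):
    """Return findings for sparse, periodic contacts to unexpected destinations."""
    findings = []
    for (src, dst), events in parse_log(text).items():
        if dst in baseline or len(events) < MIN_CONTACTS:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        # Long mean gap plus low jitter is the signature of a scheduled beacon;
        # hardware that misbehaves tends to be bursty, not metronomic.
        if avg >= MIN_MEAN_INTERVAL and cv <= MAX_CV:
            findings.append({
                "src": src,
                "dst": dst,
                "contacts": len(events),
                "mean_interval_days": round(avg / 86400, 2),
                "jitter_cv": round(cv, 3),
                "total_bytes": sum(n for _, n in events),
            })
    return findings


if __name__ == "__main__":
    for finding in find_low_and_slow(SAMPLE_LOG):
        print(finding)
```

Run against the sample, only the 203.0.113.7 pair is reported: five contacts about 3.5 days apart with almost no jitter and roughly 1.5 KB in total. Dropping the baseline (passing an empty set) also surfaces the nightly backup to 192.0.2.20, which is exactly why skill 6, establishing expected patterns first, precedes the hunt.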

For creating effective teams to identify attackers and eliminate malicious code by recruiting, training, nurturing, and retaining key people with the right mix of critical skills, the 2011 National Cybersecurity Innovation Award is presented to the Cyber Threat Analysis Division of the Bureau of Diplomatic Security at the U.S. Department of State.

About the National Cybersecurity Innovation Awards
The National Cybersecurity Innovation Awards recognize developments undertaken by companies and government agencies that (1) are innovative in that they are new or have not previously been successfully deployed, (2) have resulted in significant cyber risk reduction, (3) can be scaled quickly to serve large numbers of organizations, and (4) should be adopted by many other organizations. Nominators for the awards include most of the senior U.S. government officials involved with cybersecurity as well as leaders from the major cybersecurity Information Sharing and Analysis Centers (ISACs) and other key cybersecurity leaders. Each nomination was tested by the SANS research department against the criteria; those that met *all* four were recognized. More than 50 nominations were received; 14 were selected.

Alan Paller, Director of Research, SANS Institute, apaller@sans.org

For more information:
US Department of State: Brian Leventhal, 571-345-2499
SANS Institute: Alan Paller, apaller@sans.org, 301-951-0102 x108

SOURCE SANS Institute