EINSTEIN 2.0 (also referred to as EINSTEIN 2) is an intrusion-detection system developed by the Department of Homeland Security (DHS), in coordination with the Office of Management and Budget (OMB), to detect unauthorized network intrusions and data exploitation directed against the Executive Branch's civilian unclassified computer systems. In December 2008, EINSTEIN 2.0 was incorporated into the National Cybersecurity Protection System (NCPS), a larger collection of systems that includes not only the EINSTEIN sensors but also other systems that provide data correlation and analysis.
How it works
EINSTEIN 2.0 technology consists of computers ("sensors") configured with commercial off-the-shelf intrusion-detection software as well as government-developed software. The sensors are located at certain Internet access points known as Trusted Internet Connections (TICs), which connect Federal Systems to the Internet. EINSTEIN 2.0 does not monitor traffic on internal agency networks, nor does it monitor commercial or private traffic traversing the public Internet.
EINSTEIN 2.0 intrusion-detection sensors observe, in near-real time, the packet headers and packet content of all incoming and outgoing Internet traffic of Federal Systems ("Federal Systems Internet Traffic") for the "signatures" of malicious computer code used to gain access to or exploit Federal Systems. Because Internet traffic is routed by IP address, only Federal Systems Internet Traffic destined to or sent from an IP address associated with an executive department or agency participating in EINSTEIN 2.0 (an "EINSTEIN 2.0 Participant") is scanned by EINSTEIN 2.0 technology. Thus, EINSTEIN 2.0 scans only the Internet traffic of participating Federal Systems that connect to the Internet at TICs.
Such traffic flows to an EINSTEIN sensor either through a TIC location operated by an authorized Networx Managed Trusted Internet Protocol Service (MTIPS) Internet Service Provider (ISP) or through a TIC location run by an authorized Federal Executive Branch civilian department or agency. Under either deployment option, mechanisms are in place to ensure that only data traveling to and from Federal Executive Branch civilian networks is routed through EINSTEIN. Both options require the relevant department or agency to identify the set of Internet Protocol (IP) address ranges used in its network. The department or agency then works with its ISP to ensure that only data addressed to or from those Federal network ranges is routed through the EINSTEIN system.
EINSTEIN 2.0 sensors do not scan the actual Federal Systems Internet Traffic for malicious computer code while that traffic is in transmission; instead they scan a temporary copy of the traffic created solely for the purpose of scanning by the sensors. The "original" Federal Systems Internet Traffic continues to its destination without being scanned, so EINSTEIN 2.0 operations do not disrupt the normal operation of Federal Systems. EINSTEIN 2.0 technology does, however, create a temporary mirror image of all Federal Systems Internet Traffic of EINSTEIN 2.0 Participants for parallel scanning by the sensors.
The temporary copy of Federal Systems Internet Traffic is created only for identifying known signatures. When EINSTEIN 2.0 sensors identify Federal Systems Internet Traffic containing packets with malicious computer code matching a signature, EINSTEIN 2.0 technology is designed to generate, in near-real time, an automated alert about the detected signature. The alert generally does not contain the content of the packet, but includes header information, such as the source or remote IP address associated with the traffic that generated the alert, metadata about the type of signature that was detected, and the date/time stamp.
In addition to generating automated alerts, EINSTEIN 2.0 operations will both acquire and store data packets from the mirror copy of Federal Systems Internet Traffic that are associated with a detected signature. Those packets, which may include the full content of the Internet communications, such as e-mails, may be reviewed by analysts from US-CERT and other authorized persons involved in computer network defense.
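The flow described in the preceding paragraphs, scanning a mirror copy rather than the live stream, scoping the scan to the IP ranges a participating agency has declared, emitting an alert that carries header metadata but no payload, and retaining the matching packets with their content for analyst review, can be sketched as a small passive sensor. This is an added illustration, not DHS, US-CERT or NCPS code; the signatures, the IP ranges, the packets and the `Sensor`/`Packet`/`Signature` names are all constructed for the example, and the explicit in-scope check stands in for the ISP routing arrangement that in the real deployment keeps non-participant traffic away from the sensor.

```python
"""Passive signature scanning over a mirror copy of traffic, modelled on
the EINSTEIN 2.0 flow described on this page.  Constructed example; not
DHS, US-CERT or NCPS code.  Signatures, IP ranges and packets are made up."""
from __future__ import annotations

import copy
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: str           # hypothetical signature identifier
    description: str
    pattern: re.Pattern[bytes]


class Sensor:
    """One sensor at a TIC: it sees a copy of each packet, never the live stream."""

    def __init__(self, participant_ranges: list[str], signatures: list[Signature]):
        # Ranges the department/agency declared to its ISP; only traffic to or
        # from these ranges is supposed to reach the sensor at all.
        self.ranges: list[IPNet] = [ipaddress.ip_network(r) for r in participant_ranges]
        self.signatures = signatures
        self.alerts: list[dict] = []      # header metadata only, no payload
        self.retained: list[Packet] = []  # full packets tied to a detection

    def _participant(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ranges)

    def in_scope(self, pkt: Packet) -> bool:
        # Stand-in for the routing arrangement: ignore anything that is neither
        # to nor from a participant range (e.g. stray transit traffic).
        return self._participant(pkt.src) or self._participant(pkt.dst)

    def scan(self, live_pkt: Packet) -> dict | None:
        """Scan a copy of the packet; the original is untouched and forwarded."""
        mirror = copy.deepcopy(live_pkt)
        if not self.in_scope(mirror):
            return None
        for sig in self.signatures:
            if sig.pattern.search(mirror.payload):
                inbound = self._participant(mirror.dst)
                alert = {
                    "sid": sig.sid,
                    "description": sig.description,
                    "ts": mirror.ts.isoformat(),
                    "direction": "inbound" if inbound else "outbound",
                    "remote_ip": mirror.src if inbound else mirror.dst,
                    "src": mirror.src,
                    "dst": mirror.dst,
                    "proto": mirror.proto,
                    "dport": mirror.dport,
                    # deliberately no "payload" key: alerts carry headers/metadata
                }
                self.alerts.append(alert)
                self.retained.append(mirror)  # content kept for analyst review
                return alert
        return None


# Constructed toy signatures (not real EINSTEIN signatures).
SIGNATURES = [
    Signature("SIG-0001", "directory traversal in HTTP request",
              re.compile(rb"\.\./\.\./")),
    Signature("SIG-0002", "credential phishing lure",
              re.compile(rb"(?i)verify your password")),
]

# Constructed packets seen at the TIC tap; 203.0.113.0/24 plays the agency.
T0 = datetime(2009, 1, 15, 12, 0, tzinfo=timezone.utc)
PACKETS = [
    Packet(T0, "198.51.100.7", "203.0.113.10", "tcp", 80,
           b"GET /../../etc/passwd HTTP/1.1\r\nHost: agency.example\r\n\r\n"),
    Packet(T0, "203.0.113.25", "198.51.100.9", "tcp", 25,
           b"Subject: Action required\r\n\r\nPlease verify your password here"),
    Packet(T0, "203.0.113.25", "198.51.100.53", "udp", 53, b"\x12\x34\x01\x00"),
    # Matches a signature but is neither to nor from the agency: never scanned.
    Packet(T0, "192.0.2.4", "198.51.100.7", "tcp", 80, b"GET /../../x HTTP/1.1"),
]


def run(packets=PACKETS, ranges=("203.0.113.0/24",), signatures=SIGNATURES) -> Sensor:
    sensor = Sensor(list(ranges), signatures)
    for pkt in packets:
        sensor.scan(pkt)
    return sensor


if __name__ == "__main__":
    s = run()
    for a in s.alerts:
        print(a)
    print(f"{len(s.retained)} packet(s) retained with content")
```

Running it yields two alerts (one inbound traversal attempt, one outbound phishing lure), each naming the remote IP but carrying no payload, while the two matching packets are held in full in `retained`; the fourth packet matches a signature but never enters the scan because it is out of scope, which is the property the IP-range routing is meant to guarantee.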
All Federal Executive Branch civilian agencies are required to participate in the use of the EINSTEIN 2 intrusion detection system, in accordance with the OMB Memorandum M-08-05, Implementation of Trusted Internet Connections (November 20, 2007).
Notes
- The term "malicious computer code" means not only malware, such as viruses, spyware, and Trojan horses, but also malicious network intrusion and exploitation activities, such as identifying network backdoors and network scanning, and so-called social engineering activities, such as phishing exploits that seek usernames, passwords, social security numbers, or other personal information.
See also
- GAO, Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies (GAO-10-237) (Mar. 12, 2010).