search menu icon-carat-right cmu-wordmark
quotes
2022 Year in Review

Enabling Proactive Cyber Threat Detection in the Federal Civilian Executive Branch

The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for the cybersecurity of the Federal Civilian Executive Branch (FCEB), more than 100 agencies including every cabinet-level department but Defense. CISA analysts reactively query FCEB network records for past suspicious activity.

The recent CISA Strategic Plan calls for the agency to “continuously innovate our threat hunting capabilities to rapidly orchestrate threat identification and mitigation at scale.” To achieve this objective, CISA sought to identify suspicious network activity in the FCEB as it happens. But with limited staff and 100 billion new network flow records every day, the team needed automation to find the few suspicious signals.

In July 2022, the SEI’s CERT Division delivered to CISA the Unexpected Outbound Protocols (UNX-OBP) capability. This first-of-its-kind processor ingests native binary files from SiLK (System for Internet Level Knowledge), a CERT tool suite for capturing and analyzing network flow data, in CISA’s analytics environment.

CISA is currently testing UNX-OBP’s ability to find outbound network activity using the server message block (SMB) protocol. Because SMB is normally used to share files internally, outbound SMB traffic could signal data exfiltration. SMB is one of many protocols that the UNX-OBP processor could be extended to monitor for unusual activity.

The SEI’s knowledge of CISA’s mission and analytics environment, plus its familiarity with SiLK, enabled it to produce an efficient, low-cost, and easily integrated tool. The SEI is making this capability available as a NiFi processor for anyone to download. The processor has been observed in testing to ingest 98 billion flows per day in a single thread, filtering and enriching live, streaming data to a manageable number of alerts.

Automated cyber threat hunting is not new. But the UNX-OBP processor’s unique ability to do it at the scale of the FCEB will enable a sea change in CISA’s threat analytics, from reactive to proactive.

Explore more CERT security tools at tools.netsa.cert.org/index.html.

More Enterprise Risk and Resilience Management from the 2022 Year in Review