
Idaho National Laboratory

From the INEEL Archives
Feature Story

INEEL Cyber Security - Aggressive Defense Against an Unseen Enemy

Contributed by Kathy Gatens
October 2003

Diehard science fiction fans know that writer William Gibson brought the word "cyber" to life in his 1984 novel Neuromancer. He coined the term "cyberspace" to refer to an electronic or virtual reality. Today, the meaning of the word has evolved to a synonym for electronics or computers. "Cyber," however, still evokes the image of data invisibly racing to destinations around and beyond the globe, while the word "computer" recalls the familiar display and hard drive found in almost every home and office. Cyber security protects computers, systems and networks from enemy attacks. INEEL's cyber security is both an art and a science.

Rob Hoffman and Kevin Barnes

Rob Hoffman (left), working with Kevin Barnes, leads a team of handpicked computer whizzes whose job it is to keep hackers out of the INEEL's computer systems.

The INEEL Web site, like many .gov locations, is a prime target for hackers. The site is bombarded with thousands of scans each day - over 90,000 on average weekly. The perpetrators may be trying to weasel their way into the network out of curiosity or with malicious intent. They may be cold professional criminals looking for vulnerabilities to exploit or sell, or they may be citizens of a hostile nation, patiently gathering information, byte-by-byte. Rob Hoffman leads a team of equally professional computer whizzes whose job it is to keep them out. And they take it very personally.

The handpicked team was assembled several years ago after a hacker got in. The individual had "touched a box," to use computer lingo, by reaching a server with the potential to modify its contents. Disaster was averted and no damage was done, but the aftertaste remained. As good as INEEL's computer security had been, it now had to be even better.

"Cyber Security focuses on assisting the programs accomplish their mission in a secure fashion," said Hoffman, summarizing the organization’s goal. "It’s a dynamic process. Security should never inhibit success, but the integrity of the enterprise is paramount."

The first daunting task facing the team was identifying the existing potential avenues of risk. They put together a spreadsheet for the external servers. It listed thousands of vulnerabilities. The goal was to clean up the servers in six months. They did it in three.

Red Team/Blue Team

But every Wednesday like clockwork, vicious attacks still flood INEEL computers. This time around, however, the bad guys are the good guys. The Cyber Security staff takes turns attacking and defending the system. For example, someone may launch a particularly nasty exploit and the rest of the group defends against it. All of this, of course, is conducted on a closed network, but the results benefit every computer user at the laboratory. And the game playing keeps the staff sharp and prepares them to deal with the reality of cyber defense.

"My job, the job of every team leader or manager, is to keep staff challenged, give them the tools and training to do their work, and remove obstacles," said Hoffman. "The red team/blue team efforts really challenge our group to enter the mindset of the hacker."

Collaborative Excellence

The Cyber Security organization supports both operational activities and programmatic customers and is collocated within Information Resource Management and the National Security Division. The rationale for the organization’s support to the Division is clear enough when you consider that the laboratory is a national asset that must be protected. But the Cyber Security wizards do more than guard INEEL’s gates; they conjure up some mean magic for federal agencies and military groups wanting to protect their cyber treasures.

Instead of causing conflicts between fulfilling the routine needs of the laboratory and responding to the sometimes-exotic requests of clients, the two roles of Cyber Security create a symbiotic relationship between the functions that enhances them both.

Cyber security laboratory.

The laboratory is building a specialized cyber test bed to support customers and projects that must be kept separated from even the closed networks due to the proprietary nature of the work or at the request of the agency.

For example, Hoffman's team doesn't just use intrusion detection software; team members write their own. They apply this expertise first to INEEL networks, where their tool is sensitive enough to pick up the slow scans that run below the radar of most commercial detection programs. Intrusion detection, however, is more than just a software program. According to Hoffman, it takes a certain mindset, an intuitive feel to detect the traffic patterns within all of the data. The team has this touch.
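As an added illustration (not INEEL's tool, and not code from the article) of why a scan spread out over an hour slips past a rule tuned for bursts: the same distinct-port rule is run over a constructed connection log with a one-minute window and with a two-hour window. The log format, the hosts and the thresholds are all assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one connection attempt per line: "timestamp source dst_port".
# 10.0.0.5 probes a new port roughly every 11 minutes; 10.0.0.9 is ordinary web traffic.
SAMPLE_LOG = """\
2003-10-01T00:00:00 10.0.0.5 22
2003-10-01T00:11:00 10.0.0.5 23
2003-10-01T00:22:00 10.0.0.5 25
2003-10-01T00:33:00 10.0.0.5 80
2003-10-01T00:44:00 10.0.0.5 110
2003-10-01T00:55:00 10.0.0.5 143
2003-10-01T01:06:00 10.0.0.5 443
2003-10-01T01:17:00 10.0.0.5 445
2003-10-01T00:05:00 10.0.0.9 80
2003-10-01T00:30:00 10.0.0.9 80
2003-10-01T00:50:00 10.0.0.9 443
"""

def parse_log(text):
    """Turn the constructed log into a time-ordered list of (timestamp, source, port)."""
    events = []
    for line in text.splitlines():
        ts, src, port = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return sorted(events)

def flag_port_scanners(events, window, threshold):
    """Return the sources that touch at least `threshold` distinct destination
    ports within any sliding time window of length `window`."""
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs still inside the window
    flagged = set()
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(src)
    return flagged

def burst_rule(events):
    """A burst-oriented rule: 5 distinct ports inside one minute. Misses the slow scan."""
    return flag_port_scanners(events, timedelta(minutes=1), 5)

def slow_scan_rule(events):
    """A long-memory rule: 6 distinct ports inside two hours. Catches 10.0.0.5."""
    return flag_port_scanners(events, timedelta(hours=2), 6)
```

The cost of the long window is the per-source state that must be kept, which is why a detector written for this purpose is tuned differently from a general-purpose one.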

So when the Department of Defense’s Defense Information Systems Agency looks for intrusion detection experts, it looks to us. For the last several years, Cyber Security staff has worked to integrate custom Snort plug-ins into DoD’s new intrusion detection program, agencywide.

This synergy works both ways according to Kevin Barnes, a Cyber Security team member who primarily focuses on supporting external customers. Barnes has access to the INEEL network that allows him to build and test tools that keep his customer and the laboratory a step ahead of the competition - not other laboratories, but the hackers.

The collaboration between operations and programs isn’t just a good idea; it is essential.

The laboratory’s key mission area within National Security is critical infrastructure assurance. The Division operates complex SCADA (Supervisory Control and Data Acquisition) and Wireless test beds with government and commercial partners (see Need to Know, January 2003 and April 2003). The test beds are used to identify vulnerabilities, and develop and test solutions. Cyber security is an integral component since SCADA and wireless communications systems are especially vulnerable to malicious electronic attacks.


'Zero-Day' Exploits

Outside of the black hat or hacker community, few have heard of or recognize the phrase "zero day," which refers to that nebulous time between the discovery of a vulnerability in a software program and the release of the patch to fix it, when "Day 1" begins. Zero-day exploits can cause irreparable harm, destroying data, introducing viruses and stealing information.

The Cyber Security team works hard to remain a step ahead of the hackers to minimize zero-day exploits. When the NIMDA virus infected the nation’s computer systems, it contained a virulent strain designed to attack .gov domains. The team reverse engineered the virus to develop a defense and met with the commercial anti-virus software provider to create the solution. INEEL’s network was safe before the patch hit the streets.

Jason Larsen

Jason Larsen wrote the genesis of Hogwash intrusion detection software while still in college.

Another way they stay ahead of the hackers is to infiltrate their lines, officially. Hoffman and colleague Jason Larsen have attended international hacker conferences and rubbed elbows with the top 20 to 25 "ubergeeks" in the world, most less than 30 years old. A common trait among this elite group is an early curiosity about how things work, in this case, infrastructure protocols and low-level code.

Larsen could be considered a card-carrying member of these privileged few, having published his first code at age 13. And while still in college, he wrote the genesis of the Hogwash intrusion detection software, and made it available on the Internet as an open source project. The Web site for Hogwash describes how to set up a honeypot, which is a network configuration that allows a user to observe attackers in a safe environment while protecting their own production server. The source code for establishing a honeypot is followed by some simple instructions that epitomize not just Larsen’s attitude but many of those at the INEEL who go into electronic combat daily: "That’s about all there is to it. Have fun."
