Question

Do you believe that homeland security can protect us from cyber crimes? If so, provide an example. If not, explain why you feel this way.  

Please give me a unique answer.

Answer #1

Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace.

Cyberspace and its underlying infrastructure are vulnerable to a wide range of risks stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.

On May 16, 2018, the Department of Homeland Security released a strategy to provide the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.

Here is the link to the Strategy: https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf

Here is a description of the new technologies in the new DHS policies:

Socrates

This software platform automatically seeks patterns in data sets, and can tease out those that represent cyber threats. It tries to provide both analysis and computer science capabilities, a pairing that human analysts often lack.

The platform can perform unsupervised analysis of data – seeking patterns that may reveal future outcomes. Socrates has been used to study travel patterns of large groups to discover unknown associates of persons of interest, for example.

PcapDB

This is a software database system that captures packets to analyze network traffic by first organizing packet traffic into flows.

Its creators liken its function to that of the black box flight recorders on airplanes. “Pcap allows reconstruction of malware transfers, downloads, command and control messages, and exfiltrated data,” they say.

The platform optimizes the data captured so it can be stored on less disk space and accessed more quickly for analysis. By stripping away unnecessary features, PcapDB can store months of traffic data on commodity Serial Attached SCSI (SAS) disks, a plus when investigating intrusions. “The longest history possible is key when investigating a cyber incident,” its creators write.

REDUCE

This is a software analysis tool to reveal relationships between malware samples and to develop signatures that can be used to identify threats.

The software performs static analysis on malware samples to identify similar code sections that link the samples to previously analyzed malware groups. This enables rapid inferences about who wrote the new malware and what its technical characteristics might be.

Unlike some commercial tools that compare two malware samples at a time, REDUCE can compare multiple samples simultaneously. When it discovers similarities in code patterns it displays them along with existing knowledge about those patterns.

The tool is designed for use by security practitioners who don’t have a lot of reverse engineering background.

Dynamic Flow Isolation

DFI leverages software defined networking to apply security policies on-demand based on current operational state or business needs.

This is done by enabling, disabling or rate limiting communications between individual users and network services. This can be done either automatically or manually.

The software gains awareness of the network’s operational state by integrating with devices such as authentication servers and intrusion detection systems. It also integrates with SDN controllers to change allowable network connections in response to changing network state. This enables quarantining of individual machines or groups and blocking active attacks from reaching critical assets.

The software includes a policy enforcement kernel implemented within SDN controllers to update access rules for switches in the network. It works with existing SDN hardware and is portable across SDN controllers.

TRACER

Timely Randomization Applied to Commodity Executables at Runtime (TRACER) is a means to alter the internal layout and data of closed-source Windows applications such as Adobe Reader, Internet Explorer, Java and Flash.

Because these applications are closed and have static data and internal layout, adversaries can craft attacks that can be effective on a large scale.

By randomizing the sensitive internal data and layout every time there is an output from the application, attackers can’t prepare effective attacks against them. Even if information about the data and layout leak during one output, the arrangement will be different the next time.

In this way TRACER can thwart control-hijacking attacks against these Windows applications. It is installed on each machine and doesn’t interfere with normal operation. The downside is it increases execution time by 12% on average.

Other randomization schemes such as Address Space Layout Randomization, compiler-based code randomization and instruction set randomization perform one-time randomization. Patient attackers can wait for data leakage from the applications to create effective attacks.

FLOWER

Network FLOW AnalyzER inspects IP packet headers to gather data about bi-directional flows that can be used to identify baseline traffic and abnormal flows as a way to spot potential breaches and insider threats.

The data, collected via small appliances throughout the network and at its perimeter, can also be used as a resource for forensic investigations into incidents.

FLOWER has been deployed in more than 100 government and business networks since 2010. It has detected and mitigated coordinated attacks and has been used to create attack signatures.

SilentAlarm

This platform analyzes network behaviors to identify likely malicious behavior to stop attacks including zero-days for which there are no signatures.

Network events are fed to its analysis engine from existing sensors. The engine includes knowledge nodes, analysis segments tuned to certain types of network behaviors such as failed or successful SMTP attempts or failed Internet connections. Based on historical behavior, each new event is characterized as normal or abnormal.

These characterizations are fed to hypothesis nodes that conclude whether observed behavior indicates malicious activity. If malicious activity is spotted, SilentAlarm can send an alert or intervene.
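
The flow-based approach described above for PcapDB and FLOWER (organizing packets into bi-directional flows, then comparing them with baseline traffic) can be illustrated with a short added example. It is not part of the answer and is not code from any of the DHS tools; the record layout, function names, threshold rule and sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: both directions of a conversation map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_flows(packets):
    """Group header records (ts, src, sport, dst, dport, proto, length) into flows."""
    flows = {}
    for ts, src, sport, dst, dport, proto, length in sorted(packets):
        key = flow_key(src, sport, dst, dport, proto)
        # The sender of the earliest packet is treated as the initiator (assumption).
        f = flows.setdefault(key, {"initiator": src, "responder": dst, "service": dport,
                                   "first": ts, "last": ts, "bytes_out": 0, "bytes_in": 0, "packets": 0})
        f["last"] = ts
        f["packets"] += 1
        f["bytes_out" if src == f["initiator"] else "bytes_in"] += length
    return list(flows.values())

def abnormal_flows(baseline, current, sigmas=3.0):
    """Flag flows to a service absent from the baseline, or sending far more than baseline."""
    per_service = defaultdict(list)
    for f in baseline:
        per_service[f["service"]].append(f["bytes_out"])
    flagged = []
    for f in current:
        hist = per_service.get(f["service"])
        if not hist:
            flagged.append((f, "service not in baseline"))
        # Floor the deviation at 1 byte so a perfectly uniform baseline still has a margin.
        elif f["bytes_out"] > mean(hist) + sigmas * max(pstdev(hist), 1.0):
            flagged.append((f, "outbound volume above baseline"))
    return flagged

def convo(t, client, cport, server, sport, out_sizes, in_sizes, proto="tcp"):
    """Build constructed header records for one client/server conversation."""
    pk = [(t + i, client, cport, server, sport, proto, n) for i, n in enumerate(out_sizes)]
    return pk + [(t + 0.5 + i, server, sport, client, cport, proto, n) for i, n in enumerate(in_sizes)]

# Constructed sample traffic (documentation address ranges), not real captures.
BASELINE = build_flows(convo(0, "10.0.0.5", 50001, "198.51.100.10", 443, [300, 200], [1400, 1400])
                       + convo(10, "10.0.0.6", 50002, "198.51.100.10", 443, [350, 250], [1400])
                       + convo(20, "10.0.0.7", 50003, "198.51.100.10", 443, [280, 260], [1400, 900]))
CURRENT = build_flows(convo(100, "10.0.0.5", 50004, "198.51.100.10", 443, [320, 240], [1400])
                      + convo(200, "10.0.0.8", 50005, "198.51.100.10", 443, [1400] * 40, [60] * 5)
                      + convo(300, "10.0.0.9", 50010, "192.0.2.77", 8081, [200], [100]))

if __name__ == "__main__":
    for flow, reason in abnormal_flows(BASELINE, CURRENT):
        print(flow["initiator"], "->", flow["responder"], flow["service"], reason)
```

Only header fields are used, so the same records serve both anomaly spotting and later forensic lookup by flow.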
