
EINSTEIN System is Still Too Immature to Protect Fully the US Government Networks

February 9, 2016 by Pierluigi Paganini

In June 2015, the US Government announced that a major data breach, likely backed by Chinese hackers, had exposed data belonging to millions of government workers.

The Obama administration confirmed that it had been the victim of a major cyberattack. Data belonging to millions of current and former federal employees were exposed. The attackers accessed personally identifiable information (PII), including Social Security numbers; the intrusion had begun at least the previous year, although it was uncovered only in April 2015.


The data breach affected US personnel whose information was held by the Office of Personnel Management, the office that handles government security clearances and federal employee records.

The attack was one of a long series of data breaches suffered by illustrious organizations, including the White House and the State Department.

The numerous successful attacks that breached the defense systems deployed by the US Government raised questions about the resilience of the government architectures that failed to repel them.


Turning to defensive measures, the EINSTEIN system is an intrusion detection system designed to monitor and analyze Internet traffic as it moves in and out of US government networks. EINSTEIN inspects each packet of the traffic in search of anomalies. Once an abnormal condition is discovered, the system reports it to the United States Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security.

EINSTEIN implements a centralized point of authority for dealing with potential cyber threats.

The system is intended to identify attack patterns early and to promptly notify US-CERT, and a number of government agencies, of any anomaly.

EINSTEIN implements a signature-based detection method; this means that a threat which does not match a known pattern can go undetected while it targets a system.

This aspect of the EINSTEIN system seriously limits the architecture's ability to detect new threats.

"The EINSTEIN system is used to protect federal civilian executive branch agencies. It is not used by the Department of Defense or the Intelligence Community. All of the EINSTEIN systems use widely available commercial technology," states the DHS.

EINSTEIN implements perimeter defense for federal civilian executive branch agencies, but it was not designed to block every cyber attack.

Figure 1 - Einstein 2 System

There have been different versions of the EINSTEIN system. The first one, EINSTEIN 1, developed in 2013, was designed to record any anomaly in the traffic entering and leaving government networks and to identify patterns related to potential threats.

"In technical terms, EINSTEIN 1 records and analyzes netflow records. This capability allows DHS to identify potentially malicious activity and to conduct critical forensic analysis after an incident occurs."

EINSTEIN 2, first deployed in 2008, improved the detection abilities of the previous phase, but like its predecessor it is not able to stop threats. It is an intrusion detection system that identifies threats with a signature-based approach. The DHS confirmed that EINSTEIN 2 sensors generate approximately 30,000 alerts about potential cyber attacks; each alert is evaluated by DHS security staff.

The latest phase of the program, deployed in 2010 and known as EINSTEIN 3A, adds the ability to actively block potential threats from entering government networks. In theory, EINSTEIN 3A can detect and block the most significant cyber security threats.

"The system would use classified signatures to protect government networks. As noted, using classified indicators allows DHS to detect and block many of the most significant cyber attacks" states the DHS. "In 2012, DHS transitioned to a new approach in which major Internet Service Providers (ISPs) provide intrusion prevention security services for federal civilian agencies using widely available commercial technology. This capability is called EINSTEIN 3 Accelerated (E3A). E3A allows DHS to both detect cyber attacks targeting federal civilian government networks and actively prevent potential compromises."

Government data breaches – EINSTEIN is under question

In 2015, security experts observed a significant number of cyber attacks against government networks; in many cases the threat actors successfully breached the targeted systems, calling the effectiveness of EINSTEIN into question.

A report resulting from a secret federal audit confirmed the doubts about the real effectiveness of the EINSTEIN defense system. The Government Accountability Office report was classified 'for official use only', but a sanitized public version was released on Thursday, January 28, 2016.

In November 2015, the U.S. Senate Homeland Security and Governmental Affairs Committee suggested that the then-confidential audit of the EINSTEIN system would show that the intrusion monitoring system is not government-wide.

The newly released audit strengthens the doubts about the system and points out misaligned objectives and technologies in the so-called 6 billion U.S. dollar EINSTEIN program.

"Until NCPS' intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies," Gregory C. Wilshusen, GAO director of information security issues, and Nabajyoti Barkakati, director of the GAO Center for Technology and Engineering, wrote in the report.

Only 5 of the 23 major nondefense agencies were under the EINSTEIN umbrella; the agencies involved in the audit were the Departments of Energy and Veterans Affairs, the General Services Administration, the National Science Foundation, and the Nuclear Regulatory Commission.

The report confirms that EINSTEIN does not cover nation-state 'Advanced Persistent Threats', even though "the overall intent of the system was to protect against nation-state level threat actors."

According to the experts who audited the EINSTEIN system, it does not include signatures for nation-state APT threats.

"EINSTEIN did not possess intrusion detection signatures that fully addressed all the advanced persistent threats we reviewed," the auditors found. DHS officials defended the system by explaining that EINSTEIN is only one of several technologies the US Government uses against cyber threats. The US Government adopts a multi-layered approach to protect systems that manage sensitive data: every single agency should keep its own systems protected from cyber threats, while DHS provides the baseline protections and the big-picture perspective on security controls government-wide.

Another point that emerged from the audit is that the EINSTEIN defense system does not recognize many common security vulnerabilities.

EINSTEIN works by sending the signatures of known attack patterns to 228 intrusion-detection sensors placed throughout the dot-Gov network. The sensors analyze data traffic and recognize patterns associated with known cyber threats. Unfortunately, the signatures used by the system identify only a portion of the vulnerabilities affecting common applications.

The auditors tested five common applications, Adobe Acrobat, Flash, Internet Explorer, Java and Microsoft Office, and discovered that only 6 percent of the security vulnerabilities tested were flagged (29 of 489 vulnerabilities). This means that EINSTEIN can detect only attacks that attempt to exploit 29 of the considered vulnerabilities.

"However, the signatures supporting NCPS's intrusion detection capability only identify a portion of vulnerabilities associated with common software applications," according to the report. A possible reason for this gap is the lack of synchronization between the EINSTEIN system and the standard national database of security flaws maintained by NIST (National Institute of Standards and Technology).

The experts at DHS confirmed the behavior and explained that the first version of EINSTEIN was not required to synchronize with the NIST vulnerability archive, a feature that will be implemented in future releases.

In my opinion, the most serious issue with the EINSTEIN system is that it has no way to spot zero-day attacks.

The report states that "Regarding zero-day exploits there is no way to identify them until they are announced." Only once a zero-day threat has been discovered by the security community and publicly disclosed can the researchers at DHS craft a signature for the attack pattern and feed it into the EINSTEIN system.
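To make the three findings above concrete (a signature-only sensor, the auditors' coverage check of signatures against tested vulnerabilities, and the zero-day blind spot that only a later signature update closes), here is an added example of my own; it is a toy model, not EINSTEIN's or DHS's code, and every rule id, vulnerability id, address and content marker in it is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:              # one netflow-style record; 'marker' stands in for a content pattern
    src: str
    dport: int
    marker: str

@dataclass(frozen=True)
class Signature:         # sensor rule; 'vuln' is a placeholder id, not a real CVE
    sid: str
    vuln: str
    dport: int
    marker: str
    def matches(self, flow: Flow) -> bool:
        return flow.dport == self.dport and self.marker in flow.marker

class SignatureSensor:
    def __init__(self, signatures):
        self.signatures = list(signatures)

    def inspect(self, flows):
        """Return (alerts, unmatched). Unmatched flows include any exploit the
        sensor has no rule for: the zero-day blind spot the audit describes."""
        alerts, unmatched = [], []
        for flow in flows:
            hits = [s.sid for s in self.signatures if s.matches(flow)]
            if hits:
                alerts.append((flow, hits))
            else:
                unmatched.append(flow)
        return alerts, unmatched

    def coverage(self, tested_vulns):
        """Tested vulnerabilities with at least one rule (the GAO check: 29 of 489)."""
        covered = {s.vuln for s in self.signatures}
        return sum(v in covered for v in tested_vulns), len(tested_vulns)

    def sync_feed(self, feed):
        """Add a rule per uncovered feed entry: the NIST-database sync the report found missing."""
        covered = {s.vuln for s in self.signatures}
        for vuln, dport, marker in feed:
            if vuln not in covered:
                self.signatures.append(Signature(f"SID-{vuln}", vuln, dport, marker))
        return len(self.signatures)

# Constructed sample data (not from the report): two rules, three flows, four tested flaws.
SIGS = [Signature("SID-1", "VULN-A", 443, "flash-ovf"), Signature("SID-2", "VULN-B", 80, "ie-uaf")]
FLOWS = [Flow("10.0.0.5", 443, "flash-ovf"),      # matches SID-1
         Flow("10.0.0.9", 80, "office-macro"),    # no rule yet: passes silently
         Flow("10.0.0.2", 443, "ie-uaf")]         # right marker, wrong port: also passes
TESTED = ["VULN-A", "VULN-B", "VULN-C", "VULN-D"]
FEED = [("VULN-C", 443, "java-deser"), ("VULN-D", 80, "office-macro")]
```

Running `SignatureSensor(SIGS)` over `FLOWS` raises one alert and lets two flows through; after `sync_feed(FEED)` the coverage rises from 2 of 4 to 4 of 4 and the port-80 flow is caught, while the mismatched-port flow still passes, which is exactly why signature coverage and timely feed synchronization matter to a defender.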

Another problem concerns EINSTEIN's ability to support an effective information-sharing model.

"DHS's sharing of information with agencies has not always been effective, with disagreement among agencies about the number of notifications sent and received and their usefulness."

Some 24 percent of the notifications sent in fiscal 2014 were not received by the departments audited by the experts. Just 56 alerts were communicated successfully; of those, 31 were timely and useful, while the rest arrived late, were not useful, related to false alarms, or were unrelated to intrusion detection.

Besides this, although DHS has created metrics for EINSTEIN, "none provide insight into the value derived from the functions of the system," the auditors said.


Security experts rightly expect the number of cyber attacks to keep increasing, as will the number of nation-state groups targeting government networks.

This category of attackers often uses zero-day exploits to compromise targeted systems and remain under the radar for a long time.

Under this premise, it is essential to improve the EINSTEIN system so that it can repel cyber attacks even when the threat actors are state-sponsored hackers.

The results of the audit show that EINSTEIN must be improved to be effective against hackers. I do not want to discuss the alleged cost of 6 billion U.S. dollars spent by the US Government, but it is clear that US experts have to work hard. I understand the difficulties of facing cyber threats, but a system like this makes sense only if it can improve the resilience of government networks to cyber attacks.

I agree with DHS experts when they say that EINSTEIN is one of the numerous technologies deployed to defend US assets in cyberspace; a layered approach is essential to identify and mitigate cyber threats.

I have no doubts about the possible evolution of the EINSTEIN defense system; it will overcome the issues that emerged in the last audit and will be improved to mitigate even more advanced zero-day attacks.



Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.