The Computer Incident Advisory Capability (CIAC)

E. Eugene Schultz, Jr.
Lawrence Livermore National Laboratory

By now you have probably read one or more bulletins from the DOE Center for Computer Security beginning with the phrase: "The Computer Incident Advisory Capability (CIAC) at LLNL has learned that..." You may have wondered exactly what CIAC is, and what it does. This article will introduce the CIAC effort, explain why CIAC was formed and what its goals are, describe the composition of the CIAC team, and finally explain how CIAC operates.

Why CIAC Was Formed

Until recently, most computer security events affecting U.S. Government computer systems could be described as either hacker incidents or the result of some kind of internal sabotage. Events occurring over the last two years, however, suggest a changing pattern of attacks on U.S. Government systems. Hacker attacks are becoming more sophisticated, as shown by the West German hacker attacks in 1987-88, and by the December, 1988 hacker attacks on Lawrence Livermore National Laboratory. Still, hacker attacks are becoming increasingly passé. There is a new "badge of honor" associated with the ability to perpetrate new forms of attack--viruses, worms, and Trojan horses. The Internet worm of November, 1988 received substantial national attention, and awoke computer security experts to the potential of a "non-traditional" and unlikely form of attack. In addition, the potential motivation of those hostile to the United States to disable defense-related computer systems during times of critical need by using time bombs, worms, etc. poses another dimension of problems for computer security experts within the defense arena.

As the number and complexity of computer security problems grow, DOE's need to respond efficiently to computer security problems becomes greater. The DOE Community currently has over 100,000 computers located at over 70 classified and unclassified sites. A central capability for analyzing events, coordinating technical solutions, ensuring that necessary information is conveyed to those who need such information, and training others to deal with computer security incidents is essential.

At DOE Headquarters, the Office of Safeguards and Security (OSS) and the Office of Automated Data Processing Management (OADPM) recognized the need for a central response capability even before the Internet worm. These offices provided funding to Lawrence Livermore National Laboratory to develop a response effort, the Computer Incident Advisory Capability (CIAC) Team. This team will provide the DOE community with a 24-hour capability to efficiently and rapidly handle computer security events.

Goals of the CIAC Effort

The CIAC effort is a continuing, multi-year effort to meet DOE computer security response needs in both classified and unclassified systems. The goals and objectives of this effort include the following, listed in order of priority:

1. Assistance to DOE Sites in Handling Computer Security Events

The CIAC team will provide assistance to DOE sites which request such assistance, or when DOE directs the team to assist. This activity includes assessing the nature and extent of any damage to systems, helping those faced with an event to contact key people and organizations, coordinating technical efforts to develop and collect software "patches," advising site personnel how to perform damage control and recovery procedures, and providing direct technical expertise to sites which lack the types of expertise necessary to handle a particular event.

2. Establishing a Response Center

CIAC will establish and maintain an office at LLNL that will become the center for conducting team activities, including helping other DOE sites handle events. The center will also house the computers and other hardware needed to handle communications with DOE sites.

3. Developing Vital Computer and Communications Capabilities

CIAC needs to communicate with DOE sites during events and at other times. Some events will be infectious attacks which will rapidly spread to other systems at the site which is attacked as well as to other sites. CIAC, therefore, will (through the DOE Center for Computer Security) alert others of infectious attacks, system vulnerabilities, and so on, so that appropriate measures can be taken. Appropriate measures might include shutting down gateway machines, temporarily disconnecting networks, making quick changes to system software, and so forth. CIAC will establish electronic communication capability with DOE sites, so that CIAC can take actions such as sending and receiving electronic mail from numerous sites, and sending and receiving patches and technical data. CIAC will also develop a capability for allowing staff from other DOE sites to quickly obtain information about CIAC's response efforts, technical solution developments during an event, CIAC training and awareness programs, and other important information.

4. Establishing a Clearinghouse of Information on Computer Security Events

CIAC will develop databases on previous incidents, known viruses and worms, known vulnerabilities of systems, and key people to contact. The CIAC staff will be able to readily retrieve or archive any desired information from each database.

5. Developing Cooperative Procedures within DOE, with Other Federal Agencies, and Vendors

A coordinated response capability is essential. CIAC accordingly is developing cooperative procedures with the DOE Center for Computer Security and Federal agencies such as the FBI, and DARPA's Computer Emergency Response Team (CERT). CIAC is also working with vendors to learn of security holes and fixes, and will work with vendors to ensure that they either fix problems with their products or allow third parties access to source code so that concerned customers can create fixes.

6. Developing Guidelines for Responding to Events

CIAC will develop recommended procedures that both CIAC and technical personnel at DOE sites can follow. These procedures include managerial as well as technical guidance for event handling. CIAC will define and prioritize classes of events, so that CIAC can provide assistance where it is most needed. These procedures will be consistent with the DOE Orders pertinent to incident handling, and will contain the necessary details to solve technical problems, conduct coordinated efforts, and preserve evidence which may be important in follow-up prosecution.

7. Developing Software Tools for Event Handling

CIAC will determine which software tools can facilitate responding to events. CIAC Team members can then design and implement these tools, or coordinate the development of such tools by others. Candidate tools include anti-virus programs, software for monitoring intrusions, tools for detection and recording capabilities, incident analysis and reverse engineering tools, and tools for real-time notification.

8. Providing an Analysis Capability

CIAC will analyze known events to categorize events, determine trends, determine which preventative measures are effective, and so forth. Ultimately, CIAC will develop models of attacks and eradication methods based on what is learned from this analysis activity.

9. Conducting a Training and Awareness Function

The CIAC team will cooperate with the DOE Center for Computer Security to conduct workshops and training seminars. In addition, the CIAC team will conduct its own regional training workshops devoted specifically to responding to incidents. The team will also disseminate information about useful software tools to promote computer security and to facilitate incident handling.

The CIAC Team

The CIAC team currently consists of two full-time and one part-time staff. CIAC will be ramped to four full-time team members by October, 1989 to form the core response capability. The part-time individual will also continue to be available to help during computer security events. In addition to a team leader, Eugene Schultz, the core team will include two specialists in operating systems and one in networking. One UNIX specialist, Ana Maria De Alvare', is already part of the team. We anticipate adding expertise in VMS, MVS, the Macintosh Operating System, and/or other environments when we hire a second operating systems specialist.

Because the CIAC team is currently small, the team has been incredibly busy! We have provided information and fixes to sites infected by viruses. Many of you have called us because you suspected that one or more of your site's machines had been affected. We have also been learning of vulnerabilities and relaying vulnerability information to the Center for Computer Security for distribution. Some of you have called us asking for information to be incorporated into your site's training programs, and others have asked us to critique your site's incident handling procedures. We should have an initial version of our guidelines for incident handling available shortly.

CIAC Operations

Although many issues are currently unresolved, a number of CIAC's operating procedures and plans have been determined. CIAC will, for example, be the point of initial contact for sites requesting assistance. (How to contact CIAC is described at the end of this article.) Sites needing CIAC assistance may also be referred to CIAC by DOE and/or the Center for Computer Security. If there are significant threats and vulnerabilities which may affect other sites, CIAC will inform the Center for Computer Security, which will notify CPPCs, CSSOs, CPPMs, and CSSMs. CIAC, meanwhile, will analyze the event and will attempt to develop or obtain any fixes needed. Once CIAC has verified any fixes, it will inform DOE sites that the fixes are available, and will distribute them. Any fix represents CIAC's best attempt at a solution to threats at DOE sites. Because CIAC is not a software development capability, however, CIAC will not assume liability for any fixes it creates and/or distributes.

When a site calls CIAC, CIAC will not reveal the identity of that site unless the management of that site gives CIAC permission to do so. If an incident is reportable to DOE under the applicable regulations, it is the responsibility of the site to immediately report the incident in the appropriate manner. When there is a reportable incident or substantial evidence that more than one DOE or other Federal site could be adversely affected by an event at a DOE site, the CIAC team leader will inform the management of that site of the need to immediately report the situation through appropriate channels. CIAC will under these circumstances take no further action until the site has complied with reporting procedures.

DOE's current policy is not to charge sites for CIAC services. However, events requiring extensive time and travel on the part of CIAC staff may require negotiation between DOE Headquarters and the site. Several significant events may sometimes occur simultaneously. Under these conditions, DOE will assist CIAC in determining action priorities.

Conclusion

CIAC is a relatively new concept. Other Federal agencies have formed or are forming incident response teams, but currently CIAC is one of the first two such teams. CIAC is already working hard to help sites respond to computer security events. CIAC is also working to bring together the many technical resources existing within DOE, to improve our ability to respond to events. Finally, CIAC can enable sites to adopt proactive measures to reduce threats and vulnerabilities, and to make responding to events more efficient. CIAC is constantly discovering information about vulnerabilities and computer security events which could impact DOE sites--it is, in one sense, your "listening post" and early warning center.

A support effort like CIAC cannot function without assistance from the DOE community. There are several things you can do to help CIAC. Having your site establish a link to the Internet would make the process of distributing and receiving binary and ASCII patches considerably easier and faster for everyone. If you are a CPPM, CSSM, CPPC or CSSO, and your phone number, FAX number, or electronic mail address changes, we would appreciate your keeping us advised of any such changes. Finally, if you request a fix on diskette, please ask for only one copy for your site. Making your own duplicates will save us time, so that we can serve the DOE community better.

You can contact CIAC* by:

e-mail . . . . . ciac@.llnl.gov
phone  . . . . . (510) 422-8193/FTS
FAX    . . . . . (510) 423-8002/FTS
SKYPAGE  . . . . 1-800-SKYPAGE PIN(855-0070) or PIN(855-0074)

*NOTE: contact information updated January 25, 1993 by Marvin Christensen.