As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.

1.0 Top Risks

1.1 Drive-by-download infections

Drive-by infections (malicious code on websites that exploit vulnerable web applications) continue to be our most significant source of damage. However, our protections implemented in Q1 limit and isolate the damage early - in Q2 we isolated 390 computers with vulnerable versions of Flash and 40 computers with vulnerable versions of Java. In addition, to protect against other web applications, we expanded BigFix, a tool to patch third party applications, to 2700 clients including both PCs and Macs. With BigFix for Macs we are well positioned to enforce patching if the threat environment starts to focus on Macs.

1.2 Continued Threats from Advanced Persistent Threat (APT)

This is an ongoing top risk, although we have not witnessed any significant activity in the last quarter.

1.3 Emergent Security Risks and Evolving Threats

An attack of Macs via the Flashback malware emerged on the Internet. A drive-by-download could install malware on Mac systems with vulnerable versions of JRE. We were one of the first to identify network indicators of the Flashback malware and shared them with REN-ISAC, NSM, ESnet, and Kapersky to facilitate detection. We were able to quickly deploy Bro policy to detect and remove 23 infected Macs from the network.

The emergence of a Mac-targeted trojan suggests that Apple’s growth in market share may generate more targeted attacks. We are well positioned to deal with this threat as we can leverage BigFix to automate patching.

2.0 LBNL Performance

2.1 Business Plan Performance

The Cyber Team made significant progress on its FY12 business plan. In addition to other items in this report, progress included:

• Objective 1.1:
  • Detection. To enhance our ability to detect malicious insiders, we implemented new netflow technology to detect internal scanners.
  • Forensics. Full packet storage allows cyber analysts to examine the content of transactions in the event of an attack. Commercial solutions offer highly limited storage (e.g. a few days) or can be prohibitively expensive. After evaluating and being unsatisfied with commercial full packet storage solutions, we implemented a homegrown solution that allows us to vary the amount of packet storage based on evolving risks and attack vectors. With this tool, we can cost-effectively capture up to 6 months of data - unheard of in the industry.
• Objective 3.1: The "Bro Intelligence Framework" - an ability to digest and act on external data sets - is now in production. This framework incorporates REN-ISAC and DOE NSM data into Bro alerting. This implementation and the data gathered for it were used by ISCI and LBNL as the basis for a paper submitted to RAID titled "A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence".

2.2 Audit: DOE Inspector General Audits

The Department of Energy’s Inspector General included Berkeley Lab in the following audits which are already in process:

• Cyber Security Incident Management
• IT General & Application Controls
• FISMA
• IT Vulnerability Assessment (internal and external)

As always, we will consider any recommendations based on these audits in the context of our risk management approach and cost/benefit analysis.

3.0 PEMP Goals, Objectives, Notable Outcomes

PEMP Objective 8.2 Notable Outcome to “Implement improved intrusion detection by fully deploying a next generation malware protection system and incorporating it into the Laboratory's continuous monitoring program.”

With the integration of FireEye last quarter, we finalized our deployment with fully automated responses to FireEye alerts.

4.0 Noteworthy Accomplishments

Our cyber team had several successes that provided or will provide broad benefit for the cyber community:

• As one of the earliest detectors for the Flashback malware our early sharing of key signatures helped facilitate detection.
• The Bro Intelligence Framework can serve as a model to consolidate disparate data feeds into actionable cyber responses. This project combined our operational knowledge with UC researchers and by publishing our approach the general community will benefit.

Our policy team participated in several key activities that broadly benefited or are intended to benefit the DOE complex, including:

• Initiated and facilitated M&O team to identify desired approaches to cyber security topics in Science cyber management plan. This led to the development of a M&O/federal team to rewrite the plan and we are contributing to ongoing meetings.
• We contributed heavily to several DOE orders this quarter, including the property management order (which introduces a flexible, risk-based approach to identifying and managing sensitive and accountable property) and the IT project management order. These contributions should help increase efficiency by enabling contractors across DOE to make local, risk-based decisions.
• Helped to further refine proposal for alternative Clinger-Cohen reporting to OMB for the Laboratories.