Thursday, April 28, 2005

Cyber Incident Detection and Data Analysis Center Goes Public

In October 2003 I reported on the Cyber Incident Detection & Data Analysis Center (CIDDAC), a collaboration of the University of Pennsylvania's Institute of Strategic Threat Analysis and Response (ISTAR) laboratory in Philadelphia, the Philadelphia InfraGard chapter, and Charles "Buck" Fleming, CEO of the apparently dormant AdminForce LLC. Details in 2003 were sparse, but I was skeptical that companies would agree to host "what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible — and eventually the world — and feed incident data to a centrally managed operations facility at the University of Pennsylvania at Philadelphia."

Stories by InfoWorld and Computerworld are shedding some light on the situation. First, it does not appear CIDDAC will watch company traffic. Instead, they are just deploying honeypots:

"John Chesson, a special agent at the FBI in Philadelphia, said the RCADS are essentially 'hardened honeypots' that look like they are part of the network an intruder is trying to enter. When the RCADS are attacked, CIDDAC workers monitor the event and collect real-time data that can be forwarded to law enforcement officials, he said."

I found this comparison chart interesting. It allegedly shows how CIDDAC is superior to other data collection methods.

I wonder what metrics CIDDAC used to determine the width of the colored bars for a competing organization, like CERT? It must be a Philly vs. Pittsburgh issue.

Check this out:

"The initial 30 participants, who are anonymous for security reasons, will pay about $10,000 for the installation of the RCADs and for the first year of monitoring and reports.

'We take minutes to analyze what now takes hours,' Fleming said. 'We know it's going to work. We've had prototypes working for years now.'"

According to reporting, CIDDAC is DHS funded:

"The pilot project, which has been in the planning stages for two years, is being funded through a $200,000 grant from the DHS Science and Technology Directorate and with the support of the FBI."

The CIDDAC FAQ offers these details:

"CIDDAC has received its initial funding and construction is underway at our University of Pennsylvania facility. The build-out, setup and testing estimated completion date is no later than October 2005. CIDDAC services will be available by December 2005."

I'll keep my eye on this project. I would be interested in speaking with anyone from CIDDAC who would like the project profiled here. It seems CIDDAC is a honeypot-based managed security services provider that charges $10,000 per year, has start-up funding from DHS, and works with the Philadelphia FBI and U Penn. Am I wrong?
