To Catch a Thief


Effective incident response against network intruders

May 2002

Your firewall is in place. Your antivirus software is updated regularly, and you check daily to make sure you have all of the latest OS and server patches. The only way in is through your virtual private network (VPN). By all accounts, you should be able to sleep easy, but you know better.

Intelligence and information gathering have progressed to the point that most computer attacks are quickly reported. However, there are still many vulnerabilities, unreported bugs, and complex worms out there. In addition, the double threat posed by Trojan horse worms that leave systems vulnerable to later attack by intruders is growing. It may just be a matter of time before everybody is hit. No matter what preventative measures administrators take, intruders on the company network, Web defacements, and virus outbreaks are often inevitable.

Forrester Research Analyst Laura Koetzle stresses that a comprehensive security policy is the most important item to start with when defending a computer network and its data—whether the threat is the latest mass-mailing virus, an exploit that is making the rounds among hackers, or an internal compromise. "Having a coherent policy—what to do, who to call, what to shut down, the first-fix things—is important," she says.

Vincent Weafer, director of Symantec Security Response, agrees. "First and foremost is having a security policy in the first place," he says. "People forget about that and focus on the products and techniques. When they then get into an incident response, they may destroy evidence or not know what to do."

Log and Load

Knowing just what to do in an incident response situation can be difficult, given the lack of public discourse on the subject, and companies are often reluctant to discuss the details of their own security breaches. For example, Exodus Communications declined to discuss its ongoing case against accused hacker Jerome Heckenkamp, who also allegedly broke into the systems of many large companies including eBay, Juniper Networks, E-Trade, and Cygnus in 1999.

Yet it's becoming harder to keep attacks quiet, according to SecurityFocus Incident Analyst Ryan Russell—particularly given the Web defacements that often accompany intrusions. "Now, it's basically not possible to hide if you get nailed properly," he says. "Only the really big-profile cases get prosecuted, but that doesn't mean [administrators] shouldn't gather evidence and go to law enforcement."

Russell emphasizes that reporting attacks and intrusions, despite the potential negative connotations and damage to customer relationships, is an integral part of reacting to security breaches. By reporting even minor incidents to law enforcement, he explains, companies can work together to add to the total existing body of evidence.

Take, for instance, the "Mafiaboy" case, in which a Canadian teenager pleaded guilty in January 2001 to charges of mischief stemming from his denial-of-service (DoS) attacks on major Web sites. His targets included Yahoo, CNN.com, Amazon, and eBay, all of which later helped to condemn him. "Apparently he had been doing it for a while—a known perpetrator and nothing was done," Russell says. "Now that he's charged, there's a laundry list of things, charges against him."

Jill Knesek, director of Exodus's Cyber Attack Tiger Team (CATT), is a former FBI agent who was involved in the cases against both Mafiaboy and convicted computer criminal Kevin Mitnick. Knesek says attack victims should contact law enforcement in the case of unauthorized access that has resulted in damage of $1,000 or more. "The company should identify the source IP [address] of the attacker and contact the owners of that IP to ask their assistance in obtaining any logs or data associated with [it]," she says. Mitnick adds that law enforcement can send an order to request the preservation of evidence under federal law 18 USC 2703(f).

Even if cases don't go to court, a high number of reported incidents could help pressure ISPs into taking action, including terminating questionable accounts. "You're not going to get a whole lot of satisfaction out of law enforcement," Russell admits. "One of the things you can do, and it helps clean up the neighborhood, is to go ahead and go to the ISP." Russell explains that while law enforcement is ill-prepared to handle all of the cyber-crime that's out there, attack and intrusion victims can still present their evidence to ISPs. These companies often have policies in place that allow them to boot abusers from their networks.

Plan of Attack

To present evidence, you must first gather usage logs, IP traces, and other signs of cyber trespassing. Symantec's Weafer explains that any and all information that can be collected about an incident—network audit logs, antivirus logs, router firewall logs, and file changes—can be useful both for securing the network and taking action against an intruder or data thief. "Basically, anything that will give you a trace back to where the intruder came in and what they're doing. It's all giving you information about what's happening in your environment," he says.
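The two concrete tasks described above, identifying the attacker's source address from the logs (Knesek) and keeping a record of the collected logs and changed files so they can later be shown to be intact (Weafer), can be started with a short script. The following is an added example, not code from the article or from any of the companies it quotes: the firewall log format, the addresses and the file contents are constructed for illustration, and the `key=value` line layout is an assumption rather than any particular product's format.

```python
"""Added example: first steps of evidence gathering after an intrusion.

Parses constructed firewall log lines, summarises activity per source
address, and records SHA-256 hashes of collected artifacts so that any
later change to the evidence (or to a watched file) can be detected.
"""
import hashlib
import re
from collections import defaultdict

# Constructed firewall log lines in a hypothetical "key=value" layout.
# The addresses are documentation ranges; the third-to-last line is
# deliberately malformed to show how unparseable lines are handled.
FIREWALL_LOG = """\
2002-05-03T02:14:07 DROP src=203.0.113.45 dst=192.0.2.10 proto=TCP dport=22
2002-05-03T02:14:09 DROP src=203.0.113.45 dst=192.0.2.10 proto=TCP dport=23
2002-05-03T02:14:11 ACCEPT src=203.0.113.45 dst=192.0.2.10 proto=TCP dport=80
2002-05-03T02:15:00 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2002-05-03T02:16:00 garbage line that the collector truncated
2002-05-03T02:16:30 DROP src=203.0.113.45 dst=192.0.2.10 proto=TCP dport=445
2002-05-03T02:17:02 ACCEPT src=192.0.2.55 dst=192.0.2.10 proto=TCP dport=443
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)


def parse_firewall_log(text):
    """Return (records, skipped): one dict per well-formed line.

    Malformed lines are skipped but counted, so a gap in the evidence is
    recorded rather than silently dropped.
    """
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LOG_LINE.match(line)
        if match is None:
            skipped += 1
            continue
        rec = match.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records, skipped


def source_summary(records):
    """Aggregate events by source address, most active source first.

    For each address: total hits, how many were dropped, and the sorted
    destination ports touched. One source touching many ports with most
    attempts dropped is the entry to hand to that address owner's abuse
    contact together with the raw log lines.
    """
    summary = defaultdict(lambda: {"total": 0, "dropped": 0, "ports": set()})
    for rec in records:
        entry = summary[rec["src"]]
        entry["total"] += 1
        if rec["action"] == "DROP":
            entry["dropped"] += 1
        entry["ports"].add(rec["dport"])
    rows = [
        (ip, {"total": v["total"], "dropped": v["dropped"], "ports": sorted(v["ports"])})
        for ip, v in summary.items()
    ]
    return sorted(rows, key=lambda row: row[1]["total"], reverse=True)


def evidence_manifest(artifacts):
    """Map each artifact name to the SHA-256 hex digest of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def changed_artifacts(baseline, current):
    """Names whose content differs from the baseline manifest.

    Covers modified, added and missing artifacts, so the same check works
    both for 'has our collected evidence been altered?' and for 'which
    watched files changed since the baseline?'.
    """
    now = evidence_manifest(current)
    return sorted(n for n in set(baseline) | set(now) if baseline.get(n) != now.get(n))


if __name__ == "__main__":
    records, skipped = parse_firewall_log(FIREWALL_LOG)
    for ip, info in source_summary(records):
        print(ip, info)
    print("unparseable lines:", skipped)
    # Constructed artifacts: the log itself plus a config file we watch.
    artifacts = {"firewall.log": FIREWALL_LOG.encode(), "httpd.conf": b"ServerTokens Prod\n"}
    baseline = evidence_manifest(artifacts)
    artifacts["httpd.conf"] = b"ServerTokens Full\n"  # simulated tampering
    print("changed since baseline:", changed_artifacts(baseline, artifacts))
```

Hashing the collected logs as soon as they are copied, and keeping the manifest separately from the copies, is what lets you later show that the lines handed to an ISP or to law enforcement are the lines you originally collected.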

Sometimes, then, the best plan of action is knowing when not to act. If you intend to pursue a case against an intruder, be prepared to wait a couple of days before taking action. Although it's often difficult to convince upper management to let an intruder run rampant through your network, it may be the only way to gather enough evidence to prove trespassing and take action.

Weafer doesn't deny that pretending to ignore attacks can be frustrating. Yet, he says, once they've broken in, attackers can be used to guide administrators and security pros to the cause of the attack. "You may want to watch them to see how they're getting in, and to learn about their attack techniques to learn the true source of the problem," Weafer says. "That's the hard part, particularly in the middle of an incident. You may not be able to do much for the day except the lesson learned, so that you can go back and improve your overall security."

Forrester's Koetzle remembers one company that "really had it down." Every time it experienced an attack or security breach, she explains, the company sent out a survey to security, network administrators, and other IT staff to reconstruct the event from all angles. "They would look at what worked, what didn't, time lost, time spent dealing with the attack, and assess the real [incident] so they could do it better next time," she says.

To protect the network, you have to not only thwart attacks but also understand how each attack was perpetrated, so that vulnerabilities can be corrected and your response improved every time. "You can't recover unless you know how you're broken into," says Russell. "A lot of times, you can be running a pretty secure ship and go back and find a hundred holes. There's always the possibility you're going to get broken into."
