On the Offensive
It's time to become proactive about stopping computer crime.
- By Roberta Bragg
- August 01, 2004
One of my adult kids is home for a visit and we've been reminiscing about the things we used to do together. One of Charlie's interests was soccer. For half a dozen years I attended every one of his practices and games. He got pretty good and so did his team—at least at defense. The defense fought hard to keep the opposing team from getting close enough to score and Charlie, as goalie, prevented ball after ball from entering the net. The problem, though, was that the rest of the team rarely moved the ball into their opponents' side of the field.
It was hard to sit there and watch hard-working players struggle with defeat after defeat. As a soccer mom I didn't have a clue; I didn't know what could help the team win a game and advance. I wasn't even sure if it was my place to try, or if anyone would have taken my advice anyway. When it comes to information security, however, I hope I can help give you—the good guys—a fighting chance.
You need it, too, since information security can be a lot like my son's soccer team: The other guys are on the attack, and all you do is keep working on your defense. You don't have to be much of a statistician nor need a crystal ball to see that eventually, without some kind of offense, your opponents will eventually win.
To stop computer crime, here's what you've got to do: Instead of putting all your efforts into defending against attacks, it's time you went on the offensive. It's time you became proactive about stopping computer crime. You can skillfully harden systems; spend big bucks on defensive measures and in complying with legislation and initiatives; carefully design, create, deploy and maintain secure operating systems, applications and infrastructure; but it's still defense. And in the meantime, the bad guys, who don't have to worry about defense and can concentrate solely on offense, continue to score.
This month I'll start with information on identifying attacks and understanding the law. In part two, next month, I'll provide information on collecting and analyzing evidence, reporting crime and enlisting the rest of your organization as part of the offensive team.
You can't stop computer crime if you don't know what it looks like. At this point, we're not interested in the somewhat narrow definition that determines whether an attack is a prosecutable crime; we just want to know if one has occurred or is occurring. There are many ways to identify attacks and discover if you've been compromised.
Most everyone is familiar with the class of attacks known as signature attacks. They can be identified by the evidence they leave. Some are obvious, such as site defacements, worm or virus infestations and common Trojan horses. Other types are found only by diligent awareness and study, or only become evident when stolen information is used or appears where it shouldn't—charges to credit cards and other accounts, products produced with stolen trade secrets, or copies of proprietary source code published on the Internet, for example.
But if the perpetrator is stealthy, you might never realize you've been attacked. Maybe his goal was just to see if he could break in, look around and leave without alerting you; perhaps he was able to use the information discovered without a public or obvious affect; or perhaps the damage was attributed to computer or operator error or instability.
Identifying subtle attacks requires more skill than running worm detection scanners, looking for known Trojan ports or diligently reading unmonitored security lists. You'll have to invest money, time and effort. Intrusion detection and intrusion prevention tools, gateway monitors, application layer firewalls and log analyzers can help. So can knowledge, experience, analytic skill and good common sense. Many of the products are touted as defensive measures; but their ability to detect and record information about an attack can be used for offensive action. Establishing an incident response team is important, too—they can be your first responders for defense, but they can also identify attacks and triage them.
All these attack detection methods have one thing in common: They must know what an attack looks like and identify it, or know what's normal for your network to identify the abnormal as a possible attack. Some of them do both.
- Intrusion detection products can be used to identify many types of attacks. They require tuning and training and may also require a significant investment to purchase, implement and maintain. SANS has a good survey and fact sheet on intrusion detection at www.sans.org/resources/idfaq/.
- Intrusion prevention products take intrusion detection to the next logical step. They can drop packets, log attacks, block an attacker or vulnerable protocol, terminate a session and so on, based on their identification of an intrusion attempt in progress.
- Gateway monitors detect and remove spam, known malware, executable attachments and other suspicious payloads. In addition, they may alert, record, categorize and track such activity and quarantine the filtered data for administrative review. Gateway monitors can be spam filters, antivirus products, SMTP screeners and so forth.
- Application layer firewalls look inside packets to determine if they really are what they claim to be—or are masquerading as something they're not. Products like Microsoft's Internet Security and Acceleration Server provide special provisions for inspecting Exchange, Web and other types of traffic to ensure it's properly formatted and plays by the rules. ISA Server can also implement URLScan to discard executables, doubly-encoded hexadecimals and other malformed Web requests.
- Log analyzers are exactly what they sound like: They take information from multiple logs and multiple log types and rapidly collate and analyze data, looking for patterns that suggest an attack. Some intrusion detection devices use this process, too, examining data in the Windows event logs for evidence of attack or compromise.
- Knowledge, analytic skill and common sense are necessary if you're going to support any of these solutions to detect and identify attacks, not just defend against them. In fact, these qualities are perhaps the most important, and, especially in smaller environments, can more than make up for the lack of money available for expensive IDSs.
For example, Microsoft's free tool EventCombMT collects and analyzes the data in Windows event logs. An EventComb search for system shutdowns or reboots, which may indicate an attack, will search specified machine logs for events using an admin-supplied list of event IDs (the downside is that you must know which IDs to enter). EventComb generates a text file for each machine reporting any of these events. Since the files only include the specific events, it's easier and faster to scan them for possible attacks than visit each machine and search through hundreds of unrelated events looking for a match.
Understand the Law
Many laws impact information systems. While your legal department should counsel you about the legality of the activity you've uncovered, and your organization's policy may demand—or forbid—contact with law enforcement, you won't know when to seek counsel if you don't have some familiarity with the law.
Like a tiger crouching in the tall grass, identify your prey before pouncing. Laws vary from country to country and even between legislative jurisdictions within countries. Within the United States, for example, simple port scanning may or may not be recognized as a crime, depending on the state.
States may also have laws that address reporting. California requires organizations with state residents as customers to report any successful attack that may have exposed these individuals' private information.
In addition, not every alleged crime will be investigated. Take, for example, the minimum $5,000 in damages necessary before the FBI can start an investigation of violations of the Computer Fraud and Abuse Act.
You don't have to be a lawyer to gain enough understanding of the laws in order to tag an attack for further investigation and possible law enforcement involvement. You should, however, look for a lawyer's interpretation, examine the law and seek legal counsel. Here's a summary of the major laws to get you started.
Computer Fraud and Abuse Act
The most important computer crime law in the U.S. is the Computer Fraud and Abuse Act (CFAA), and the updates applied to it by the Patriot Act and Homeland Security Act. The CFAA, in force since 1986, was written to protect confidentiality, integrity and availability of data and systems.
The CFAA prohibits:
- Unauthorized access of information systems protected for national security reasons
- Unauthorized access of confidential information on the Internet
- Unauthorized access of government, nonpublic computers
- Unauthorized access of a protected computer in furtherance of fraud
- Intentional acts that damage a computer
- Trafficking of passwords that affect interstate commerce or government computers
- Threats to cause damage to protected computers for the purpose of extortion.
The key words to note here are unauthorized, intentional, interstate commerce and protected computers. For an attack to violate the law, there must be proof that the access was unauthorized. An unauthorized user is one who has no authority to access a computer system, or does have permission but exceeds his authority. An authorized user, for example, who elevates his privileges to an administrative level is performing an unauthorized access.
Intentional acts are usually easy to judge. If a user opens an attachment and infects the entire network with a worm or virus, most people would say that was accidental. If the same user created a virus or downloaded one and infected machines on the network, most people would call it an intentional action. However, such a judgment would be made by the courts.
In the U.S., interstate commerce is defined as financial transactions that traverse state lines. This might appear to mean the transaction must start and end in two different states, but it's different with the Internet; if a communication can be traced as traveling across states, even though two parties are within the same state, the transaction may be interpreted as interstate commerce.
A protected computer was defined in the original law as one used by a financial institution, the U.S. government, interstate or foreign commerce, or communications. In 1996 the definition of “interstate commerce” was expanded to include all computers connected to the Internet, since Internet traffic may cross state boundaries even when buyer and seller reside in the same state. In 2001, the Patriot Act expanded the definition again, to include computers outside the U.S. that affect U.S. interstate commerce.
Another key element in most cases is the required minimum of $5,000 in damage or losses. But that that figure can include more than one computer, including the cost to repair, recover, disinfect, discover and otherwise put things back to normal.
Furthermore, some types of attacks don't carry minimum damage requirement. These include:
- Loss due to modification of medical diagnosis
- Physical injury
- Threat to public health or safety
- Damage to a government computer used law enforcement, national defense or national security.
The Patriot Act also allows victims to recover the costs of an attack.
|This is Not Legal Advice
|I'm not a lawyer, nor attempting to provide legal advice in this article. I'm simply providing some basic information on the law gleaned by examination, study and research. Clarify with your own legal representatives whether specific incidences might be violations of the law. You should also determine your organization's policy and seek counsel from its lawyers. Finally, learn the law to avoid inadvertently breaking the law while attempting to provide security for your organization or following company policy. Being a party to illegal practices simply because it's company policy to perform illegal actions won't prevent you from being prosecuted.
Electronic Communications Privacy Act
On the books since 1986, this prohibits the unauthorized interception or disclosure of communications. It also covers stored communications like e-mail.
Two exceptions to this rule exist: consent and self-defense. If consent is given to read or listen in on a communication, the law doesn't apply. This means it's important to inform employees if e-mail may be monitored. In addition, an IT department that administers and maintains the mail server, and might therefore access and see information included in an e-mail, is probably not breaking the law by doing so.
It isn't easy to define where the line between normal job operations and overt, illegal monitoring may fall. IT pros are often called upon to monitor communications of all types, as part of troubleshooting a problem or determining if an attack is in progress. This is another example of the importance of knowing the law. While you might conclude that using a packet sniffer to monitor an attack in progress is an example of the self-dense exception to the law, it still may require specific permission to do such monitoring even though you're charged with maintaining the network.
Privacy and Security
Attacks on your systems from outsiders or insiders aren't the only things that should be detected, monitored and dealt with. While the previous laws address attacks on computers, other laws specify what organizations must do to protect the privacy of personal information and the security of the information kept on computers. They may define how organizations should handle information security and possible penalties for not using care and due diligence. A side benefit is that these laws may assist you in promoting good security practices in your organization and heighten your understanding of how they might impact your information management processes. The major laws include:
- The Gramm-Leach-Bliley Act of 1999, enacted to reform the banking industry, includes standards that a financial institution needs to meet to ensure the security and confidentiality of customer records and information (www.ftc.gov/privacy/glbact/).
- The Sarbanes-Oxley Act of 2002 probes public companies by requiring that annual reports include a report on internal controls. It also establishes management's responsibility for the establishment and maintenance of controls that ensure the integrity of data used in financial reporting (www.sarbanes-oxley.com).
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the U.S. Department of Health and Human Services to issue Privacy and Security Rules to protect an individual's electronically maintained health information (www.hipaa.org).
Do the Right Thing
These laws might be collectively entitled “Do What's Right” laws, as they specify things like protection of private financial and health information—something everyone recognizes should be done—and dishonesty in reporting. Three important points need to be made:
- Compliance with these laws is mandatory for affected organizations. Your offensive actions should include a determination of their impact for your organization and a push for compliance. Even if your organization doesn't strictly fall under these regulations, the practices outlined are good to follow.
- Many organizations may not realize they're under these laws. For instance, schools that make student loans and organizations that manage employee health insurance may be subject to Gramm-Leach-Bliley and HIPAA, respectively.
- Finally, these laws do not specify hardware and software that will make your organization compliant; beware of vendors making such claims.
Keep these thoughts in mind until next month, when I outline offensive strategies and suggest ways to collect and analyze evidence, report crime and enlist the rest of your organization as part of the security team.