Throughout this blog and my book, I discuss hackers who are able to avoid detection. If a hacker survives on a network for more than 72 hours, it is unlikely that the system administrator or security team will find evidence of the compromise unless they stumble upon it by accident. There are many tools on the market that can help someone find evidence of a compromise, but if those tools never sound an alarm, how will anyone know that a system is compromised?
One of the most successful tools in my security tool bag is an Advanced Network Profiler. I developed this tool from scratch, and it is very effective. It is not going to catch every hacker that might be on a network (that would be too good to be true), but it gets pretty close. The tool rests on three basic concepts, and once those concepts are understood, it becomes very apparent why it is so effective.
Concept 1: There can be no network compromise without connectivity.
Whether or not an alarm is tripped, a hacker cannot operate in any network without connectivity. Connectivity itself is not an alarm; it is an audit record of communication between two devices. Every command-and-control session, lateral-movement hop and data transfer is a connection between two endpoints, and a connection can be recorded (as a flow record, firewall log or connection log) even when no signature matches it. If a person audits that record of network connectivity, rather than waiting for a detection tool to raise an alert, the evidence of compromise is there to be found.
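The following is an added example that illustrates Concept 1; it is not the author's Advanced Network Profiler nor any code from the original post. It assumes connectivity has been recorded as flow records (timestamp, source, destination, destination port, protocol, bytes out), builds a baseline of the peer triples seen during a trusted learning window, and then audits a later window for two things: peers never seen in the baseline, and peers contacted at near-constant intervals (a beaconing pattern). The flow records, hosts and thresholds (four connections minimum, coefficient of variation of the gaps at or below 0.2) are constructed for the demonstration and are not real traffic.

```python
"""Audit recorded network connectivity for evidence of compromise (added example)."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Flow = namedtuple("Flow", "ts src dst dport proto bytes_out")

# Constructed sample data (not real traffic). The baseline window holds the
# connections a workstation normally makes: internal DNS, a file server, one HTTPS site.
BASELINE_FLOWS = [
    Flow(100, "10.0.0.5", "10.0.0.2", 53, "udp", 80),
    Flow(160, "10.0.0.5", "10.0.0.10", 445, "tcp", 4200),
    Flow(400, "10.0.0.5", "198.51.100.20", 443, "tcp", 9800),
    Flow(420, "10.0.0.5", "10.0.0.2", 53, "udp", 75),
]

# Constructed audit window: the same normal traffic, plus a never-seen external
# peer contacted every ~300 s with small jitter, and a one-off RDP connection to an
# internal host the workstation has never talked to before.
AUDIT_FLOWS = [
    Flow(1000, "10.0.0.5", "203.0.113.7", 8443, "tcp", 512),
    Flow(1005, "10.0.0.5", "10.0.0.2", 53, "udp", 80),
    Flow(1100, "10.0.0.5", "10.0.0.2", 53, "udp", 77),
    Flow(1302, "10.0.0.5", "203.0.113.7", 8443, "tcp", 520),
    Flow(1598, "10.0.0.5", "203.0.113.7", 8443, "tcp", 508),
    Flow(1650, "10.0.0.5", "10.0.0.2", 53, "udp", 82),
    Flow(1700, "10.0.0.5", "10.0.0.2", 53, "udp", 79),
    Flow(1750, "10.0.0.5", "10.0.0.11", 3389, "tcp", 15000),
    Flow(1901, "10.0.0.5", "203.0.113.7", 8443, "tcp", 515),
    Flow(2200, "10.0.0.5", "203.0.113.7", 8443, "tcp", 530),
    Flow(2300, "10.0.0.5", "198.51.100.20", 443, "tcp", 12000),
]


def build_baseline(flows):
    """Set of (src, dst, dport) triples observed during a trusted learning window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def new_peers(flows, baseline):
    """Peer triples in the audited window that never appeared in the baseline."""
    return {(f.src, f.dst, f.dport) for f in flows} - baseline


def beacon_candidates(flows, min_count=4, max_cv=0.2):
    """Peers contacted at near-constant intervals.

    For each (src, dst, dport) with at least min_count connections, compute the
    gaps between consecutive connections; a low coefficient of variation
    (stdev / mean) means the timing is regular, which is typical of a
    scheduled call-back rather than of a person browsing. Returns
    {triple: approximate period in seconds}. Thresholds are assumptions.
    """
    times = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst, f.dport)].append(f.ts)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            found[key] = round(avg)
    return found


def audit(flows, baseline):
    """Human-readable findings for the audited window, one string per finding."""
    findings = []
    for src, dst, dport in sorted(new_peers(flows, baseline)):
        findings.append(f"NEW PEER  {src} -> {dst}:{dport} (never seen in baseline)")
    for (src, dst, dport), period in sorted(beacon_candidates(flows).items()):
        findings.append(f"BEACONING {src} -> {dst}:{dport} every ~{period}s")
    return findings


if __name__ == "__main__":
    for line in audit(AUDIT_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(line)
```

Run against the constructed data, the audit reports the RDP hop to 10.0.0.11 and the external peer on port 8443 as never-seen peers, and flags the 8443 peer again as a beacon with a period of about 300 seconds. The DNS server is contacted just as often but at irregular intervals, so it is not flagged. None of this required a signature: the connections themselves are the evidence, which is the point of Concept 1. The usual caveat applies: the audit can only surface connectivity that was actually recorded, so the flow or connection logs must cover the segment the attacker is operating on.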