How to catch hackers security sensors don’t see – Part 1
Throughout this blog and my book, I discuss hackers that are able to avoid detection. If a hacker survives on a network for more than 72 hours, it’s unlikely that the system administrator or security team is going to find evidence of a compromise unless they stumble upon the evidence by accident. There are many tools on the market that can help someone find evidence of a compromise, but if these tools don’t sound an alarm, how will someone ever know that a system is compromised?
One of the most successful tools in my security tool bag is an Advanced Network Profiler. I developed this tool from scratch and it is very effective. It’s not going to catch every hacker that might be on a network (that would be too good to be true), but it gets pretty close. There are three basic concepts that this tool is based upon and once these concepts are understood, it becomes very apparent why this tool is so effective.
Concept 1: There can be no network compromise without connectivity.
Whether or not an alarm is tripped, a hacker can't operate in any network without connectivity. Connectivity itself is not an alarm; it is an audit record of communication between two devices. If a person audits network connectivity, they will find evidence of compromise.
Concept 2: Connectivity can be classified as “authorized” or “unauthorized”.
Authorized connectivity adheres to an organization’s concept of operation, business rules and security policies. Unauthorized connectivity goes against an organization’s concept of operation, business rules or security policies. Given enough information, all connectivity can be classified into one of these two categories. The question that should be asked is, “Should this connectivity be occurring?”
Concept 3: Authorized and unauthorized connectivity can be profiled.
Once an organization’s connectivity is understood, a profile can be built of what is “normal” and “abnormal” activity for each device attached to the network. Any abnormal activity automatically comes to an analyst’s attention, irrespective of intent or alarms.
One thing to keep in mind is that once a hacker establishes a base of operation on a network, whatever security measures and configurations a person thinks are in place may no longer be in place. A common mistake that many people make when analyzing network traffic is assuming a device is secured against certain types of connectivity, when it may no longer be secured against that activity at all. Auditing connectivity is all about what is actually happening on a network, not what is supposed to be happening.
Now the cool thing is that the activity from all the security tools on a network can be profiled as well, including firewalls, network intrusion detection systems and access control lists. This information can be "superimposed" onto the connectivity records to provide a comprehensive data set. Once all of this information is at someone's fingertips, it becomes very hard for a hacker to hide on a network, because an analyst essentially "knows all and sees all" on that network.
Does all of this make sense so far?
There is one major issue that people always bring up when it comes to profiling and auditing all of this activity, and that is volume. A network may have millions of connectivity and security records per day, and many don't see how it's possible to reduce that amount of traffic to a manageable size to analyze. Fortunately, given a good understanding of the data and the right algorithms, it's possible to crunch all of this information down to a manageable size.
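To make the three concepts concrete, here is a small profiler written as an added example for this post; it is not the author's Advanced Network Profiler and does not reproduce its algorithms. It works over constructed flow records (the addresses, ports, role table and policy are all made up for the example): a learning window builds a per-device "normal" profile (Concept 3), each new flow is classified as authorized or unauthorized against a business-rule policy (Concept 2), a constructed firewall log is superimposed so the analyst can see a flow the firewall claims to have denied, and raw records are collapsed into distinct connection tuples with counts, which is the volume-reduction step. Only flows that are authorized, previously seen and not contradicted by the firewall are dropped from the analyst's queue.

```python
"""Added example of connectivity profiling; not the author's tool."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample flow records: (timestamp, src, dst, dport, proto).
# Addresses and timestamps are made up for this example.
BASELINE_FLOWS = [
    ("2023-01-01T09:00", "10.0.1.20", "10.0.2.5", 445, "tcp"),     # workstation -> file server
    ("2023-01-01T09:05", "10.0.1.20", "10.0.2.9", 53, "udp"),      # workstation -> DNS
    ("2023-01-01T09:10", "10.0.1.20", "10.0.2.9", 53, "udp"),
    ("2023-01-01T09:12", "10.0.2.5", "10.0.2.9", 53, "udp"),       # file server -> DNS
    ("2023-01-01T09:20", "10.0.1.20", "203.0.113.8", 443, "tcp"),  # workstation -> web
]

NEW_FLOWS = [
    ("2023-01-02T09:01", "10.0.1.20", "10.0.2.9", 53, "udp"),        # routine DNS
    ("2023-01-02T09:01", "10.0.1.20", "10.0.2.9", 53, "udp"),
    ("2023-01-02T09:02", "10.0.1.20", "10.0.2.9", 53, "udp"),
    ("2023-01-02T02:30", "10.0.2.5", "198.51.100.77", 4444, "tcp"),  # server reaching out; never seen
    ("2023-01-02T02:31", "10.0.2.5", "198.51.100.77", 4444, "tcp"),
    ("2023-01-02T09:15", "10.0.1.20", "10.0.2.5", 3389, "tcp"),      # new port to the server; never seen
]

# Constructed firewall log: (src, dst, dport, action). Superimposed on the flows
# so a connection that "should" be blocked but still shows up is surfaced.
FIREWALL_LOG = [
    ("10.0.2.5", "198.51.100.77", 4444, "deny"),
]

# Constructed stand-in for the organization's concept of operation:
# what each device role is allowed to talk to. None means "any destination".
ROLE_OF = {"10.0.1.20": "workstation", "10.0.2.5": "file_server", "10.0.2.9": "dns"}
POLICY = {
    "workstation": {(None, 53), (None, 443), ("10.0.2.5", 445)},
    "file_server": {("10.0.2.9", 53)},
    "dns": set(),
}

FlowKey = Tuple[str, str, int, str]


def flow_key(rec) -> FlowKey:
    """Drop the timestamp; the connection tuple is what gets profiled."""
    _, src, dst, dport, proto = rec
    return (src, dst, dport, proto)


def build_profile(flows) -> Dict[str, set]:
    """Concept 3: per-device set of (dst, dport, proto) seen during the learning window."""
    profile = defaultdict(set)
    for rec in flows:
        src, dst, dport, proto = flow_key(rec)
        profile[src].add((dst, dport, proto))
    return profile


def is_authorized(src: str, dst: str, dport: int) -> bool:
    """Concept 2: classify against policy. Devices with no known role are unauthorized."""
    role = ROLE_OF.get(src)
    if role is None:
        return False
    allowed = POLICY[role]
    return (dst, dport) in allowed or (None, dport) in allowed


def reduce_volume(flows) -> Counter:
    """Collapse raw records into distinct connection tuples with a hit count."""
    return Counter(flow_key(rec) for rec in flows)


def analyze(baseline, new_flows, firewall_log) -> List[dict]:
    """Return only the connections an analyst needs to look at."""
    profile = build_profile(baseline)
    fw_denied = {(s, d, p) for s, d, p, action in firewall_log if action == "deny"}
    findings = []
    for key, count in reduce_volume(new_flows).items():
        src, dst, dport, proto = key
        authorized = is_authorized(src, dst, dport)
        seen_before = (dst, dport, proto) in profile.get(src, set())
        fw_claims_deny = (src, dst, dport) in fw_denied
        if authorized and seen_before and not fw_claims_deny:
            continue  # normal; drop from the queue (the volume reduction)
        findings.append({
            "flow": key, "count": count, "authorized": authorized,
            "abnormal": not seen_before, "firewall_claims_deny": fw_claims_deny,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(BASELINE_FLOWS, NEW_FLOWS, FIREWALL_LOG):
        print(f)
```

Running it drops the three routine DNS lookups and leaves two items: the file server talking outbound on a port it has never used, which the firewall log says it denied yet the flow record shows happened anyway (the point made above about assuming a control is still in place), and the workstation reaching the server on a port outside both its profile and its policy. In a real deployment the learning window, the role table and the policy would come from the organization's own records; the logic of "authorized, seen before, and consistent with the controls" is what stays the same.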
There is a lot more to all of this than presented above, but I’ll save that information for another post…