Who will protect from hackers? Only the Shadow group knows
Hackers have help
breaking into government networks. They share their resources and techniques on special
mail lists and encrypted chat areas.
Government security administrators are taking a similar team approach to combat the
A small group of government network security experts has been using the method with
industry counterparts. The exchanges have helped them form a consensus, though not full
agreement, on what to do when an intruder penetrates a private network via the Internet.
The Shadow group includes representatives from several Defense Department sites, the
Geological Survey and Energys Los Alamos National Laboratory. Corporate
representatives range from General Dynamics Corp. to Disney Online.
Two big efforts have grown out of these chats. The first is a book: Computer Security
Incident Handling Step by Step. Published by the Sans Institute of Bethesda, Md., at http://www.sans.org, the $27 book discusses how to deal
with intrusions, denial of service attacks, cybertheft and other security events.
The books incident handling report lists six stages of response: preparation,
detection, containment, eradication, recovery and follow-up. By far the largest section
discusses preparation. It stresses yet again the need to be proactive and protect networks
before an attack occurs.
The Shadow group found that a good place to start is by justifying the need for
investment in a security infrastructure. It also found that many sites dont have a
solid security policy or even a philosophy in place, which slows and complicates things
when an incident occurs.
You have to choose which philosophy you will follow and get management
approval, Northcutt said, before formulating a response plan.
And the group learned that everyone needs security training.
The group decided that what works for large organizations doesnt always suit
Large groups have dedicated staffs to handle incidents. Small ones generally press a
staff member into an expert role on short notice.
An inadequately trained network administrator, for example, might begin using a
privileged account the admin had never used before. That would tell intruders they had
been detected, so they would start destroying evidence and cause other damage.
The Shadow groups discussions quickly revealed the flavor of the month in hacker
attacks. Members agreed on ways to deal with malicious code attacks (use virus checkers,
and scan for inexplicable packets sent automatically from your network out to the
They also agreed on probes and network mapping (run your own probes to see what can be
learned from Simple Network Management Protocol commands and pings). And they talked about
denial of service attacks (establish an emergency backup facility), organized espionage
(track traffic, point to false documents to throw intruders off), hoaxes (keep employees
informed, check the hoax page at http://ciac.llnl.gov),
and unauthorized access (restrict IP addresses allowed to connect).
Surprisingly, Northcutt said hes not too concerned about script-driven attacks
that pound away at sites.
The information-gathering probes give me the greatest concern, he said.
In several cases, we have noted very accurate targeting attack attempts, which
indicates someone knows a lot about our structure.
DOD sites turn to their computer incident response teams for fast help. An example
appears at http://www.assist.mil.
The second result to come out of the Shadow group is called the Cooperative Intrusion
Detection Evaluation and Response project, or CIDER. Also a Sans Institute project, with
Navy cooperation, it aims to help organizations build their own network monitoring and
CIDER concentrates on two techniques. The first is TCPdump, a program that monitors and
filters TCP activity for matches that indicate a problem. The second is Network Flight
Recorder, a set of tools under development to monitor, archive and alert authorities.
CIDER details are available at http://www.nswc.navy.mil/ISSEC/CID/. When
you visit, you can download intrusion detection shareware. But because huge log files are
kept, you may need to add gigabytes of drive space to make it work. The tools come with
good user endorsements, however.
Finally, bear in mind that not all emergency recovery scenarios result from hacker
attacks. External causes also include natural disasters, backhoe accidents and faulty
equipment. Having a response plan and a disaster recovery plan is the first step to
control loss of service.
For a list of Web security tools, visit http://www.perl.com/latro.
To monitor UseNet newsgroups dealing with security issues, check out
comp.sys.www.security or comp.infosystems.www.cgi.
See the Best of Security list at [email protected]
and Computer Emergency Response Team advisories at [email protected]. You can
join both sites by e-mail.
Shawn P. McCarthy is a computer journalist, webmaster and Internet programmer for
Cahners Business Information Inc. E-mail him at [email protected].