It was early morning on a typical business day when an intrusion detection system generated an alert of unusual TCP activity at a customer’s Boston branch office. Someone was scanning the network’s internal subnets for a backdoor program that could be used to control remote systems.
Network security specialists quickly determined that this activity was hostile and identified the intruder as a consultant working for the client. After a verbal warning the hacking attempt ceased, only to resume later that night as a more sophisticated and harder-to-track User Datagram Protocol (UDP) hacking attempt.
The hacker had switched to another remote control program consisting of two components: a server component that uses a virus-like stealth mode to distribute itself on a network, and a client component the intruder can then use to explore and control the infected network.
But good detective work and a mistake on the part of the intruder led to his demise. Rather than confront the intruder immediately, security personnel scanned the hacker’s own computer and began capturing forensic data. That analysis revealed that the hacker had inadvertently installed both the client and server components of the remote control program on his own system – a flaw the security team exploited to turn the hacker’s own tool against him.
A detailed examination of the consultant’s computer revealed sensitive information taken from the customer’s network, and by logging the intruder’s actions, the security team amassed absolute proof of the attempted theft.
Realizing he had been caught, the consultant worked desperately to delete both the pilfered files and his hacking tools, but thanks to good intrusion detection technology and sound security management, this hacker was shut down before he could do any serious damage.
Highlighting the trends
That early-morning threat can be seen as the exception that proves the rule of internet security. It was an exception, because unlike so many cyber attacks, the intruder was identified and thwarted before he could cause significant harm. Yet it proved the rule that in today’s online society, companies and agencies of all kinds are threatened by a rising tide of internet-based intrusion, crime and warfare.
“To protect themselves, organizations must understand who is trying to compromise their networks and the tools those intruders use,” says Mike Stute, co-founder and Chief Technology Officer of Global DataGuard. “They must also understand the technologies that are available to identify and fight those attacks.”