It was early morning on a typical business day when an intrusion detection system generated an alert of unusual TCP activity at a customer’s Boston branch office. Someone was scanning the network’s internal subnets for a backdoor program that could be used to control remote systems.
Network security specialists quickly determined this activity as hostile and identified the intruder as a consultant working for the client. After a verbal warning the hacking attempt ceased, only to resume later that night as a more sophisticated and difficult-to-track User Datagram Protocol (UDP) hacking attempt.
The hacker had switched to another remote control program consisting of two components: a server component that uses a virus like stealth mode to distribute itself on a network, and a client component the intruder can then use to explore and control the infected network.
But good detective work and a mistake on the part of the intruder, led to his demise. Rather than confront the intruder immediately, security personnel scanned the hacker’s own computer and began capturing forensic data. That analysis revealed that the hacker had inadvertently installed both the client and server components of the remote control program on his own system – a flaw the security exploited to turn the hacker’s own tool against him.
A detailed examination of the consultant’s computer revealed sensitive information taken from the customer’s network, and by logging the intruder’s actions, the security team amassed absolute proof of the attempted theft.
Realizing he had been caught, the consultant worked desperately to delete both the pilfered files and his hacking tools, but thanks to good intrusion detection technology and sound security management, this hacker was shut down before he could do any serious damage.
Highlighting the trends
That early-morning threat can be seen as the exception that proves the rule of internet security. It was an exception, because unlike so many cyber attacks, the intruder was identified and thwarted before he could cause significant harm. Yet it proved the rule that in today’s online society, companies and agencies of all kinds are threatened by a rising tide of internet-based intrusion, crime and warfare.
“To protect themselves, organizations must understand who is trying to compromise their networks and the tools those intruders use,” says Mike Stute, co-founder and Chief Technology Officer of Global DataGuard. “They must also understand the technologies that are available to identify and fight those attacks.”
Experts who track online attacks say the perpetrators can be categorized into five broad groups: the archetypical hacker who takes perverse pleasure in successfully breaching a network or in the creation of a new worm or virus; an insider acting out of anger or greed; industrial spies opening online pathways to steal intellectual property; individual or organized criminals committing web-based fraud; and governments and non-government groups using cyber attacks to further their political objectives.
When internet security issues were first raised more than 15 years ago, most intrusions amounted to little more than the exploitation of passwords or other clear vulnerabilities.
In today’s far more complex world, the intrusion profile includes the exploitation of known flaws in protocols, source code and executable files, sniffer programs, IP source address spoofing, DoS attacks, automated scanning, distributed attacks, and the creation of command and control networks that use compromised computers to launch attacks.
A growing threat