How Are The Crackers Tracked?
This not-so Anonymous Coward asks: "I work at a large corp, and our daily firewall logs measure over 12GB. For the average cracker to actually do any real damage, they would need to be in the system for at least a month (keep in mind this is a large telco). With all the recent press regarding the cracking community, the FBI seems to be nabbing these guys awfully quickly as those terabytes of logs must be analyzed to trace these guys. How are these arrests made so quickly, or are they?" More than likely, law enforcement agents will use more tried-and-true methods in parallel with log analysis (and they have access to real hard iron to do this on, too). What other tools are available for law-enforcement agencies to use to track users (crackers and non-crackers alike) online?
It really just comes down to what pattern-matching algorithms they use to detect an entry. In most cases the network is probed first, usually between a specific time on a repeating basis (between classes, after work, weekends, etc). Next a would-be cracker must find an exploit; this would usually involve determining characteristics of a specific point of entry - a single server, discovering the software version, patch level, security updates, etc. Then comes the entry to the system, and following what is done afterwards.
Unless you have an extremely patient cracker, with foreknowledge of the layout, it would be almost impossible to not leave traces in the logs.
I am guessing you could use a modified version of the psychiatric profiling software many law enforcement branches use, since they also look for a needle-in-a-haystack comparison between dissimilar crimes (dissimilar origin IP addresses).
hmmm
I'm not trying to be rude, but isn't analyzing logs - especially 12 Gigs - a bit slow? I've been logging all my network traffic onto DAT tapes (~ 600 Megs a week, I've got a slow internet connection) and every time I try to print out any useful information I end up wasting a whole afternoon. I imagine someone running a sequential search on such a massive database...
BTW, here in Brazil, law enforcement keeps its "ear" on cracker IRC channels, since impatient crackers (kiddie scripters) love to brag. Also a good network admin would have at least one snort or NFR running; nowadays it should be mandatory.
I've got a snort with intrusion detection rules running on 2 machines and a third running tcpdump to the aforementioned DAT.
All browsers' default homepage should read: Don't Panic...
I think it all comes down to what happens in the movie "Arlington Road". All the people care about the crackers and virus guys want is a name... someone to blame for all the damages... I agree that there is just too much information to search through...
Just a lame thought...
Ryan
Example: you find some entry in your logfile that would give you someone's IP address. So you call the hostmaster of that machine, he tells you that the cracker also logged in remotely on his machine. Repeat the above 10-20 times and then discover the login came from a FreeBSD 0.x machine somewhere in Siberia. So you call these people and ask them about it and all they say is: "Logfiles? What are those?"
Then how do you trace them? Although most likely, today's crackers login directly from their home DSL or cable uplink, which is pretty stupid.
To trace these people, all you can do is probably do some investigating on IRC and gather as much (circumstantial) evidence as you can...
Your logs are only 12Gb? That's all? :-)
:-)
There are a bunch of other tools available, the telephone, contact names and numbers on web pages, whois database, online telephone directories, honeypots, sniffer or etherdump, openview, traceroute, nslookup, dig, looking glass, nmap, netcraft, finger, irc, email, bugtraq, dejanews, attrition.org, and the list goes on. Some are used to track the attack directly, but as Cliff points out, most are used in parallel as out-of-band investigations.
Firewall logs aren't the only tool available to those tracking the crackers. Many organizations are implementing Intrusion Detection Systems, which tend to pinpoint suspicious behaviour without all the large logs. This cuts the time needed to start watching a crack from hours to a few seconds. With a little quick reconfiguring of a network sniffer, much of the attack can be monitored in real time, allowing a quick response to keep the script-kiddie out of the network.
Firewalls are not the only place to be logging activity; in fact they are probably the worst for huge quantities of useless information. Key systems should be logging out-of-normal behaviour as well, allowing system admins to work with the network admins to limit intrusions. But 12Gb of information per day is easily searchable, once you know what you are looking for. It may take a few dozen refinements of your search as you analyse an attack, but a half day's worth of work can get you some very precise information out of a few hundred Gbytes.
I use a stripped down, heavily customised version of a commercial system management tool. The real-time filtering and text analysis are fantastic, the engine is a compiled compiler, so analysing 50 to 100 Gbytes per day doesn't even load a sparc ultra 60 with 4 Gbytes of RAM. Many of the searches I run are on the previous week's worth of log files from several dozen systems, which pegs the system load for 10-60 seconds. I can go back and easily identify previous actions such as netPD illegally probing my systems looking for metallica on napster and other security holes.
Start with a packet sniffer to see where the packets are originating. Unless you get lucky and the idiot is coming directly from a dial-up, assume they are coming from a compromised system. Contact the NOC or system admins of those systems, using tools like a web browser (www.compromisedcompany.com) and whois for initial contacts. Also contact the NOC of the internet provider who controls that block of IP addresses, and let them know what is going on. They may have better contact details and can put the sysadmin in touch with you quicker than just leaving voicemail and email on a saturday morning. If the upstream cracked admins track the intrusion back even further, lather, rinse, repeat.
While waiting for the NOCs to respond, look at the types of intrusion probing, and try to figure out what tools the crackers are using. Then go back to your firewall and system logs and look for similar behaviour; you may find other similar attacks which failed, giving you better understanding of what berferd wants. Also, go look at recent postings on bugtraq, attrition.org, search dejanews, and monitor some irc channels. You may just find your network cracker likes to brag about their exploits, thus ensuring they will end up in jail at some point.
If you think it would take a knowledgeable systems hacker an entire month to do any damage, you are very naive. A knowledgeable hacker can get into a system with automated tools, and have a very good idea what is worth poking at after a matter of seconds or at most a few minutes. The best crackers use automated tools to get onto a system, log everything they can in a few seconds, then analyse the results offline. When they come back days or weeks later, the intrusion again only lasts a few minutes. Imagine the fines mediaone would have to pay if the cracker just corrupted some billing information, and thousands of customers complained about outrageous bills. That could be done by a slightly clued in cracker in less than an hour on a system.
And the best tool for actually catching and punishing crackers is a corporate policy allowing network admins to contact law enforcement and work with them. I have an ex-client completely compromised by crackers, but management refuses to implement a policy allowing the sys/net admins to deal with the problem. However, they are willing to throw millions of dollars at any security product with vague promises. They have a 200% turnover rate of their admins because of this.
the AC
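The probe-then-entry pattern described in the first reply, and the "look at the types of intrusion probing, then go back to your logs for similar behaviour" step in the AC's post, as an added example that is not from the thread: a Python filter over constructed firewall log lines (the log format is an assumption) that flags sources which hit several ports at a recurring hour on more than one day, and lists the allowed connections from the same source that followed the probing.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread); "date time ACTION proto src -> dst".
SAMPLE_LOG = """\
2000-09-02 18:03:11 DENY TCP 203.0.113.5:4021 -> 192.0.2.10:21
2000-09-02 18:03:12 DENY TCP 203.0.113.5:4022 -> 192.0.2.10:23
2000-09-02 18:03:12 DENY TCP 203.0.113.5:4023 -> 192.0.2.10:80
2000-09-02 18:03:13 DENY TCP 203.0.113.5:4024 -> 192.0.2.10:111
2000-09-02 18:03:14 DENY TCP 203.0.113.5:4025 -> 192.0.2.10:143
2000-09-02 18:03:15 ALLOW TCP 203.0.113.5:4026 -> 192.0.2.10:22
2000-09-03 18:05:40 DENY TCP 203.0.113.5:4101 -> 192.0.2.11:21
2000-09-03 18:05:41 DENY TCP 203.0.113.5:4102 -> 192.0.2.11:23
2000-09-03 18:05:42 DENY TCP 203.0.113.5:4103 -> 192.0.2.11:80
2000-09-03 18:05:43 DENY TCP 203.0.113.5:4104 -> 192.0.2.11:111
2000-09-03 18:05:44 ALLOW TCP 203.0.113.5:4105 -> 192.0.2.11:22
2000-09-02 09:10:00 ALLOW TCP 198.51.100.7:1500 -> 192.0.2.10:80
2000-09-03 11:20:00 ALLOW TCP 198.51.100.7:1501 -> 192.0.2.10:80
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} (?P<action>ALLOW|DENY) "
    r"\w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(lines):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_probes(lines, min_ports=4, min_days=2):
    """Return {src: summary} for sources whose DENYs touched at least min_ports
    distinct ports and recurred at the same hour on at least min_days days.
    The summary also carries the ALLOWed connections from that source, which
    are the candidate 'entry' events worth pulling system logs for."""
    stats = defaultdict(lambda: {"ports": set(), "hour_days": defaultdict(set), "allowed": []})
    for rec in parse(lines):
        s = stats[rec["src"]]
        if rec["action"] == "DENY":
            s["ports"].add(int(rec["dport"]))
            s["hour_days"][int(rec["hour"])].add(rec["date"])
        else:
            s["allowed"].append((rec["date"], rec["dst"], int(rec["dport"])))
    hits = {}
    for src, s in stats.items():
        recurring = sorted(h for h, days in s["hour_days"].items() if len(days) >= min_days)
        if len(s["ports"]) >= min_ports and recurring:
            hits[src] = {"ports": sorted(s["ports"]), "recurring_hours": recurring,
                         "allowed": s["allowed"]}
    return hits

if __name__ == "__main__":
    for src, info in find_probes(SAMPLE_LOG).items():
        print(src, info)
```

On a real 12Gb/day log the same grouping works line by line, so the whole file never has to be held in memory; only the per-source summaries do.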
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on