Information Security News mailing list archives
Results of the Forensic Challenge
From: InfoSec News <isn () C4I ORG>
Date: Wed, 21 Mar 2001 02:51:06 -0600
http://project.honeynet.org/challenge/results/

In all, we received 13 submissions from around the world to the Challenge. An "official" analysis by Dave Dittrich (with assistance from Wietse Venema) was done as well. All analyses (including the official one) were done without any data from the IDS, nor with any tools or techniques from other analyses.

Many entrants (and some who contacted us who couldn't make the deadline) had no idea how much time this analysis would take, and it took a lot (as you will see.) Most finished when they ran out of time, not when they felt they were done.

Overall, the efforts put in by those submitting entries are very thorough and professional, a step above the incident reports you often see on mailing lists that give the most basic "at first glance" facts and ask more questions than they answer. I anticipate that this will begin to change, as anyone in the security community can now take an art historian style view of 13 different paintings (14 if you count the Honeynet analysis) of the same landscape. Each submission, even within the rules/guidelines for the Challenge, took a slightly different angle. Nearly every entrant found at least one thing that the others did not (me included, both in finding things and missing them.) We tried to comment as much as possible on each entry, but even the judges had time limitations and a deadline. We want to thank everyone who participated for contributing to the project, and hope they gain from it as well.

The average time spent in investigation turned out to be about 34 hours per person. That's a standard week's worth of work to clean up and deal with the mess left by an intruder in about a half an hour. That's about a 60:1 ratio! Using a standard upper-mid range annual salary figure of US$70,000 per investigator, that works out to be a cleanup cost of over US$2000 for a single incident. It is very likely one of dozens, if not hundreds, of intrusions just like it. As you will see when you read the analyses, this wasn't the first time this intruder did this.

"But all it takes to re-install Red Hat is 30 minutes. How do you come up with US$2000 damage?"

Simple. For the same reasons cited in i.only.replaced.index.html.txt (and then some, since this is more than just a web page defacement.) When a system is compromised, and the data on it and its network are compromised, it is not simple to determine the extent of the damage without a lot of work. We do not know if the blackhat stole people's passwords, hacked other systems, has implemented sniffers, etc. This argues for strong prevention, defense in depth (including monitoring in depth), and trained responders. If all the administrator does is re-install the OS, they are doing a wholly inadequate job of responding to a security incident, as the extent of damage may be far greater than a single system. Crackers commonly deride system administrators for shoddy security, so why do they then feel justified in claiming they did "no damage" by suggesting the system administrator should do a similarly shoddy job of incident response?

Make no mistake. Computer system intrusions have a cost. That is not to suggest that every intrusion warrants a complete forensic investigation, but in some circumstances it is entirely appropriate and needs to be done quickly (and correctly). Consider if this were a military site, or a government contractor doing classified work (e.g., as occurred recently with Sandia National Labs). Those responding to such an intrusion do so under the assumption that the intruder is a foreign intelligence or military attacker, not just some teenage kid in their bedroom. I wouldn't want them to respond any other way, in case it IS a military threat. The 104 hours spent by Teo's team would not be entirely unreasonable in that case (although I believe the cost of criminal investigation should be separated from that of incident response and cleanup, and "intellectual property" and other losses should only be allowed if such losses can actually be proven, unlike for example the Steve Jackson Games case where a 911 document which could be purchased for some US$30 was valued at US$79,449 for purposes of estimating damages.)

[...]

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".