Information Security News mailing list archives

Results of the Forensic Challenge


From: InfoSec News <isn () C4I ORG>
Date: Wed, 21 Mar 2001 02:51:06 -0600

http://project.honeynet.org/challenge/results/

In all, we received 13 submissions from around the world to the
Challenge. An "official" analysis by Dave Dittrich (with assistance
from Wietse Venema) was done as well. All analyses (including the
official one) were done without any data from the IDS, nor with any
tools or techniques from other analyses. Many entrants (and some who
contacted us who couldn't make the deadline) had no idea how much time
this analysis would take, and it took a lot (as you will see.) Most
finished when they ran out of time, not when they felt they were done.

Overall, the efforts put in by those submitting entries are very
thorough and professional, a step above the incident reports you often
see on mailing lists that give the most basic "at first glance" facts
and asks more questions than it answers. I anticipate that this will
begin to change, as anyone in the security community can now take an
art historian style view of 13 different paintings (14 if you count
the Honeynet analysis) of the same landscape.

Each submission, even within the rules/guidelines for the Challenge,
took a slightly different angle. Nearly every entrant found at least
one thing that the others did not (me included, both in finding things
and missing them.) We tried to comment as much as possible on each
entry, but even the judges had time limitations and a deadline. We
want to thank everyone who participated for contributing to the
project, and hope they gain from it as well.

The average time spent in investigation turned out to be about 34
hours per person. That's a standard week's worth of work to clean up
and deal with the mess left by an intruder in about a half an hour.
That's about a 60:1 ratio! Using a standard upper-mid range annual
salary figure of US$70,000 per investigator, that works out to be a
cleanup cost of over US$2000 for a single incident. It is very likely
one of dozens, if not hundreds, of intrusions just like it. As you
will see when you read the analyses, this wasn't the first time this
intruder did this.

"But all it takes to re-install Red Hat is 30 minutes. How do you come
up with US$2000 damage?" Simple. For the same reasons cited in
i.only.replaced.index.html.txt (and then some, since this is more than
just a web page defacement.)

When a system is compromised, and the data on it and its network are
compromised, it is not simple to determine the extent of the damage
without a lot of work. We do not know if the blackhat stole people's
passwords, hacked other systems, has implemented sniffers, etc. This
argues for strong prevention, defense in depth (including monitoring
in depth), and trained responders. If all the administrator does is
re-install the OS, they are doing a wholly inadequate job of
responding to a security incident, as the extent of damage may be far
greater than a single system.

Crackers commonly deride system administrators for shoddy security, so
why do they then feel justified in claiming they did "no damage" by
suggesting the system administrator should do a similarly shoddy job
of incident response? Make no mistake. Computer system intrusions have
a cost.

That is not to suggest that every intrusion warrants a complete
forensic investigation, but in some circumstances it is entirely
appropriate and needs to be done quickly (and correctly).

Consider if this were a military site, or a government contractor
doing classified work (e.g., as occurred recently with Sandia National
Labs). Those responding to such an intrusion do so under the
assumption that the intruder is a foreign intelligence or military
attacker, not just some teenage kid in their bedroom. I wouldn't want
them to respond any other way, in case it IS a military threat. The
104 hours spent by Teo's team would not be entirely unreasonable in
that case (although I believe the cost of criminal investigation
should be separated from that of incident response and cleanup, and
"intellectual property" and other losses should only be allowed if
such losses can actually be proven, unlike for example the Steve
Jackson Games case where a 911 document which could be purchased for
some US$30 was valued at US$79,449 for purposes of estimating
damages.)

[...]

ISN is hosted by SecurityFocus.com