Homeland security's cyber eyes

When it comes to hacking and cyber espionage, few targets are as popular as the U.S. government. According to the U.S. Computer Emergency Readiness Team, federal agencies reported 12,986 cyberattacks in 2007 compared with 3,569 two years earlier. Tallying the numbers is easy. The hard part is rounding up suspects, who often elude authorities with increasingly sophisticated ways of covering their digital tracks and by devising stealthier malware that flies low and slow — in security industry jargon — under intrusion-detection radar.Bolstering these charges were reports last December of a targeted spear-phishing attempt to breach security defenses at the Oak Ridge National Laboratory. Servers in China played a role in the attempt, although officials didn’t say if the machines launched the effort or merely acted as relay points.Although authorities can track attacks back to certain regions or countries, they say it’s still difficult to pinpoint individual perpetrators and determine whether attacks are sanctioned by governments or are the acts of independent groups out for political and financial gain. “Not by any stretch of the imagination is the problem easy,” said Jim Granger, director of capabilities and readiness at the Navy Cyber Defense Operations Command. “This isn’t like ‘CSI’ on TV, where you figure out everything in 46 minutes plus commercials.”Sometimes, with a combination of skill, dogged police work and luck, cyber cops at agencies such as the FBI’s Cyber Division or the U.S. Secret Service’s Electronic Crimes Task Force find success — especially if they’re helped in tracing digital trails by international partners such as the United Kingdom’s MI5. The FBI and the Secret Service declined to discuss what investigative techniques work best, but interviews with military security officials, former government investigators, consultants and vendors turned up a wide range of tools available to investigators. “The tools and techniques have definitely gotten better,” said Shawn Carpenter, principal forensics analyst at security consulting firm NetWitness who, as an analyst at Sandia National Laboratories in 2004, found sensitive documents being shunted overseas by a cyber spy ring called Titan Rain. The damage caused by cyberattacks against agencies and their partners, including contractors and think tanks, is difficult to gauge because today’s attackers value stealth over dramatic system crashes. The latest attacks quietly plant software on internal networks to root around for sensitive information and send it undetected to outside servers, which eventually forward the files to the attackers.The escape odds still favor the black hats, whether they’re state-sponsored cyber spies, technology-savvy terrorist organizations or rogue hackers. One problem is the span of the Internet, which allows hackers to attack at their convenience against vulnerabilities of their choosing and from anywhere in the world. Widely available networks of compromised computers, known as botnets for their robot-like obedience to their managers, are another challenge. Botnet resources are available to any hacker with the right Internet connections and a reserve of cash or an e-gold account, an electronic monetary system based on the gold standard rather than national currencies. Although legal, the system is sometimes used by international hackers to avoid detection by traditional financial transaction monitors. A standard technique is to include stops in countries unsympathetic to U.S. enforcement efforts. “If you went to North Korea and said, ‘It looks like this IP block is attacking the United States,’ the chance is pretty low of getting Kim Jong Il to say, ‘Oh, yeah, here’s the guy,’” said Bill Sta ckpole, assistant professor in the Department of Networking Security and Systems Administration at the Rochester Institute of Technology. Meanwhile, investigators have a number of ways to try to tip the odds in their favor. If the attack is an ongoing attempt to siphon information from an agency’s databases, investigators can request records from large Internet service providers to find the last hop malware made before reaching the ISP’s portion of the Internet cloud. An ancillary technique is to profile the malware itself for insights into its origin, much as law enforcement officers in the physical world construct portraits of more conventional criminals. Investigators “are very, very attuned to trying to do this, especially at the FBI,” said Mike Poor, senior security analyst at security consulting firm Intelguardians Network Intelligence. Investigators comb through malicious code looking for any clues they can find to its origins. “You really want to rip apart the code and look for what type of system it was compiled on, what language it was written in and any characteristics that match other code,” Carpenter said. “A lot of these folks reuse code and then package it differently to avoid antivirus and intrusion-detection systems.”“When you start to comb through malware, you just get a feel for where it’s coming from,” said Jim Butterworth, director of incident response and federal services at Guidance Software and a retired Navy officer who specialized in cryptology and information warfare. Analysts quickly distinguish between the crude code of hobbyists who aren’t state sponsored and “the really tricky stuff” from well-funded organizations that successfully harvest sensitive information. Some tools also probe deeply into the electronic envelopes that route data across the Internet. Inspectors can use these deep-packet analyses to study the digital DNA of innocent-looking files that hide keystroke loggers and other malicious code, said Jeffrey Jaime, a security consultant and retired Air Force captain formerly affiliated with DOD’s Joint Task Force-Global Network Operations.Law enforcement might also count on the fact that cyberattackers, like more mundane criminals, often return to the scene of the crime. Breakthroughs can come if investigators identify a compromised computer that continues to act as a steppingstone for international hackers. Officers then could install software on the machine to alert them when the attacker returns. “They hope the guy is actually coming from his own machine,” which makes him vulnerable to a physical raid by cyber cops, said Alan Paller, director of research at the SANS Institute. A number of military and civilian tools monitor the Internet like video cameras scanning the perimeters of physical buildings. The Navy gleans information from thousands of network sensors that monitor traffic patterns and message destinations worldwide. Some civilian organizations, including public-sector customers, receive data from security software vendor Symantec’s collection of 40,000 sensors in 180 countries, said Oliver Friedrichs, director of emerging technologies at the company. The downside to sensors is the large volume of data they produce, making it difficult for investigators to see relevant patterns. To address data overload, the Navy uses a software program called Prometheus to collect and correlate large volumes of information. Teamed with data-warehousing software, the system provides a combination of real-time alerts and more methodical data mining and analysis, Granger said. The Homeland Security Department manages a similar set of data-crunching applications called Einstein, built on tools originally design d by C arnegie Mellon’s Software Engineering Institute. Einstein can help investigators locate computers outside the United States that might be serving as drop sites for stolen information. “You can paint some pictures that are pretty revealing and know about attacks before they are reported,” Jaime said.U.S. security officials might soon rely on more than hard work and luck to stop international cyber spies. Various security groups, both inside and outside the government, are discussing and, in some cases, prototyping so-called hack-back programs that would allow investigators to launch return volleys against hackers.“You could implant your own exploit in a juicy-looking document that has the illusion of containing proprietary information that an adversary is interested in,” Carpenter said. “If someone does steal the document and opens it, the code can then beacon out information to a server that’s not affiliated with the address space of your organization. Then you can actually access the [hacker’s] computer and do your own sniffing around.”The Navy declined to comment directly on whether it’s developing such tools.  “But I would assume if you can be attacked by somebody, you can probably attack them back,” Granger said.Others said such programs are not only technically feasible, they’re being prototyped. IntelGuardians organized a project called Salmon to study the viability of “code that swims back to its origins,” Poor said. “I think it’s absolutely possible to build it.”But counterattack code also raises numerous red flags. Because proxies impede investigators’ attempts to determine the true source of an attack, chances are high that countermeasures could harm an innocent steppingstone across the Internet. “You essentially would have to get back on the channel that the attacker has opened up, and you may be using the machines of 15 or 1,000 other people,” Poor said. “For this type of system to work properly, they’d have to run your code as well, which, according to U.S. Code Title 18 Section 1030, is a no-no, especially if you cause damage” on the intermediary computers. Poor said the concept has sparked heated debates among security professionals over whether track-back worms would be justified as self-defense against a computer system that has already inflicted harm to homeland security. The pressure to take increasingly drastic counteractions could mount in the years ahead, Carpenter said. “People are starting to get that this is a big problem — especially regarding our [supervisory control and data acquisition] infrastructure — and the tide could turn,” Carpenter said. But for now, “the bad guys definitely are winning.”