Modern-Day Intrusion Detection: Of Needles, Haystacks, and Cybercrime

Posted by John Linkous

After a corporation discovers a data breach, there is a flurry of law enforcement activity. From the FBI, Department of the Treasury, and Secret Service to state and local police, a cadre of law enforcement officials will be part of the investigation into how the data breach occurred, how detection technologies could have been more effective, and who was criminally responsible.

One of the hardest lessons learned from recent data breaches is that most organizations and law enforcement agencies sorely lack capabilities for detecting intrusions. There are certainly many reasons for this, one being that simple signature scanning doesn't find sophisticated targeted attacks such as APTs. Security professionals often are unaware of systemic threats that go beyond basic known vulnerabilities, or are aware but lack the budget to detect them. Organizations might not even have the data necessary to identify attacks, especially if the intruders used malware to destroy critical data. Those reasons, of course, are solely in the domain of the organization being attacked. Victims just want to recover as much of the data as possible and minimize the financial impact. But what about law enforcement agencies, which are tasked with finding an actual attacker and holding him accountable under the law?

The relationship between law enforcement and private industry can be complex, especially in cases of cybercrime. While private organizations want law enforcement to do as much as possible, as fast as possible, to identify perpetrators and retrieve stolen data before it hits the open market (or otherwise causes substantial damage), they also don't want law enforcement getting too "cozy" with their infrastructure or data. Co-locating law enforcement equipment in a data center, for example, is something that few organizations would voluntarily do unless mandated to do so under the law. And, of course, there's always the concern of NSA-style monitoring at the federal law enforcement level, which often gives private industry an uneasy feeling that their business data isn't as confidential as they think. For law enforcement agencies themselves, issues such as fragmentation and lack of information sharing make detecting and tracking intrusions a complex and tangled affair.

Unfortunately, law enforcement is not likely to get better at intrusion detection until the fundamental way law enforcement officials approach cybercrime changes. Much of the approach to fighting cybercrime is based on traditional law enforcement tactics and assumptions. For example, when someone steals something in the real world, possession has transferred from one person to another. The person stealing the object now has it, and the person it was stolen from does not. But this isn't the case in cybercrime: Most attackers are focused on copying data rather than moving or destroying it. The person from whom the data was stolen is still, technically speaking, in possession of it; it's just that he's no longer the only person who possesses it.

Another example is physical proximity: While a traditional "attack" (think of a break-in at a jewelry store) requires physical proximity, cybercrime attacks can take place literally from anywhere on the planet with an Internet connection. Tactics such as anonymization, spoofing, and redirection of the attacker's digital footprint, coupled with relatively immature digital forensics processes (at least when compared to physical forensics), make detection of the crime difficult, let alone the discovery of who actually committed it. A further problem is one of tactics: Unlike a physical intrusion into a relatively well-secured building, which may leave a physical attacker with few options for success, the complexity of distributed computing systems leaves many, many gaps that can be exploited by an attacker. From phishing attacks, to exploiting known (or unknown, zero-day) vulnerabilities, to brute-force attacks against poorly protected Internet-facing components, attackers have a virtual smorgasbord of approaches available for getting to the data they want—including tying multiple attack vectors together into unique, complex attacks. Together, these issues make it difficult to apply historical approaches to criminal law and law enforcement.

So, what can be done to help law enforcement find the proverbial needle in the haystack of cybercrime? First, a fundamental shift in tactics on the part of law enforcement is needed. Fortunately, that has already begun in several ways. Critically, law enforcement is now getting some of the tools necessary to help detect and investigate cybercrime. Federal law enforcement has made great strides in the last few years to provide information sharing and centralized research and analysis tools to law enforcement peers at the state and local level, and this is helping the process of detection and investigation. Just as importantly, law enforcement agencies are becoming more collaborative with potential targets—such as private companies within critical infrastructure industries like energy, transportation, and financial services—to promote the sharing of data. In fact, a recent presidential executive order on cybersecurity is designed specifically to promote voluntary sharing of information security–related data between private industry and law enforcement.

We're a long way off from the day when law enforcement and private industry can work together to immediately identify intrusions and investigate and identify perpetrators in near real time. However, the fact that law enforcement and private companies are starting to work together collaboratively as partners, rather than as siloed "investigators" and "victims," will result in more effective detection of cybercrime—and faster, better justice.

John Linkous, Technology Advisor
