[TriLUG] NSA hunting and hacking sysadmins

Aaron Joyner aaron at joyner.ws
Fri Mar 21 13:42:56 EDT 2014


On Fri, Mar 21, 2014 at 1:24 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> ....Defense in depth, careful auditing (read: paying attention for
> anomalies, and investigating them thoroughly), and good old fashioned
> paranoia are the only things standing between very competent and well
> funded adversaries and the data of your users.
>

To elaborate on that just one touch more... remember, even the very
competent and well funded adversaries are human.  They make the same (or
similar) errors when attempting to cover their tracks that those of us on
the defensive make when we try to secure the doors.  I posit that the key
to noticing the types of attacks we're discussing on this thread (APTs[1])
is noticing those slip-ups.  Think of it as seeing a glitch in The Matrix.
Having a really good mental model of a Unix system, what traffic flows on
your network should look like, when your systems are busy or idle; these
skills allow you to notice when something seems to violate your
expectations.  Noticing very well may make all the difference.  Stumbling
onto irregular mtimes or atimes, or a graph that has an odd spike you can't
explain, may be the first thing you notice.  You might not even have the
opportunity to spot another mistake like the first one for a week, a month,
or ever.  The next signal you see might be the DOJ knocking at your
door[2].  In the worst/scariest cases, like the glitch in The Matrix, all
trace of the anomaly might be gone by the time you can look into it.

Having the bandwidth to investigate every anomaly you come across is a
luxury probably none of us have.  Knowing when it's critical to investigate
a particular anomaly comes with experience.  Hopefully that experience
doesn't have to be too hard-won.  :)

Aaron S. Joyner

1 - http://en.wikipedia.org/wiki/Advanced_persistent_threat
2 - http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
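One concrete way to go looking for the "irregular mtimes" mentioned above, added here as an example and not part of Aaron's post: a small Python check that flags regular files whose mtime is in the future, or whose mtime has been pushed back well behind the inode's ctime (a normal edit moves both together; only an explicit utime()-style change leaves that gap). The thresholds, file names and sample tree are assumptions constructed for the demo.

```python
import os
import shutil
import stat
import tempfile
import time

# Heuristic thresholds; assumed values, tune for your environment.
FUTURE_SLACK = 5 * 60      # mtime more than 5 minutes ahead of "now"
STOMP_GAP = 24 * 3600      # mtime more than a day older than ctime


def timestamp_anomalies(root, now=None):
    """Walk root and return (path, reason) pairs for regular files whose
    mtime/ctime relationship violates normal expectations.

    Expect benign hits from files installed by a package manager or
    extracted with preserved timestamps (cp -p, tar): their mtime is the
    build time and ctime the install time.  The interesting cases are in
    directories where nothing like that should have happened."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mtime > now + FUTURE_SLACK:
                findings.append((path, "mtime in the future"))
            elif st.st_ctime - st.st_mtime > STOMP_GAP:
                findings.append((path, "mtime set back behind ctime"))
    return findings


def demo():
    """Constructed sample tree: one ordinary file, one with its mtime set
    30 days back (ctime stays at the time of the change), one with an
    mtime an hour in the future.  Returns the sorted list of reasons."""
    root = tempfile.mkdtemp()
    now = time.time()
    samples = (("normal.log", None),
               ("backdated.sh", now - 30 * 86400),
               ("future.cfg", now + 3600))
    for name, mtime in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        if mtime is not None:
            os.utime(path, (mtime, mtime))   # the "glitch" being hunted
    reasons = sorted(reason for _, reason in timestamp_anomalies(root, now))
    shutil.rmtree(root)
    return reasons
```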

