Bejtlich on Intrusion Data
Richard Bejtlich posts on “Will Compromises at Universities Aid Security Research?”:
Several recent events may give security researchers the data they need. For example, UC Berkeley suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According to Carlos Ramos, assistant secretary at CDSS, the compromise “was discovered on Aug. 30 by Berkeley IT staff using intrusion detection software.” I wonder if the IDS was Vern Paxson’s Bro, developed in the International Computer Science Institute and featured in chapter 9 of The Tao of Network Security Monitoring? As I mention in the book, Vern previously used Bro to track intruders at UC Berkeley.
The three events that he mentions are clearly a source of data that should be studied. But the data I need covers hundreds, or thousands, of intrusions: enough to do statistical analysis, enough to analyze defensive postures and to test hypotheses about what goes wrong badly enough to allow a break-in. For example, a question that a sample of three doesn’t answer is: “Were these events typical, or extraordinary?”
Does that mean we need a highly automated/industrialized forensic process?
Maybe!
It means we need a highly automatable and repeatable post-compromise analysis process. Is that forensics? Usually forensics is for taking someone to court.