
The Lazy Way Out of Network Abuse

While catching up on my reading last night, I came across this story in Wired Magazine about a stalker case involving an employee of Sandia National Labs. It was a flashy case, since the subject of the stalking happens to be the lead singer of the band Linkin Park. However, I found the most intriguing aspect of the story was that the suspect did most of the "stalking" from her desk at Sandia. This is someone who held a fairly high-level security clearance, working at one of the most secured (publicly-known) facilities in the US Government.

Oh, where to start. Forgetting all of the security principles (or lack thereof) that could be expounded upon here, this is what got to me: a statement from the National Nuclear Security Administration in response to this story read that "...the security of Sandia's network was never compromised." In my view, that statement could only be made by someone with near-perfect situational awareness, a lack of which this incident demonstrated perfectly. This isn't a case of someone simply abusing the e-mail or phone system to send out a few private messages; this person, known to have access to highly confidential materials, was signing up for online Verizon and Apple accounts from work and sending numerous e-mails a day to and from non-official addresses, and yet the response is "The only completely effective way to prevent abuse of Internet access is to deny it entirely, and that is not a viable option for a research and development laboratory."

To me, proving statements like this wrong is one of the best parts of being a security professional. Given a business or operational requirement, it's our job to implement security controls that can enable secure operations at the lowest possible cost to productivity or mission accomplishment. Shutting off network access to control or monitor your users? Come on, that's so ten years ago.

Full-time Packet Captures with the Time Machine
Researchers at Lawrence Berkeley National Laboratory, the Munich University of Technology, and the Berlin University of Technology have been working on a project that should be of great interest to IDS and security analysts everywhere. The project’s goal is to address one of the biggest shortcomings in intrusion detection and network-based incident response: how do we gather and analyze all data pertaining to an incident once an intrusion has occurred, knowing that most monitoring solutions only generate alerts and, if we’re lucky, minimal packet data? There are a few vendors that have tried to address this problem (Niksun and McAfee come to mind immediately) by throwing expensive hardware and lots of disk space into solutions designed to maintain full packet captures. Most IDS vendors include some sort of packet capture functionality in their products, but even those usually only provide such data when and if an alert is triggered.

This new project has been dubbed The Time Machine. It is designed to provide a full-time packet capture capability in Gbps environments using commodity hardware. That may be a tall order, but it is definitely worth a closer look knowing it comes from the same people that brought us Bro IDS, not to mention security monitoring research since the earliest days of IDS technology. The basic premise is that the Time Machine applies a per-connection cutoff: it buffers up to N bytes of traffic for each connection, where N is chosen from what statistical analysis of network traffic has shown to be the most meaningful data for each traffic type, and then indexes all captured packets for fast retrieval.
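To make the cutoff idea concrete, here is an added, simplified model of it in Python; this is not the Time Machine's own code. The cutoff value (4000 bytes), the packet record layout and the sample traffic are all constructed for illustration.

```python
"""Per-connection cutoff buffer with a retrieval index (simplified model)."""
from collections import defaultdict, namedtuple

# Constructed packet record: ts in seconds, length in bytes on the wire.
Packet = namedtuple("Packet", "ts src sport dst dport proto length")

def conn_key(p):
    """Direction-agnostic 5-tuple so both halves of a flow share one budget."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

class CutoffBuffer:
    """Keeps the first `cutoff` bytes of every connection and drops the rest.

    Most connections are short and end up fully retained; the few bulk
    transfers that dominate volume are truncated, which is what makes
    full-time capture affordable on commodity disks.
    """
    def __init__(self, cutoff):
        self.cutoff = cutoff
        self.seen = defaultdict(int)      # bytes observed per connection
        self.store = []                   # retained packets, in arrival order
        self.index = defaultdict(list)    # conn_key -> positions in store
        self.bytes_in = self.bytes_kept = 0

    def offer(self, p):
        key = conn_key(p)
        self.bytes_in += p.length
        before = self.seen[key]
        self.seen[key] = before + p.length
        if before >= self.cutoff:         # budget spent: drop, but keep counting
            return False
        self.index[key].append(len(self.store))
        self.store.append(p)
        self.bytes_kept += p.length
        return True

    def retrieve(self, p_like):
        """Indexed lookup: all retained packets of the connection p_like belongs to."""
        return [self.store[i] for i in self.index.get(conn_key(p_like), [])]

def demo(cutoff=4000):
    buf = CutoffBuffer(cutoff)
    # Constructed traffic: a short DNS-sized exchange and a long bulk download.
    short = [Packet(1.0 + i, "10.0.0.5", 40000, "10.0.0.53", 53, "udp", 200) for i in range(3)]
    bulk = [Packet(2.0 + i, "10.0.0.5", 40001, "203.0.113.9", 443, "tcp", 1400) for i in range(100)]
    for p in short + bulk:
        buf.offer(p)
    return buf

if __name__ == "__main__":
    b = demo()
    print(f"kept {b.bytes_kept} of {b.bytes_in} bytes ({100 * b.bytes_kept / b.bytes_in:.1f}%)")
```

With these inputs the short exchange is kept in full while the bulk transfer is cut off after its first three packets, so about 3% of the bytes are stored yet every connection remains retrievable from the index.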

The capability to keep full packet captures for all connections in the event of an intrusion or event of interest, using an open source utility and commodity hardware, is a welcome proposition and one we plan to research further. The Time Machine is still in early stages of development but can be downloaded from:

http://www.net.t-labs.tu-berlin.de/research/tm/#download

We’re already working on taking it for a spin, so look for future write-ups on this cool new toy.

Copyright 2002-2007 • Special Ops Security, Inc. • All Rights Reserved.