[403] in Intrusion Detection Systems
Re: I got an intruder ...
daemon@ATHENA.MIT.EDU (Diane Davidowicz)
Sun Nov 19 21:24:47 1995
Date: Mon, 20 Nov 1995 08:30:01 +1100 (EST)
From: Diane Davidowicz <diane_d@sun1.wwb.noaa.gov>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
spaf@cs.purdue.edu (Gene Spafford) wrote:
> 2) Don't push an investigation yourself until you have contacted law
> enforcement, if you have any possible intent in prosecution. The
> reason for this is that certain acts must be done in the right order,
> and with proper record keeping. If you investigate too far, you may
> contaminate evidence that is needed for prosecution. Furthermore, you
> may actually muck up the trail to where it is not possible to track
> the intruder. The majority of system admins do not have the necessary
> training or legal background to do this by themselves. Get law
> enforcement and other professionals involved early.
This is a very important issue and cannot be overemphasized. If your
company/organization decides for whatever reason (policy, deterrence,
revenge, etc.) to proceed with investigating with the hopes of prosecuting,
the law enforcement agents will advise you along every step of the way,
even to the point where they can determine whether the case can be brought
to court. It's just like any other criminal law: if there is enough evidence
to prosecute and convict, then it might be worth bringing a case to court. If
the evidence lacks minimum criteria, such as proving a hacker's intent as
defined in the Federal Computer Fraud and Abuse Act of 1986, they will tell
you this as well. It's not that it isn't worth their time; it's that the laws
state you must provide hard facts of such activity, and this can sometimes be
a very difficult thing to do.
> 3) The field of computer crime investigation is new. Law enforcement
> personnel are learning as they go. They need good cases and cooperation to
> get that experience, though.
The "learning as they go" is quite true and most unfortunate, because it
instills a lack of confidence when you deal with the law enforcement agents
that exhibit such deficiencies. It's typical that they aren't as familiar
with all the ins and outs of, say, a Unix box as you would expect, but it also
does not mean that they don't know the law, which is where they will
benefit you the most. Perhaps the field *is* too new for law officers to be
up to par with expectations of system proficiency, but I think it goes deeper
than that. How many law enforcement officers turned computer crime
investigators do you expect to become overnight systems experts, or even have
the time to invest in doing so? :-( Probably not too many, but it still
does not mean that, for example, while reviewing a keystroke monitoring log
with them, you shouldn't share your in-depth knowledge of the hacker's
activities if you notice that the law officer is not up to par. Remember, what
comes around goes around :-)
I would like to add one more thing since I am on the topic of sharing
information with the law officers. I personally know of an unfortunate change
in policy that one law enforcement agency has recently undergone. They have
decided to keep a tight lip on their knowledge of the ongoing hacking
activity in which your systems are involved (i.e., the victims get very little
feedback as to the overall activities of the hackers). IMO, this is a
bad idea. In dealing with them in the past, they have given much-needed
information to track down and prosecute hackers. In two investigations that I
know of which led to arrests, this information pacified and calmed management
as tracking and tracing the hackers continued for over a month. Without the
intelligence feedback, the investigation would have been halted by management
because there was too much at risk. By deciding not to provide this "crucial"
feedback, it will become much harder for companies and organizations to want
to pursue the investigation till arrests are made, mostly because management
does not know what is going on, and that is too much liability to put on their
shoulders. The result of this is that many companies unable to hire private
investigators will simply employ security measures to shut the door on the
hacker(s) and not investigate. This, in return, will probably undermine the
ability to create an aura of deterrence on the Internet as Spaf had talked
about.
Diane Davidowicz