HUNTING THE HUNTERS
In the event of a cyber attack, ethical hackers form the first line of defense. They are keen and alert, just like warriors who respond impulsively to slightest provocation. And, at the same time, their job is analogous to that of Hercule Poirot’s patient detective work or to that of the most celebrated sleuth created by Sir Arthur Conan Doyle. This may sound glamorous but the work ethical hackers undertake is far removed from fiction. Soon after learning about an attack, system administrators first carry out a thorough search of the system to identify a loophole or entry point—a digital door or window left open—from where an intruder might have gained ingress. Hackers often leave behind evidence of their activity—a digital footprint, for instance—which an ethical hacker picks up to learn more about the attack. With that knowledge, they are able to guess what might have been copied or stolen from the critical data.
Initially, everyone thought that cyber attacks would hardly affect the normal routine of life. Nowadays, however, people get to have ‘close encounters’ with the hackers routinely and their lives are adversely affected. Not far back in time, the Obama administration formally accused Russia of manipulating US presidential elections. This statement was based on the investigative efforts carried out by cyber security experts of US who worked for private companies and government institutions. The experts believed that hackers infiltrated into data bases stored in the systems maintained by Democratic National Committee. This amounted to embarrassing key political figures of the US by divulging confidential information. The Obama administration contended that Russian hackers wanted to tilt the balance of election results in favor of candidates they preferred.
In a similar manner, K Electric, the largest power supplier of Pakistan’s southern business capital, suffered a ransomware attack. The attack disabled various customer focused facilities including one to lodge complaints related to power outages and technical faults. When customers complained that they were unable to avail KE’s 118 helpline, 8119 SMS service and KE Live App, the company made an admission of cyber attack. After admitting to the ransomware attack, officials of KE consulted international security experts and local authorities to handle the situation .
The process of tracking down hacker’s activities, their identity and their origin is not only tedious but
labor intensive as well. Cyber security specialists work day and night to understand and figure out what the hackers have done and how the induced malfunctioning can be undone. They examine files and data in minute detail and try to remove all signs of malware from the systems. At times, they have to coordinate with businessmen, lawyers and government officials to see things from a different angle.
THE BEGINNING OF DETECTION
The investigation of a cyber attack begins with the detection of unusual activity in a system. Whenever hackers decide to intrude, they must take care to pass unnoticed. But that does not happen so easily. Most of the network administrators have learnt to adopt safety measures which would ward off attacks or, at least, signal an impending attack by activating some form of ‘alert mechanism.’ It is similar to an alarm system installed in houses. The software is designed to keep a watch on specific area of a system such as the main hub of data transfer or the area where sensitive data are stored.
Whenever the intrusion detection system detects unusual and suspicious activity, like the presence of an unidentified user or excessive data traffic to and from an external server , it triggers an ‘alert’ and prepares the cyber security personnel to respond to the threat. The network administrators are the first to respond to the new development. Their role is similar to those of firefighters, paramedics and policemen who are in front line of defense in an event of emergency. And they are tasked to find out what really has happened to trigger the alert or alarm.
The attacks can come from many sources. Some of them can be random, unstructured intrusions launched by small groups or individuals. The more sinister are usually launched by organized gangs of hackers backed by governments and resourceful groups. Any activity, whether tiny or noticeable, and by anyone can trigger the alert and activate the staff to adopt preventive measures.
FIRST REACTION
Computer networking systems and servers installed in a business or organization maintain a record of those who connect to the system, the tasks they perform and the places from where they connect. The initial reaction after detection of some intrusion is to collect, organize and analyze such data.
Often the intrusions that triggered the alarm are of trivial nature and administrators can fix them immediately. They can block a certain user from accessing the computer if they think that the user is suspicious or unidentified. Alternatively, they can block all traffic originating from a particular place if it appears unusual. But intrusions are not all so simple to resolve. More sophisticated ones require special teams with focused skills to deal with such issues. It is the job of ‘incident response teams.’
Large businesses or organizations have their own team to look into such problems. Some others choose instead to have access to a team of cyber security experts capable of responding instantly to intrusions. Nowadays, countries, too, have their own national response teams comprising government employees supported by private operators with specialized skills.
Often these teams have ethical hackers on their list of workers . These ethical hackers receive special training to dig deeper into network data and detect challenging intrusions. Higher education and some exposure to the military environment are parts of their training package because the kind of work they indulge in is no less than warfare. And on top of all this, they are also trained to apply their knowledge to new situations as they arise during the detective process. The team’s scope of work ranges from large scale digital forensic inquiries to analysis of malware intended to cause damage to the system. The task is to find a solution to the attack and protect the system from further damage. While working on these tasks, the team also makes sure that attacks of this type do not recur. At times, the team gets a bounty, a priceless trophy for their efforts: they hunt down the cyber criminals who were out to destroy the company’s systems. This is a rare event and the team deservedly earns all the accolades from every quarter.
IDENTITY OF THE ATTACK
Identifying the attacker or fixing his location is a rather arduous undertaking because physical evidences that can be observed or gathered are absent. On the other side, hackers do not leave any trace of their activity by covering their digital tracks. Yet there are various ways at the disposal of ethical hackers to nab the cyber criminals or, at least, identify them and block their activities. Among these are ‘attribution techniques’ which help the teams handling the intrusion to make short work of the attackers. A combination of these techniques, a sort of cocktail, is the most effective approach to getting closer to the target. The teams usually look for data left behind by the cyber criminals, or they analyze information that is stolen and released during the intrusion. They can also examine the grammar shared and embedded in software code. Hackers commonly leave notes for each other or for later use by other hackers. A close examination of metadata reveals if the text of the notes originate from other languages and translated.
In the Democratic National Committee episode, American teams handling the attack looked for files’ metadata and learned that some text originated from Cyrillic characters of Russian alphabet which were later converted to the Latin characters of English.
The hunting continues. The teams working against the attack recognize peculiar socio-cultural indicators which provide a clue to the identity of the attackers. For instance, the attacker of DNC claimed to be Romanian but was not fluent in Romanian as a native of that country would. Besides he used a smiley face “)” instead of “:)” which indicated that he belonged to some East European country.
Ethical hackers add another bow to their arsenal when they track older hacks and look for similarities in mode of operation and the choices hackers make while coding and custom designing the malicious software.
This customization reveals a lot of information like the style of programming, choice of language and other subtle clues which provide a fair idea about who might be responsible for the intrusion. This method of tracking older cases is particularly effective for sophisticated type of attacks known as ‘advance persistent threats’ which progress over an extended period of time.
The hunting is not over yet. There is one advantage, though not technical in nature, that outweighs others. While the hackers operate either in small groups or in isolation, far away from prying eyes, the investigating teams do not have any fear of being caught. And they can be large in number and they have cooperation and support from other ethical hackers from all corners of the world. The knowledge sharing is key to beating cyber crimes in their tracks.
In spite of the edge the investigative teams have over the clandestine activities of hackers, the attacks will continue to happen. The charm of making a lot of money very quickly is too great a temptation to resist. The need of teams dedicated to fighting these crimes is permanent. The ethical hackers working on such teams have to be ever vigilant, they should expand their knowledge base continuously and they should have up-todate information of newer ways the hackers are adopting to infiltrate systems across the world. That’s how the ethical hackers will succeed in hunting the hunters.
