Two weeks ago, I essentially claimed that nearly every company I know is hacked -- and in many cases, thoroughly hacked. Although there's a bit of hyperbole in that statement, it isn't that far from reality. That statement, however, has led some readers to believe detecting hackers and preventing attacks is impossible. Nothing could be further from the truth.
Discovering malicious hackers
Despite what the movies show, hackers are never good enough to go unnoticed. Even the professionals hackers who are making millions of dollars really don't do much to stay hidden. They don't need to: Most admins aren't looking.
[ A new Energizer Bunny Trojan is on the loose. | InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute Webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]
The Verizon 2008 Data Breach Investigations Report [PDF], which is quickly becoming one of the most respected sources on computer crime statistics, said it best: "Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon."
Your No. 1 tool for detecting malicious activities is your log files. Most admins don't turn them on, and those who do usually don't monitor them. Additionally, many companies only turn on logging on their servers, even though most of the malicious break-ins occur on their user's workstations.
Every company should enable an enterprise-wide log management plan, a topic I covered the basics of last year. In a very small nutshell, you need to collect all your log events in a central location and generate alerts on abnormal events that dictate a reaction. Don't be that company with an enabled event logging management system that sends dozens to hundreds of "alerts" a day, a figure that guarantees that none will be acted upon. A well-designed events-management system only requests action for the stuff that deserves to be investigated. (On a related note, I'm just finishing up a review of event log management systems that should be published on InfoWorld soon.)
Another effective way to detect hackers is to scan for common hacking tools: password crackers, man-in-the-middle tools, sniffers, and so on. Most anti-malware scanners will detect commonly used hacker tools. Although not all hackers use the same tools, they generally do.
I'm also a big believer in creating network traffic flow baselines. Most data should be going from servers to workstations and vice versa. Unexpected server-to-server traffic should be investigated, as should unexpected workstation-to-workstation traffic. Moreover, if you have a workstation hitting every server in your environment, investigate it. Many insider attacks have been interrupted because astute network flow analysts noticed very large amounts of data going to a single employee's machine.