Cliff Stoll, the Mad Scientist Who Invented the Art of Hunting Hackers


When Stoll traced the hacker’s intrusions to the Department of Defense’s MILNET systems, an Alabama army base, the White Sands Missile Range, Navy shipyards, Air Force bases, NASA’s Jet Propulsion Laboratory, defense contractors, and the CIA, he was mapping out an intrusion campaign just as threat intelligence analysts do today.

When he planted hundreds of fake secret military documents on his network that tricked his hacker into staying logged into the Lawrence Berkeley system long enough for a German telecom employee to trace the intrusion to the hacker’s location in Hanover, he was building a “honeypot”—the same sort of decoy regularly used to track and analyze modern hackers and botnets.
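The decoy-document idea in the paragraph above comes down to two checks a defender can automate: notice the moment an intruder touches a file nobody legitimate needs, and be able to tie any later sighting of that file’s contents back to the specific decoy it came from. The block below is an added example, not code from Stoll, the book, or any of the people quoted in this article. It assumes a made-up audit-log line format (timestamp, user, source address, session, action, path) and uses constructed decoy paths and log lines; the alert carries the source address and session so a trace can be started while the session is still live.

```python
"""Decoy documents (honeytokens) and an access-log detector.

Added example in the spirit of Stoll's planted files. The log format,
decoy paths and sample log lines are all constructed for illustration.
"""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Decoy:
    path: str    # where the decoy document is planted
    token: str   # unique marker written into its body


def make_decoys(paths, token_bits=64):
    """One decoy per path, each carrying a random token. Because no two
    decoys share a token, a token seen anywhere later identifies exactly
    one planted file (and so the place it was taken from)."""
    return {p: Decoy(path=p, token=secrets.token_hex(token_bits // 8)) for p in paths}


def decoy_body(decoy):
    """Plausible but generic document text carrying the token. The cover
    story only has to look worth reading; the token is what makes it traceable."""
    return (
        f"PROJECT STATUS REPORT (ref {decoy.token})\n"
        "Distribution limited. Contact the project office for access.\n"
    )


# Constructed audit-log format, e.g.
#   2021-03-01T02:15:41Z user=jdoe src=10.4.7.21 session=tty03 action=open path=/u/projects/orion/budget.txt
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<session>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)
WATCHED_ACTIONS = {"open", "read", "copy"}   # a bare stat/listing is not yet a read


def decoy_accesses(decoys, log_lines):
    """Return one alert per open/read/copy of a decoy path. Legitimate users
    have no reason to touch these files, so every hit is worth acting on,
    and src/session are what the person running the trace needs."""
    alerts = []
    for raw in log_lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue   # malformed or unrelated line; skip rather than fail
        rec = m.groupdict()
        if rec["path"] in decoys and rec["action"] in WATCHED_ACTIONS:
            alerts.append({k: rec[k] for k in ("ts", "user", "src", "session", "action", "path")})
    return alerts


def token_sightings(decoys, text):
    """Map any decoy token appearing in `text` (a captured session, outbound
    traffic, a leaked copy) back to the decoy path it was planted under."""
    return sorted(d.path for d in decoys.values() if d.token in text)


# Constructed sample data: two decoy paths and a short audit log.
DECOY_PATHS = ["/u/projects/orion/budget.txt", "/u/projects/orion/contacts.txt"]
SAMPLE_LOG = [
    "2021-03-01T02:14:07Z user=jdoe src=10.4.7.21 session=tty03 action=read path=/u/jdoe/mail",
    "2021-03-01T02:15:41Z user=jdoe src=10.4.7.21 session=tty03 action=open path=/u/projects/orion/budget.txt",
    "2021-03-01T02:16:02Z user=jdoe src=10.4.7.21 session=tty03 action=copy path=/u/projects/orion/budget.txt",
    "2021-03-01T02:16:30Z user=jdoe src=10.4.7.21 session=tty03 action=stat path=/u/projects/orion/contacts.txt",
    "not a log line at all",
    "2021-03-01T09:00:00Z user=admin src=10.0.0.5 session=tty01 action=read path=/etc/motd",
]


def run_example():
    """Plant the decoys, scan the sample log, then pretend the budget file's
    text later turned up in captured traffic and trace it back."""
    decoys = make_decoys(DECOY_PATHS)
    alerts = decoy_accesses(decoys, SAMPLE_LOG)
    captured = "...noise... " + decoy_body(decoys[DECOY_PATHS[0]]) + " ...more noise..."
    sightings = token_sightings(decoys, captured)
    return alerts, sightings


if __name__ == "__main__":
    found, traced = run_example()
    for a in found:
        print(f"ALERT {a['ts']} {a['user']}@{a['src']} ({a['session']}) {a['action']} {a['path']}")
    print("token traced to:", traced)
```

Two design points matter in practice: the token, not the file name, is what survives copying, so it is the token you search for elsewhere; and the alert fires on open/read/copy rather than on a directory listing, because an intruder browsing a directory has not yet taken the bait.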

“The Cuckoo's Egg documented so many of the methods we now use to deal with high-end intruders,” says Richard Bejtlich, a well-known security guru and author of The Tao of Network Security Monitoring: Beyond Intrusion Detection, who has worked on incident response and network monitoring at companies like Corelight and FireEye. “You can see in the book almost everything you need to do in an incident. The mindset, the thoroughness, the commitment to it. It’s all there.”

Even before his book was published, Stoll’s hacker-tracking work at Lawrence Berkeley National Labs inspired its sister institution, Lawrence Livermore National Labs, to try to develop more systematic, automated defenses against hackers. An engineer there, Todd Heberlein, was given a grant to build the world’s first network security monitoring software. “You could literally say that Cliff Stoll kick-started the entire intrusion detection field. We essentially automated in software much of what Stoll was doing,” Heberlein says. “Once I had our tools turned on, we saw people every day trying to hack our network and sometimes succeeding. An entire crime wave was happening and no one was aware of it.”

Eventually a version of Heberlein’s network monitoring software was deployed to more than 100 Air Force networks, including the ones Richard Bejtlich found himself working on during his time in the military in the late 1990s. As a high school student, Bejtlich had been captivated by a paperback copy of The Cuckoo's Egg, and he reread it during that time in the Air Force. “Every element of what Stoll did, we were doing,” he recalls.

Around 2010, when he was working as director of incident response for General Electric, Bejtlich says he read it again, and found dozens more lessons for his team. He’d later pull them together for a talk about those lessons, "Cooking the Cuckoo's Egg,” that he gave at a Department of Justice cybersecurity conference.

Just as much as its technical lessons, The Cuckoo’s Egg captures a deeply personal side of the job of hacker tracking too. The long hours, friction with bosses, federal agents who demand to be briefed on discoveries without sharing their own information, and tensions with loved ones—Stoll’s then-girlfriend (now ex-wife) didn’t always appreciate his nights sleeping under his desk to hunt an invisible white whale. “There are still incident responders who sleep under desks and are awoken at weird times. You’re at the mercy of the intruder,” Bejtlich says. “Anyone who has done this can relate to being away from the family and working crazy hours. It’s completely familiar even 30 years later.”

But there’s a thrilling side to Stoll's story as well: an ideal for aspiring network defenders, many of whom hope to someday find themselves the protagonist in a detective story like the one Stoll wrote about. “People who get into cybersecurity dream they’ll work on something like this,” says Chris Sanders, a security consultant who created a course based on The Cuckoo's Egg called "The Cuckoo's Egg Decompiled." “They imagine finding the thing that becomes the bigger thing. We all want to live that. Some live it and some don’t. But we all get to live it vicariously through Cliff.”
