How To Catch Hackers: A Captain's Guide

by Hinesh Jethwani, May 24, 2004

'Know your enemy', an unwritten rule that every soldier swears by, is quickly turning into the most effective method of stopping hackers dead in their tracks. New-age IT detectives, with hardcore military expertise in understanding the very psyche of their enemy, have set up a bold front to protect enterprises against hackers.

In an exclusive with CXOtoday, Captain Raghu Raman (ex-military), CEO of Mahindra Special Services Group (MSSG), a specialized security consultancy in the country, said, "It is easier to teach technology to a security professional, rather than training a technology expert to understand the concepts of security. Today, most security breaches are discovered purely by chance. The only way that security experts can get on top of hackers is by sniffing out a familiar pattern - a technique which is ingrained into the minds of security professionals."

Speaking in true military parlance, Captain Raman detailed, "Professional hackers always attack in stages - the first stage is almost always a 'reconnaissance' stage, in which the hacker maps and snoops around on the network. With our training, we are able to look outside the primary attack window, and uncover hidden back attacks, which would have otherwise remained undetected by routine system admin checks. The ability to get into the psyche of a hacker is an invaluable asset, and we have trained ourselves to think and see exactly like a hacker would. It is this very training that is impossible to impart to IT professionals."

So which hacker 'wars' has MSSG won by using its new-age IT defense tactics? Captain Raman had interesting cases to share. "In carrying out a routine vulnerability test for a major financial institution, we came across a peculiar pattern. The system admin reported that every night at about 2:00 am, a person logged on from a fixed DSL line to post trades for the day. This so-called 'routine' activity was considered normal by the company but we decided to take a closer look. Checking all his previous records, we discovered a strong link that pointed out the fact that he obviously had insider information, which he was exploiting. If someone followed his trade, he could end up making a fortune. This situation would have gone undetected by normal system checks, as it did not classify as your typical security breach," he explained.

Captain Raman explained another case where his strong military instinct gained the upper hand. "In another financial institution, during the security audit we found out that one machine on the network was extremely hardened, while all the others in comparison were in a pathetic state. To us, it was a hot lead, as only a few security professionals had the expertise to harden a system to that extent. After 'interrogating' the system admin, we came to the conclusion that he didn't have the knowledge to carry out the hardening. When we probed into the file systems of the machine, we came across a shocking discovery: There was a sophisticated Trojan recorded deep inside with root access. We used forensic analysis tools to bitmap the machine, and discovered that an attacker had inserted the Trojan, and intentionally hardened the machine so that no one else could get in. An interesting point to note here is that the hacker couldn't have installed the Trojan without a hard reboot, something which only the system admin had privileges for. On reviewing system logs, we found that the system had been in fact intentionally rebooted by the admin. The hacker had ingeniously gained the trust of the admin by helping him out with security tutorials, and had tricked him into restarting the system," he said.
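Both cases above are pattern checks rather than signature matches: a login that recurs at the same off-hours time from the same fixed source, and a host whose hardening posture is far out of line with its peers. The following is an added example, written for this page and not MSSG's or the article's own tooling, showing how a defender might encode both checks over a small log and a per-host control inventory. The log format, the 00:00-04:59 quiet window, the thresholds, and every host name, user name and address are constructed assumptions.

```python
"""Two anomaly checks of the kind the interview describes.

1. recurring_off_hours_logins: successful logins from one (user, source)
   pair that fall in a quiet window on several distinct nights.
2. hardening_outliers: hosts whose count of passing hardening controls
   is far above the fleet median (the one 'too well hardened' machine).

All sample data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed authentication log (assumed format: date time LOGIN key=value ...).
SAMPLE_AUTH_LOG = """\
2004-05-10 02:03:11 LOGIN user=trader7 src=203.0.113.45 host=trd-app01 result=ok
2004-05-10 09:15:02 LOGIN user=alice src=10.0.4.12 host=trd-app01 result=ok
2004-05-11 02:01:48 LOGIN user=trader7 src=203.0.113.45 host=trd-app01 result=ok
2004-05-12 01:58:30 LOGIN user=trader7 src=203.0.113.45 host=trd-app01 result=ok
2004-05-12 23:40:10 LOGIN user=bob src=10.0.4.20 host=trd-app02 result=ok
2004-05-13 02:05:02 LOGIN user=trader7 src=203.0.113.45 host=trd-app01 result=ok
2004-05-13 02:07:19 LOGIN user=trader7 src=198.51.100.9 host=trd-app01 result=fail
2004-05-14 08:30:00 LOGIN user=alice src=10.0.4.12 host=trd-app01 result=ok
"""

OFF_HOURS = range(0, 5)   # assumed quiet window: 00:00 to 04:59 local time
MIN_NIGHTS = 3            # assumed threshold before a pattern is worth a look


def parse_auth_line(line):
    """Parse one log line into a dict with a datetime under 'ts'.

    Returns None for lines that do not match the assumed format, so a
    malformed or truncated line never aborts the whole scan.
    """
    parts = line.split()
    if len(parts) < 4 or parts[2] != "LOGIN":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields or "src" not in fields:
        return None
    fields["ts"] = ts
    return fields


def recurring_off_hours_logins(log_text, min_nights=MIN_NIGHTS):
    """Return {(user, src): [dates]} for successful off-hours logins that
    recur on at least min_nights distinct nights from the same source.

    Failed attempts are ignored here: the point is the established habit,
    not a brute-force burst, which is a different detection.
    """
    nights = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None or rec.get("result") != "ok":
            continue
        if rec["ts"].hour in OFF_HOURS:
            nights[(rec["user"], rec["src"])].add(rec["ts"].date())
    return {key: sorted(days) for key, days in nights.items()
            if len(days) >= min_nights}


# Constructed per-host control inventory (True = control present).
HARDENING_CHECKS = {
    "trd-app01": {"ssh_root_login_disabled": True, "unused_services_off": True,
                  "host_firewall": True, "file_integrity_monitoring": True,
                  "patched_within_30d": True, "audit_logging": True},
    "trd-app02": {"ssh_root_login_disabled": False, "unused_services_off": False,
                  "host_firewall": False, "file_integrity_monitoring": False,
                  "patched_within_30d": True, "audit_logging": False},
    "trd-app03": {"ssh_root_login_disabled": False, "unused_services_off": True,
                  "host_firewall": False, "file_integrity_monitoring": False,
                  "patched_within_30d": False, "audit_logging": False},
    "trd-app04": {"ssh_root_login_disabled": True, "unused_services_off": False,
                  "host_firewall": False, "file_integrity_monitoring": False,
                  "patched_within_30d": True, "audit_logging": False},
}


def hardening_outliers(checks, min_gap=3):
    """Return {host: score} for hosts whose count of passing controls
    exceeds the fleet median by at least min_gap.

    A single host that is much better hardened than its peers is a lead
    to investigate (who did it, and why), exactly as in the audit above.
    """
    scores = {host: sum(bool(v) for v in ctl.values())
              for host, ctl in checks.items()}
    fleet_median = median(scores.values())
    return {host: s for host, s in scores.items() if s - fleet_median >= min_gap}


if __name__ == "__main__":
    for (user, src), days in recurring_off_hours_logins(SAMPLE_AUTH_LOG).items():
        print(f"recurring off-hours login: {user} from {src} on {len(days)} nights")
    for host, score in hardening_outliers(HARDENING_CHECKS).items():
        print(f"hardening outlier: {host} passes {score} controls, far above peers")
```

On the constructed data the first check flags only the trader7 logins from 203.0.113.45 (four nights in the window); the failed attempt from a different address and the 23:40 login fall outside the rule. The second check flags trd-app01, which passes all six controls against a fleet median of 1.5. Neither hit is proof of wrongdoing; each is the "hot lead" the interview describes, to be followed up with the account owner's records or a forensic image of the host.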

Dismissing the Linux vs. Microsoft security debate, Captain Raman said, "The higher the stakes, the more is the vulnerability. Put simply, the system that has more money banking on it is prone to attack. The OS has nothing to do with it."

The main constraint on a concrete enterprise security strategy today is a restricted budget, according to Captain Raman. "To effectively combat threats, professionals should restrict the amount of corporate information going outside the organization. Even detailed system specifications released as requirements in a job advertisement, can end up contributing to a hacker's knowledge base," he added.

Asked about the arrest of the German teenager responsible for the Sasser worm, he said, "It is definitely going to be a deterrent to juvenile hackers, but it will take a long time before security agencies can net seasoned professionals."

Captain Raman has over 15 years of experience in information security. In addition to several government agencies, Raman has served the United Nations in various information warfare divisions. He has been trained at the College of Telecommunication Engineering and specialized in missile guidance systems (Armored Corps Center and School) and secure communication links. In addition he has been trained at Foundstone & SCIP (US) on advanced hacking techniques and protection against competitive intelligence. Raman is currently on the panel of RSA, Forum Engelberg, MDI, and ITBT.
