Determinism vs. Indeterminism
Submitted by Ted Ritter on Thu, 2008-05-08 14:21.

My last posts were about Grissom and the adventures of an IT CSI. An interesting aspect of being an IT CSI is that you are always forced to reconstruct the crime scene from clues. In some cases it's a slam dunk: gun in hand, GSR on the hand, bullet through the head, and no apparent means of entry: suicide. Similarly, the IT CSI may see web server performance drop, increased activity on all ports simultaneously, and thousands of half-open connection requests that never carry any further data (a SYN flood): DDoS attack. Of course, it's rarely this simple.
The challenge is root cause determination. We all know that when we hear thunder (the event) there must have been lightning (the root cause). Similarly, in IT there are thousands of rules used to trace events back to a root cause. The underlying issue is determinism vs. indeterminism. A rules-based system's value proposition rests on the premise that determinism exists: we can reconstruct the root cause from a set of rules and the related events. The good news is that rules help with known attacks and even with predetermined variations on known attacks. Of course, terms like "known" and "predetermined" imply determinism, and here lies the problem. As long as there are rules, the rules can be used to the hacker's advantage. For example, if I'm a hacker and I know that a rule says thunder = lightning, I'll make sure to launch my supersonic hack (the penetration) during the IT thunderstorm (the DDoS attack). That way, if I do create a sonic boom (an event), it goes undetected, written off as one more clap from an errant lightning strike. Of course it's not a lightning strike, despite the rule.
Beyond a rule, what is required is the ability to track both the lightning and the thunder and to correlate the lightning strikes with the thunder claps. Though this sounds like a rule, it's not. With this approach, it's possible to focus forensic activity where there may have been a violation of thunder = lightning: one more thunder clap than lightning strikes. We still don't know the root cause (the hack) for certain, but we can isolate a time window in which to look deeper for any potential malfeasance.
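To make the lightning-and-thunder bookkeeping concrete, here is an added example (my own illustration, not code from the original post or any product it describes). It treats "lightning" as a detector firing on the flood itself (say, a SYN-rate threshold) and "thunder" as a downstream symptom the flood normally explains (a web latency spike), then pairs each clap with one unused strike shortly before it. Any clap left unpaired is the sonic boom, and its neighbourhood becomes the forensic window. The event lines, the ten-second pairing delay and the one-clap-per-strike rule are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample events (not taken from the post). "lightning" is the
# flood detector firing; "thunder" is a symptom normally caused by the flood.
# The clap at 14:00:31 has no strike of its own: that is the hidden "boom".
SAMPLE_EVENTS = """\
2008-05-08T14:00:00 lightning syn_rate_threshold src=many dst=web01
2008-05-08T14:00:03 thunder   web01 latency_spike p95=4200ms
2008-05-08T14:00:20 lightning syn_rate_threshold src=many dst=web01
2008-05-08T14:00:22 thunder   web01 latency_spike p95=5100ms
2008-05-08T14:00:31 thunder   web01 latency_spike p95=4800ms
2008-05-08T14:01:05 lightning syn_rate_threshold src=many dst=web01
2008-05-08T14:01:09 thunder   web01 latency_spike p95=3900ms
"""


@dataclass
class Event:
    ts: datetime
    kind: str      # "lightning" (cause) or "thunder" (effect)
    detail: str


def parse_events(text: str) -> List[Event]:
    """Parse 'timestamp kind detail...' lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split(maxsplit=2)
        events.append(Event(datetime.fromisoformat(ts), kind, detail))
    events.sort(key=lambda e: e.ts)
    return events


def count_imbalance(events: List[Event]) -> int:
    """Crude global check from the post: thunder claps minus lightning strikes."""
    thunder = sum(1 for e in events if e.kind == "thunder")
    lightning = sum(1 for e in events if e.kind == "lightning")
    return thunder - lightning


def unexplained_thunder(events: List[Event],
                        max_delay: timedelta = timedelta(seconds=10)) -> List[Event]:
    """Pair each clap with the earliest unused strike within max_delay before it
    (assumption: one strike explains one clap). Return the claps left unpaired."""
    unused_strikes = [e for e in events if e.kind == "lightning"]  # already sorted
    unexplained = []
    for clap in events:
        if clap.kind != "thunder":
            continue
        cause = None
        for strike in unused_strikes:
            if strike.ts <= clap.ts and clap.ts - strike.ts <= max_delay:
                cause = strike
                break
        if cause is None:
            unexplained.append(clap)
        else:
            unused_strikes.remove(cause)
    return unexplained


def forensic_windows(unexplained: List[Event],
                     pad: timedelta = timedelta(seconds=30)) -> List[Tuple[datetime, datetime]]:
    """Turn each unexplained clap into a (start, end) window to dig into."""
    return [(e.ts - pad, e.ts + pad) for e in unexplained]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("claps minus strikes:", count_imbalance(evs))
    for clap, (start, end) in zip(unexplained_thunder(evs), forensic_windows(unexplained_thunder(evs))):
        print(f"unexplained: {clap.ts.isoformat()} {clap.detail}")
        print(f"  look between {start.time()} and {end.time()}")
```

The global count (four claps against three strikes) only says that something is off; the pairing pass says where. Note the caveat the post itself acknowledges: the pass isolates a window, not a root cause, and an attacker who times the boom to land inside the pairing delay of a strike that no other clap has claimed will still be absorbed by the storm, so the delay and the one-clap-per-strike rule have to be tuned to how the real detector and symptom actually behave.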