7

Pretend for a moment I am investigating an attack. I find errors in the attack method (mistakes made by the human attacking my network/computer). I compile a database of these "mistakes" treating them like a fingerprint. I then look through sites like security.stackexchange.com comparing the mistakes to questions asked/answered. How many positives would you feel I need before I have a strong lead on a suspect? Keep in mind I can cross reference to other sites. How many cross referenced sites would I be expected to use before I have sufficient cause to call someone a suspect? This is an opinion, so the question might be closed. However, this is also a viable though inexact technique. I'm also considering that many "attacks" are cookbook techniques. In being used over and over, the first person to figure out the technique made the mistake, and everyone else is just reproducing it at some level.

AviD
Everett

2 Answers

4

Essentially you want to apply a Bayesian analysis to a corpus of work, to state something about the likelihood that you would believe an exemplar to be a member of the set constructed by your suspect. That analysis is well-known (and there's a whole statistics stackexchange site, too). You need about as big a corpus of suspect and non-suspect material as a decent spam filter uses.
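The "Bayesian analysis" this answer refers to can be made concrete. The following is an added example, not code from the answerer or from any Stack Exchange project: a Bernoulli naive Bayes scorer over constructed "mistake" fingerprints. Every post, the suspect corpus, the background corpus and the mistake IDs (M1 to M4) are invented for illustration; the point it demonstrates is that a mistake everybody makes (a cookbook one) contributes almost no evidence, while an idiosyncratic one contributes most, and that even a likelihood ratio of several still leaves a weak posterior once a realistic number of candidate authors is taken into account.

```python
import math

# Constructed sample data, not taken from the page: each post is represented
# by the set of fingerprint-style "mistake" IDs observed in it. M1 and M2 are
# cookbook mistakes that appear in most posts everywhere; M4 is idiosyncratic.
SUSPECT_POSTS = [
    {"M1", "M2", "M3"},
    {"M1", "M2"},
    {"M1", "M3", "M4"},
    {"M1", "M2", "M4"},
]
BACKGROUND_POSTS = [  # posts by everyone else in the same communities
    {"M1", "M2"}, {"M1"}, {"M2", "M3"}, {"M1", "M2"},
    {"M2"}, {"M1", "M3"}, {"M1", "M2"}, {"M2"},
]
VOCAB = sorted(set().union(*SUSPECT_POSTS, *BACKGROUND_POSTS))


def presence_rates(posts, vocab, alpha=1.0):
    """P(mistake present | author class) with Laplace smoothing, so a mistake
    never seen in a corpus still gets a small non-zero probability."""
    n = len(posts)
    return {m: (sum(m in p for p in posts) + alpha) / (n + 2 * alpha)
            for m in vocab}


def evidence_bits(observed, suspect_posts, background_posts, vocab=VOCAB):
    """Per-mistake log2 likelihood ratio (Bernoulli naive Bayes): how many bits
    each feature shifts the odds toward 'written by the suspect'. Absent
    features count too: not making a mistake the suspect usually makes is
    evidence against the suspect."""
    ps = presence_rates(suspect_posts, vocab)
    pb = presence_rates(background_posts, vocab)
    bits = {}
    for m in vocab:
        if m in observed:
            bits[m] = math.log2(ps[m] / pb[m])
        else:
            bits[m] = math.log2((1 - ps[m]) / (1 - pb[m]))
    return bits


def likelihood_ratio(observed, suspect_posts=SUSPECT_POSTS,
                     background_posts=BACKGROUND_POSTS):
    """Overall likelihood ratio P(evidence | suspect) / P(evidence | other)."""
    return 2 ** sum(evidence_bits(observed, suspect_posts,
                                  background_posts).values())


def posterior_probability(lr, n_candidates):
    """Combine the likelihood ratio with a flat prior over n_candidates authors:
    prior odds are 1:(n-1), and the posterior is odds/(1+odds)."""
    prior_odds = 1.0 / (n_candidates - 1)
    post_odds = lr * prior_odds
    return post_odds / (1 + post_odds)


if __name__ == "__main__":
    attack = {"M1", "M2", "M4"}  # constructed: mistakes found in the incident
    for m, b in evidence_bits(attack, SUSPECT_POSTS, BACKGROUND_POSTS).items():
        state = "present" if m in attack else "absent"
        print(f"{m}: {b:+.2f} bits ({state})")
    lr = likelihood_ratio(attack)
    print(f"likelihood ratio {lr:.2f}; posterior with 50 candidates: "
          f"{posterior_probability(lr, 50):.3f}")
```

With the constructed data the cookbook mistake M2 is worth roughly zero bits, the rare mistake M4 is worth over two bits, and the total likelihood ratio of about 4.7 turns a flat prior over 50 candidate authors into a posterior under 9%. That is the practical meaning of "you need a corpus about as big as a spam filter uses": the ratio only becomes decisive when it is built from many independent, non-cookbook features, and the prior (how many people could plausibly have done this) matters as much as the matches.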

1

I don't think this technique can hold much water, since it is likely that the attacker simply copy-pasted his way into your network.
Even if you keep searching for more references, your "suspect" could simply have found those sites too and copied from them. Note this may be the truth, or simply his alibi, which you cannot disprove.

AviD
  • At this point I'm only looking for suspects. I'm not convicting them of anything, only considering them or not considering them. Does this help sway your opinion in any way? – Everett Nov 22 '10 at 08:05
  • If I found, say, 100 mistakes, and every one of them had the same person's ID attached as a question/answer, you feel that I haven't found anything statistically significant? How about a thousand? – Everett Nov 22 '10 at 08:07
  • @Everett, not really, unless you have some other information. E.g. this was done on internal servers with no outside access, and your suspect HAPPENS to be an employee at your org, AND the timestamps match up to just shortly before the attack... then yeah, maybe this is additional "proof". But not by itself. – AviD Nov 22 '10 at 08:08
  • I have worked with people that SWORE by Shifflet, for example, even though there was a substantial mistake IN EVERY SINGLE POST. If he has reason to "follow" this person, he could have trusted him blindly and taken ALL the mistakes. However, it MIGHT be a little more suspicious... But all you can really "know" (statistically speaking) is that he read the same posts as you. And that he's not smart enough to recognize that it's a mistake. – AviD Nov 22 '10 at 08:15