Even 'super hackers' leave entries in logs, so prepare to drown in data

Gartner: Super hackers basically don't exist, your incident response plan sucks, and you should relish the opportunity to drown in data: such are the lessons from incident response fanatic Anton Chuvakin. The analyst, physicist, and former director of Security Warrior Consulting gave delegates of the Gartner Security and Risk …

  1. Anonymous Coward

    Teeth grating

    The incidence of the misuse of "incidence", when an author actually means "incidents", is very high, as this and similar incidents demonstrate well.

    1. Anne-Lise Pasch

      Re: Teeth grating

      But only in this incidence.

      1. Buzzword

        Re: Teeth grating

        It's quite insidious.

        1. h4rm0ny

          Re: Teeth grating

          And invidious.

    2. BlartVersenwaldIII

      Re: Teeth grating

      This is because you don't work day in, day out on IR and are unaware of how deep the incidents rabbit hole goes and it's very easy to get confused. Here's some of the other uses we have in the trade:

      Inside Ants - Ants nest in the datacentre.

      Inside Ents - Downtime related to rampaging forest elementals in the data centre protesting your rampant overuse of fossil fuels destroying the environment.

      Arthur Dents - Tea-drinking everyman who nevertheless seems to court disaster on a regular basis.

      Eensy Dents - As Ted Crilly would testify, this is the wrong way to repair bodywork on a Rover 213.

      Ince Idents - Pen tests from individuals posing as famous Inces, such as Sir Godfrey Ince, William Ince MP, or Clayton Ince.

      Its A Fence - Theft of server equipment due to insufficient amount of walls between datacentre and criminal underworld, kit sold to guy(s) at a pub.

      Coe Indidents - Spectacularly expensive operations that quite by accident are backed by Sebastian Coe.

      1. Joey M0usepad Silver badge

        Re: Teeth grating

        Have an upvote for effort!

  2. Anonymous Coward

    Not really surprising

    Just as regular software engineering went from a waterfall to a continuous development model, so did malware and security breaches.

  3. Anonymous Coward

    Super hackers don't exist because everyone leaves entries in logs.

    Am I the only one thinking that is a stupid comment? If "super hackers" did in fact exist then you wouldn't know as they wouldn't leave entries in logs.

    I love a good oxymoron.

    Click the 'Start' button to shut down the computer.

  4. LucreLout Silver badge

    "Monetary cost is a question that should have been left in the 1990s," Chuvakin says.

    Yeah, good luck with that. The 90s were all about ignoring the monetary question, hence the dot com bust. "You have more money than time." - Anyone else remember the war cry of the fishies? As a way to bill people it was genius, but as a way to run your business, not so much.

    1. Khaptain Silver badge

      Agreed and it appears that Chuvakin is not a frequent member of the Budget/Project decision committee meetings.

      Security is obviously a balance of Cost vs Risk... The questions are always the same "Can the risks be mitigated, if so how much will it cost?" What's that you say, we "must" have at least 3 data centres to host our Exchange server..... HOW MUCH......

      1. LDS Silver badge

        Just people are usually good at computing people and equipment costs, never at estimating risks and their real cost...

  5. Sir Runcible Spoon Silver badge

    Time for accountants

    to wake up to the cost of doing business on the internet.

  6. Doctor_Wibble


    A simple enough 'canary' logging (yes also goes to another box) rule in your firewall/gateway tells you who's looking, how often etc and frequently also ties up with spammer 'probing proxies' or 'completely legitimate business enterprises' like one featured in a certain paper yesterday (not mine!) as 'google for hackers' and will probably appreciate the free advertising.

    As for the 'everyone leaves a trace', this is well known but it only seems like there is a super unseen elite because webmail providers ignore attempts to communicate clumps of relay attempts, ISPs ignore notifications of streams of login attempts, universities have officially sanctioned 'research' scans, and cloud providers hide behind the 'customers are not our problem, even breaches of the Computer Misuse Act or whatever it is called in your juris-my-diction'. No names because people always get scarily defensive about their chosen provider (for meanings of 'their' and 'chosen' and probably also 'provider').

    Companies don't care and puny individuals can go whistle. So all we can do is lock stuff down as hard as possible and hope for the best. Or unplug everything.

    1. Anonymous Coward

      Re: Canaries!

      I like your thinking however as they are aware of the when/how/where of sys logs it wouldn't be that difficult to fake said logs even if they were on another machine as once you own the machine sending the logs it's pretty simple.

      Fear the invisible mighty super hackers that may or may not exist, nobody would ever know.

      1. Doctor_Wibble

        Re: Canaries!

        > as they are aware of the when/how/where of sys logs it wouldn't be that difficult to fake said logs

        An entirely correct point - so that's something else to watch out for when trying to figure out WTF the logs mean once they have been filled with all that chaff and sorting out the actual start point depending on how clever they have or have not been.

        Also important is to ensure the logging machine only ever accepts logging messages and no other connections etc etc I realise I'm preaching to the choir now... perhaps syslog boxes should boot from a self-destructing USB stick and record everything to WORM drives or is that just standard practice now...?
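The per-source tally that a 'canary' logging rule of the kind described in the comments above makes possible, as an added example that is not part of any comment in this thread. It assumes the rule writes netfilter-style LOG lines with a hypothetical `CANARY: ` prefix; the host name, addresses (documentation ranges) and abbreviated sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample lines in netfilter LOG style. The "CANARY: "
# prefix, host name and addresses are assumptions made for this example.
SAMPLE = """\
Jun  1 03:14:07 gw kernel: CANARY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=23
Jun  1 03:14:09 gw kernel: CANARY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40113 DPT=3389
Jun  1 03:20:41 gw kernel: CANARY: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=23
Jun  1 03:21:00 gw kernel: ACCEPT: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=443
Jun  1 04:02:13 gw kernel: CANARY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40999 DPT=23
Jun  1 04:02:14 gw kernel: CANARY: truncated line with no fields
"""

# Timestamp, logging host, then everything after the canary prefix.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: CANARY: (?P<kv>.*)$")


def summarise(text):
    """Return {src: {"hits", "ports", "first", "last"}} for canary-rule hits."""
    seen = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # some other rule's log line, not a canary hit
        fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        if "SRC" not in fields or "DPT" not in fields:
            continue  # malformed or truncated entry: skip rather than guess
        rec = seen[fields["SRC"]]
        rec["hits"] += 1
        rec["ports"].add(int(fields["DPT"]))
        rec["first"] = rec["first"] or m["ts"]  # keep the earliest timestamp
        rec["last"] = m["ts"]                   # overwrite with the latest
    return dict(seen)


def repeat_visitors(summary, min_hits=2):
    """Sources that came back at least min_hits times, busiest first."""
    return sorted((s for s, r in summary.items() if r["hits"] >= min_hits),
                  key=lambda s: -summary[s]["hits"])


if __name__ == "__main__":
    for src, rec in summarise(SAMPLE).items():
        print(src, rec["hits"], sorted(rec["ports"]), rec["first"], "->", rec["last"])
```

Run it against the copy held on the separate log host and compare with the gateway's own copy: a count that differs between the two is the tampering the reply above warns about.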

  7. NanoMeter

    Super hackers might leave entries in logs

    but don't expect the IP address to be correct.

    1. Doctor_Wibble

      Re: Super hackers might leave entries in logs

      Of course it's real you backtrace it and spike them, I've seen this done in so many documentaries by people who are completely not stereotypes in any way whatsoever. Some of them even had skateboards.

      1. Anonymous Coward

        Re: Super hackers might leave entries in logs

        I saw that as well, didn't it have a fat kid playing wow?

        Edit: in his mother's basement eating pizza...

      2. Old Handle

        Re: Super hackers might leave entries in logs

        But don't the super hackers have a nifty trace tracker utility that lets them log off just in time before you find their location?

    2. Crazy Operations Guy Silver badge

      Re: Super hackers might leave entries in logs

      Or just not bother disguising the IP. It's trivial for an attacker to just proxy their connections through a rented botnet, so even knowing the correct IP would be pointless (what are you going to do, call up some random schmuck in Brazil / China / India and ask them to send you their computer so you can trace the attack?).

  8. Rick Giles

    Two words...

    Air Gap.
