Prevention and Detection: Seeing the Hacker’s-Eye View

The suspected tapping of Angela Merkel’s phone by the NSA; reports of stolen personal data in the United States; a hacking attack on the German parliament: These incidents are indicative of an enormous need to increase awareness of IT security.

That’s why seminars at the Hasso Plattner Institute (HPI) are teaching tomorrow’s security experts how to repel cyberattacks effectively today.

Marian Gawron is familiar with the cat-and-mouse game that HPI students play to put into practice the theory they have learned during an IT security seminar entitled “Cops & Robbers.” Two groups of students face each other in a virtual network: one group’s mission is to defend the network; the other’s is to hack into it. A former student on the IT Systems Engineering program at the Hasso Plattner Institute in Potsdam, Germany, and now a program tutor himself, Gawron knows how to make a network as resilient to cyberthreats as possible. He is also familiar with the tools, strategies, and tricks that hackers use to worm their way into computer systems.

Detection Rates Similar to Those for Bicycle Theft

Unfortunately, while the menace of cybercrime is growing all the time, many companies are still a long way from comprehending the dangers they face. Holger Münch, head of the German Federal Criminal Police Office (BKA), is not the only public figure to have spelled out the stark truth about the threats hanging over corporate IT. At the recent Congress on National Cybersecurity in Potsdam, he warned of “crime as a service,” of the general shift of criminal offences to the digital world, of negligent practices in the handling of large volumes of sensitive data, and of the accelerating globalization of criminal activity. He also criticized the fact that the detection rates for cybercrime are no better than for bicycle theft. That is why the relevant government authorities are increasing staffing levels at their cyber defense centers. By contrast, most businesses have a long way to go before they arrive at this level of awareness.

Yet, as Christoph Meinel, head of the HPI in Potsdam, is at pains to point out, achieving a keener awareness of security issues is essential.

“Many companies don’t know what it is they want to protect,” says Meinel incredulously, “and that’s because they are completely oblivious to the potentially catastrophic consequences of cybercrime.”

To operate safely in cyberspace, he says, it is essential for businesses to take measures to protect digital identities, counter malware attacks, and encrypt communications via e-mail and the like.

Integrate Cybercrime in Study Programs

While the students at the HPI are well versed in many aspects of digital technology, the Cops & Robbers seminar represents their first attempt at protecting a network that hackers are doing their darndest to break into.

“This is where the students learn how hard it is to operate and secure a live network without also excluding people who are authorized to access it,” explains Gawron. “The aim of the seminar is to create awareness of how cyberattackers think.”

In the network the students use for their virtual battle, the security gap is located in a browser. The job of the network defenders is to plug the gap with patches or to thwart potential attackers by blocking their IP addresses.

Scanning for Anomalies

The most important jobs for the defenders are to keep a constant watch over the network and to identify which computer the attackers use to gain access to it.

“Constantly scanning a network enables you to detect unexpected activities,” says Gawron, who has been writing a doctorate on the security weak points in computers and networks for the past 18 months and is working to develop a system that offers administrators automated security solutions. The conventional approach is to deploy detection software that collects data from log files.

“But there is so much information buzzing around that critical data can easily go unnoticed in the general ‘noise’,” he says. Intelligent filters help by enabling companies to direct their attention to suspicious IPs. And intrusion detection systems (IDS) are effective in detecting security breaches.
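The noise-filtering step Gawron describes, as an added illustration rather than code from HPI or the seminar: a sliding-window filter that reduces a constructed, simplified event log to the handful of source IPs whose behaviour stands out (contacting many distinct hosts or piling up failures within a few minutes), which is the list a defender in the seminar would consider blocking. The log format, thresholds and addresses are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log ("timestamp src -> dst event"); it is not output of a
# real IDS or of the seminar network, and 192.0.2.44 is a documentation address.
SAMPLE_LOG = """\
2015-06-10T10:00:01 10.0.0.5 -> web01 login_ok
2015-06-10T10:00:12 10.0.0.9 -> web01 http_get
2015-06-10T10:01:00 192.0.2.44 -> web01 http_get
2015-06-10T10:01:02 192.0.2.44 -> web02 http_get
2015-06-10T10:01:03 192.0.2.44 -> db01 connect_failed
2015-06-10T10:01:04 192.0.2.44 -> db01 connect_failed
2015-06-10T10:01:05 192.0.2.44 -> mail01 connect_failed
2015-06-10T10:01:06 192.0.2.44 -> fs01 connect_failed
2015-06-10T10:02:00 10.0.0.9 -> mail01 login_ok
2015-06-10T10:30:00 10.0.0.5 -> mail01 login_failed
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\S+) (?P<event>\w+)")

def parse_log(text):
    """Return (timestamp, src_ip, dst_host, event) tuples in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["event"]))
    return sorted(events)

def suspicious_ips(events, window=timedelta(minutes=5), max_hosts=3, max_failures=3):
    """Sliding-window filter over the noise: a source IP is reported when, inside any
    `window`, it touches more than max_hosts distinct hosts or produces more than
    max_failures *_failed events. Returns {ip: {"hosts": n, "failures": n}}."""
    recent = defaultdict(deque)   # per source IP: events still inside the window
    findings = {}
    for ts, src, dst, event in events:
        q = recent[src]
        q.append((ts, dst, event))
        while ts - q[0][0] > window:            # expire entries older than the window
            q.popleft()
        hosts = len({d for _, d, _ in q})
        failures = sum(e.endswith("_failed") for _, _, e in q)
        if hosts > max_hosts or failures > max_failures:
            prev = findings.get(src, {"hosts": 0, "failures": 0})
            findings[src] = {"hosts": max(prev["hosts"], hosts),
                             "failures": max(prev["failures"], failures)}
    return findings

if __name__ == "__main__":
    for ip, s in suspicious_ips(parse_log(SAMPLE_LOG)).items():
        print(f"candidate for blocking: {ip} ({s['hosts']} hosts, {s['failures']} failures)")
```

Only the one scanning address survives the filter; the two legitimate workstations, including the one with a single failed login half an hour later, stay in the noise.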

But for many enterprises, even the mundane task of data collection is a bridge too far. “The sheer volume involved is one of many reasons why this important activity is often neglected,” says Gawron.

That’s why, as the Federal Office for Information Security (BSI) found, it takes an average of 243 days for targeted cyberspying, or advanced persistent threats (APTs), to come to light, leaving hackers all the time in the world to trawl breached systems for valuable information.

Relationships Are Better Than Network Logs

In the Cops & Robbers seminar, the students tend to take the approach of analyzing log files in real time, simply because there is only a small volume of information to scan. But in the reality of everyday business life, data volumes are much larger, and getting results quickly becomes much more of an issue.

“Many of the scanning practices used are very sound, but they don’t produce the necessary analysis results fast enough,” says Meinel, who therefore recommends using in-memory technology. “It’s not just that it’s 10,000 times faster than other database technologies: It’s also the basis for the HPI’s Real Time Analytics and Monitoring System (REAMS), which compares ongoing attacks with past patterns of attack in order to allow appropriate and rapid countermeasures.”

The results of this and other research work conducted at the HPI have been channeled into a new SAP product, SAP Enterprise Threat Detection, which helps uncover attacks according to the methods that Meinel predicts will be most effective in the future, that is, “finding relationships, rather than creating network logs.” A point that will surely not go unmentioned in Gawron’s doctoral thesis.
