Thursday, May 03, 2007

It Was All Him, That Bad Boy

As security people we are used to answering questions such as "Who attacked that system?" with a curt "Oh, it was" But is the IP address really a who? No, really, is it? I seriously doubt that an auditor, a judge or a lawyer will agree that "an IP address is a who."

Where am I going with this? I think the time when we start making broader use of identity traceback to link the faceless, inhuman :-) IP addresses to a nice (or nasty, as the case may be :-)) warm-blooded humans, who actually press the buttons and write programs.

In fact, PCI tells that that we already MUST. Requirement 10.1 says that the organization must "establish a process for linking all access to system components (especially access done with
administrative privileges such as root) to each individual user." At the same time, one of the DoJ papers on "Computer Records and the Federal Rules of Evidence" mentions this as well in the section on challenges to computer evidence integrity: "Although handwritten records may be penned in a distinctive handwriting style, computer-stored records consist of a long string of zeros and ones that do not necessarily identify their author."

So, making that IP to person connection is important, so how do we do that? Well, let's see who knows who you are:

  • a DHCP server does, somewhat: it can link a dynamic IP to a static Windows name (still not a person name, but for workstations it might sometimes be related)
  • an Active Directory server does, a bit more
  • a NIS or an LDAP server kinda does as well
  • Other sources of such info can be used as well (more on this in the future)

Thus, the identity traceback challenge is not really in the lack of info, but in coming up with ways to link the pieces together in an automated and reliable way.

As I mentioned in my RSA 2007 impressions, "identity" is a hot buzzword now; I expect people to start making more use of such identity info for identity traceback...

UPDATE: of course, I saw this (do you think I am asleep or what? :-))

UPDATE - 7/25/2007: here is another fun blurb on this very subject - "automatically associating learned user accounts with IP addresses. " It does it in a really cool way: "It accepts normalized logs from several dozen different authentication log sources, extracts the user name and originating IP address and then creates a log if the user identity is new, or if an existing "user to IP address" relationship has changed."

Dr Anton Chuvakin