Efforts to identify the still-at-large attackers who stole personal information from Sony’s PlayStation network raise questions about how the companies that fall victim to cyber crime can track down these hackers -- and whether they can overcome the roadblocks the perpetrators know to put in place.
These cyberattackers leave no fingerprints, footprints, or clothing fibers. They enter silently and stealthily, frequently using a network of computers located all over the world and digital weaponry culled from for-hire hackers. They can delete evidence, erase their tracks, weaken a system’s defenses with an army of computers at their command and route their attacks through countries where U.S. law enforcement has no reach.
Sony has hired a team of outside investigators working with the Federal Bureau of Investigation to track down the people who stole names, addresses and potentially credit card numbers from 100 million users. The company has fingered Anonymous, an activist hacker group, in the breach, though the organization has repeatedly denied any involvement. Sony acknowledged in a letter to Congress that three weeks after the attack, the perpetrators had not yet been identified.
“The truth is that retracing the steps of experienced cyber attackers is a highly complex process that takes time to carry out effectively,” wrote Sony’s Kazuo Hirai, chairman of the board of directors.
Though Sony has offered few specifics on how attackers were able to steal data from its servers or how it has tried to find them, security experts described in broad strokes how digital forensics experts might solve a “whodunit” of the sort Sony faces.
The time-intensive process of tracking down online attackers is fraught with technical and legal challenges, these experts say, while noting that savvy criminals wield a vast arsenal of tools both online and off to escape detection.
Once a company discovers its network has been breached, investigators will usually first comb the server’s log files. A web server’s access log records each request it handled: the time, the address the request came from, what was asked for, whether the server answered it and how much data it sent back, which includes attempts to log in, to reach parts of the site that should be off limits, or to pull information out. Reviewing these records -- the digital equivalent of watching security camera footage -- offers a look at any suspicious communication with a company’s network and where it may have originated.
These data logs “allow you to reconstruct the attack,” said Roel Schouwenberg, a senior malware analyst with Kaspersky Lab, an antivirus software provider. “Looking through the logs you can find some anomalies. There is generally a difference in the log between a regular user surfing a site and somebody who tries to push certain information onto a web server.”
The logs may show the request that planted a file on the server -- Sony said it found a file labeled “Anonymous” on its network -- pulled data out of the network, tried to reach the database without authorization, or made a number of other unusual requests. Each entry also records the IP address the request came from. That address identifies the network connection the request arrived over at that moment, not the device itself or the person using it, but it is the thread investigators first pull on to work out which computer sent the commands.
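As an added illustration of the log review described above (this is example code written for this article, not anything Sony or its investigators have released), the script below parses a handful of constructed web server access-log lines in the common “combined” format and flags the kinds of anomalies the experts mention: requests carrying SQL injection or directory traversal strings, successful writes to the server, unusually large responses that could be bulk data extraction, and repeated authentication failures from one address. The log lines, IP addresses, paths and thresholds are all made up for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines in the common "combined" web server log format.
# These are made up for this example; they are not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2011:03:14:01 +0000] "GET /store/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2011:03:14:03 +0000] "GET /store/item.php?id=42 HTTP/1.1" 200 3801 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Apr/2011:03:15:10 +0000] "GET /store/item.php?id=42'%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 9102 "-" "sqlmap/1.0"
198.51.100.23 - - [20/Apr/2011:03:15:12 +0000] "GET /store/item.php?id=42%20AND%201=1 HTTP/1.1" 200 3801 "-" "sqlmap/1.0"
198.51.100.23 - - [20/Apr/2011:03:16:40 +0000] "POST /uploads/anonymous.txt HTTP/1.1" 201 12 "-" "curl/7.21"
198.51.100.23 - - [20/Apr/2011:03:18:02 +0000] "GET /admin/export.php?table=customers HTTP/1.1" 200 734003211 "-" "curl/7.21"
192.0.2.55 - - [20/Apr/2011:03:19:00 +0000] "GET /../../etc/passwd HTTP/1.1" 404 233 "-" "Mozilla/4.0"
192.0.2.55 - - [20/Apr/2011:03:19:01 +0000] "GET /admin/login.php HTTP/1.1" 401 512 "-" "Mozilla/4.0"
192.0.2.55 - - [20/Apr/2011:03:19:02 +0000] "GET /admin/login.php HTTP/1.1" 401 512 "-" "Mozilla/4.0"
192.0.2.55 - - [20/Apr/2011:03:19:03 +0000] "GET /admin/login.php HTTP/1.1" 401 512 "-" "Mozilla/4.0"
"""

# One "combined" log line: client IP, ident, user, [time], "METHOD path proto", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Heuristic patterns only; a real investigation baselines against the
# application's normal traffic rather than relying on fixed signatures.
SQLI_RE = re.compile(r"union\s+select|'\s*or\s+1=1|\band\s+1=1\b|--\s*$", re.I)


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
        rec["decoded_path"] = unquote(rec["path"])  # look past %-encoding
        records.append(rec)
    return records


def find_anomalies(records, large_bytes=50_000_000, auth_fail_threshold=3):
    """Return {source_ip: [(tag, detail), ...]} for requests worth a closer look."""
    findings = defaultdict(list)
    auth_failures = Counter()
    for r in records:
        ip, path = r["ip"], r["decoded_path"]
        if SQLI_RE.search(path):
            findings[ip].append(("sqli", path))
        if "../" in path:
            findings[ip].append(("traversal", path))
        # A successful POST/PUT is a write to the server: the sort of request
        # that would have planted a file.
        if r["method"] in ("POST", "PUT") and 200 <= r["status"] < 300:
            findings[ip].append(("write", path))
        # A very large response is a candidate for bulk data extraction.
        if r["bytes"] >= large_bytes:
            findings[ip].append(("bulk-transfer", f"{path} ({r['bytes']} bytes)"))
        if r["status"] in (401, 403):
            auth_failures[ip] += 1
    # Repeated rejections from one address look like credential guessing.
    for ip, n in auth_failures.items():
        if n >= auth_fail_threshold:
            findings[ip].append(("auth-brute", f"{n} failed authentication attempts"))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in find_anomalies(parse_log(SAMPLE_LOG)).items():
        print(ip)
        for tag, detail in hits:
            print(f"  [{tag}] {detail}")
```

Run against the constructed lines, the ordinary shopper at 203.0.113.7 produces no findings, while the two other addresses are each tied to a cluster of suspicious requests. The source addresses are only where the trail starts, for the reasons the next paragraphs describe.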
But this IP address is frequently akin to a stolen driver’s license a thief intentionally leaves at a crime scene to mislead police.
Anticipating that cyber detectives will track down this information in the log data, hackers often cover their tracks by assuming a false identity when they breach the network: they will route an attack through a series of machines and servers that are connected in ways that make it difficult, if not impossible, to track one to the next.
For example, the IP address of the machine that breached Sony’s servers could have belonged to a "middleman" acting as an intermediary between Sony’s network and another computer. And in turn, that computer might have been an unsuspecting teen’s MacBook that hackers controlled remotely from a cybercafe located states, countries, or continents away.
Each node in this chain of computers could be a dead end. Hackers may rent servers from hosting companies that promise not to retain potentially incriminating log data, or they may illicitly take control of other people’s personal computers.
“What we’ve seen is that the IP address [involved in the attack] is very commonly a machine provided by a legitimate hosting service that rents or sells such machines, but the identity associated with the purchase is either stolen or false,” said Matthew Geiger, a forensics expert with Carnegie Mellon’s Software Engineering Institute. “Another possibility is that it belongs to another compromised system: somewhere upstream of the victim is another victim. It could be a home system like yours or mine.”
Cyber criminals also frequently attempt to delay or derail a probe by using machines in countries where the FBI has no jurisdiction and would be unable to tap into records about Internet activity. The records maintained by Internet service providers can sometimes shed light on large data transfers that connect a criminal to her crime -- but the information may be off limits without the proper legal permissions.
Geiger noted that hackers also know they can “delay substantially -- and in some cases impede irreparably -- an investigation by requiring a lot of cooperation between different jurisdictions, some of which might not be friendly to each other.”
Security experts say server log files can also serve up key clues about the technical tools used to execute the attack. Just as a bullet can reveal the murder weapon and potentially even the person who pulled the trigger, any evidence of attackers’ digital weaponry could be linked to previous crimes, the underground online markets where the services are sold and particular hacker communities around the world.
“There’s a possibility that based on what you can recover from attackers’ tool kits and the tools left behind on the victim’s network, you might be able to find specific and relatively unique identifying components you can correlate with other crimes or even with known groups,” said Geiger. “Maybe somebody has noticed the tools for sale in a particular place and can correlate them with the seller. There are commercial groups that follow underground forums used by cyber criminals to either sell their booty or to equip themselves with components for an attack.”
Even if investigators track an attack back to a particular computer through log files, IP addresses and a slew of other evidence, there often remains a gaping hole in their case: identifying who it was sitting at the keyboard orchestrating the attack.
“The most difficult challenge for law enforcement is putting a human being at the keyboard behind the attack,” said Adam Palmer, a cybersecurity advisor at Norton, a division of the security software firm Symantec. “It’s not enough to trace the attack back to a server. The server didn’t commit the crime. Technology is good, but these tools are being abused by human beings.”