Compromise detection

by Anton Chuvakin

Intrusion detection, attack detection, probe detection - all nice, but I want to know when the stuff is truly "0wned" - compromised, penetrated, infected, etc. This paper looks at the problem of reliably discovering compromised machines on corporate networks. I also received a peculiar comment about the claim quoted in the first section. The person provided some hints that the claim might indeed be true.


2004-11-03 11:11:12
The claim: "most of the Fortune 2000 companies have already been penetrated by hackers (and have been in that state for years!). Hackers move in and out at will through the backdoors and other covert channels without the security personnel knowing or even suspecting it."

As a long-time member (10+ years' professional experience) of the security community, I don't see this as outrageous at all; I take it as a given. It's just a fact of life: most entities of any sort (corporate, government, network infrastructure) that have a significant Internet presence are probably deeply compromised by someone at the top of the hacker food chain, possibly have been for years, and have no idea about it. Only the most vigilant can keep them from establishing long-term access. You didn't know that? Really?