Results of The Forensic Challenge

Summary

In all, we received 13 submissions from around the world to the Challenge. An "official" analysis by Dave Dittrich (with assistance from Wietse Venema) was done as well. All analyses (including the official one) were done without any data from the IDS, nor with any tools or techniques from other analyses. Many entrants (and some who contacted us who couldn't make the deadline) had no idea how much time this analysis would take, and it took a lot (as you will see.) Most finished when they ran out of time, not when they felt they were done.

Overall, the efforts put in by those submitting entries are very thorough and professional, a step above the incident reports you often see on mailing lists that give only the most basic "at first glance" facts and ask more questions than they answer. I anticipate that this will begin to change, as anyone in the security community can now take an art-historian-style view of 13 different paintings (14 if you count the Honeynet analysis) of the same landscape.

Each submission, even within the rules/guidelines for the Challenge, took a slightly different angle. Nearly every entrant found at least one thing that the others did not (me included, both in finding things and missing them.) We tried to comment as much as possible on each entry, but even the judges had time limitations and a deadline. We want to thank everyone who participated for contributing to the project, and hope they gain from it as well.

The average time spent in investigation turned out to be about 34 hours per person. That's a standard week's worth of work to clean up and deal with the mess left by an intruder in about half an hour. That's about a 60:1 ratio! Using a standard upper-mid range annual salary figure of US$70,000 per investigator, that works out to be a cleanup cost of over US$2000 for a single incident. It is very likely one of dozens, if not hundreds, of intrusions just like it. As you will see when you read the analyses, this wasn't the first time this intruder did this.

"But all it takes to re-install Red Hat is 30 minutes. How do you come up with US$2000 damage?" Simple. For the same reasons cited in i.only.replaced.index.html.txt (and then some, since this is more than just a web page defacement.)

When a system is compromised, and the data on it and its network are compromised, it is not simple to determine the extent of the damage without a lot of work. We do not know if the blackhat stole people's passwords, hacked other systems, has installed sniffers, etc. This argues for strong prevention, defense in depth (including monitoring in depth), and trained responders. If all the administrator does is re-install the OS, they are doing a wholly inadequate job of responding to a security incident, as the extent of damage may be far greater than a single system.

Crackers commonly deride system administrators for shoddy security, so why do they then feel justified in claiming they did "no damage" by suggesting the system administrator should do a similarly shoddy job of incident response? Make no mistake. Computer system intrusions have a cost.

That is not to suggest that every intrusion warrants a complete forensic investigation, but in some circumstances it is entirely appropriate and needs to be done quickly (and correctly).

Consider if this were a military site, or a government contractor doing classified work (e.g., as occurred recently with Sandia National Labs). Those responding to such an intrusion do so under the assumption that the intruder is a foreign intelligence or military attacker, not just some teenage kid in their bedroom. I wouldn't want them to respond any other way, in case it IS a military threat. The 104 hours spent by Teo's team would not be entirely unreasonable in that case (although I believe the cost of criminal investigation should be separated from that of incident response and cleanup, and "intellectual property" and other losses should only be allowed if such losses can actually be proven, unlike for example the Steve Jackson Games case where a 911 document which could be purchased for some US$30 was valued at US$79,449 for purposes of estimating damages.)

Time/Cost Analysis

Here are the time/cost breakdowns for this incident (see the "costs.txt" files for more detailed data):

Submitter        Time spent    Years security/sysadmin exp.   Investigators
teo              104 hours     7/3/1/1 years                  4
david            80 hours      8/5/4                          3
royans           80 hours      5 years                        1
brian-carrier    64 hours      6 years                        1
brian            48 hours      5 years                        1
peter            48 hours      3 years                        1
addam            40 hours      3 years                        1
marco            40 hours      8 years                        1
roessler         37 hours      8 years                        1
knut             15 hours      11 years                       1
andy             10 hours      Not stated                     1
tye              10 hours      Not stated                     1
john             Not stated    Not stated                     NA*
TOTAL            576 hours                                    17

(* John is not included in the cost analysis because he did not state time spent or experience.)

Average time spent per investigation (/12): 48.0 hours

Average time spent per investigator (/17): 33.9 hours

Average cost per investigation @ US$33.65/hr: US$2,067.46 +/- US$310.12

Minimum investigation cost: US$430.72 +/- US$64.61

Maximum investigation cost: US$4,479.50 +/- US$671.92

Assuming the incident was investigated by an independent consulting firm, charging US$300.00 per billable hour (benefit costs included in this rate), and using the five most extensive investigations for estimating the average (75.4 hours), the "damage" escalates significantly.

Average cost per investigation @ US$300.00/hr: US$22,620.00 +/- US$3,393.00

One thing is for certain. It is much harder and takes more skill to figure out what was damaged than to do the damage. Take a very close look at the top submissions and you'll see what I mean.

Rankings

Entries were judged by a panel that included Wietse Venema, Tan, Lance Spitzner, and Dave Dittrich, with assistance from Dan Farmer, Kevin Mandia, and T Elam. Judges operated under guidelines that used a point system for ranking each entry. The maximum score that an entry could receive was 45 points. The combined scores of all judges were then averaged.

The Honeynet Project would like to thank all thirteen members who submitted a writeup. For many of these people, this was their first such attempt at a forensic analysis. Even though some of the individuals knew they would not place in the top three, they submitted their entries anyway to improve both themselves and the security community.

In gratitude for the hard work of all these individuals, every member will be awarded a copy of the 2nd Edition of "Hacking Exposed." In addition, the Top Three submissions will also receive a prestigious Honeynet Project team shirt. (You can see the submissions by following the link from the submitter's name. You can see the comments of the judges by following the link from the points.)

Submission                                             Points
Thomas Roessler <roessler@does-not-exist.org>          43.8
Brian Carrier <carrier@cerias.purdue.edu>              42.5
Peter Kosinar <goober@ksp.sk>                          39.8
Addam Schroll <addam@purdue.edu>                       37.5
Marco Walther <marcow@jena.eng.sun.com>                37.5
Brian Coyle <brianc@magicnet.net>                      36.8
Teo Hong Siang <thongsia@dso.org.sg>                   34.8
Royans K Tharakan <rkt@pobox.com>                      30.0
Andy Polyakov <appro@fy.chalmers.se>                   30.0
David <d.perez@ieee.org>                               29.0
Knut Eckstein <knut@acm.org>                           28.0
Tye Stallard <stallard@anzuru.com>                     25.0
John Francis Nguyen <jfnguyen@mail.arc.nasa.gov>       20.0

The End?

The Forensic Challenge judging is now over, but this sub-project is going to live on in several ways.

If you have any suggestions, questions, or comments on the Challenge, feel free to contact us at <challenge@honeynet.org>.

Shouts and greetz

Thanks once again to everyone who has assisted or participated in the challenge, including all the submitters listed above, Lance Spitzner, Dan Farmer, Wietse Venema, Tan, Kevin Mandia, T Elam, Rik Farrow, Kevin Manson, Steve Schroeder, Floyd Short, Richard Murray, Ivan Orton, and Alisha Ritter (if I left anyone out, I apologize - blame it on lack of sleep.)

Dave Dittrich

The Honeynet Project