From NCSA Security R&D - University of Illinois at Urbana-Champaign
Critical inquiry
Vincent Vargus's face reddened, and his voice rose defensively. The system administrator's foot tapped the floor nervously as five FBI agents grilled him about who had access to his company's servers--and corporate account information stored there--and who might possibly have been motivated to frame him for the thousands of dollars worth of computer equipment that had been charged in his name.
Was the credit card theft an inside job? Or was it an outsider who'd exploited some security vulnerability to get into company systems? Who had done it, and how?
On the case were twenty-eight members of the Regional Cyber Action Team (RCAT), a group of FBI Special Agents who specialize in the investigation of digital intrusions and other types of cybercrime. They were participants in RCAT 2008, a workshop held at NCSA in mid-April organized by NCSA's Cybersecurity Directorate and sponsored by the FBI. They had come to NCSA to hone their skills in a number of areas crucial to effective digital investigation.
During the workshop, CSD staff gave talks and worked RCAT agents through custom hands-on labs devoted to topics such as the tricky business of collecting volatile information from a compromised Windows system, the locating of rogue wireless access points, the uses of web proxies (for committing crimes as well as detecting them), the detection of rootkits (malware that provides intruders with concealed backdoors into systems), and the ways in which the Domain Name System (DNS), which transforms alphanumeric URLs into the IP addresses needed to transmit information across a network, can be abused for profit.
Afterwards, the agents had a case to solve--or, in FBI parlance, were set a new lead: figure out who stole the credit card information from the corporate server administered by Vincent Vargus. Five teams of agents were each provided with access to a simulated corporate network and a "compromised" workstation to examine. Workshop staff were also available for questioning, both as human sources of information and, of course, as suspects.
"As far as the interview went," says Nick Buraglio, who played Vargus, "they were spot on. All their questions were really relevant--they really knew what to look for." Buraglio, an expert on networking, also ran a lab on tools for detecting unauthorized wireless access points, which can be used for eavesdropping on users involved in confidential transactions or in hijacking a site's computing or network resources to distribute illegal content.
Expert collaboration
"Increasingly, every crime and nation threat has an online component. Agents who are part of the RCAT, who have expertise in digital investigation, are going to become increasingly critical to protecting American consumers, the economy, and our national security," says Supervisory Special Agent Matt Fine, who oversees RCAT. "These workshops are designed to help them improve their skill sets and keep them current on new and evolving threats and technologies they'll be likely to encounter." The agents' response to the workshop was, on the whole, very positive, says Fine. "The hands-on labs and the incident scenario were really useful, and the agents were impressed with the instructors' depth of knowledge and expertise." He adds that the RCAT trainings also provide team-building exercises, enabling agents from across the country to learn to work together on short notice in high-stress, time-critical situations.
"There are a lot of challenges to organizing a conference like this," says Von Welch, who co-leads the NCSA Cybersecurity Directorate with Randy Butler. "We know these guys are experienced, but we still anticipated a range of skills. Figuring out which areas to target--and what the optimum level of difficulty was--that was especially important. And, in the end, we learned a lot from them about the law enforcement side of a digital investigation." Welch and Butler, together with NCSA Security Operations lead Jim Barlow and Special Agent Brad Sheafe of the FBI, Springfield Division, led the collaboration with the FBI which culminated in RCAT 2008.
RCAT training workshops are held once or twice a year around the country at universities, national laboratories, and other institutions with strong cybersecurity expertise. As a production supercomputing facility and a major TeraGrid resource provider, NCSA has had long experience in providing security for its tens of thousands of users while simultaneously keeping its high-end computing and storage systems accessible and usable.
And while RCAT 2008 was the first conference of this kind NCSA has ever hosted, it's not the first time NCSA staff have collaborated with FBI agents on the subject of digital crimes investigation. On several occasions since NCSA’s inception in 1987, NCSA security staff have worked with FBI Special Agents to bring to justice cyber criminals who have attacked NCSA. In many ways, the University of Illinois and the FBI may seem worlds apart, but, as NCSA Director Thom Dunning said in his remarks at the workshop's beginning, "Scientists and FBI agents have something important in common: their expertise is in investigation. We see collaborations like this as a significant opportunity to provide a very critical user community with the resources they need to carry out their work, which affects all of us."
Matt Fine agrees. "Collaborative efforts between organizations, such as the FBI and NCSA, can prove fruitful in combating online, digital crimes which threaten US consumers and the national economy."
RCAT 2008 was sponsored by the Federal Bureau of Investigation.
Text by Kathleen Ricker (kricker@ncsa.uiuc.edu).
