Don't Trust Log Data! Lessons from the Cryptonomicon

In the legendary geek novel Cryptonomicon, sci-fi author Neal Stephenson describes a tense scene where one of the protagonists needs to erase evidence on his company's email server before it is physically taken by the police. The protagonist, Randy Waterhouse, is trying to set up a digital haven outside government oversight and the FBI wants to use legal means to shut the operation down, but they need some emails as evidence. The company that hosts Waterhouse's email server refuses to grant them access and has barricaded the building, which is also surrounded by a group who could be described as the military wing of the Electronic Frontier Foundation seeking to hinder the government raid.

The protagonist, Randy Waterhouse, is sitting atop a beat-up Acura across the street from the company where the server is hosted, observing the confrontation while setting up a remote connection. He patches in to the Internet through a packet radio network (Cryptonomicon was written in 1999) and uses encrypted and proxied communications—in other words, he's now anonymous like the dog from that New Yorker cartoon. In the meantime, the police are beginning to batter down a side door. He needs to erase those emails, pronto.

At the point when he reaches the log-on prompt for the email server, Randy hesitates. He cannot simply log on as a guest because he needs administrator-level access. Randy winces when typing in his name and password because he has, in Stephenson's swashbuckling prose, "just slapped big greasy fingerprints all over a weapon that the police are moments away from seizing as evidence."

After he logs on, the first thing Randy does is overwrite the system log data that recorded his log-on, effectively wiping clean those greasy, incriminating fingerprints. Now, he can delete the sought-after emails and there's no way the authorities can detect that he did so.

Empirical Digital Observation Is on the Wire

The above scene from Cryptonomicon is still very relevant for today, nearly 20 years after the novel was written. Investigators and security professionals still rely on log data to determine what happened and diligent hackers still modify or erase logs once they've gained control of a system.

When you need them the most, logs fail you.

On the other hand, IT professionals have long understood that empirical evidence can be derived from the wire. If a copy of all network traffic is constantly analyzed by an out-of-band appliance, there is no way for an attacker to turn it off or hide ... for that matter, they won't even know that their activity is being observed!

In the Cryptonomicon scene, Randy's log on would use a protocol such as Kerberos to transfer his credentials back and forth between his laptop and the authentication server. These communications would necessarily pass over the wire. There's no avoiding it.

The ExtraHop platform is purpose-built to passively observe all communications on the network and extract information such as the details contained in Kerberos requests, responses, and error messages—exactly the information needed to determine who did what, when. Besides Kerberos, the ExtraHop platform tracks more than 4,000 metrics for dozens of protocols so you can see all activity and behavior.

Log-based machine data has enjoyed a nice run in the security space and it is still a valuable data source, but faces several limitations, one of which is that they can be tampered with. What we're proposing is that InfoSec teams add wire data to their existing toolset, in addition to their logs. Wire data offers a superior data source that is not only tamper-proof, but also has a higher signal-to-noise ratio than log data, imposes no system overhead, and minimizes management requirements.

Want to learn more about what wire data can do for your InfoSec practice? Download our whitepaper: How to Get More Signal, Less Noise for Your SIEM: Just Add Wire Data