The first SOC was born with the first hacker

Have you ever wondered how long Information Security has been a challenge for companies? In a hyper-connected world, protection is a constant concern. And this has been true for many, many years, since the time when most security professionals alive today were not even born.

Information security doesn't have an anniversary date. It's difficult to establish a starting point, where it all began. What makes it up is a vast array of concepts, with solutions that have been created and gradually incorporated into the definition we know today.

But there is a concept within Information Security that, I would venture to say, may have a well-defined beginning: the SOC (Security Operation Center).

A range of common tools for monitoring and detecting threats, recording and responding to incidents, and discovering and correcting vulnerabilities had its first rudimentary but functional implementation in 1986. The protagonist of this story? Clifford Stoll. The aim of this article? To show that many people today are still suffering, unnecessarily, from the same pains that Dr. Cliff went through more than 30 years ago.

This story begins at the Lawrence Berkeley National Laboratory, in the days when Queen Elizabeth had already sent her first e-mail on the newly formed Internet. Dr. Cliff was an astronomer and researcher at Berkeley, one of the few universities with a "big" computer, a VAX 780. Today it would look like nothing more than an old telecom closet, but at the time it was so expensive that its processing cost of $300 per hour was tightly controlled, with a program written just to charge CPU time to the users in each department.

Berkeley also had another rare piece of technology at the time: a Cisco router that connected the lab to the Internet. One day, the VAX usage accounting program reached the end of the month and could not find the user responsible for 9 seconds of processing time, which at the time was equivalent to US$0.75.

The team decided to look at the logs to find out which user had not been accounted for. But where had the logs gone? The still-unidentified user had deleted his traces from the logs, which sat in a standard directory to which everyone had access.

Okay, so the strategy was to examine the lab terminal by terminal to try to find out who it was. But what about the pool of 50 telephone lines that had just been installed in the lab so that researchers could access the VAX remotely? What about the new router? Where was the connection coming from?

Back then, there were no network visibility tools like the ones we have today; there was no port mirroring to be done or anything like that. It was simply a novelty, and what at first glance seemed like a simple rounding error in the billing software was actually an unauthorized user working on the VAX.

Dr. Cliff decided to find the source of the connection by placing jumpers on the 50 modem lines, connecting each of them in parallel to one of 50 serial printers, called teleprinters.

Dr. Cliff's idea was to print out every character that passed through the serial lines so that he could identify the user in question and find out what the unauthorized visitor was doing on the VAX. Dr. Cliff could have done this in software, but as the user had already deleted the logs once, he wanted something that was transparent from the connection's point of view, so that, whatever the source, there would be no way for anyone to detect the monitoring.

This is how the concept of network visibility, which we have in modern SOCs, was implemented in 1986.

The following weekend, the mysterious user connected to one of the phone lines and, as planned, all the characters that passed through the connection were printed on the continuous form.

It took the Berkeley team a while to understand the commands executed on that connection. They were not common commands and some made no sense. Studying the traffic from that session, the team realized that it was an exploitation of vulnerabilities for privilege escalation. Something that is also the scope of a modern SOC: "reading" the captured traffic to extract the attacker's intelligence from it.

What they discovered was that once connected, and as root, the attacker used the Berkeley VAX as a bridge to another network, ARPANET, which in turn served as a bridge to MILNET, the American military network at the time. By this time the NSA, CIA, FBI and other agencies were already interested in the subject, although none of them knew how to respond to the incident, which is another task of a modern SOC.

But how could the characters printed on 50 different printers be monitored 24 hours a day? It wouldn't be feasible. If this were the case today, it would be as if the team had to assign a person to watch all the traffic passing through the Internet perimeter. It's humanly impossible to do this without automation.

There had to be a way of generating specific alerts about malicious activity. Dr. Cliff decided to add serial interface analyzers to the solution. Each modem now had two jumpers, one for the printer and one for the serial analyzer.

With that, Dr. Cliff's network visibility system had its first breakthrough.

Using the intelligence gained from monitoring the attacker, it was possible to learn about the hacking methods he used and thus create rules that would detect attacks.

The next step was to configure the analyzers so that when they detected a certain set of characters, they would alert Dr. Cliff's pager indicating which modem the attacker had connected to.

It was the first IDS (Intrusion Detection System) in history, in which malicious traffic triggers an alert for incident response. With this, it was no longer necessary to monitor 50 printers non-stop and read what was being printed in real time. Dr. Cliff and the Berkeley team could go home and return to the lab only when an attack was under way.
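As an added illustration (not code from the article, and not a reconstruction of Stoll's actual analyzer configuration), the following Python script plays the role of the serial analyzers described above: it scans a constructed capture of what passed over each modem line, matches it against a few signature rules for the behaviours the story mentions (reading the password file, hopping onward to another network, deleting audit files), and decides which modem line would have paged Dr. Cliff. The capture contents, rule names, weights and paging threshold are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed capture: (modem_line, text observed on that serial line).
# Purely illustrative; the commands are generic stand-ins for the behaviours
# the article describes, not a transcript of the 1986 session.
CAPTURE = [
    (3, "login: guestx"),
    (3, "$ ls -la /etc"),
    (3, "$ cat /etc/passwd"),
    (3, "$ telnet relay-host.example"),
    (7, "login: astro1"),
    (7, "$ ls ~/plates"),
    (9, "$ cat /etc/passwd"),
    (12, "$ rm /usr/adm/acct"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int  # contribution to a per-line suspicion score


# Signature rules (assumed names and weights) for activity the article lists.
RULES = [
    Rule("password-file-read", re.compile(r"\bcat\s+/etc/passwd\b"), 1),
    Rule("outbound-hop", re.compile(r"\b(telnet|rlogin)\s+\S+"), 3),
    Rule("audit-log-tampering", re.compile(r"\brm\b.*\b(acct|pacct|wtmp)\b"), 3),
]

PAGE_THRESHOLD = 3  # page the on-call person once a line's score reaches this


@dataclass(frozen=True)
class Alert:
    modem_line: int
    rule: str
    weight: int
    text: str


def scan(capture, rules=RULES):
    """Run every rule over every captured line; one Alert per match."""
    alerts = []
    for modem_line, text in capture:
        for rule in rules:
            if rule.pattern.search(text):
                alerts.append(Alert(modem_line, rule.name, rule.weight, text))
    return alerts


def lines_to_watch(alerts):
    """Modem lines with at least one hit: someone should read that printer's output."""
    return sorted({a.modem_line for a in alerts})


def lines_to_page(alerts, threshold=PAGE_THRESHOLD):
    """Modem lines whose accumulated score justifies a pager alert.

    A single low-weight hit (one look at /etc/passwd) is logged but not paged;
    a high-weight action, or several low-weight ones on the same line, is.
    """
    score = {}
    for a in alerts:
        score[a.modem_line] = score.get(a.modem_line, 0) + a.weight
    return sorted(line for line, s in score.items() if s >= threshold)


def page_message(alert):
    """Text the pager would show: which modem and which rule fired."""
    return f"PAGE: modem {alert.modem_line:02d} {alert.rule}"


if __name__ == "__main__":
    found = scan(CAPTURE)
    for a in found:
        print(page_message(a), "|", a.text)
    print("watch:", lines_to_watch(found))
    print("page:", lines_to_page(found))
```

The split between `lines_to_watch` and `lines_to_page` is the point: a tap that prints everything gives full visibility, but only a scored rule set turns that stream into an alert a person can act on without staring at 50 printers.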

But they didn't want simply to drop the connection, as this would alert the attacker that he had been discovered. Instead, they actively responded to the incident only if the attacker started downloading secret documents from some American military base.

What did that response look like?

Dr. Cliff held a magnetic key close to the modem cable, simulating interference on the connection to prevent or delay the download of sensitive data. In this way, the data thief kept retrying the download, believing the problem was one of connectivity. And so we have perhaps the first IPS (Intrusion Prevention System) on record. Preventing an attack from succeeding is another task of a SOC.

At this point in the story, months had passed, and what was known was that the connection originated in Europe. But tracing a transoceanic connection was too complicated in those days: there was no software or anything automatic; everything was manual. So what did the team do? Call the local telephone operator and ask someone to look up the origin of the connection, then call the next operator with the same request, and repeat the process until they reached the perpetrator of the attacks.

The problem was how to keep the attacker connected and buy enough time to be able to trace the end-to-end connection. The solution: create a fake military operation called "ShowerHead".

The team and Dr. Cliff invented various documents and correspondence, created the SDI NET ("Strategic Defense Initiative Network"), and designed topologies and descriptions for this network. They also cloned the Berkeley database, replacing "student" with "lieutenant", "professor" with "colonel", and so on. To make it look real, they made up a network of fake servers and hid it inside the Berkeley network, so that the attacker would come across the new network while looking for new targets. And they waited.

It's certainly another example of the experts of yesteryear putting into practice a feature that is still used in a SOC today. The simulation was the first honeypot ever made.
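As an added example (not code from the article, and not Stoll's actual setup), the following Python script shows the detection side of a decoy network like the one described above: a set of fabricated "SDI NET" files that no legitimate workflow ever reads, a constructed file-access audit trail, and two checks that follow from the story, namely that any touch of a decoy is a hit regardless of account, and that the intruder's dwell time on the decoys is what buys the time needed for an operator-by-operator trace. The paths, accounts, timestamps and trace duration are all assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed decoy inventory (assumed paths): the "SDI NET" files exist only
# to be found by an intruder; no legitimate workflow reads them.
DECOY_DIR = "/usr/sdinet/"
DECOY_FILES = {
    "/usr/sdinet/topology.doc": "fabricated network topology",
    "/usr/sdinet/roster.db": "cloned database with ranks instead of titles",
    "/usr/sdinet/memo-0042.txt": "fabricated memo",
}

# Constructed file-access audit records, in chronological order:
# (seconds since session start, account, path).
AUDIT = [
    (0, "astro1", "/home/astro1/plates.dat"),
    (60, "guestx", "/etc/passwd"),
    (120, "guestx", "/usr/sdinet/topology.doc"),
    (900, "guestx", "/usr/sdinet/roster.db"),
    (7200, "guestx", "/usr/sdinet/memo-0042.txt"),
    (7300, "astro1", "/home/astro1/notes.txt"),
]

# Assumed: how long the operator-by-operator trace needs the line held open.
TRACE_SECONDS = 3600


@dataclass(frozen=True)
class DecoyHit:
    t: int
    account: str
    path: str


def is_decoy(path):
    """A touch of any decoy file, or of anything under the decoy tree, is a hit."""
    return path in DECOY_FILES or path.startswith(DECOY_DIR)


def decoy_hits(audit):
    """Every decoy access is an alert: there is no legitimate reason to be there."""
    return [DecoyHit(t, acct, p) for t, acct, p in audit if is_decoy(p)]


def dwell_time(hits):
    """Per account: seconds between first and last decoy access (hits in time order)."""
    first, last = {}, {}
    for h in hits:
        first.setdefault(h.account, h.t)
        last[h.account] = h.t
    return {acct: last[acct] - first[acct] for acct in first}


def traceable_accounts(hits, needed=TRACE_SECONDS):
    """Accounts that stayed on the decoys long enough for a trace to complete."""
    return sorted(acct for acct, d in dwell_time(hits).items() if d >= needed)


if __name__ == "__main__":
    hits = decoy_hits(AUDIT)
    for h in hits:
        print(f"DECOY HIT t={h.t:5d} {h.account} {h.path} ({DECOY_FILES.get(h.path, 'under decoy tree')})")
    print("dwell:", dwell_time(hits))
    print("traceable:", traceable_accounts(hits))
```

Because the decoy files have no legitimate readers, the detection needs no signature and produces no false positives from normal users; the only tuning is how long the decoys must keep the intruder busy.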

When the hacker connected and finally found the secret network, he immediately started downloading all the documents. Given the volume of supposedly confidential information, the attacker believed he had found something great. And he stayed connected for several hours.

This gave the American agencies time to trace the connection and alert the authorities in Hanover, the city where Markus Hess, the attacker who had been pursued for so long, was located. Hess sold the secret documents he obtained to the Soviet KGB.

A summary of what Dr. Cliff recorded with the tools he developed:

  • The hacking of 450 MILNET computers, including the US Army Optimis database (Pentagon), the Pentagon's Google, so to speak;
  • Downloading hundreds of secret documents;
  • Theft of access credentials and creation of new credentials;
  • Mapping the topology of the target networks;
  • Killing processes and altering data;
  • Deletion of processes and audit files;
  • Password and encryption cracking using dictionary methods;
  • Theft of credentials by reading files (e-mails and notes in which users had written down their own passwords);
  • Trojan horses;
  • Exploitation of vulnerabilities for elevation of privilege.

And what do we see looking in the rearview mirror? In the late 1980s, the Berkeley intrusion was the first documented case of an APT (Advanced Persistent Threat) in history. All the classic stages of a modern APT are present.

The lessons learned back then are the foundation of some of what we do today.

Having unraveled the mystery of the $0.75, Dr. Cliff was already talking about access control policies, privilege review, patching to fix vulnerabilities, server hardening, police action in cybersecurity cases (a term that didn't even exist yet), security incident response procedures, network segmentation, password policies, good auditing practices, and various other initiatives such as rudimentary DLP. All of these are disciplines present within a SOC.

In other words, the framework, the skeleton, the basis of much of what we consider mandatory for any organization today, has been known for 30 years. Despite this, many companies continue to suffer because they fail to observe the lessons learned.

I'll close with one more question: what chance does an organization today, without a SOC equipped with the processes, tools and skilled workforce, have against an APT?

If you want to know more about Dr. Cliff's story, read "The Cuckoo's Egg", published in 1989.

By Leonardo Camata

One Reply to "The first SOC was born with the first hacker"

  1. Armsthon Zanelato, 5 years ago

    Today, we're seeing even simpler attacks than APT being very successful.
    This story goes far!
    And it is our mission as professionals in the field to emulate Dr. Cliff and never give up and always remain vigilant! Even if the initial cost was just $0.75, the final loss can be much greater.
