So your network monitoring systems all seem to be working. You are receiving alerts of malicious activity on your network. Incidents are caught, responded to, and remediated. However, the miscreant who initiated the attack is still out there and just moves his attack elsewhere. Can we determine who is at the end of this attack? How do we go about doing so? And is it really worth our time tracking back hackers? Each of these items will be addressed in this talk, in which I will cover a year-long investigation working with the FBI to track back a hacker from the point of initial contact until apprehension and trial.
James J. Barlow is the Head of Security Operations and Incident Response at the National Center for Supercomputing Applications (NCSA). Jim has been at NCSA for over 16 years; he has been involved in system administration and security, and has been doing security full-time for over 10 years. The security operations team that he leads is responsible for all the network and host-based security monitoring done on the NCSA network. He is involved in the XSEDE security working group (www.xsede.org) and for two years was a member of the Open Science Grid (OSG) security team (www.opensciencegrid.org).