released 10.07.08
By Kathleen Ricker
While some NCSA collaborators are tracking paths made by molecules and honeybees, others are tracing the digital footsteps of ID thieves and black hat hackers.
"I told you, I don't know why my boss doesn't trust me!"
Vincent Vargus's face reddened, and his voice rose defensively. The system administrator's foot tapped the floor nervously as five FBI agents grilled him about who had access to his company's servers, and corporate account information stored there, and who might possibly have been motivated to frame him for the thousands of dollars worth of computer equipment that had been charged in his name.
Was the credit card theft an inside job? Or was it an outsider who'd exploited some security vulnerability to get into company systems? Who had done it, and how? On the case were 28 members of the Regional Cyber Action Team (RCAT), a group of FBI Special Agents who specialize in the investigation of digital intrusions and other types of cybercrime. They were participants in RCAT 2008, a mid-April workshop organized by NCSA's Cybersecurity Directorate (CSD) and sponsored by the FBI, to hone their skills in a number of areas crucial to effective digital investigation.
During the workshop, CSD staff gave talks and worked RCAT agents through custom hands-on labs devoted to topics such as the tricky business of collecting volatile information from a compromised Windows system, the locating of rogue wireless access points, the uses of Web proxies (for committing crimes as well as detecting them), the detection of rootkits (malware that provides intruders with concealed backdoors into systems), and the ways in which the domain name system (DNS), which transforms alphanumeric URLs into the IP addresses needed to transmit information across a network, can be abused for profit.
Afterward, the agents had a case to solve, or, in FBI parlance, were set a new lead: figure out who stole the credit card information from the corporate server administered by Vincent Vargus. Five teams of agents were provided with access to a simulated corporate network and a "compromised" workstation to examine. Workshop staff were also available for questioning, both as human sources of information and, of course, as suspects.
"As far as the interview went," says Nick Buraglio, who played Vargus, "they were spot on. All their questions were really relevant, they really knew what to look for."
Expert collaboration
In 2007, the FBI ranked fighting cybercrime among its top three priorities (just after terrorism and espionage). RCAT agents, who are based all over the United States, are directed to respond to significant computer intrusions which threaten critical national infrastructure, and to provide expertise and resources to help FBI field offices with cybercrime-related cases, both domestic and international.
"Increasingly, every crime and nation threat has an online component. Agents who are part of the RCAT, who have expertise in digital investigation, are going to become increasingly critical to protecting American consumers, the economy, and our national security," says Supervisory Special Agent Matt Fine, who oversees RCAT.
RCAT training workshops are held once or twice a year around the country at universities, national laboratories, and other institutions with strong cybersecurity expertise. As a production supercomputing facility and a major TeraGrid resource provider, NCSA has had long experience in providing security for its tens of thousands of users while simultaneously keeping its high-end computing and storage systems accessible and usable.
And while RCAT 2008 was the first conference of this kind NCSA has hosted, it's not the first time NCSA staff have collaborated with FBI agents on the subject of digital crimes investigation. On several occasions since NCSA's inception in 1986, NCSA security staff have worked with FBI Special Agents to bring cyber criminals to justice.