Valleywag (the Silicon Valley gossip site, recently upgraded by well-known tech business reporter Owen Thomas taking over as the Valleywag) posted a detailed, log event by log event account of the investigation by Drew Curtis, Fark’s founder, who figured out that a would-be hacker was a Fox News reporter.
The basic correlation technique is one I first heard of several years ago from an online banking hosting company’s security team: you notice that the same IP address is logging into multiple accounts and conclude that it probably controls all of them. The specifics differ a little, but the problem is basically the same.
The trick is that the email or web server logs record the IP address that hit you, along with session IDs or timestamps, and you have to correlate those against the application logs, which record the user accounts.
In the Fark case this correlation showed that the account responsible for the bad action belonged to the same person as an account that was identifiably the Fox News guy’s.
In the online banking case it was a way to detect phishing rings: if one Ukrainian Internet cafe’s IP hits 10 accounts at an American regional bank in an hour… probably not legit.
The online banking guys turned this logic into a proactive alerting rule, which became a key competitive weapon for them. In the Fark case it was more of an after-the-fact investigation.
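Here is the correlation described above worked through in code. This is an added example, not Drew Curtis’s logs or anything from the Valleywag story or Splunk: the log lines are constructed, the log formats (a web server access line carrying a `sid=` session cookie, an application line carrying `session=` and `user=`) are assumptions, and the threshold of three accounts from one IP within an hour is an invented stand-in for the banking rule. It joins the two logs on session ID, groups accounts by client IP, and then supports both uses of the result: the after-the-fact question “which other accounts were used from the same IPs as this one?” and the proactive alert “which IPs logged into too many distinct accounts within a window?”.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web server log (hypothetical format): client IP,
# timestamp, request, status, and the session cookie the app set.
WEB_LOG = """\
203.0.113.7 [10/Mar/2008:14:02:11 +0000] "POST /login HTTP/1.1" 200 sid=a1
203.0.113.7 [10/Mar/2008:14:09:43 +0000] "POST /login HTTP/1.1" 200 sid=a2
203.0.113.7 [10/Mar/2008:14:15:02 +0000] "POST /login HTTP/1.1" 200 sid=a3
198.51.100.5 [10/Mar/2008:14:20:30 +0000] "POST /login HTTP/1.1" 200 sid=b1
198.51.100.5 [10/Mar/2008:16:40:00 +0000] "POST /login HTTP/1.1" 200 sid=b2
192.0.2.9 [10/Mar/2008:14:21:00 +0000] "POST /login HTTP/1.1" 200 sid=c1
"""

# Constructed sample application log (hypothetical format): no client IP,
# only the session id and the account that session belongs to.
APP_LOG = """\
2008-03-10 14:02:12 INFO session=a1 user=alice action=login
2008-03-10 14:09:44 INFO session=a2 user=bob action=login
2008-03-10 14:15:03 INFO session=a3 user=carol action=login
2008-03-10 14:20:31 INFO session=b1 user=dave action=login
2008-03-10 16:40:01 INFO session=b2 user=erin action=login
2008-03-10 14:21:01 INFO session=c1 user=alice action=login
2008-03-10 14:30:00 INFO session=a3 user=carol action=post_comment
"""

WEB_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" \d+ sid=(?P<sid>\S+)$')
APP_RE = re.compile(r'^\S+ \S+ \w+ session=(?P<sid>\S+) user=(?P<user>\S+)')


def parse_web_log(text):
    """Map session id -> (client IP, login time) from the web server log."""
    sessions = {}
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            sessions[m.group("sid")] = (m.group("ip"), ts)
    return sessions


def parse_app_log(text):
    """Map session id -> account name from the application log (first sighting wins)."""
    accounts = {}
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            accounts.setdefault(m.group("sid"), m.group("user"))
    return accounts


def accounts_by_ip(web_text, app_text):
    """Join the two logs on session id: IP -> time-sorted list of (time, account)."""
    sessions = parse_web_log(web_text)
    accounts = parse_app_log(app_text)
    by_ip = defaultdict(list)
    for sid, (ip, ts) in sessions.items():
        if sid in accounts:  # sessions with no app-side record are dropped
            by_ip[ip].append((ts, accounts[sid]))
    for events in by_ip.values():
        events.sort()
    return dict(by_ip)


def linked_accounts(web_text, app_text, user):
    """Investigation query: other accounts seen from any IP that `user` logged in from."""
    linked = set()
    for events in accounts_by_ip(web_text, app_text).values():
        users = {u for _, u in events}
        if user in users:
            linked |= users - {user}
    return sorted(linked)


def flag_shared_ips(web_text, app_text, threshold=3, window_hours=1):
    """Alerting rule: IPs that log into >= threshold distinct accounts within the window."""
    window = timedelta(hours=window_hours)
    flagged = {}
    for ip, events in accounts_by_ip(web_text, app_text).items():
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    print("accounts linked to carol:", linked_accounts(WEB_LOG, APP_LOG, "carol"))
    print("IPs tripping the rule:", flag_shared_ips(WEB_LOG, APP_LOG))
```

Two details matter in practice. The join key has to be something both logs actually share; here it is the session ID, but on a system whose app log lacks one you fall back to matching timestamps within a tolerance, which is noisier. And the alerting rule is a sliding window over login events sorted by time, so the 198.51.100.5 address, which touches two accounts more than two hours apart, stays quiet under the one-hour, three-account default and only trips if you loosen the rule.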
Anyway, the Valleywag story is interesting for anyone into security log analysis.
But there’s a telling quote from Drew: “I am still collecting three or four sets of different logs together into one cohesive set.”
You could have all those logs in one place already and have clicked your way through all the links in that chain, Drew! (hint: download Splunk!)