The first SOC was born with the first hacker - ISH Tecnologia

The first SOC was born with the first hacker

Have you ever wondered how long Information Security has been a challenge for businesses? In a hyper-connected world, the concern for protection is constant. And it has been constant for many, many years, since before most of today's security professionals were even born.

Information Security does not have an anniversary date. It is difficult to establish a starting point, the place where it all began. It is made up of a wide range of concepts, and of solutions that were created and gradually incorporated into the definition we know today.

But there is one concept within Information Security that, I venture to say, may have a well-defined beginning: the SOC (Security Operations Center).

A set of tools that is now commonplace, used to monitor and detect threats, log and respond to incidents, and discover and fix vulnerabilities, had its first implementation, rudimentary but functional, in 1986. The protagonist of this story? Clifford Stoll. The objective of this article? To show that, today, many organisations still suffer, unnecessarily, from the same pains that Dr. Cliff suffered more than 30 years ago.

This story begins at Lawrence Berkeley National Laboratory (LBL), in the days when Queen Elizabeth had already sent her first e-mail over the newly formed Internet. Dr. Cliff was an astronomer and researcher at the Berkeley lab, one of the few institutions that had a "big" computer, a VAX-11/780. Today it would look like nothing more than an old telecom cabinet. But back then it was so expensive that its processing time, at US$300 an hour, was tightly controlled, with a program written specifically to charge CPU time to users in each department.

The lab also had another rare piece of technology for the time: a Cisco router connecting it to the Internet. One fine day, at the end of the month, the VAX usage accounting program could not find the user responsible for 9 seconds of processing, which at that rate came to US$0.75.

The team decided to look at the logs to find out which user had gone unaccounted for. But where had the logs gone? The unknown user had deleted his traces from the logs, which sat in a standard directory that every user could write to. This is the first lesson of the story: logs kept on the very host an attacker controls cannot be trusted, because whoever has root can edit or delete them.

OK, so the next strategy was to go through the lab terminal by terminal to try to find out who it was. But what about the pool of 50 phone lines that had just been installed so that researchers could access the VAX remotely? What about the new router? Where was the connection coming from?

At that time there were no network visibility tools like the ones we have today. There was no port mirroring or anything of the kind. Remote access was simply a novelty, and what at first glance looked like a simple rounding error in the billing software was in fact an unauthorized user working on the VAX.

Dr. Cliff decided to trace the source of the connection by jumpering each of the 50 modem lines and wiring it in parallel to one of 50 serial printers, the teleprinters of the time.

Dr. Cliff's idea was to print every character passing over the serial lines, so that he could identify the user in question and find out what the unauthorized visitor was doing on the VAX. He could have done this in software, but since the user had already deleted the logs once, he wanted something that was transparent from the connection's point of view: a passive tap that no one at the other end could detect, and a record that could not be deleted from a compromised host. It is the same reason a modern SOC collects packet captures and forwards logs to a separate, write-protected system rather than trusting what remains on the endpoint.

This is how the concept of network visibility, which we have in modern SOCs, was implemented in 1986.

The following weekend the mystery user connected through one of the phone lines and, as planned, every character that came over the connection was printed on continuous-form paper.

It took the lab team a while to understand the commands executed in that session. They were not common commands, and some did not seem to make sense. Studying the traffic, the team understood that the visitor was exploiting vulnerabilities to escalate privileges. This, too, is within the scope of a modern SOC: "reading" captured traffic to extract intelligence about the attacker from it.

What they discovered was that, once connected and with root privileges, the attacker used the LBL VAX as a stepping stone into another network, ARPANET, which in turn gave him a path into MILNET, the US military network of the time. By this point the NSA, CIA, FBI and other agencies were already interested in the matter, although none of them knew how to respond to the incident. Incident response, by the way, is another responsibility of a modern SOC.

But how do you watch, 24 hours a day, the characters coming out of 50 different printers? It was unfeasible. The present-day equivalent would be asking someone to watch, by eye, all the traffic crossing the Internet perimeter. It is humanly impossible without automation.

There had to be a way to generate specific alerts for malicious activity. Dr. Cliff added serial interface analyzers to the setup. Each modem line now had two jumpers: one to the printer and one to the serial analyzer.

With that, Dr. Cliff's network visibility system had its first breakthrough.

Using the intelligence gathered by monitoring the attacker, it was possible to learn the intrusion methods he used and, from them, write rules that would detect his attacks.

The next step was to configure the analyzers so that, when they detected a particular sequence of characters, they would alert Dr. Cliff's pager and indicate which modem the attacker had connected through.

It was the first IDS (Intrusion Detection System) in history: malicious traffic matched against known signatures triggers an alert for incident response. With this, there was no longer any need to watch 50 printers non-stop and read what was being printed in real time. Dr. Cliff and the lab team could go home and return only when an attack was under way.

But they did not want simply to cut the connection, as that would tell the attacker he had been discovered. Instead, they actively responded only when the attacker began downloading secret documents from a US military site.

What was that response like?

Dr. Cliff would hold a magnetic key against the modem cable, simulating line interference to prevent or delay the download of sensitive data. The data thief would keep retrying the download, believing the problem was connectivity. That is, perhaps, the first IPS (Intrusion Prevention System) on record. Preventing an attack from succeeding is another attribute of a SOC.
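The two mechanisms described above, signatures over the tapped serial lines that page an analyst with the modem identifier, and a response that fires only for the most sensitive activity, can be shown in a few dozen lines. The example below is an added illustration, not code from the article or from Dr. Cliff's setup: the captures are constructed session transcripts, the modem identifiers, the signature patterns and the `/sdinet` decoy path are all assumptions made for the example, and the "respond" severity stands in for the interference trick.

```python
"""Signature matching over per-line serial captures, in the spirit of
the 1986 setup: one capture per modem line, rules derived from observed
attacker behaviour, an alert naming the modem, and a separate "respond"
severity that fires only for the most sensitive actions.

Added example. Captures, rules and paths are constructed, not historical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed captures: what a printer tap on each dial-in line might show.
CAPTURES: Dict[str, str] = {
    "modem-03": (
        "login: astro\n"
        "Password: \n"
        "$ ls\n"
        "$ cc -o orbit orbit.c\n"
        "$ logout\n"
    ),
    "modem-17": (
        "login: jdoe\n"
        "Password: \n"
        "$ who\n"
        "$ cat /etc/passwd > /tmp/.p\n"
        "$ grep -i password /usr/spool/mail/*\n"
        "$ ls /sdinet\n"
        "$ cat /sdinet/budget.memo\n"
    ),
}


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    severity: str  # "alert": page the analyst; "respond": also interfere


# Illustrative signatures (assumed), written from the behaviours the
# article lists: copying the password file, hunting for passwords in
# mailboxes, and reading documents on the decoy network.
RULES: List[Rule] = [
    Rule("password-file-read", re.compile(r"\b(cat|cp)\s+/etc/passwd\b"), "alert"),
    Rule("mailbox-password-hunt",
         re.compile(r"\bgrep\s+-i\s+password\s+/usr/spool/mail\b"), "alert"),
    Rule("decoy-document-read", re.compile(r"\bcat\s+/sdinet/"), "respond"),
]


@dataclass(frozen=True)
class Alert:
    modem: str      # which line the attacker came in on
    rule: str
    severity: str
    line_no: int    # position in the capture, so the analyst can find it
    command: str


def scan_capture(modem: str, text: str, rules: List[Rule] = RULES) -> List[Alert]:
    """Run every rule over every printed line of one modem's capture."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in rules:
            if rule.pattern.search(line):
                alerts.append(Alert(modem, rule.name, rule.severity, line_no, line))
    return alerts


def scan_all(captures: Dict[str, str], rules: List[Rule] = RULES) -> List[Alert]:
    """Scan all lines; alerts come out in modem order, then capture order."""
    alerts: List[Alert] = []
    for modem, text in captures.items():
        alerts.extend(scan_capture(modem, text, rules))
    return alerts


def pager_messages(alerts: List[Alert]) -> List[str]:
    """The short text a pager could carry: which modem and which rule."""
    return [f"{a.modem} {a.rule}" for a in alerts]


def should_interfere(alerts: List[Alert]) -> bool:
    """Active response only when a 'respond' rule fired, so that ordinary
    reconnaissance is watched, not blocked, and the attacker stays unaware."""
    return any(a.severity == "respond" for a in alerts)


if __name__ == "__main__":
    found = scan_all(CAPTURES)
    for msg in pager_messages(found):
        print("PAGE:", msg)
    print("interfere with line:", should_interfere(found))
```

The benign session on modem-03 produces no page at all; the session on modem-17 produces three, and only the last one, the read of a decoy document, asks for interference. Keeping detection and response as separate decisions is the same discipline a modern SOC applies when it tunes which alerts are allowed to block.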

By this point in the story, months had already passed, and what was known was that the connection originated in Europe. But tracing a transatlantic connection was very complicated in those days. There was no software for it, nothing automatic; everything was manual. So what did the team do? They called the local telephone operator and asked someone to look up where the connection was coming from. Then they called the next operator up the chain with the same request. The process was repeated, hop by hop, until it could reach the author of the attacks.

The problem was how to keep the attacker connected long enough to trace the connection end to end. The solution: invent a fake military project, "ShowerHead".

Dr. Cliff and the team invented documents and memos, created the fictitious "SDI NET" (Strategic Defense Initiative Network), and drew up topologies and descriptions of that network. They also cloned the lab's database, replacing "student" with "lieutenant", "professor" with "colonel", and so on. To make it look real, they built a set of fake servers and hid it inside the lab's network, so the attacker would stumble on the new network while looking for fresh targets. And they waited.

Without a doubt, this is yet another example of the experts of yesteryear putting into practice a technique that a SOC still uses today. The SDI NET deception is widely regarded as the first documented honeypot.

When the hacker logged on and finally found the "secret" network, he immediately started downloading every document. Given the volume of supposedly confidential material, he believed he had found something big, and he stayed connected for several hours.

This gave the US agencies time to trace the connection and alert the authorities in Hanover, the city where Markus Hess, the attacker hunted for so long, was located. Hess had been selling the secret documents he obtained to the Soviet KGB.

A summary of what Dr. Cliff recorded with the tools he developed:

  • Break-ins at around 450 MILNET computers, including the US Army's Optimis database at the Pentagon, the Pentagon's Google, so to speak;
  • Download of hundreds of secret documents;
  • Theft of access credentials and creation of new accounts;
  • Mapping of the target networks' topology;
  • Killing of processes and modification of data;
  • Deletion of processes and audit files;
  • Password cracking of encrypted password files using dictionary methods;
  • Credential theft by searching files (e-mails and notes in which users had written down their own passwords);
  • Trojan horses;
  • Exploitation of vulnerabilities for privilege escalation.

And what do we see looking in the rearview mirror? The LBL intrusion of the late 1980s is arguably the first documented case of an APT (Advanced Persistent Threat). All the classic stages of a modern APT are present: initial access, privilege escalation, credential theft, lateral movement, persistence, data exfiltration and anti-forensics.

The lessons learned back then are the foundation of some of what we practice today.

Once the US$0.75 mystery was solved, Dr. Cliff was already talking about access control policies, privilege reviews, patching to fix vulnerabilities, server hardening, police involvement in cybersecurity cases (a term that did not even exist yet), security incident response procedures, network segmentation, password policies, good auditing practices, and several other measures, including rudimentary DLP. All of these are disciplines found in a SOC today.

In other words, the framework, the skeleton, the basis of much of what we now consider mandatory for any organisation has been known for more than 30 years. Despite this, many companies continue to suffer because they ignore those lessons.

I close with one more question: what chance does an organisation today, without a SOC equipped with the processes, tools and skilled manpower, have against an APT?

If you want to know the full story, read Dr. Cliff's book "The Cuckoo's Egg", published in 1989.

By Leonardo Camata

One Reply to "The first SOC was born with the first hacker"

  1. Armsthon Zanelato 4 years ago

    We are seeing today even simpler attacks than APT becoming very successful.
    This story goes far!
    And it is our mission as professionals in the field to emulate Dr Cliff and never give up, and always be vigilant! Even if the beginning was only a paltry $0.75, the final loss can be much greater.
