Stalking the Stalker
When using programs such as ping, and some of the scanning tools, keep in mind that their use may easily tip off even a novice computer crook that he or she is under investigation. In the online world of spy versus spy, you often use the same tools to track an intruder that an intruder uses. Clever attackers are like careful scouts. Those who suspect that they are being tracked will try to cover their tracks (see Chapter 10), and they also sometimes will backtrack to see if someone is following them. Skillful hackers carefully monitor systems they've compromised for signs of unwelcome attention. If your goal is to track and catch your prey, you don't want to be blasting away at the suspect's box, especially from machines that easily resolve back to your company's name.

To use the SONAR analogy, there are both passive and active surveillance techniques. ping and traceroute are active and cannot be hidden from the object of the scan. While pings cannot be hidden from the object of the ping, it is easy enough to perform the scans from a system that isn't obviously associated with your organization. You can maintain a few accounts with a dial-up ISP for just this purpose. When it's time to start investigating, unplug the workstation from the company network, set it for DHCP, dial your ISP, and you're off the company network. The intruder who has been breaking into CorpNet does not suddenly see CorpNet probing back.