Methods for the prevention, detection, and removal of ghosts in digital networks
We often find that clients are so focused on preventing attacks from malicious living humans that they completely neglect the threat posed by ghosts. With that in mind, today’s post focuses on defensive measures that can be implemented to (1) prevent ghost infestations, (2) detect paranormal activity on a network, and (3) exorcise ghosts once they’re detected. These are general tips that run the gamut from technical controls to physical controls to user awareness, so hopefully organizations of all types and sizes can find something of value.
Please note that this post deals with defense against the restless spirits of humans (and to a lesser extent other mammals) as opposed to Thetans, which are known to have different ectoplasmic properties.
Prevention
As with other threats to the confidentiality, integrity, and availability of your data, the best way to deal with ghosts in your network is to prevent them from entering in the first place.
1. Use Ghost-resistant Media
Though the electromagnetic properties of ghosts are not fully understood, we do know that ghosts can use electric current and conductive materials as both a means of communication and transportation. Therefore, the more coaxial cable and twisted pair wiring in a facility, the more opportunity ghosts have to move from room to room or cause electrical disturbances. Conversely, ghosts can neither affect optical pulses nor use them as a method of conveyance, meaning that fiber optic cable limits the ability of ghosts to traverse your network or affect its traffic. Radio frequency communications are also useless to ghosts, but since wireless signals are both inherently less secure and susceptible to interference, they are not recommended as a serious alternative.
Fiber is even more important as a backbone or for site-to-site connectivity. This is not only because of its superior bandwidth, but also because it won’t provide a method of ingress for unwanted ghosts. Whereas most organizations would never build their facilities on any type of burial ground, they often overlook (or have little insight into) the routes that their power and communication lines take before terminating in their facility. The chance that these lines might run through a burial ground, cemetery, or other haunted area means they may be basically acting as an open spigot spewing ghosts into your internal network. Using fiber negates this frightening possibility.
2. Include appropriate ACLs and URL filtering
Whereas implementation of the previous control occurs at the physical layer, these reside at the network and/or application layer. Access control lists are a fundamental way for organizations to control the flow of data into and out of their networks (as well as segment them internally), but few organizations take full advantage of this capability. Moreover, very few organizations include ghost-defeating rules within their ACLs despite their simplicity. Take the following example based on a Cisco ACL:
access-list 666 deny ghosts any any
This control simply examines the traffic on the interface to determine whether or not it should be forwarded. If the traffic is a ghost, it will be dropped right then and there, and not forwarded deeper into the network. Note that not all network infrastructure devices are able to detect ghosts, though support for this capability is growing, and some manufacturers provide additional modules or support packages that can add this feature. It’s also worth noting that this measure isn’t foolproof – if the ghost is encapsulated within a different protocol or encrypted, the device may not be able to detect it.
As a complement to this network-level control, organizations should consider blocking haunted websites and URLs. Though many organizations make use of some sort of URL filtering or black/white listing to block material deemed inappropriate for the workplace, many fail to filter out haunted websites until it’s too late. A quick internet search lists many of the most haunted websites which should be blacklisted. Since these sites change frequently, the blacklist should be monitored and updated on a regular basis.
3. Remove bodies from the workplace
It’s a well-known fact that ghosts come from dead people. Therefore, it’s important to remove dead people from the workplace as soon as possible. The sooner a corpse is removed, the less time its spirit has to become restless and begin haunting the area. A general best practice recommendation is to perform at least weekly office-wide sweeps for dead people. This responsibility shouldn’t fall on the IT or security teams alone – all company personnel should be encouraged to check on their coworkers regularly, and report any that appear to be dead. If an organization institutes weekly checks and finds that they are resulting in the discovery of dead people on a regular basis, it may want to consider investigating the cause of death. In addition to preventing hauntings, removing dead people from the workplace has added benefits for health and morale, and in many cases is required by local laws and statutes.
Detection
Preventing a network from becoming haunted is obviously ideal, but preventive measures often fail. In those cases it’s important to know the signs of a haunted network and have procedures in place to look for them.
1. Frequent User Lockout
All too often IT personnel assume users are to blame for locking themselves out. However, the horrible truth is that when users are frequently locked out of their accounts, it may be the work of a ghost. Whether this is intentional poltergeist-like behavior or simply electrical disturbances caused by the ghost as it glides across the keyboard is unknown, but if a user approaches IT and says he or she has been locked out but they “don’t know how it happened,” strap on that proton pack, because the ghosts may be a-hauntin’.
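Since the help desk rarely counts lockouts per user, here is an added example (our own illustration, not code from the original post) that reads constructed lockout log lines, groups them per account, and flags any account locked out three or more times inside a fifteen-minute window. The line layout, the use of event ID 4740 as the lockout marker, and the threshold are assumptions made for this example; adjust them to whatever your directory actually logs.

```python
"""Flag accounts with clustered lockouts (a possible haunting indicator).

Added example, not code from the original post. The log lines below are
constructed and loosely imitate a Windows account-lockout event (4740);
the "<timestamp> <event_id> <user> <source_host>" layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice and carol are locked out repeatedly at night,
# bob once during the day, and dave's line is a failed logon (4625), not a lockout.
SAMPLE_LOG = """\
2023-10-31T02:01:10 4740 alice WS-114
2023-10-31T02:03:42 4740 alice WS-114
2023-10-31T02:06:05 4740 alice WS-114
2023-10-31T02:07:51 4740 alice WS-114
2023-10-31T09:15:00 4740 bob WS-207
2023-10-31T23:58:30 4740 carol WS-301
2023-11-01T00:02:11 4740 carol WS-301
2023-11-01T00:04:55 4740 carol WS-301
2023-11-01T08:00:00 4625 dave WS-099
"""


def parse_lockouts(log_text):
    """Return (timestamp, user, host) tuples for lockout (4740) lines only."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the sweep
        ts, event_id, user, host = parts
        if event_id != "4740":
            continue
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def find_repeat_lockouts(events, threshold=3, window=timedelta(minutes=15)):
    """Sliding-window count per user; report the densest window at/above threshold."""
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))

    findings = {}
    for user, items in by_user.items():
        items.sort()
        times = [t for t, _ in items]
        best = None
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            findings[user] = {
                "count": count,
                "first": times[start],
                "last": times[end],
                "hosts": sorted({h for _, h in items[start:end + 1]}),
            }
    return findings


if __name__ == "__main__":
    for user, info in find_repeat_lockouts(parse_lockouts(SAMPLE_LOG)).items():
        print(f"{user}: {info['count']} lockouts between {info['first']} "
              f"and {info['last']} from {', '.join(info['hosts'])}")
```

Run as-is it reports alice and carol; carol's cluster straddles midnight, which is exactly the kind of thing a per-day report would split in two and miss. Whatever the cause turns out to be, a cluster like this is worth a ticket before anyone reaches for the proton pack.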
2. User Awareness and Reporting
Like the previous method, this method of detection relies on user reporting. Users are the boots-on-the-ground eyes and ears of IT and security, who can’t be everywhere at once. Realizing this, mature organizations will utilize their user base to provide early warning of possible paranormal activity. However, this is only as effective as the users are educated. If a user sees, for example, the shadowy eyeless apparition of a child in 18th century clothing disappear as it walks into a wall, how are they to know it isn’t simply a malfunctioning hologram? Even if they do suspect it’s a ghost, they’d probably only report it to IT if they knew it may cause them to lose all unsaved data on their open spreadsheet. Users need to be trained on identifying ghosts and the proper reporting procedures to follow upon identification.
Once all users have achieved a baseline competency in ghost recognition, consider automating ghost alerting by building it into your ticketing system. This makes it easier for the user to report ghost sightings (meaning it’s more likely they’ll follow through), while also ensuring that the alerts reach the right resources.
3. Egress Filtering
Since methods of prevention and detection often focus on the perimeter, many organizations overlook the importance of egress filtering as an additional means to detect paranormal activity within their network. Since ghosts can enter a network in many ways (haunted zip drives, online Ouija boards, employees playing “Stairway to Heaven” .mp3s backwards) it’s important not to rely 100% on perimeter defenses.
By examining traffic as it flows out of your network you can look for signs of ghosts that may have slipped past your perimeter defenses or entered the network by another route. Things to look for include attempted outbound connections to known haunted IPs or websites, or DNS queries that suggest ghosts may be attempting to use your network to “cross over.” (Consider specifically allowing some of these queries if it will permit a restless spirit to leave your network peacefully). Examining packet captures is a good way to establish a baseline for network traffic content and volume which you can use to create egress filtering rules. While examining these packet captures, if you notice packets that are ill-defined and translucent, or if some packets seem to appear and disappear from sight, this may be an indication that ghosts are already active in your network.
Removal
Once a ghost is detected in your network, the next step is obviously removal. Depending on the scope of the haunting, this could be anywhere from a straightforward router deghosting to a full-blown data center exorcism. But as with other infections, the first step in removing ghosts from your network is to isolate and quarantine the affected systems.
1. Identify and Isolate the haunted system(s)
In an organization with up-to-date diagrams, thorough documentation, and properly mapped ports, isolation is generally not an issue. Sadly, many organizations do not have this level of awareness regarding their internal topology. Fortunately, the nature of ghosts means that even in a poorly documented network, detection and isolation are possible, but it may take a little extra work and imagination.
Your first method of isolation will likely be based on the method of detection – for instance, if you detect ghosts via egress filtering (e.g. outbound connections to a known haunted IP), you may begin by looking for the systems on the internal network responsible for those outbound connections. However, don’t overlook other reliable methods of isolating the haunted systems. The best approach to identification is one that combines technical monitoring with physical detection. Try walking through the office at night and looking for computers that may be glowing blue, shaking violently, or emitting a disembodied howl (but keep in mind that this is normal behavior for some operating systems, such as Windows XP).
2. Switch or Router Deghosting
If you’re able to trace the ghost or ghosts to specific devices within your network, then you may be able to get by with simply replacing or deghosting those devices. Detailed instructions on deghosting are beyond the scope of this article and may vary depending on the device and its manufacturer, but in its simplest form deghosting simply consists of disconnecting the network device and tipping it over in order to pour out the ghosts. Though the general principle is no different than pouring a glass of milk, proper deghosting still takes planning and preparation.
For instance, if an organization does not have redundancy built into its network, then disconnecting a router, switch, or other piece of infrastructure will result in downtime. Naturally, the organization would want to do this after peak business hours. The issue here is that “after peak business hours” often means late into the evening, when ghosts are at their strongest and most viscous. To stick with our milk analogy, trying to deghost a device at midnight is like trying to pour a glass of milk – when the milk is frozen.
Likewise, you’ll need a receptacle to pour the ghost into, otherwise you’ll just be haunting the room. It’s best to have a supply of ghost-resistant bags on hand for these occasions. Finally, before conducting the deghosting, arrange for pickup and disposal with the city or a private collector. There’s no sense in conducting a deghosting if the ghost is just going to sit in a bag in the corner and seep back into the room.
3. Data Center Exorcism
This is the last resort for when an organization finds that ghosts are causing significant disruption, but removal is beyond the organization’s organic capabilities. Very few organizations have internal resources capable of performing exorcisms, preferring instead to outsource this task to qualified experts. That being said, it’s best to have an exorcist on retainer, especially if an organization operates within an area prone to haunting. Companies should not wait until an exorcism is required to begin researching and reaching out to exorcists. Ideally, they should research potential exorcists, know their background and specialties (for example, exorcising spirits from Cisco devices is different from exorcising them from Juniper devices), and set a clear threshold for when they’ll resort to enlisting their help. Though an organization may rely on a third-party exorcist, it can shorten response time by having a supply of holy water (make sure to re-bless it annually), crosses, and the previously mentioned ghost-resistant bags on hand.
Hopefully, these tips can help prevent your network from being haunted. In the worst case, we hope they significantly reduce the length and severity of any haunting you do experience. In any event, we appreciate your visit and hope you enjoyed the read.