Exodus security team's roots run deep

Despite a recent change of CEOs and a decision on Sept. 26 to seek protection under Chapter 11 bankruptcy laws, Web-hosting firm Exodus Communications Inc. has managed to attract top-notch Internet security talent.

The members of Exodus' Cyber Attack Tiger Team (CATT) have been at the forefront of some of the biggest hacker cases in history, including the investigation and prosecution of Kevin Mitnick and the Canadian teenage hacker known as "Mafiaboy."

CATT is a novel security offering for Exodus, which provides infrastructure services for some heavy-duty customers, including Wells Fargo Bank, Drugstore.com Inc., MSNBC, Yahoo Inc. and Motorola Inc. At a time when many companies and experts are complaining about the lack of security at third-party infrastructure service providers, CATT offers defense and response services to its clients, including cybercrime investigations, evidence collection and forensic analysis. Charles Neal, vice president of cyberterrorism and incident response at Exodus and chief of CATT, and his team of investigators are also backed up by engineers who offer penetration testing and vulnerability scanning.

The law enforcement experience of Neal and his staff has come in handy for the company, whose clients operate in complex, multinational legal environments. One of Exodus' clients is based in England but hosts all of its critical data in Los Angeles because of the better legal protections offered in the U.S., said Neal.

CATT brings a mix of federal law enforcement experience to the private sector.

"I came to the somewhat reluctant conclusion that if I really want to increase the security of the Internet, I could probably do it better from the outside than from the inside," said Neal. "The police and law enforcement are still that 'thin blue line.' But if this is going to be solved, it's going to be solved by industry."

Neal came to Santa Clara, Calif.-based Exodus in 1999 after 20 years at the FBI, where he managed computer investigations for the Los Angeles field office, the second-largest office in the bureau. Neal also played a pivotal role in the early days of federal cybercrime efforts, helping develop FBI computer crime investigative capabilities, specifically computer-intrusion investigations. He also taught computer security at the college level and worked in high-tech security for health care and banking firms.

However, Neal's biggest influence comes from his recruitment abilities. After he joined Exodus, the company gave him the authority to hire whomever he needed to build a top-notch intrusion-detection and investigative team. He turned to two professionals with whom he had worked before: Jill Knesek and Bill Swallow.

Knesek is CATT's West Coast team leader for incident response. Prior to joining Exodus, she served with Neal as an FBI special agent. She always had an interest in law enforcement, she said, and during the salad days of the FBI's cybercrime program, she brought the right skills to the table. Before she joined the FBI, Knesek spent 10 years working in the computer field. She was a computer specialist for the Naval Satellite Operations Center and later was a systems manager at the U.S. Bankruptcy Court in Los Angeles. There, she was responsible for a 500-node network, all desktop hardware and software as well as the wide-area network that connected five separate locations and 21 judges.

Her breadth of computer experience, particularly her knowledge of multiple operating systems, prompted the FBI to assign her to mine the volumes of evidence collected during the Mitnick investigation. In essence, she became "Mitnick's counterpart in the FBI," she said, following and analyzing his movements across different systems.

Neal also recruited Swallow as CATT's director of Incident Response. In 1999, Swallow had been assigned to the FBI's Los Angeles field office from the Defense Department, where he was a special agent for the Army's Criminal Investigation Division. He led the 1999 effort to weed out Serbian and U.S. hackers who had attacked U.S. government Web sites in retaliation for the U.S.-led NATO bombing campaign in Kosovo. His intelligence-collection skills became critical to the FBI's ability to penetrate the hacker underground and led to a series of investigations and arrests.

Now that Neal has his former law enforcement team in place at Exodus, it's much easier to make a difference, he said. The nation's complex legal environment had significantly limited what cybersecurity experts could do as federal agents. As members of the private sector, however, they conduct investigations faster and more efficiently.

"Evidence disappears," said Neal. "Most of the information you get is too old. When it finally gets to the agency, and you get a chance to look at it, it's old. Even though we had increased awareness and were starting to get a flow of information coming in, it was very difficult because evidence was disappearing quickly."

However, CATT's members also face a different set of requirements from their private-sector customers, said Neal. Although companies are generally quick to throw the book at insider activity, the majority of customers don't want to prosecute outsiders, he said.

"They want us to kick the guy out of the yard, fix the hole in the fence and get them back to business."


Copyright © 2001 IDG Communications, Inc.
