Last year I reported my experiences attending the 2003 International Symposium on Recent Advances in Intrusion Detection, also known as RAID. Many briefers complained that their security research suffered due to lack of good data. For example, intrusion detection analysts usually relied on the 1999 DARPA Intrusion Detection Evaluation data. Data like this may be sanitized for analysis by researchers but it pales in comparison to watching live traffic from production networks.
Several recent events may give security researchers the data they need. For example, UC Berkeley suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According to Carlos Ramos, assistant secretary at CDSS, the compromise "was discovered on Aug. 30 by Berkeley IT staff using intrusion detection software." I wonder if the IDS was Vern Paxson's Bro, developed at the International Computer Science Institute and featured in chapter 9 of The Tao of Network Security Monitoring? As I mention in the book, Vern previously used Bro to track intruders at UC Berkeley.
A second security powerhouse was just the victim of an intrusion. An intruder gained access to systems at Purdue's West Lafayette campus, according to published reports. The Center for Education and Research in Information Assurance and Security (CERIAS), where Gene Spafford is Executive Director, features Brian Carrier of Sleuthkit fame as a student. Might he be doing an incident response and forensic analysis on the affected systems?
Finally, while browsing Web site defacements at zone-h, I noticed a mirror for ournet.tamu.edu. Texas A&M University is the home of the famous Drawbridge bridging firewall. Might the researchers there be preparing to study the compromise of "OurNet, the TAMU Career Center Intranet"? It looks like intruders defaced the TAMU Web site by exploiting a PHP application, as the defacement mirror prominently features PHP-Nuke.
Keep an eye open for papers on "real world intrusions" from these and other academic sources suffering compromises.