Practical Issues With Intrusion Detection


Outline
- Intrusion Detection — How?
- Sensors
- Simple Logging
- Log Files
- Finding Compromised Hosts

Intrusion Detection — How?
- Where do sensors go?
- How do you put them there?
- Sensor issues
- Other techniques
- Ethical and legal issues

Sensors

Locations
- Outside the firewall? We know there are bad guys there; what’s the point?
- Just inside? What’s the threat model?
- On sensitive internal nets?
- In front of each sensitive host?
- In “dark space”?

What’s Dark Space?
- A block of address space not used by real machines and not pointed to by DNS entries
- There is no legitimate reason to send packets to such addresses
- Therefore, any host sending to such addresses is up to no good
- Commonly used to detect scanning worms

What’s the Purpose?
- Unless you’re a researcher, you care about real threats to your own machines
- Inside the firewall? Detect data exfiltration
- Sensitive internal nets: detect threats aimed at them
- Watching each host? Detect attacks on inside hosts from other hosts on the same LAN
- Dark space? Detect scanning worms (and attackers)

Auto-Quarantine
- Many organizations implement “auto-quarantine”
- This is especially common for university residence hall networks
- Machines that do too much scanning (and in particular attempt to probe dark space) are assumed to be virus-infected
- They’re moved to a separate net; the only sites they can contact are Windows Update, anti-virus companies, and the like
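The dark-space and auto-quarantine slides above describe a detector that can be written in a few lines: anything that sends to an address block with no real hosts is flagged, and a host that probes enough distinct dark addresses is a quarantine candidate. The example below is added here and is not code from the slides; the dark-space prefix, the flow records and the quarantine threshold are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Dark-space prefix: a block with no real hosts and no DNS entries.
# Constructed for this example; in practice it is a block you own and keep empty.
DARK_SPACE = [ipaddress.ip_network("10.99.0.0/16")]

# Constructed flow records (src, dst, dst_port), as a NetFlow export or a
# tcpdump summary would provide. 10.1.2.77 behaves like a scanning worm.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.2.10", 80),
    ("10.1.2.3", "10.1.2.11", 80),
    ("10.1.2.77", "10.99.4.1", 445),
    ("10.1.2.77", "10.99.4.2", 445),
    ("10.1.2.77", "10.99.4.3", 445),
    ("10.1.2.77", "10.99.4.4", 445),
    ("10.1.2.77", "10.99.4.5", 445),
    ("10.1.2.77", "10.1.2.10", 445),
    ("10.1.2.50", "10.99.7.200", 22),
]


def is_dark(addr):
    """True if addr falls inside one of the dark-space blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DARK_SPACE)


def dark_space_talkers(flows):
    """Map each source that sent to dark space to the set of dark addresses it hit."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        if is_dark(dst):
            hits[src].add(dst)
    return dict(hits)


def quarantine_candidates(flows, threshold=3):
    """Sources that probed at least `threshold` distinct dark addresses.

    The threshold is a local policy choice (an assumption of this example): a
    single packet into dark space is already suspicious, but a stale bookmark
    or a typo should not move a machine into the quarantine net.
    """
    talkers = dark_space_talkers(flows)
    return sorted(src for src, dsts in talkers.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dsts in sorted(dark_space_talkers(SAMPLE_FLOWS).items()):
        print(f"{src} sent to {len(dsts)} dark address(es)")
    print("quarantine:", quarantine_candidates(SAMPLE_FLOWS))
```

Feeding real flow records in means replacing `SAMPLE_FLOWS` with tuples parsed from your collector; the detection logic itself does not change. Keeping the dark prefix out of DNS and out of any published documentation matters as much as the code, as the honeypot slide notes.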

Honeypots and Honeynets
- Special-purpose host or network designed to be attacked
- Equipped with copious monitoring
- Lure the attacker in deeper
- Waste the attacker’s time; study the attacker’s technique
- Note well: keeping honeypot (and dark space) addresses secret is vital

Host- or Net-Resident?
- Suppose you want to monitor each host. Where does the monitor live?
- Dedicated in-line hardware: good, but expensive
- On the host: cheap, but subvertible

Net-Resident: Parallel
(Figure: Host, IDS and Network, with the IDS attached in parallel to the host’s link.)
- Very unobtrusive
- But — need special hardware to tap an Ethernet
- Need some network connection to the IDS

Tapping an Ethernet
- Cannot simply wire IDS to jack
- Best solution: one-way tap gear
- Note: unidirectional only; may need a pair of them
- Some switches have a monitoring port (AKA spanning port, mirroring port, etc) — can receive copies of data from any other port
- For 10BaseT nets, use a hub instead of a switch

Net-Resident: Serial
(Figure: Host, IDS and Network, with the IDS in series on the host’s link.)
- Can’t miss packets
- But — if it crashes, the host is unreachable
- More detectable, via timing
- Can the IDS box be hacked?

Host-Resident Monitor
(Figure: Host with the IDS running on it, connected to Network.)
- No special hardware needed
- IDS sees exactly what host sees
- But — subvertible
- Useful precaution: immediately transmit IDS data elsewhere

TCP Normalization
- Attackers can play games with TCP/IP to confuse network-resident IDS
- Example: overlapping fragments. Which fragment is honored?
  (Figure: two overlapping fragments carrying different contents.)
- TTL games: give some packets a TTL just high enough to reach the IDS, but not high enough to reach the destination host
- Solution: TCP normalizer, to fix these
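The overlapping-fragment problem on this slide is easiest to see with two reassembly policies side by side, followed by the normalizer’s answer to it. The example below is added here, not taken from the slides; the fragments are constructed, and “first wins” and “last wins” stand in for the assortment of overlap policies that real stacks implement.

```python
# Fragments as (offset, payload bytes). Constructed so that the second fragment
# overlaps the first and carries different bytes at the overlapped positions.
SAMPLE_FRAGS = [(0, b"ABCDEF"), (2, b"xyz")]


def reassemble(frags, policy):
    """Rebuild the byte stream from fragments under one overlap policy.

    policy="first": bytes that are already filled are kept, so the earlier
    fragment wins; policy="last": later fragments overwrite earlier ones.
    Different stacks resolve overlaps differently, which is why an IDS that
    guesses the wrong policy sees a different stream than the destination does.
    """
    size = max(off + len(data) for off, data in frags)
    buf = bytearray(size)
    filled = [False] * size
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    return bytes(buf)


def conflicting_offsets(frags):
    """Normalizer check: offsets where two fragments disagree about the byte."""
    seen = {}
    conflicts = set()
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def normalize(frags):
    """What a normalizer does with ambiguous overlaps: refuse to forward them.

    Returns the reassembled stream when every overlap is consistent, or None
    when the fragments disagree, so the IDS and the host never see different
    data for the same connection.
    """
    if conflicting_offsets(frags):
        return None
    return reassemble(frags, "first")


if __name__ == "__main__":
    print("first wins:", reassemble(SAMPLE_FRAGS, "first"))
    print("last wins: ", reassemble(SAMPLE_FRAGS, "last"))
    print("conflicts: ", conflicting_offsets(SAMPLE_FRAGS))
    print("normalized:", normalize(SAMPLE_FRAGS))
```

The two `reassemble` calls return different streams from identical input, which is the whole evasion; `normalize` removes the ambiguity by dropping the inconsistent set rather than picking a policy. The TTL trick on the same slide is handled the same way in principle: a normalizer rewrites TTLs so a packet the IDS sees is one the host will also see.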

The Big Advantages of Host IDS
- More time
- More context
- Everything is reassembled
- Look at entire item, not streams
- Example: it’s all but impossible to do email virus scanning in the network

Extrusion Detection
- Detect bad things leaving your network
- Detect sensitive things leaving your network
- Finds theft of inside information, either by attacker or by rogue insider
- Can be done in the network or in application gateways

Simple Logging

Simple Logging
I ran this command for a while, on two hosts:

    tcpdump -p -l "tcp[13] = 0x2 and dst us"

What does it do?
- Logs all TCP SYN-only packets addressed to us (tcp[13] is the flags byte in the TCP header; 0x2 is SYN)

Some Results
- About 85 probes apiece, during a 30-hour run
- 63 different ports scanned
- Some obvious: http, ssh, Windows file-sharing, SMTP, web proxy
- Some strange: 49400–49402, 8081–8090, 81–86
- Some ominous: terabase, radmin-port
- Most probers looked at one port; one looked at 46 ports

The Most Probed Ports
(Bar chart of the most probed ports: ms-sql-s, radmin-port, BackupExec, smtp, WebProxy, http.)
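Turning the tcpdump output from the Simple Logging slide into the numbers on the two slides above (probe count, distinct ports, ports per prober, most-probed ports) is a short parsing job. The example below is added here and is not the author’s script; the log lines are constructed in the style of `tcpdump -n` output, with 198.51.100.7 standing in for “us”, and the port-name table only covers the ports that appear in the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed lines in the style of `tcpdump -n` output for SYN-only packets;
# 198.51.100.7 plays the role of "us". Not real capture data.
SAMPLE_LOG = """\
01:02:03.000001 IP 192.0.2.10.40001 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
01:02:09.000002 IP 192.0.2.10.40002 > 198.51.100.7.22: Flags [S], seq 2, win 65535, length 0
01:05:00.000003 IP 203.0.113.5.51000 > 198.51.100.7.25: Flags [S], seq 3, win 8192, length 0
02:00:00.000004 IP 203.0.113.9.51001 > 198.51.100.7.4899: Flags [S], seq 4, win 8192, length 0
02:00:00.500000 IP 203.0.113.9.51002 > 198.51.100.7.1433: Flags [S], seq 5, win 8192, length 0
02:00:01.000000 IP 203.0.113.9.51003 > 198.51.100.7.8080: Flags [S], seq 6, win 8192, length 0
03:00:00.000000 IP 192.0.2.200.33000 > 198.51.100.7.80: Flags [S], seq 7, win 5840, length 0
"""

# Service names for the ports in the sample: IANA names where they exist,
# "WebProxy" for 8080 as the slides call it.
PORT_NAMES = {22: "ssh", 25: "smtp", 80: "http", 1433: "ms-sql-s",
              4899: "radmin-port", 8080: "WebProxy"}

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)


def parse_syn_log(text):
    """Return (time, src, dport) for each SYN-only line; other lines are ignored."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            probes.append((m["time"], m["src"], int(m["dport"])))
    return probes


def summarize(probes):
    """The figures the slides report: probe count, distinct ports, ports per source."""
    ports_per_source = defaultdict(set)
    for _time, src, dport in probes:
        ports_per_source[src].add(dport)
    return {
        "probes": len(probes),
        "distinct_ports": len({dport for _t, _s, dport in probes}),
        "ports_per_source": {src: len(p) for src, p in ports_per_source.items()},
    }


def most_probed(probes, n=3):
    """Top-n destination ports by SYN count, as (name, count) pairs."""
    counts = Counter(dport for _t, _s, dport in probes)
    return [(PORT_NAMES.get(port, str(port)), c) for port, c in counts.most_common(n)]


if __name__ == "__main__":
    probes = parse_syn_log(SAMPLE_LOG)
    print(summarize(probes))
    print(most_probed(probes))
```

Run against a real file with `parse_syn_log(open("syn.log").read())`. Without `-n`, tcpdump prints resolved names instead of dotted quads and the regex would need loosening; the numeric form is also what you want for log correlation.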

What Did The Probers Want?
- WebProxy and SMTP are probably for spam email and connection-laundering
- The others look like probes for known vulnerabilities
- http could have been a “spider” or it could be looking for known holes

Broader Data
- Useful source: http://www.dshield.org
- Its current Top 10 list shown at right
  (Table: port and name; entries include 1026 win-rpc, 4662 eDonkey2000, 4672 eMule, 1027 icq, 25 smtp, 445 microsoft-ds.)
- Clearly, the probers are interested in servers. . .
- Some ports are mysterious

Bad Neighborhoods
- I see more probes here than elsewhere. Why?
- There are different “neighborhoods” — ranges of IP addresses — in cyberspace
- University networks are good hunting — few firewalls, good bandwidth, many poorly-administered machines
- Newly-allocated network blocks have few hosts, and aren’t scanned as much

Log Files

Shadow Hawk

    Shadow Hawk Busted Again

    As many of you know, Shadow Hawk (a/k/a Shadow Hawk 1) had his home searched by agents of the FBI. . . When he was tagged by the feds, he had been downloading software (in the form of C sources) from various AT&T systems. According to reports, these included the Bell Labs installations at Naperville, Illinois and Murray Hill, New Jersey.

    —Phrack Issue 16, File 11, November 1987

How was Shadow Hawk Detected?
- He had broken into some Bell Labs machines
- He tried to use uucp — a dial-up file transfer/email system that came with Unix — to grab /etc/passwd files from other machines
- Uucp logged all file transfer requests
- Several people at Murray Hill had automated jobs that scanned the log files for anything suspicious

Stalking the Wily Hacker
- An accounting file didn’t balance — a username had been added without the proper bookkeeping entries
- Cliff Stoll noticed and tried to figure out what was going on
- Ultimately, it led to a KGB-controlled operation aimed at military secrets. . .

What was the Common Thread?
- Log files of various sorts
- “Extraneous” information
- Log files can prevent problems, help you figure out how the system was penetrated, what was affected, and — if you’re lucky and persistent — who did it

Where Do Log Files Come From?
- Many different system components can produce logs
- Often, these aren’t enabled by default
- Should they be?

Detecting Problems Via Logfiles
The “Code Red” worm activity can be identified on a machine by the presence of the following string in a web server log:

    u9090%u8190%u00cb%u53ff%u0078%u0000%u00 l

An Attempted Intrusion?

    [Sun Nov 20 23:17:18 2005] [error] [client www.xxx.y] File does not exist: /usr/pkg/share/httpd/htdocs/xml
    [Sun Nov 20 23:17:28 2005] [error] [client www.xxx.y] File does not exist: /usr/pkg/share/httpd/htdocs/php

(There were many more attempts from that IP address.) Both of these represent services with known security holes

Problems with Log Files
- How did I spot those probes?
- Manual search through error log
- Not very scalable. . .

Log File Scanners
- Need to automate scans
- Pick out “interesting” events
- Hmm — what’s interesting?

Log Files and Intrusion Detection
- Analyzing log files like that is a form of intrusion detection
- Can look for specific signatures, such as examples above
- Or — can look for anomalous patterns, such as too many misses or too-long URLs
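The slides from “Detecting Problems Via Logfiles” through this one describe one scanner with two modes: a signature match on a known string, and anomaly rules for too many misses or too-long URLs. The example below is added here and is not the author’s scanner; the access-log lines are constructed (common log format, made-up clients and paths), the signature is the Code Red string from the slide above, and the miss and URL-length thresholds are this example’s own assumptions.

```python
import re
from collections import Counter, defaultdict

# The Code Red string from the slide, used as one signature.
SIGNATURES = ["u9090%u8190%u00cb%u53ff%u0078%u0000%u00"]

# Constructed access-log lines (common log format); clients and paths are made up.
SAMPLE_LOG = "\n".join([
    '192.0.2.1 - - [20/Nov/2005:23:17:18 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.1 - - [20/Nov/2005:23:17:20 +0000] "GET /logo.png HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Nov/2005:23:17:28 +0000] "GET /test1 HTTP/1.0" 404 286',
    '198.51.100.9 - - [20/Nov/2005:23:17:29 +0000] "GET /test2 HTTP/1.0" 404 286',
    '198.51.100.9 - - [20/Nov/2005:23:17:30 +0000] "GET /test3 HTTP/1.0" 404 286',
    '198.51.100.9 - - [20/Nov/2005:23:17:31 +0000] "GET /test4 HTTP/1.0" 404 286',
    '203.0.113.7 - - [20/Nov/2005:23:18:02 +0000] "GET /x?u9090%u8190%u00cb%u53ff%u0078%u0000%u00 HTTP/1.0" 200 0',
    '192.0.2.50 - - [20/Nov/2005:23:19:00 +0000] "GET /' + "A" * 600 + ' HTTP/1.1" 414 0',
])

LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')


def parse_access_log(text):
    """Return (client, url, status) for each line in common log format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["client"], m["url"], int(m["status"])))
    return records


def scan(records, signatures=SIGNATURES, miss_threshold=3, max_url_len=256):
    """Pick out "interesting" clients two ways.

    Signature matching: the URL contains a known-bad string.
    Anomaly matching: too many misses (404s) from one client, or an over-long URL.
    The thresholds are this example's assumptions, not values from the slides.
    """
    reasons = defaultdict(set)
    misses = Counter()
    for client, url, status in records:
        if any(sig in url for sig in signatures):
            reasons[client].add("signature")
        if len(url) > max_url_len:
            reasons[client].add("long-url")
        if status == 404:
            misses[client] += 1
    for client, n in misses.items():
        if n >= miss_threshold:
            reasons[client].add("too-many-misses")
    return {client: sorted(r) for client, r in reasons.items()}


if __name__ == "__main__":
    for client, why in sorted(scan(parse_access_log(SAMPLE_LOG)).items()):
        print(client, ", ".join(why))
```

The signature list is the easy half; the anomaly thresholds are where the “what’s interesting?” question from the previous slide lives, and they need tuning per site (a busy site with broken links will produce innocent 404 bursts).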

Correlating Log Files
- Sometimes, the interesting information is spread among several log files
- Need accurate timestamps for correlation between machines
- Timestamps should generally be in UTC, rather than the local timezone
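The timestamp point on this slide is concrete enough to show: two machines logging in different local zones produce entries that sort wrongly until each is converted to UTC. The example below is added here and is not from the slides; the hosts, their zone offsets and the log lines are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed: each machine logs in its own local time, without a zone marker,
# which is exactly the situation logging in UTC would avoid.
HOST_ZONES = {
    "hostA": timezone(timedelta(hours=-5)),  # logs in local time (UTC-5)
    "hostB": timezone.utc,                   # logs in UTC
}

SAMPLE_LOGS = {
    "hostA": [
        "2005-11-20 18:17:18 sshd: login for user bob from 203.0.113.7",
        "2005-11-20 18:17:50 sshd: session closed for user bob",
    ],
    "hostB": [
        "2005-11-20 23:17:30 uucp: file request from hostA by bob",
    ],
}


def parse_entry(host, line):
    """Attach the host's zone to the naive timestamp and convert it to UTC."""
    stamp, msg = line[:19], line[20:]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_ZONES[host])
    return local.astimezone(timezone.utc), host, msg


def correlate(logs):
    """Merge several machines' logs into one timeline ordered by UTC time."""
    events = [parse_entry(host, line) for host, lines in logs.items() for line in lines]
    return sorted(events)


def naive_order(logs):
    """Sorting on the raw timestamp strings: hostA's 18:xx entries come before
    hostB's 23:xx entry even though one of them happened after it."""
    entries = [(line[:19], host, line[20:]) for host, lines in logs.items() for line in lines]
    return [host for _stamp, host, _msg in sorted(entries)]


if __name__ == "__main__":
    for when, host, msg in correlate(SAMPLE_LOGS):
        print(when.isoformat(), host, msg)
    print("naive order:", naive_order(SAMPLE_LOGS))
```

With the UTC timeline the login on hostA, the uucp request on hostB and the logout on hostA fall in their real order; the naive sort puts the logout before the request. Once every machine logs in UTC (or with an explicit offset), `HOST_ZONES` disappears and `correlate` is just a merge.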

Types of Correlation
- Intra-machine — different forms of logfile
- Intra-site
- Inter-site
- Watch out for privacy issues!

Finding Compromised Hosts

Finding Compromised Hosts
- Suppose you’ve identified a compromised host. Now what?
- Get data: IP address and (when feasible) MAC address
- Find it

Databases
- Must be able to map IP address to location
- Must be able to map IP address to person
- Difficult on this campus — wide-open nets
- Primary reason for host registration in many places

Layer 2 Data
- Enterprise-grade switches are “managed”
- They can map an IP address or a MAC address to a physical port
- Especially useful if the attacker is forging addresses. . .

Switch Data
(Figure: switch data showing one MAC address on two ports.)
Note that a single MAC address has shown up on two different switch ports, in different buildings. This is reasonable for a laptop, but not for a server!
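The three slides above (Databases, Layer 2 Data, Switch Data) describe one lookup chain, IP to MAC to switch port to room, plus the “laptop or server?” judgement on a MAC seen in two buildings. The example below is added here and is not from the slides; the switch MAC tables, ARP data, port-to-room map and registration records are all constructed stand-ins for what a managed switch and a host-registration database would give you.

```python
from collections import defaultdict

# Constructed tables of the kind a managed switch and a host-registration
# database provide. Addresses, switch names and rooms are made up.

# (switch, port) -> where that port is patched to
PORT_LOCATIONS = {
    ("sw-lib-1", "Gi1/0/7"): ("Library", "Room 101"),
    ("sw-lib-1", "Gi1/0/12"): ("Library", "Room 115"),
    ("sw-eng-2", "Gi1/0/3"): ("Engineering", "Room 204"),
    ("sw-eng-2", "Gi1/0/9"): ("Engineering", "Server closet"),
}

# MAC-address table entries gathered from the switches: (switch, port, mac)
MAC_TABLE = [
    ("sw-lib-1", "Gi1/0/7", "00:11:22:33:44:55"),
    ("sw-eng-2", "Gi1/0/3", "00:11:22:33:44:55"),
    ("sw-eng-2", "Gi1/0/9", "00:aa:bb:cc:dd:ee"),
    ("sw-lib-1", "Gi1/0/12", "00:aa:bb:cc:dd:ee"),
]

# ARP/DHCP data: IP -> MAC, and registration data: MAC -> (owner, kind)
ARP_TABLE = {"10.1.2.77": "00:11:22:33:44:55", "10.1.2.10": "00:aa:bb:cc:dd:ee"}
REGISTRATION = {
    "00:11:22:33:44:55": ("alice", "laptop"),
    "00:aa:bb:cc:dd:ee": ("it-ops", "server"),
}


def ports_for_mac(mac):
    """Every (switch, port) where the switches have seen this MAC."""
    return [(sw, port) for sw, port, m in MAC_TABLE if m == mac]


def locate_ip(ip):
    """IP -> MAC -> switch port(s) -> physical location(s), plus who registered it."""
    mac = ARP_TABLE.get(ip)
    if mac is None:
        return None
    places = [PORT_LOCATIONS.get(p, ("unknown", "unknown")) for p in ports_for_mac(mac)]
    owner, kind = REGISTRATION.get(mac, ("unregistered", "unknown"))
    return {"mac": mac, "owner": owner, "kind": kind, "locations": places}


def roaming_macs():
    """MACs seen on ports in more than one building."""
    buildings = defaultdict(set)
    for sw, port, mac in MAC_TABLE:
        buildings[mac].add(PORT_LOCATIONS.get((sw, port), ("unknown", ""))[0])
    return sorted(mac for mac, b in buildings.items() if len(b) > 1)


def suspicious_roamers():
    """Roaming MACs that are registered as servers.

    A laptop moving between buildings is normal; a server's MAC turning up in
    another building suggests a forged address, the case the slides warn about.
    """
    return [mac for mac in roaming_macs()
            if REGISTRATION.get(mac, ("", "unknown"))[1] == "server"]


if __name__ == "__main__":
    print(locate_ip("10.1.2.77"))
    print("roaming:", roaming_macs())
    print("suspicious:", suspicious_roamers())
```

The registration table is what makes the last step possible: without knowing which MACs belong to servers, a MAC in two buildings is just a laptop. That is the “primary reason for host registration” from the Databases slide.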

Locating an Evil WiFi Laptop
- Ask the switch what access point it’s near
- Ping-flood the machine
- Wander around the room looking at the lights. . .
