Attacks/Breaches
11/2/2012
12:42 PM
Connect Directly
RSS
E-Mail
50%
50%

9 Facts: Play Offense Against Security Breaches

Striking back by hacking hackers is a legal and corporate no-no. But IT and security managers can shore up defenses and trick attackers into revealing their identities.

4. Leave enticing -- but fake -- pages unsecured.

Legally speaking, when it comes to defending corporate networks, what is allowed? One of Asadoorian's recommendations is to create a fake administrator page on a website and use it as part of an early-warning alert system. "We'll set up a fake administration page on someone's website and do things to lure attackers to that site. Since we know that no one should be going to that site except an attacker, it's almost like a honey pot," he said.

5. Socially engineer attackers into using Java.

For a twist, leverage attackers' curiosity by noting that Java must be enabled to access all administrator panel features, perhaps suggesting that the panel can then be used to access network-connected video cameras or switches. If attackers do enable Java, execute JavaScript on their system to gather information and see if the PC is operating behind network proxies. For example, the Metasploit Decloaking Engine demonstrates how Java and Flash can be used to gather information on someone visiting a website.

While such tools may be good for gathering information, they also have limits. "That works well in a scenario where there are one or two attackers targeting your network -- dare I say APT?" said Asadoorian. "But when you have all these different attackers targeting you and you may get back to machines in Russia, you have to be careful."

6. Scuttle port scanners with infinite loops.

Another useful defensive measure is to guard against attackers using port-scanning tools that try and identify known vulnerabilities on a business network. One technique, developed by Ben Jackson of Mayhemic Labs, involves seeding corporate websites with numerous link-filled pages to send port-scanning tools into an infinite loop.

Similarly, Asadoorian said he's helped develop Unix and Windows scripts -- one for OS X is on the way -- that create firewall rules to block IP addresses from which scans are being launched. "The scanner has to be making a full connection, and once is does that, we're able to block their IP address based on their connection attempt," he said.

7. Security 101: Start with a good network.

Building better countermeasures might sound sexy, but such enhancements must rest on a firm foundation. "You need to have a very well-defined network before you can start monitoring it, and you need to be monitoring the events and logs from your systems before you can go putting these types of things in place," said Asadoorian. "If you have no firewall, patch management, or log management, I'm not going to recommend that you start putting scripts in place to add firewall rules."

8. Keep Legal in the loop.

When considering avant-garde defensive measures, start by liaising with in-house counsel and technology managers. "Discuss it. Make sure this isn't something that you do in the dark of night, [without letting] your CIOs or CFOs know," said John Strand in a presentation on offensive security at Derbycon 2011. Also, document the plan and everything that's been discussed and agreed upon -- not least to protect yourself. Ensure that information security policies and warnings are updated to reflect the fact that technologies could be used to scan and "forcibly identify" any system that attempts to connect to the corporate network or that is acting suspiciously.

9. Reach out to law enforcement agencies.

Beyond blocking attacks in a timely fashion and amassing potential intelligence on the attackers themselves, is there anything else that information security professionals can do fight back?

Not directly, but do consider handing off the information to authorities in case they can follow through and positively identify and prosecute the people behind the attack. "If you gain access to an attacker's machine, and legally you're able to look around and see that they've compromised a number of other machines, that's certainly useful information, and working with law enforcement is where a lot of this would lead to," said Asadoorian.

Notably, the FBI this week announced plans to expand its cybercrime division. In particular, the bureau wants to get better at attributing attacks to specific hackers.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Titaninfosec
50%
50%
Titaninfosec,
User Rank: Apprentice
11/5/2012 | 6:53:28 PM
re: 9 Facts: Play Offense Against Security Breaches
Matthew, it is nice to say hackback is illegal, and for the most part it is, but this is the knee-jerk reaction that prevents companies from adequately defending themselves. As you quoted from me and my lecture at Hacker Halted there are avenues of approach companies can pursue that go beyond standard defensive techniques. This is needed because we are losing the war and being decimated. If law enforcement can help I am all for it. But if not, unique and out of the box options must be explored and there are a lot more legal options that companies are missing by falling prey to the fear that it is all illegal. Thanks for the great article.
Dave
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.