'Prevention' Can Give Hackers a Shot in the Arm

Intrusion prevention systems may help attackers to evolve

2:37 PM -- "Penicillin against hackers." Who wouldn't want that? It suggests that you could inoculate yourself against those pesky miscreants and bring your IT security problems to a close. However, there's an unfortunate side effect to using penicillin that we, as security practitioners, should be keenly aware of.

What does penicillin do? It fights bacterial infections. Unfortunately, some bacteria have become resistant to penicillin and other antibiotics: the drug kills the susceptible population and leaves the mutants that can survive it to reproduce. Okay, but how does that apply to IT security?

Let's talk about an intrusion prevention system (IPS) that blocks an IP address once a threat has been seen. What's the first thing newbies learn to do on Internet Relay Chat (IRC) to evade such bans? They change their nicknames and their IP addresses and rejoin. If an IPS bans them based on IP address, even newbies can evade it by coming back through hacked hosts or proxies.

So what did the IPS ban achieve? Have we actually stopped the bad guys? Clearly, not in any global sense. Have we slowed them down? Yes, we could argue that. And how does that affect the bad guys? Well, they now know you have an IPS, which might scare them -- or it might encourage them, because they now know the method you are using to detect them.

The IPS doesn't actually stop attackers (in any global sense, anyway), but it does tell them they have been seen on that particular target. Each block is a virtual slap on the wrist that teaches them which technique tripped the alarm, so next time they are less likely to get caught. Ultimately, then, our "penicillin," which was designed for prevention, is actually breeding a better, stronger group of bad guys.

So what's a security professional to do? Selective blocking isn't much of a long-term deterrent, but there are options, such as random delayed/deferred blocking, or misleading error messages (delivering a 404 "not found" or 401 "unauthorized" instead of a 500 "internal server error" status code, so the attacker can't tell which request tripped the block).
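As an added illustration (not code from the column or from RSnake), here is what deferred, deceptive blocking looks like in Python, with the instant-403 behaviour beside it for contrast. The class names, delay window and addresses are assumptions; in practice the IPS would call flag() when it sees a threat and the web tier would call respond() on every request.

```python
"""Deferred, deceptive IP blocking (added example, not from the column).

Assumed names: DeferredBlocklist, flag(), respond(), ManualClock. The IP
addresses are constructed documentation addresses, not real hosts.
"""
import random
import time
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, bytes]
Handler = Callable[[str], Response]


class ManualClock:
    """Demo/test clock: time advances only when we say so."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def naive_respond(blocked: set, ip: str, path: str, handler: Handler) -> Response:
    """The behaviour the column criticises: block instantly and say so.
    The very next request after the IPS fires gets a 403, which tells the
    attacker which request tripped the sensor and that a block is in place."""
    if ip in blocked:
        return 403, b"Forbidden"
    return handler(path)


class DeferredBlocklist:
    """Block flagged IPs only after a random delay, and answer blocked
    requests with a status an ordinary user could get for a bad URL."""

    def __init__(
        self,
        min_delay: float = 30.0,
        max_delay: float = 600.0,
        rng: Optional[random.Random] = None,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        if not 0 <= min_delay <= max_delay:
            raise ValueError("need 0 <= min_delay <= max_delay")
        self.min_delay = min_delay
        self.max_delay = max_delay
        self.rng = rng or random.SystemRandom()
        self.clock = clock
        self._block_at: Dict[str, float] = {}

    def flag(self, ip: str) -> float:
        """Record that the IPS saw a threat from ip; return the time at which
        blocking starts. Only the first flag sets the deadline, so repeated
        probes cannot be used to measure the delay."""
        deadline = self.clock() + self.rng.uniform(self.min_delay, self.max_delay)
        return self._block_at.setdefault(ip, deadline)

    def is_blocked(self, ip: str) -> bool:
        deadline = self._block_at.get(ip)
        return deadline is not None and self.clock() >= deadline

    def respond(self, ip: str, path: str, handler: Handler) -> Response:
        """Serve normally until the deadline passes; after that return a plain
        404 so the block is indistinguishable from a missing page."""
        if self.is_blocked(ip):
            # Record the hit in your own logs; say nothing distinctive to the client.
            return 404, b"Not Found"
        return handler(path)


def demo() -> Dict[str, Response]:
    """Walk one constructed attacker through both policies."""
    clock = ManualClock(0.0)
    bl = DeferredBlocklist(min_delay=10, max_delay=20, rng=random.Random(7), clock=clock)
    ok: Handler = lambda path: (200, b"page for " + path.encode())
    attacker = "203.0.113.5"   # constructed address (RFC 5737 TEST-NET-3)
    results: Dict[str, Response] = {}
    results["naive"] = naive_respond({attacker}, attacker, "/admin", ok)
    bl.flag(attacker)
    results["deferred_before"] = bl.respond(attacker, "/admin", ok)   # still served
    clock.now = 25.0           # past the longest possible delay
    results["deferred_after"] = bl.respond(attacker, "/admin", ok)    # looks like a 404
    results["bystander"] = bl.respond("198.51.100.9", "/admin", ok)   # unaffected
    return results


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:16} {status} {body.decode()}")
```

The trade-off is visible in the code: during the delay window the attacker keeps receiving real responses, so this policy only makes sense alongside logging and alerting on the flag, not instead of them. The random delay and the bland 404 buy you something only if the attacker cannot correlate the block with a specific request.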

In this situation, obscurity really is good security. The less legitimate information you give to the attacker the better.

– RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading