Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/11/2013
11:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Free 'Active Defense' Tools Emerge

Ammunition for fighting back against cyberattackers in subtle yet disruptive ways is becoming available in open source

A wave of open-source tools for turning the tables on cyberattackers are becoming available in the public domain for organizations looking for alternatives to traditional security methods.

It's not technically "hacking back," the tools' creators say: It's more about frustrating, identifying, and, in some cases, physically locating the bad guys behind the keyboard. This so-called "active defense" model is slowly catching fire despite initial concerns that it would cross the line into hard-core offense. The concept is evolving commercially as well, with vendors such as CrowdStrike and Juniper Networks.

Active defense methods include everything from honeypot-like tools to lure and study attackers, to decoys to disrupt the attacker's activities. Experts say running interference with an attacker while also gathering some intel on him or his motives ultimately can help shore up defenses, even if he's never actually caught.

[How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard .]

Security services firm CrowdStrike plans to release a free tool for monitoring attackers through Tor, as well as a tool for analyzing and decoding polymorphic malware, says Dmitri Alperovitch, co-founder and CTO at CrowdStrike.

And security experts John Strand, Paul Asadoorian, Ethan Robish, and Benjamin Donnelly offer a Linux distro set of tools called Active Defense Harbinger Distribution (ADHD). Strand and Asadoorian, who produce the weekly security broadcast PaulDotCom Security Weekly, also recently published an e-book called "Offensive Countermeasures: The Art of Active Defense."

"We want to turn the tables without tripping into the realm of hacking back," Strand says. And it's not about revenge against the bad guys, either: It's about "annoying" the attackers, interfering with their reconnaissance activity, and even pinpointing their physical location by surreptitiously tracking their geolocation.

Strand says he and his colleagues often get questions about the legality of the tools. "[People] ask, 'Is it legal?' As near as we can tell, it is," he says, noting that the development of their tools and their training on the topic have both been vetted by legal experts.

"We cannot go through the steps of getting on their computer or browsing their files even though they are bad guys or criminals. They have a right to privacy, and we try not to cross that line," he says.

The freebie active defense tools offered by Strand, Asadoorian, Robish, and Donnelly have names like Artillery; BearTrap, which opens "trigger" ports on a host that an attacker would connect to and automatically get spotted and blacklisted; Decloak, which IDs the real IP address of a Web user, even one behind a proxy; and Honey Badger, which employs geolocation and a browser's share function, for example, to pinpoint the physical location of a Web user.

Another tool, Nova, detects network-based recon and feeds the attacker phony information on the numbers and types of systems on the targeted network using a network of virtualized decoys. The Spidertrap tool traps Web crawlers "in an infinite set of dynamically generated" Web pages, according to the tool's profile, and Web Bug Server does just what it says: embeds a Web bug inside a word processing document that can be used to hide HTML code that ultimately reveals IP address and other information on the attacker.

"What you do is make the bad guys take more steps to breach the environment," Strand says.

CrowdStrike's Alperovitch says active defense encompasses real-time detection, attribution of the threat actors; deception, containment, and other disruption; and intelligence dissemination.

"Pure defensive techniques ... cannot work when you're dealing with an adversary that's [advanced] and determined to get in; it will find a way in. So you need to find other ways to deter them. That's the premise behind active defense," Alperovitch says.

But seasoned attackers are adept at hiding behind layers of anonymity and IP addresses, so it's still relatively rare to catch the actual bad guy in the act. Strand contends that there are ways to catch some hackers: "We're giving the attackers way too much credit. In the past two years, we have worked with customers to identify the location of the bad guys and helped them," he says.

In one case, a student in India was trying to hack one of Strand and his team's demos, so they acquired the latitude and longitude on his dorm and contacted the college, he says.

Another European client was being blackmailed by an attacker. Strand and his team were able to peg the geolocation of the perpetrator, who was later arrested, Strand says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.