Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/12/2017
05:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

How Active Intrusion Detection Can Seek and Block Attacks

Researchers at Black Hat USA will demonstrate how active intrusion detection strategies can help administrators detect hackers who are overly reliant on popular attack tools and techniques.

Penetration testers as well as bad-guy hackers typically rely on several common attack tools to break into business networks. 

Enterprises defending their networks can flip the equation on attackers by using active intrusion detection strategies to create situations where attackers overly reliant on these tools inadvertently expose themselves to detection and other complications, says John Ventura, practice manager for applied research at Optiv. It's a trap that even pen testers can fall into while running their tools, he says.

Ventura will this detail a more active approach to intrusion prevention - where defenders can use basic network software applications to look for threats and stop attacks - later this month in his Black Hat USA talk entitled "They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention." 

The field of intrusion detection and prevention systems has been "relatively stagnant" for the past 15 to 20 years, Ventura says. Passive intrusion detection systems can be computationally intensive and their responses rarely go far.

"If your company is using intrusion detection and prevention systems, and dealing with those alerts responsibly, you are doing great relative to the rest of the industry," he notes.

Ventura at Black Hat will take hacking tools popular among attackers and pen testers such as Metasploit, and show how design flaws in those tools can be exploited for intrusion prevention.

"There are common hacking tools that a lot of people use, and if you target those tools, you can make it harder to break into computers," he explains.

Ventura plans to demonstrate methodologies for finding and disrupting common attacks; organizations can integrate these into their IDS/IPS products to make the software better. Software written over the course of this research can be used on lightweight hardware to defend against real-world attacks. It's an effective swap for more expensive "magic box" solutions.

One of the examples he plans to discuss involves man-in-the-middle (MitM) attacks. The goal is to target the communications channel while it's being established, he says. The attacker introduces his or her software onto a compromised host, and that software initiates communication with the attacker's computer. The goal is to disrupt that "handshake," Ventura says. Attackers need to maintain control over the target machine once they break in, but it's hard to communicate during a MitM attack.

"It is really hard to get two computers to talk to each other in a secure fashion if they have never communicated before," Ventura continues. "Even with a head start, they'll still have vulnerabilities that pop up from time to time."

Though they have decades of experience, developers and researchers working on these problems still find themselves facing serious vulnerabilities in their tools, he notes.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Ventura will demonstrate IDS/IPS software that uses the Metasploit Framework's Meterpreter control channel to take control over a machine that has been compromised and breaks its communication channel, replacing it with one of the user's choosing. Traffic still goes to where you might expect it; however, the attacker has a broken TCP connection, so the person running the software has control over a machine that the initial attacker compromised, he explains.

The topic is relevant to both offensive and defensive security professionals. Blue team defenders can become more proactive by manipulating their network traffic to detect and complicate common attacks, targeting attackers, and exploiting vulnerabilities in their software.

Red teamers who break into computers need to understand how their tools work, says Ventura. Those who don't understand the functionality of their tools may heighten the risk for detection and exploitation.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10100
PUBLISHED: 2019-07-16
NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43.
CVE-2019-10100
PUBLISHED: 2019-07-16
BigTree-CMS commit b2eff67e45b90ca26a62e971e8f0d5d0d70f23e6 and earlier is affected by: Improper Neutralization of Script-Related HTML Tags in a Web Page. The impact is: Any Javascript code can be executed. The component is: users management page. The attack vector is: Insert payload into users' pro...
CVE-2019-10100
PUBLISHED: 2019-07-16
PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line36. The attack vector is: modify the MIME TYPE on HTTP request to upload a php file. The fixed version is: after commit 09f0ab871...
CVE-2019-13612
PUBLISHED: 2019-07-16
MDaemon Email Server 19 skips SpamAssassin checks by default for e-mail messages larger than 2 MB (and limits checks to 10 MB even with special configuration), which is arguably inconsistent with currently popular message sizes. This might interfere with risk management for malicious e-mail, if a cu...
CVE-2019-10100
PUBLISHED: 2019-07-16
Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3.