Tech Insight: Offensive Countermeasures Help Defenders Fight Back

Defenders desperate to prevent attacks have begun taking measures to fight back against attackers
Meanwhile, at Def Con 20, Dan Petro presented "Network Anti-Reconnaissance: Messing with Nmap Through Smoke and Mirrors," during which he discussed his Network Obfuscation and Virtualized Anti-Reconnaissance (Nova) project. Nova can be used to deploy a large number of honeypots that look similar to the legitimate hosts on the network. By doing this, Petro said identifying the real systems essentially becomes the same as trying to find a needle in a haystack. When an attacker scans the network and encounters the decoys, Nova alerts network administrators so they can act.
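The decoy approach Petro describes turns a scan into a detection event: legitimate traffic never touches a decoy address, so a single decoy hit is high-signal. The following added example (not Nova's code, and not from the talk) models that idea: a constructed connection log is checked against a hypothetical set of real hosts and the decoy addresses filling the rest of the subnet, each source gets a decoy/real hit count, and a small helper computes the chance that a scanner probing addresses at random avoids every decoy, which is the "needle in a haystack" effect in numbers.

```python
"""Decoy-hit detection, in the spirit of the Nova approach (constructed example)."""
from collections import defaultdict
from math import comb
import ipaddress

# Hypothetical network: three real hosts, every other address in the /24 is a decoy.
REAL_HOSTS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}
DECOYS = {str(ip) for ip in ipaddress.ip_network("10.0.0.0/24").hosts()} - REAL_HOSTS

# Constructed connection records: (timestamp, source, destination, dest port).
CONNECTIONS = [
    ("2012-08-01T10:00:01", "10.0.0.10", "10.0.0.11", 445),    # server-to-server, legitimate
    ("2012-08-01T10:00:05", "192.168.1.50", "10.0.0.10", 80),  # ordinary client, real host only
    ("2012-08-01T10:01:00", "192.168.1.77", "10.0.0.1", 22),   # decoy
    ("2012-08-01T10:01:01", "192.168.1.77", "10.0.0.2", 22),   # decoy
    ("2012-08-01T10:01:02", "192.168.1.77", "10.0.0.3", 22),   # decoy
    ("2012-08-01T10:01:03", "192.168.1.77", "10.0.0.10", 22),  # the scanner also reaches a real host
]


def classify_connections(connections, decoys, real_hosts, threshold=1):
    """Count decoy and real-host contacts per source; alert on sources at or above threshold.

    Returns (stats, alerts). stats maps source -> counts and first decoy timestamp;
    alerts is the subset of stats whose decoy count meets the threshold.
    """
    stats = defaultdict(lambda: {"decoy": 0, "real": 0, "first_decoy": None})
    for ts, src, dst, _dport in connections:
        entry = stats[src]
        if dst in decoys:
            entry["decoy"] += 1
            if entry["first_decoy"] is None:
                entry["first_decoy"] = ts
        elif dst in real_hosts:
            entry["real"] += 1
    alerts = {src: s for src, s in stats.items() if s["decoy"] >= threshold}
    return dict(stats), alerts


def haystack_odds(n_real, n_decoy, probes):
    """Probability that `probes` distinct random addresses include at least one decoy.

    This is why a decoy hit is such a strong signal: with 3 real hosts among 254
    addresses, a single random probe already has a 251/254 chance of hitting a decoy.
    """
    total = n_real + n_decoy
    if probes > n_real:
        return 1.0  # more probes than real hosts: a decoy cannot be avoided
    return 1 - comb(n_real, probes) / comb(total, probes)


if __name__ == "__main__":
    stats, alerts = classify_connections(CONNECTIONS, DECOYS, REAL_HOSTS)
    for src, s in alerts.items():
        print(f"ALERT {src}: {s['decoy']} decoy hits, {s['real']} real hits, first at {s['first_decoy']}")
    print(f"P(decoy hit | 1 random probe) = {haystack_odds(3, 251, 1):.3f}")
```

The threshold defaults to one because, as the paragraph notes, real users have no reason to reach a decoy; raising it only makes sense where misconfigured inventory or discovery tools are known to sweep the subnet.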

So often, companies are attacked and don't know why or who is responsible. The attribution component of Strand and Asadoorian's course offered ideas on how defenders can include JavaScript from the Browser Exploitation Framework (BeEF) project to unmask attackers. For example, a fake admin page could be created that uses BeEF to automatically find the attacker's local IP, remote IP, visited URLs, and other information.

Similarly, "Web bugs" can be placed in Microsoft Word documents that cause a URL to be requested when the document is opened. Files named to look like they contain confidential information could be placed on a site or file share. After the attacker downloads the file and then opens it, the defender would get a log entry on his Web server for the URL specific to that file. Of course, the attacker could be at a different location than the IP found in the logs, but it gives the defender a place to start.
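The log-side half of that technique is where the defender's value comes from: each decoy file needs its own unguessable beacon URL, and a hit on that URL in the Web server log must be mapped back to the file and the source address. The added example below (not from the course or the article) derives a per-file beacon path with an HMAC over the filename under a hypothetical secret, parses Apache/nginx combined-format access-log lines that are constructed inline, and reports which decoy document was opened from where. How the URL is embedded in the Word document is outside this example.

```python
"""Web-bug canary documents: per-file beacon tokens and access-log matching (constructed example)."""
import hashlib
import hmac
import re

SECRET = b"rotate-me-per-deployment"   # hypothetical secret; keeps tokens unguessable
BEACON_HOST = "canary.example.com"     # hypothetical host that serves the beacon URLs


def canary_url(filename, secret=SECRET):
    """Derive a stable beacon URL for one decoy document from its filename."""
    token = hmac.new(secret, filename.encode(), hashlib.sha256).hexdigest()[:16]
    return f"https://{BEACON_HOST}/b/{token}.png"


# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def match_beacons(log_lines, filenames, secret=SECRET):
    """Return one hit record per log line whose path is a known canary beacon."""
    lookup = {}
    for name in filenames:
        path = "/b/" + canary_url(name, secret).rsplit("/", 1)[1]
        lookup[path] = name
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        name = lookup.get(m.group("path"))
        if name is None:
            continue  # ordinary request, or an unknown /b/ path (scanner guessing)
        hits.append({
            "file": name,
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "ua": m.group("ua"),
            "status": int(m.group("status")),
        })
    return hits


def sample_log():
    """Constructed access-log lines; the first is a beacon hit from a document open."""
    tok = canary_url("Q3_merger_plan.docx").rsplit("/", 1)[1]
    return [
        f'203.0.113.9 - - [01/Aug/2012:14:03:22 +0000] "GET /b/{tok} HTTP/1.1" 200 512 "-" "Microsoft Office Word 2010"',
        '203.0.113.9 - - [01/Aug/2012:14:03:25 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [01/Aug/2012:14:10:00 +0000] "GET /b/deadbeefdeadbeef.png HTTP/1.1" 404 0 "-" "curl/7.26"',
    ]


if __name__ == "__main__":
    for hit in match_beacons(sample_log(), ["Q3_merger_plan.docx", "payroll_2012.xlsx"]):
        print(f"{hit['file']} opened from {hit['ip']} at {hit['ts']} ({hit['ua']})")
```

Because the path is derived from the filename rather than stored, the mapping table can be rebuilt from the list of decoy files alone. As the paragraph cautions, the source IP is a starting point, not a location: the document may have been opened through a proxy or on a machine far from where it was taken.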

And then there's the topic of "hacking back." Strand warns that doing anything to attack the attackers needs to be done extremely carefully and with cooperation from corporate legal counsel. With the right steps taken, he says it is possible to exploit an attacker's system using the Java payload from the Social Engineering Toolkit (SET) or an exploit against the attacker's scanning tool.

Just like end users must agree to acceptable use policies to use the network, confirm they read warning banners prior to logging in, and submit to running code to check their systems' security posture, attackers can be subject to the same, provided the right system banners and warnings are in place.

When defenders hack back blindly without prior authorization, it can easily end up backfiring. Tom Liston, senior security consultant at InGuardians, Inc., ran a few honeypots in an effort to learn more about attack methods and tools being seen in the wild. During a penetration test, Liston's client's IT staff noticed he was in one of their systems and decided to attack his IP address.

"That was a big mistake," said Liston, because the client didn't realize that any unsolicited traffic to his IP was automatically directed to one of his honeypots. The client's IT staff member logged into the honeypot with the same username and password as the common penetration testing Linux distribution BackTrack. What the IT staff member didn't know was that this was one of thousands of accounts that would have allowed him to log in.

After poking around for a while, the IT staff member realized something wasn't quite right and decided to contact his supervisor. Liston said he received a personal phone call from the client's IT staff member apologizing for his actions, along with a guarantee from the client that any such actions would not happen again.

Defenders are cautioned that hacking back may seem fun during the heat of the moment, but doing so can land them in jail or without jobs. Offensive countermeasures, however, can provide that defensive edge needed to observe, orient, decide, and react faster than the attacker, and keep the network secure for another day.
