Defenders desperate to prevent attacks have begun taking measures to fight back against attackers

John H. Sawyer, Contributing Writer, Dark Reading

August 4, 2012

6 Min Read

Last month's Black Hat featured numerous defensive-focused talks -- a change from the usual zero-day dropping, "there's nowhere to hide" types of discussions from prior years. From talks specifically on defense to talks that discussed attacks but included specific mitigations, there was a definite upswing in speakers looking to help enterprises better protect themselves.

Why the change? According to John Strand, co-host of the Pauldotcom podcast and owner of Black Hills Information Security, there has been a shift in defensive mindset due to the ineffective security products vendors are selling now. "They are designed to fight threats that are three to five years old and simply aren't cutting it," Strand said in an interview. "Security pros that have moved into management in recent years know this -- they're looking for more effective alternatives."

So what should defenders be doing to protect their networks and corporate data? In the Black Hat talk "Sexy Defense: Maximizing the home-filed advantage," independent security consultant Iftach Ian Amit stated that most companies already have the tools and products they need in place -- but don't know it. His presentation focused on processes (what to do), and not what to buy, to enhance defense. Some of those recommendations included mapping information and security assets, correlating logs from all systems, setting up honeypots, and counterintelligence. For more information, read Dark Reading's previous article on Amit's talk.

Beyond changing current practices and leveraging existing tools, another defensive movement has focused on "offensive countermeasures." Offensive countermeasures focus on trying to annoy (or confuse) the attacker, identify the attacker, and exploit the attacker's tools, rendering them ineffective. The goal is to make it more difficult for the attacker to be successful while providing the defender with time to act appropriately.

That goal, in particular, fits into the OODA approach that Strand and Pauldotcom podcast co-host Paul Asadoorian, taught during their "Offensive Countermeasures" training course. Originally developed for fighter pilots, the concept of Observe, Orient, Decide, and Act (OODA) basically means that those who do those things the fastest will survive, according to Asadoorian. By disorienting attackers through offensive countermeasures, defenders have a better opportunity to identify the attack and react before the attacker realizes he has been tricked.

Strand and Asadoorian taught several ways for annoying and confusing attackers based on knowledge of common attacker methods for identifying and exploiting vulnerabilities. Web-based attacks often begin with spidering, where a tool is used to crawl the entire contents of a website's contents looking for vulnerable pages. Or the tool will look for specific files and directories (e.g., /admin, /private, /CFIDE/administrator/index.cfm). Tools such as WebLabyrinth can create bogus directories to confuse and trap Web scanners, while PHPIDS can automatically respond to attacks by logging the attack, sending admins email, force redirects, and kill the active Web session.

Next Page: Where's the BeEF? Meanwhile, at Def Con 20, Dan Petro presented "Network Anti-Reconnaissance: Messing with Nmap Through Smoke and Mirrors," during which he discussed his Network Obfuscation and Virtualized Anti-Reconnaissance (Nova) project. Nova can be used to deploy a large number of honeypots that look similar to the legitimate hosts on the network. By doing this, Petro said identifying the real systems essentially becomes the same as trying to find a needle in a haystack. When an attacker scans the network and encounters the decoys, Nova alerts network administrators so they can act.

So often, companies are attacked and don't know why or who is responsible. The attribution component of Strand and Asadoorian's course offered ideas on how defenders can include JavaScript from the Browser Exploitation Framework (BeEF) project to unmask attackers. For example, a fake admin page could be created that uses BeEF to automatically find the attacker's local IP, remote IP, visited URLs, and other information.

Similarly, "Web bugs" can be placed in Microsoft Word documents that cause a URL to be requested when the document is opened. Files named to look like they contain confidential information could be placed on a site or file share. After the attacker downloads the file and then opens it, the defender would get a log entry on his Web server for the URL specific to that file. Of course, the attacker could be at a different location than the IP found in the logs, but it gives the defender a place to start.

And then there's the topic of "hacking back." Strand warns that doing anything to attack the attackers needs to be done extremely carefully and with cooperation from corporate legal counsel. With the right steps taken, he says it is possible to exploit an attacker's system using the Java payload from the Social Engineering Toolkit (SET) or an exploit against the attacker's scanning tool.

Just like end users must agree to acceptable use policies to use the network, confirm they read warning banners prior to logging in, and submit to running code to check their systems' security posture, attackers can be subject to the same, provided the right system banners and warning are in place.

When defenders hack back blindly without prior authorization, it can easily end up backfiring. Tom Liston, senior security consultant at InGuardians, Inc., ran a few honeypots in an effort to learn more about attack methods and tools being seen in the wild. During a penetration test, Liston's client's IT staff noticed he was in one of their systems and decided to attack his IP address.

"That was a big mistake," said Liston, because the client didn't realize that any unsolicited traffic to his IP was automatically directed to one of his honeypots. The client's IT staff member logged into the honeypot with the same username and password as the common penetration testing Linux distribution Backtrack. What the IT staff didn't know was that was one account out of thousands that would have allowed him to log in.

After poking around for a while, he realized something wasn't quite right and decided to contact his supervisor. Liston said he received a personal phone call from the client's IT staff member apologizing for his actions, along with a guarantee from the client that any such actions would not happen again.

Defenders are cautioned that hacking back may seem fun during the heat of the moment, but doing so can land them in jail or without jobs. Offensive countermeasures, however, can provide that defensive edge needed to observe, orient, decide, and react faster than the attacker, and keep the network secure for another day.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

Black Hat News

About the Author(s)

John H. Sawyer

Contributing Writer, Dark Reading

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights