Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/9/2010
01:13 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Ways To Slow An Attacker

The inevitability of failure in security has been up for discussion a lot during the past couple of years. It's a mentality that a lot of security professionals have subscribed to because of various reasons: proliferation of malware, user behavior, advanced persistent threat (APT), or simply Murphy's Law.

The inevitability of failure in security has been up for discussion a lot during the past couple of years. It's a mentality that a lot of security professionals have subscribed to because of various reasons: proliferation of malware, user behavior, advanced persistent threat (APT), or simply Murphy's Law.So if you're doomed to failure, then you need to have plans ready for eradication and recovery, right? Burning everything down and rebuilding might be fine for a small business or a small department of users. It might even be OK to bring some laptops for users to work temporarily while their workstations are being rebuilt. But that won't fly with mission-critical servers, an Active Directory domain that's been rooted, and an enterprise that must allow remote users to connect in.

Last week, I was listening to a presenter discussing the problem of eradicating the compromise while maintaining a "business as usual" posture. Sitting there, I wondered what it would be like to be dealing with a large compromise where you know the attackers have access, but you cannot simply disconnect from the Internet. Talk about an impossible-feeling conundrum.

One of speaker's suggestions was trying to slow the attacker so he was less likely to be able to exfiltrate data. For example, as the attacker is trying to transfer files, start "flipping bits" in the files so they end up corrupted once the attacker has them. The speaker didn't say how it was done, but the first thing to pop into my mind was to use Snort Inline and the "replace" keyword.

For example, you could write a Snort rule looking for the header of a particular file the intruder has been transferring, like a compressed file containing your data. Since files pretty much all have a standard header, and sometimes footers, a Snort rule could be written to replace the header (and footer) with something else entirely so the attacker won't be able to view the files easily.

Another possibility would be to modify the network quality of service or inject TCP Resets and small TCP window sizes into the attackers traffic to slow transfers down to a crawl.

There's a lot of "fun" to be had during a not-so-fun time, and I hope that you never have to experience anything of that sort. Something to keep in mind is that you need to be careful doing something like this as you could end up angering the attacker so they end up retaliating. It doesn't hurt to test these things out and know your capabilities if the need ever should arise.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3006
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
CVE-2015-5361
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
CVE-2020-6803
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
CVE-2020-6804
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
CVE-2019-4301
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.