Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/9/2010
01:13 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Ways To Slow An Attacker

The inevitability of failure in security has been up for discussion a lot during the past couple of years. It's a mentality that a lot of security professionals have subscribed to because of various reasons: proliferation of malware, user behavior, advanced persistent threat (APT), or simply Murphy's Law.

The inevitability of failure in security has been up for discussion a lot during the past couple of years. It's a mentality that a lot of security professionals have subscribed to because of various reasons: proliferation of malware, user behavior, advanced persistent threat (APT), or simply Murphy's Law.So if you're doomed to failure, then you need to have plans ready for eradication and recovery, right? Burning everything down and rebuilding might be fine for a small business or a small department of users. It might even be OK to bring some laptops for users to work temporarily while their workstations are being rebuilt. But that won't fly with mission-critical servers, an Active Directory domain that's been rooted, and an enterprise that must allow remote users to connect in.

Last week, I was listening to a presenter discussing the problem of eradicating the compromise while maintaining a "business as usual" posture. Sitting there, I wondered what it would be like to be dealing with a large compromise where you know the attackers have access, but you cannot simply disconnect from the Internet. Talk about an impossible-feeling conundrum.

One of speaker's suggestions was trying to slow the attacker so he was less likely to be able to exfiltrate data. For example, as the attacker is trying to transfer files, start "flipping bits" in the files so they end up corrupted once the attacker has them. The speaker didn't say how it was done, but the first thing to pop into my mind was to use Snort Inline and the "replace" keyword.

For example, you could write a Snort rule looking for the header of a particular file the intruder has been transferring, like a compressed file containing your data. Since files pretty much all have a standard header, and sometimes footers, a Snort rule could be written to replace the header (and footer) with something else entirely so the attacker won't be able to view the files easily.

Another possibility would be to modify the network quality of service or inject TCP Resets and small TCP window sizes into the attackers traffic to slow transfers down to a crawl.

There's a lot of "fun" to be had during a not-so-fun time, and I hope that you never have to experience anything of that sort. Something to keep in mind is that you need to be careful doing something like this as you could end up angering the attacker so they end up retaliating. It doesn't hurt to test these things out and know your capabilities if the need ever should arise.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...