While every corporate general counsel, CIO and anyone with a CISSP will tell you that hacking back against adversaries is illegal and generally a bad thing to do, there are alternatives that companies can use to gain insight into who is behind attacks, collect forensic evidence and generally confound hackers, perhaps to the point where they veer away from your network.

This is what’s driving the whole notion of active defense, which isn’t to be confused with hacking back. Active defense means setting up hurdles, loops and roadblocks on your side of the firewall that are meant to frustrate attackers and ultimately drive up the cost of their operations against you.

“Driving up cost is key,” said Paul Asadoorian, a SANS instructor, pen-tester with Tenable Network Security and host of the Pauldotcom podcast. Asadoorian and fellow SANS instructor John Strand run classes teaching what they call offensive countermeasures. These techniques amount to a variety of honeypots, false directories, phony data and plenty more that act as collection points for the traces attackers leave on your systems.

“We apply it to defense and people get excited because they’re attacking in a defensive way,” Asadoorian said. “We talk about setting traps more so than going after attackers.”

Hacking back can lead to inordinate collateral damage. Organizations have to understand that hackers generally use compromised machines to attack networks, and those machines could be part of critical infrastructure, financial services organizations, medical institutions, or your neighbor’s network. Tracking and taking down the last machine in a DDoS attack against your network may quell the effects of the attack, but you might also be taking down a computer that controls whether the lights stay on in an operating room, for example.

“The idea behind active defense is death by a thousand cuts,” said Randy Sabett, counsel at ZwilGen, a Washington, D.C., law firm. “The level of interconnectivity businesses have with the Internet is leading to more attacks occurring. It’s a domino effect. We are more connected without emphasis on security. No authentication, either peer to peer or computer to computer, was built in from the start. I can ping your computer and it will tell me stuff without knowing me. It doesn’t care.”

CrowdStrike is a security company built on active defense. Though still considered in stealth mode, the company offers services that identify attackers and their tactics, and turn those tactics against attackers through a variety of means that includes tailored misinformation and lookalike systems that keep hackers in a monitored area of a network for the purpose of attribution and forensics.

Steve Chabinsky, CrowdStrike senior VP of legal affairs and chief risk officer, said companies can do what they want to slow down and monitor attackers on their own networks. Those measures include false data, digital rights management techniques and Web beacons that can help protect data, or locate it if it has been stolen. That information can be shared with law enforcement, or be used to send cease-and-desist letters to hosting companies, said Chabinsky, former deputy assistant director of the FBI’s cyber division.

“Still, the legal community is debating the full extent of offensive actions a company can take when it involves intentionally accessing a third-party system without the owner’s permission. There are interpretations of federal law that doing so may be permissible if it’s just to delete your own data and no harm is done to the network,” he said. “Also, even if an action would technically violate the law if done for a criminal purpose, there is a lot of discussion about the legal defense of necessity.”

Chabinsky used the example of a victim holding down a thief until authorities arrive, a perfectly legal option in the real world.

“Unfortunately, until the government starts talking about the necessity framework, and does so across international borders, we are left with a digital society in which screams of ‘stop that man, he stole my wallet,’ are met mostly with inaction other than finger pointing at the victim to better hold on next time. That has to change,” he said.

Asadoorian and Strand, meanwhile, have developed a host of tactics that have been culled from hacker tricks that have tripped them up during penetration tests.

One, for example, is the honeyport, a script that runs on Windows or Linux machines and listens on otherwise unused high-numbered TCP ports for full connections (a completed three-way handshake, not a bare SYN from a port scan). Once someone completes a connection to port 3333, for example, the script writes a firewall rule that blocks all further traffic from that source address, and the connection itself is logged as evidence of hostile interest.
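As an added example, and not one of the scripts Asadoorian and Strand distribute, the following Python honeyport behaves as the paragraph describes: it accepts full TCP connections on a port nothing legitimate uses, logs the source, and builds a host-firewall rule against that address. The port number, the allowlisted ranges and the exact iptables/netsh invocations are assumptions for illustration.

```python
"""Honeyport: a TCP listener on a port nothing legitimate uses.  Any host that
completes the three-way handshake to it has no business being there, so its
source address is blocked with a host-firewall rule and the event is logged.

Added example for this article, not the SANS Offensive Countermeasures scripts.
The port, the allowlist and the firewall commands are assumptions."""
import ipaddress
import platform
import socket
import subprocess
from datetime import datetime, timezone
from typing import List, Optional

HONEYPORT = 3333  # assumed; any port with no real service behind it
# Assumed management ranges (admins, your own vulnerability scanner) that must
# never be auto-blocked, or the trap locks you out of your own network.
ALLOWLIST = [ipaddress.ip_network("127.0.0.0/8"),
             ipaddress.ip_network("10.0.0.0/8")]


def is_allowlisted(ip: str) -> bool:
    """True if ip falls inside a range we never block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def block_command(ip: str, os_name: Optional[str] = None) -> List[str]:
    """Build the firewall rule that drops all further traffic from ip.

    The address is validated first and the command is returned as an argv
    list, so attacker-influenced text never reaches a shell."""
    ipaddress.ip_address(ip)  # raises ValueError on anything but a literal IP
    os_name = os_name or platform.system()
    if os_name == "Windows":
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                "name=honeyport-" + ip, "dir=in", "action=block",
                "remoteip=" + ip]
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def handle_connection(ip: str, port: int, dry_run: bool = False) -> str:
    """Decide what happens to a host that completed a connection to the port.

    Returns "ignored" for allowlisted sources and "blocked" otherwise.  With
    dry_run=True the rule is built and logged but not installed."""
    stamp = datetime.now(timezone.utc).isoformat()
    if is_allowlisted(ip):
        print(f"{stamp} honeyport {port}: {ip} connected (allowlisted, ignored)")
        return "ignored"
    cmd = block_command(ip)
    print(f"{stamp} honeyport {port}: {ip} connected, blocking: {' '.join(cmd)}")
    if not dry_run:
        subprocess.run(cmd, check=False)  # needs root / Administrator
    return "blocked"


def serve(port: int = HONEYPORT, dry_run: bool = False) -> None:
    """Listen forever.  accept() returns only after a full handshake, so a
    half-open SYN scan never trips the trap; a connect scan or a real client
    does, and the source of a completed handshake cannot be trivially spoofed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, (ip, _) = srv.accept()
            conn.close()  # hand back nothing; the handshake was the tell
            handle_connection(ip, port, dry_run)


if __name__ == "__main__":
    serve(dry_run=True)
```

Run it as root (or Administrator) with `dry_run=False` to install rules for real. An `nmap -sS` sweep will not trigger it because no handshake completes; `nmap -sT`, `nc host 3333` or any real client will. The allowlist is not optional: the usual self-inflicted failure is blocking your own scanner or jump host. The script also never expires rules, so pair it with a periodic flush or a rule count cap before leaving it unattended.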

Another tactic meant to annoy attackers is the use of infinitely recursive directories, a trick Asadoorian said has been around for a long time. Here, they create a directory junction that points back at its own parent, so any tool that walks the tree without tracking where it has already been descends into the same directory over and over.
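An added example of the same trick, not the Offensive Countermeasures material: on Linux and other Unix-like systems the loop is a symlink pointing at its own parent (the Windows form the article describes is a junction made with `mklink /J` pointing at the parent directory). The code plants the loop in a temporary tree and then shows what it does to a walker that follows directory links blindly versus one that keys each directory on device and inode. The directory names and depth cap are assumptions.

```python
"""A directory link that points back at its own parent: root/loop/loop/loop/...
resolves forever, and a tool that walks directories without remembering what
it has already visited never finishes.

Added example for this article, not the Offensive Countermeasures material.
On Linux the link is a symlink to "."; on Windows it is a junction made with
mklink /J pointing at the parent directory."""
import os
import tempfile
from typing import List, Tuple


def plant_loop(root: str, name: str = "loop") -> str:
    """Create root/<name> pointing back at root and return its path."""
    link = os.path.join(root, name)
    os.symlink(".", link)
    return link


def naive_depth(path: str, limit: int) -> int:
    """Depth reached by a walker that follows directory links blindly.

    Without the cap this would run until the path exceeds PATH_MAX; the cap
    stands in for 'the attacker's tool hung'."""
    deepest = 0
    stack: List[Tuple[str, int]] = [(path, 0)]
    while stack:
        cur, depth = stack.pop()
        deepest = max(deepest, depth)
        if depth >= limit:
            continue
        for entry in os.listdir(cur):
            full = os.path.join(cur, entry)
            if os.path.isdir(full):  # True for the link too
                stack.append((full, depth + 1))
    return deepest


def careful_depth(path: str, limit: int) -> int:
    """Same walk, but each real directory (device and inode of the resolved
    target) is entered once, so the loop is recognised and skipped."""
    seen = set()
    deepest = 0
    stack: List[Tuple[str, int]] = [(path, 0)]
    while stack:
        cur, depth = stack.pop()
        st = os.stat(cur)  # follows the link, so the loop resolves to root
        key = (st.st_dev, st.st_ino)
        if key in seen or depth >= limit:
            continue
        seen.add(key)
        deepest = max(deepest, depth)
        for entry in os.listdir(cur):
            full = os.path.join(cur, entry)
            if os.path.isdir(full):
                stack.append((full, depth + 1))
    return deepest


def demo(limit: int = 25) -> Tuple[int, int]:
    """Build a tree with one real subdirectory and one loop; return both depths."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "share"))  # constructed sample tree
        plant_loop(root)
        return naive_depth(root, limit), careful_depth(root, limit)


if __name__ == "__main__":
    naive, careful = demo()
    print(f"blind walker stopped only at the cap, depth {naive}; "
          f"inode-tracking walker finished at depth {careful}")
```

The blind walker reports whatever cap you give it, which in a tool without a cap means it never returns; the careful walker sees one real subdirectory and is done. That asymmetry is the whole point of the trap: it costs the defender one link and costs any careless scraper or backup-stealing script its run. Your own backup and indexing tools walk the same tree, so test them against the loop before deploying it.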

They’ve also employed much simpler things such as putting up a message when an attacker hits a certain page on their clients’ network that says the attacker’s IP address has been blacklisted and can only be restored with an email to a particular address. Asadoorian said the IP isn’t really blacklisted, he just wants attribution of the attack via email.

“Work with management and the legal team and tell them what you’re doing,” Asadoorian said. “If you’re going to set up traps and collect information on attackers, connect with legal and management first. If a lawsuit arises and legal doesn’t know this is going on in advance, it can cause a lot of trouble. It almost always ends badly.”

Active defense requires experience, resources and the cooperation of legal counsel. Basic blocking and tackling with network defenses, meanwhile, can help fend off attackers without the need for infinite recursive directories, said Michael J. Keith, a security associate and pen-tester with Stach & Liu.

“Our pen-tests last multiple weeks, more time than the attacker has,” Keith said. “Unless you know the reward is worth it, you’re not going to spend that much time on an attack. Most of the headline-type of attacks over the years are rarely because an attacker has been truly persistent or crafty. It’s usually something incompetent that was left open.

“If I was a professional hacker after credit card numbers, there’s no way I would devote as much time as I do to exploit holes in customer networks,” Keith said. “A real attacker wouldn’t do that.”

CrowdStrike’s Chabinsky, meanwhile, said the current lack of cooperation between law enforcement agencies internationally is putting companies on their heels.

“The cost of an effective offensive operation is orders of magnitude cheaper than an effective defense to counter it. In addition, most nation-state sponsored cyber-intruders operate with complete impunity knowing full well that they likely will never be brought to justice and can conduct repeated operations until they achieve success,” said Chabinsky. “Raising the cost to the adversary or, alternatively, denying them the benefits of the information they are consuming through the use of deception, is critical to addressing this imbalance.”

This is part two of a series on active defense and hacking back.

Categories: Hacks

Comments (2)

  1. Elgog Partynipple

    I used to do Penetration Testing in the early 2000’s-2005. My rule for firewalls was to close all ports on the firewall except the ones required for the business. The ports were opened by TCP or UDP, whichever was required. I thought this was the practice of all firewall programming? Your example of port 3333 being closed on access makes it seem that all ports are open until it poses a threat. I thought all ports posed a threat and needed to be monitored. I also recorded IP addresses and did port scans monthly against the external WAN port to make sure that only accepted ports were open.

    The advice on this page seems very simplistic since Internet attacks have been going on for decades now.  Nothing better to recommend?

  2. Anonymous


    I think the point of this strategy is to present a firewall (or some other network opportunity) that has ports available that an attacker will go after; if you truly employ what we call defense in depth, then the role of that preliminary firewall/device is really to collect info from the attack, similar to the honeypot concept. As you stated, DAPE is a fundamental concept that all cyber security professionals are familiar with and have deployed on their respected networks. More than anything I think this is about gathering the info from attackers and using that info in subsequent efforts within the active defense in depth concept, esp. if you find that you have persistent threats from a particular nation state or organization.
