Tech Insight: Offensive Countermeasures Help Defenders Fight Back

Published: 22/11/2024   Category: security




Defenders desperate to prevent attacks have begun taking measures to fight back against attackers



Last month's Black Hat featured numerous defense-focused talks -- a change from the usual zero-day dropping, "there's nowhere to hide" types of discussions from prior years. From talks specifically on defense to talks that discussed attacks but included specific mitigations, there was a definite upswing in speakers looking to help enterprises better protect themselves.
Why the change? According to John Strand, co-host of the Pauldotcom podcast and owner of Black Hills Information Security, there has been a shift in defensive mindset due to the ineffective security products vendors are selling now. "They are designed to fight threats that are three to five years old and simply aren't cutting it," Strand said in an interview. Security pros that have moved into management in recent years know this -- they're looking for more effective alternatives.
So what should defenders be doing to protect their networks and corporate data? In the Black Hat talk "Sexy Defense: Maximizing the home-field advantage," independent security consultant Iftach Ian Amit stated that most companies already have the tools and products they need in place -- but don't know it. His presentation focused on processes (what to do), not on what to buy, to enhance defense. Some of those recommendations included mapping information and security assets, correlating logs from all systems, setting up honeypots, and counterintelligence. For more information, read Dark Reading's previous article on Amit's talk.
Beyond changing current practices and leveraging existing tools, another defensive movement has focused on offensive countermeasures. Offensive countermeasures focus on annoying (or confusing) the attacker, identifying the attacker, and exploiting the attacker's tools to render them ineffective. The goal is to make it more difficult for the attacker to succeed while giving the defender time to act appropriately.
That goal, in particular, fits into the OODA approach that Strand and Pauldotcom podcast co-host Paul Asadoorian taught during their Offensive Countermeasures training course. Originally developed for fighter pilots, the concept of Observe, Orient, Decide, and Act (OODA) basically means that those who do those things the fastest will survive, according to Asadoorian. By disorienting attackers through offensive countermeasures, defenders have a better opportunity to identify the attack and react before the attacker realizes he has been tricked.
Strand and Asadoorian taught several ways of annoying and confusing attackers based on knowledge of common attacker methods for identifying and exploiting vulnerabilities. Web-based attacks often begin with spidering, where a tool crawls a website's entire contents looking for vulnerable pages. Or the tool will look for specific files and directories (e.g., /admin, /private, /CFIDE/administrator/index.cfm). Tools such as WebLabyrinth can create bogus directories to confuse and trap Web scanners, while PHPIDS can automatically respond to attacks by logging the attack, emailing admins, forcing redirects, and killing the active Web session.
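The two mechanisms just described, a labyrinth of bogus directories that keeps a scanner busy and a PHPIDS-style automatic response once a client has tripped the trap, are shown together in the following added example. It is illustrative code written for this article, not WebLabyrinth's or PHPIDS's own implementation; the decoy prefixes, the seed value, the kill-after-three-hits threshold and the `TrapState` bookkeeping are all assumptions chosen for the demonstration.

```python
"""Decoy-path trap for web scanners (constructed example, not WebLabyrinth/PHPIDS code).

Scanners probe well-known paths such as /admin or /CFIDE/administrator/index.cfm.
A site that serves a never-ending maze of bogus links under those paths ties the
scanner up, and every request into the maze is a high-confidence signal that can
drive an automatic response (log, alert, redirect, kill the session).
"""
import hashlib
import html
from dataclasses import dataclass, field

# Paths the real application never serves; any request under them is a trap hit.
DECOY_PREFIXES = ("/admin", "/private", "/CFIDE/administrator")

# Hypothetical secret seed: the maze is deterministic (so a crawler can revisit
# it) but its link names cannot be predicted without the seed.
LABYRINTH_SEED = b"constructed-example-seed"


def is_decoy(path):
    """True when the request path (query string ignored) lies under a decoy prefix."""
    p = path.split("?", 1)[0]
    return any(p == pre or p.startswith(pre + "/") for pre in DECOY_PREFIXES)


def labyrinth_links(path, n=5):
    """Return n bogus child links derived from the current path.

    Each child's links are derived the same way, so a crawler that follows them
    never reaches a leaf: every level of the maze spawns n more directories.
    """
    base = path.rstrip("/") or "/"
    links = []
    for i in range(n):
        digest = hashlib.sha256(LABYRINTH_SEED + f"{base}:{i}".encode()).hexdigest()[:10]
        links.append(f"{base}/{digest}/")
    return links


def render_labyrinth(path):
    """Render a fake directory listing whose every link leads deeper into the maze."""
    items = "".join(
        f'<li><a href="{html.escape(link)}">{html.escape(link)}</a></li>'
        for link in labyrinth_links(path)
    )
    return f"<html><body><h1>Index of {html.escape(path)}</h1><ul>{items}</ul></body></html>"


@dataclass
class TrapState:
    """Per-client counters used to decide on a PHPIDS-like response."""
    hits: dict = field(default_factory=dict)   # client_ip -> decoy hit count
    killed: set = field(default_factory=set)   # client IPs whose session was killed


def handle_request(state, client_ip, path, kill_after=3):
    """Return (status, body, action).

    Non-decoy paths fall through to the real application ("pass"). The first
    decoy hits get the labyrinth ("trap"); once a client has hit kill_after
    decoys it is logged as hostile and its session is terminated ("kill-session").
    """
    if not is_decoy(path):
        return 200, None, "pass"
    count = state.hits.get(client_ip, 0) + 1
    state.hits[client_ip] = count
    if count >= kill_after:
        state.killed.add(client_ip)          # where a real deployment would alert admins
        return 403, "", "kill-session"
    return 200, render_labyrinth(path), "trap"


if __name__ == "__main__":
    st = TrapState()
    for p in ("/index.html", "/admin", "/private/backup.zip", "/admin/users"):
        status, _, action = handle_request(st, "203.0.113.9", p)
        print(f"{p:24s} -> {status} {action}")
```

The maze is keyed on the current path rather than stored, so the server holds no per-crawler state beyond the hit counter; a scanner that keeps following links simply generates more links. Keep legitimate crawlers out of it with `robots.txt` disallow rules for the decoy prefixes, since a well-behaved search engine would otherwise trip the trap too.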
Meanwhile, at Def Con 20, Dan Petro presented "Network Anti-Reconnaissance: Messing with Nmap Through Smoke and Mirrors," during which he discussed his Network Obfuscation and Virtualized Anti-Reconnaissance (Nova) project. Nova can be used to deploy a large number of honeypots that look similar to the legitimate hosts on the network. By doing this, Petro said, identifying the real systems essentially becomes the same as trying to find a needle in a haystack. When an attacker scans the network and encounters the decoys, Nova alerts network administrators so they can act.
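The alerting half of that idea, turning connections to decoy hosts into a scan verdict, is shown in the following added example. This is not Nova's code; the inventory of real and decoy addresses, the connection-log format and the sample lines are all constructed for the demonstration, and the "two distinct decoys means a scanner" threshold is an assumption.

```python
"""Reconnaissance detection from decoy-host traffic (constructed example, not Nova's code).

Real hosts are greatly outnumbered by decoys that look like them. Legitimate
clients only ever talk to real hosts, so any connection to a decoy is suspect,
and a source that touches several distinct decoys is almost certainly scanning.
"""
from collections import defaultdict

# Hypothetical inventory: three real servers hidden among 100 decoys.
REAL_HOSTS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}
DECOY_HOSTS = {"10.0.0.%d" % i for i in range(20, 120)}

# Constructed connection-log lines in the form "<src> -> <dst>:<port> <flags>".
SAMPLE_LOG = """\
10.0.0.5 -> 10.0.0.10:443 SYN
10.0.0.5 -> 10.0.0.11:445 SYN
192.168.1.77 -> 10.0.0.20:22 SYN
192.168.1.77 -> 10.0.0.21:22 SYN
192.168.1.77 -> 10.0.0.22:22 SYN
192.168.1.77 -> 10.0.0.10:22 SYN
10.0.0.6 -> 10.0.0.57:80 SYN
"""


def parse_line(line):
    """Split one log line into (src, dst, port, flags)."""
    src, _arrow, rest = line.split(" ", 2)
    dst_port, flags = rest.split(" ", 1)
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port), flags


def decoy_hits(log_text):
    """Map each source IP to the set of decoy hosts it connected to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, _port, _flags = parse_line(line)
        if dst in DECOY_HOSTS:
            hits[src].add(dst)
    return dict(hits)


def classify(log_text, scanner_threshold=2):
    """Label each source that touched a decoy.

    A single decoy hit can be a typo or stale DNS, so it is only "suspicious";
    hitting scanner_threshold or more distinct decoys is treated as a scan.
    """
    verdicts = {}
    for src, decoys in decoy_hits(log_text).items():
        verdicts[src] = "scanner" if len(decoys) >= scanner_threshold else "suspicious"
    return verdicts


def needle_in_haystack(real, decoys):
    """Fraction of the address pool that is real: the odds a blind probe lands on a real host."""
    return len(real) / (len(real) + len(decoys))


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"ALERT {src}: {verdict} (decoys touched: {sorted(decoy_hits(SAMPLE_LOG)[src])})")
    print(f"chance a random probe hits a real host: {needle_in_haystack(REAL_HOSTS, DECOY_HOSTS):.3f}")
```

In the sample, 10.0.0.5 only talks to real servers and never appears in an alert, 10.0.0.6 touched one decoy and is flagged for review, and 192.168.1.77 swept three decoys before reaching a real host, which is the point of the haystack: the alert fires before the scanner has learned anything useful.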
So often, companies are attacked and don't know why or who is responsible. The attribution component of Strand and Asadoorian's course offered ideas on how defenders can include JavaScript from the Browser Exploitation Framework (BeEF) project to unmask attackers. For example, a fake admin page could be created that uses BeEF to automatically find the attacker's local IP, remote IP, visited URLs, and other information.
Similarly, Web bugs can be placed in Microsoft Word documents that cause a URL to be requested when the document is opened. Files named to look like they contain confidential information could be placed on a site or file share. After the attacker downloads the file and then opens it, the defender would get a log entry on his Web server for the URL specific to that file. Of course, the attacker could be at a different location than the IP found in the logs, but it gives the defender a place to start.
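The Web-bug approach above needs two pieces on the defender's side: a unique URL per decoy file, and log parsing that turns a hit on that URL back into "file X was opened from IP Y". The following added example (written for this article, not code from the course or from Dark Reading) does both. The beacon hostname, the HMAC key, the Apache-style log lines and the document names are constructed for the demonstration; how the URL is embedded in the Word document (for instance as a remotely fetched image) is left to the document tooling and is not shown here.

```python
"""Web-bug honeytokens for decoy documents (constructed example).

Each decoy file gets its own beacon URL. The token is an HMAC of the filename,
so an attacker who finds one beacon cannot forge or enumerate the others, and
the defender can map any hit in the web-server log back to the exact file.
"""
import hashlib
import hmac
import re

BEACON_HOST = "beacon.example.invalid"       # hypothetical logging host
TOKEN_KEY = b"constructed-example-key"       # hypothetical secret key


def token_for(filename):
    """16 hex chars of HMAC-SHA256(key, filename): unique per file, unforgeable without the key."""
    return hmac.new(TOKEN_KEY, filename.encode(), hashlib.sha256).hexdigest()[:16]


def beacon_url(filename):
    """The URL to embed in the decoy document; fetched when the file is opened."""
    return f"https://{BEACON_HOST}/b/{token_for(filename)}.png"


def build_token_index(filenames):
    """token -> filename, used to resolve log hits."""
    return {token_for(f): f for f in filenames}


# Apache/nginx combined-format prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
BEACON_PATH_RE = re.compile(r"^/b/([0-9a-f]{16})\.png$")


def opened_documents(log_text, index):
    """Return [(timestamp, client_ip, filename)] for every beacon hit with a known token."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pm = BEACON_PATH_RE.match(m["path"])
        if not pm:
            continue
        token = pm.group(1)
        if token in index:                   # unknown tokens are noise or probing, not a hit
            hits.append((m["ts"], m["ip"], index[token]))
    return hits


def sample_log():
    """Constructed log lines; the real token is computed so the sample stays consistent with the key."""
    tok = token_for("Q3_salaries_CONFIDENTIAL.docx")
    return "\n".join([
        '203.0.113.9 - - [22/Nov/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
        f'203.0.113.9 - - [22/Nov/2024:10:17:42 +0000] "GET /b/{tok}.png HTTP/1.1" 200 68',
        '198.51.100.4 - - [22/Nov/2024:10:18:00 +0000] "GET /b/0000000000000000.png HTTP/1.1" 404 0',
    ])


if __name__ == "__main__":
    decoys = ["Q3_salaries_CONFIDENTIAL.docx", "board_minutes.docx"]
    for name in decoys:
        print(f"{name}: embed {beacon_url(name)}")
    for ts, ip, name in opened_documents(sample_log(), build_token_index(decoys)):
        print(f"[{ts}] {ip} opened {name}")
```

As the article notes, the IP in the log is only a starting point: the beacon fires from wherever the document was opened, which may be a proxy or a different machine from the one that took the file. Serving the beacon over HTTPS with a real certificate matters too, since a failed fetch in a document viewer produces no log entry at all.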
And then there's the topic of hacking back. Strand warns that doing anything to attack the attackers needs to be done extremely carefully and with cooperation from corporate legal counsel. With the right steps taken, he says it is possible to exploit an attacker's system using the Java payload from the Social Engineering Toolkit (SET) or an exploit against the attacker's scanning tool.
Just like end users must agree to acceptable use policies to use the network, confirm they read warning banners prior to logging in, and submit to running code to check their systems security posture, attackers can be subject to the same, provided the right system banners and warning are in place.
When defenders hack back blindly without prior authorization, it can easily end up backfiring. Tom Liston, senior security consultant at InGuardians, Inc., ran a few honeypots in an effort to learn more about attack methods and tools being seen in the wild. During a penetration test, Liston's client's IT staff noticed he was in one of their systems and decided to attack his IP address.
That was a big mistake, said Liston, because the client didn't realize that any unsolicited traffic to his IP was automatically directed to one of his honeypots. The client's IT staff member logged into the honeypot with the same username and password as the common penetration testing Linux distribution BackTrack. What the IT staff didn't know was that that was one account out of thousands that would have allowed him to log in.
After poking around for a while, he realized something wasnt quite right and decided to contact his supervisor. Liston said he received a personal phone call from the clients IT staff member apologizing for his actions, along with a guarantee from the client that any such actions would not happen again.
Defenders are cautioned that hacking back may seem fun during the heat of the moment, but doing so can land them in jail or without jobs. Offensive countermeasures, however, can provide that defensive edge needed to observe, orient, decide, and react faster than the attacker, and keep the network secure for another day.
