SAN FRANCISCO – Hacking back is a legal and ethical quandary for legislators, policy makers and the military. There have been a few high-profile, court-approved takedowns of botnets and infiltrations of cybercrime infrastructure, but they remain rare and routinely draw legal challenges.
Apparently, though, it doesn’t have to be that way. Two penetration testers speaking at
“The best defense is to have a good offense. We thought, what if we could take offensive measures that we’ve been using successfully in pen tests and employ them defensively,” said Paul Asadoorian, product evangelist with Tenable Network Security and host of the popular PaulDotCom podcast. “Hacking back is bad, but we want to flip hacking back on its head.”
Asadoorian and co-presenter John Strand, both of whom are instructors with the SANS Institute, advised that even this type of hacking back cannot be a one-off project.
“Discuss this within your organizations, and not just in the basement of the IT department,” Strand said. “Discuss it openly, and document it, and plan it out. And finally, don’t be evil. Once you get access to an attacker’s system, don’t look at files or take down their Web history. This can get you in trouble.”
The pair suggested seeding sensitive web pages, VPN portals and other network entry points with warning banners explaining that anyone connecting will be subject to NAC-like security checks. The banners should state plainly that everything from machine information to IP and MAC addresses and location data will be collected; that notice is what separates the attribution and attack steps below from a trap.
“It’s illegal to set up lethal traps,” Strand said. “But you should warn them of the [security] checks.”
Asadoorian described three components to their hack-back strategy: annoyance, attribution and attack. Annoyance is meant only to stress and frustrate an attacker. Using tools such as honeyports, SpiderTrap and WebLabyrinth, security pros can send attackers into endless loops of scanning false ports, services and directories.
“Attacks often don’t start until Web spider crawls are done looking for particular directories and pages,” Asadoorian said. “These crawls never finish.”
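As an added illustration of the annoyance component (this is example code, not WebLabyrinth or SpiderTrap themselves), here is a minimal web labyrinth in Python: every request under a trap prefix, whatever the path, returns a fake directory listing whose links all lead to further fake directories, so a spider that follows links never reaches a leaf. The trap prefix /trap/ and the listen port are assumptions; the crawl() function simulates a link-following spider so the "never finishes" property can be checked offline without a browser.

```python
"""Endless fake directory tree for web spiders (added example, not WebLabyrinth's code)."""
import hashlib
import re
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer

LINKS_PER_PAGE = 4          # every fake directory advertises this many children
TRAP_PREFIX = "/trap/"      # assumption: the path you list as Disallow in robots.txt


def child_names(path, n=LINKS_PER_PAGE):
    """Derive child directory names from the path itself.

    Deterministic, so a crawler that revisits a page sees the same links
    (nothing to tip it off), yet distinct paths get distinct children.
    """
    digest = hashlib.sha256(path.encode()).hexdigest()
    return [digest[i * 8:(i + 1) * 8] for i in range(n)]


def labyrinth_page(path):
    """Render any path as a directory index whose every entry is another directory."""
    if not path.endswith("/"):
        path += "/"
    items = "".join(
        f'<li><a href="{escape(path + name)}/">{name}/</a></li>'
        for name in child_names(path)
    )
    title = f"Index of {escape(path)}"
    return (f"<html><head><title>{title}</title></head>"
            f"<body><h1>{title}</h1><ul>{items}</ul></body></html>")


_HREF_RE = re.compile(r'href="([^"]+)"')


def crawl(start, max_pages):
    """Simulate a breadth-first spider over the labyrinth without a network.

    Returns (pages_fetched, links_still_queued). The queue grows by
    LINKS_PER_PAGE - 1 on every fetch, so the spider only stops because we cap it.
    """
    queue, seen, fetched = [start], set(), 0
    while queue and fetched < max_pages:
        page = queue.pop(0)
        if page in seen:
            continue
        seen.add(page)
        fetched += 1
        queue.extend(_HREF_RE.findall(labyrinth_page(page)))
    return fetched, len(queue)


class LabyrinthHandler(BaseHTTPRequestHandler):
    """Serve the labyrinth under TRAP_PREFIX; anything else gets a 404."""

    def do_GET(self):
        if not self.path.startswith(TRAP_PREFIX):
            self.send_error(404)
            return
        body = labyrinth_page(self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # A hit here is a client ignoring robots.txt; record it for attribution.
        print(f"labyrinth hit from {self.client_address[0]}: {self.path}")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LabyrinthHandler).serve_forever()
```

Pages are generated on the fly from the path, so the server stores nothing and the tree is effectively infinite; put the prefix in robots.txt as Disallow so legitimate crawlers stay out, and consider adding a small delay per response so the attacker's scanner, not your server, pays for the crawl.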
There are also tools that network admins can use for attribution. Word Web-Bugs, for example, takes advantage of Microsoft Word’s willingness to fetch remote content: a reference to a resource on a server you control is embedded in the document, so when a stolen copy is opened, Word calls back to that server and reveals the opener’s IP address and user agent. Another is the Metasploit Decloaking Engine from the Metasploit project, which uses browser plug-ins such as Java and Flash, along with DNS lookups, to unmask the real IP address of a visitor hiding behind a proxy or anonymizer.
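To make the document web bug concrete, here is an added example in Python (my code, not the Word Web-Bugs tool or its implementation). It builds a minimal .docx whose body carries an INCLUDEPICTURE field pointing at a per-document token URL on a callback host, and then correlates hits in that host's access log back to the token that was issued. The host name bug.example.net, the /img/ path layout and the sample log lines are all assumptions or constructed data; whether Word actually refreshes the field on open depends on the Word build and on Protected View, so treat the callback as best-effort.

```python
"""Document web bug: build a tracking .docx and correlate its callbacks.

Added example, not the Word Web-Bugs tool or its code. Assumptions: a
callback host you control (CALLBACK_HOST, a placeholder) whose web server
writes combined-format access logs, and a Word build that refreshes a
dirty INCLUDEPICTURE field on open (Protected View may block this).
"""
import re
import secrets
import zipfile
from collections import defaultdict
from io import BytesIO
from xml.sax.saxutils import escape

CALLBACK_HOST = "bug.example.net"   # assumption: replace with your own host

# Minimal OOXML package: content types, package rels and one document part.
_CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>"""

# The second paragraph is an INCLUDEPICTURE field whose source is the callback
# URL; w:dirty="true" asks Word to refresh it when the file is opened, and the
# \d switch keeps the fetched picture from being stored in the document.
_DOCUMENT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
<w:p><w:r><w:t>{text}</w:t></w:r></w:p>
<w:p><w:fldSimple w:instr="INCLUDEPICTURE &quot;{url}&quot; \\d" w:dirty="true"><w:r><w:t xml:space="preserve"> </w:t></w:r></w:fldSimple></w:p>
</w:body>
</w:document>"""


def callback_url(token):
    return f"http://{CALLBACK_HOST}/img/{token}.png"


def build_tracking_docx(text, token=None):
    """Return (token, docx_bytes); the token ties a later callback to this file."""
    token = token or secrets.token_hex(8)
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _CONTENT_TYPES)
        z.writestr("_rels/.rels", _RELS)
        z.writestr("word/document.xml",
                   _DOCUMENT.format(text=escape(text), url=escape(callback_url(token))))
    return token, buf.getvalue()


def document_xml(docx_bytes):
    """Read back word/document.xml, e.g. to inspect what a file will fetch."""
    with zipfile.ZipFile(BytesIO(docx_bytes)) as z:
        return z.read("word/document.xml").decode("utf-8")


# Combined log format as written by Apache or nginx.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
_TOKEN_RE = re.compile(r"^/img/(?P<token>[0-9a-f]{16})\.png$")


def correlate_callbacks(log_lines, known_tokens):
    """Map each issued token to the (ip, timestamp, user_agent) tuples that fetched it.

    Unknown tokens and unrelated requests are ignored, so scanner noise on the
    callback host cannot masquerade as a document being opened.
    """
    hits = defaultdict(list)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        t = _TOKEN_RE.match(m["path"])
        if t and t["token"] in known_tokens:
            hits[t["token"]].append((m["ip"], m["ts"], m["ua"]))
    return dict(hits)


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Feb/2012:10:15:02 +0000] "GET /img/0123456789abcdef.png HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; ms-office)"',
    '198.51.100.23 - - [28/Feb/2012:10:16:40 +0000] "GET /img/ffffffffffffffff.png HTTP/1.1" 404 209 "-" "curl/7.22.0"',
    '198.51.100.23 - - [28/Feb/2012:10:16:41 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    token, data = build_tracking_docx("Q3 payroll (do not distribute)")
    with open(f"payroll-{token}.docx", "wb") as f:
        f.write(data)
    print(correlate_callbacks(SAMPLE_LOG, {token, "0123456789abcdef"}))
```

A hit proves only that something at that IP fetched the URL: mail gateways, AV sandboxes and proxies open documents too, so the token-to-file mapping, the timestamp and the user agent together are what make the hit worth anything. Issue one token per copy you seed so a callback identifies which file walked out.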
As for attacking another system, Asadoorian and Strand were careful to stress that techniques such as the Java applet attack are meant only to extend your annoyance and attribution capabilities, which is why the warning banners matter so much. The two demonstrated a Java payload from Metasploit that gave them geolocation data about an attacker.
“We got a shell, but we don’t want persistent long-term access,” Strand said. “We are just getting longitude and latitude information.”
View all of our RSA 2012 Conference coverage.