igor - Fotolia

Manage Learn to apply best practices and optimize your operations.

Offensive countermeasures: How they can slow down adversaries

Sometimes the best defense is a good offense. Expert Eric Cole explains the merits of offensive countermeasures in the enterprise.

Ever wonder why it seems like the adversary always has the upper hand? It's because they do. Being on the offensive...

is always easier than being on the defensive. The offense only has to find one exposure to exploit, while the defense has to find them all.

While we can't change this fact, we do not have to make it any easier for the adversaries. If you look at how most software is designed and built, it is almost as if we go out of our way to make it easier for them to break in. Software is very informative, behaves in a predictable manner and is typically configured the same way for all systems. It's time we stop making things easy for the adversary.

Instead of having systems and environments that are easy to break into, what if we put in a little thought and made things more difficult for them? The concept of offensive countermeasures has been around for a while, but it is only in recent years that it has become more of an accepted way to make intrusions more difficult. Here are a few of the many offensive countermeasures that can be deployed by enterprises.

Change default header information

Many applications, when directly connected to the port, display information and details about the system in a default header. For example, if you directly connect to port 80, it would tell you that it is running Apache with the specific version number. Traditional security taught us to remove that information, while offensive countermeasures teach us to change it to incorrect information. If the system is running Apache, we would change the banner to display IIS 7.5. Now an attacker would think it is a Windows system and waste a large amount of cycles trying to break into the wrong OS. With any offensive countermeasure, attackers will eventually figure out what is going on, but that additional time could slow them down enough to increase detection capabilities.

SYN-ACK all port scans

A typical adversary would port scan systems to see what ports are running. They would send a SYN (synchronization) packet to each port, and if it is open, send back a SYN-ACK (synchronization acknowledged); if it is closed, it would send back a RST (reset) packet. With offensive countermeasures, the system or inline device (such as next-generation firewalls) would send back a SYN-ACK for every SYN so the adversary wouldn't know which ports are open and which ports are closed. In addition, this technique could also work with host discovery.

Dynamic virtualized environments

The concept of offensive countermeasures has been around for a while, but it is only in recent years that it has become more of an accepted way to make things more difficult for an adversary to break in.

Spinning up virtual machines is fairly easy to do and most organizations have resources they are not using. With traditional environments, every server on the network is legitimate and most servers are pretty static. This makes it easy and simple for an adversary to map out a network. With offensive countermeasures, enterprises could spin up a large number of additional systems with extraneous servers and dynamically change the environment. In this case, it is much harder for the adversary, and since things are changing, it can cause more confusion and slow down the attack.

Jailed honeypots

Traditional preventive devices allow legitimate traffic and block adversary traffic. The problem with this methodology is that advanced attacks are persistent and will keep trying until they get in. In many cases, preventing an advanced attack is just postponing the inevitable. With offensive countermeasures, everyone gets in. Instead of just one legitimate Web or mail server, there are two. One is the legitimate system and the other one is a honeypot in a jailed environment. The inline device would be configured to allow, rather than block, the attacker into the honeypot so intelligence can be gathered. Once again, this will not fool every attacker, but even if it fools or slows down a certain percent, every little bit counts.

Pros and cons of offensive countermeasures

Offensive countermeasures can be an effective way to slow down an adversary and increase the amount of time it takes to detect an attack; however, there are two areas that are controversial. First, if an organization implements techniques that make it hard for an attacker, then it is also making it hard for the penetration testers. With offensive countermeasures, penetration tests will take longer, which could make them more time consuming for internal employees or costly for third-party pen testers. But in my opinion, that is a good thing; if things are difficult for the pen testers, it is difficult for the adversary, which is the ultimate objective.

Second, some offensive countermeasures are active in that they attack back or install tracking software on the adversary's system. Depending on the country or region, those techniques can be controversial or even illegal. Hence, it may be better to focus on the passive methods to slow down the attacker, rather than actively attacking back.

Next Steps

Find out why experts struggle to define offensive security and hacking back.

Learn more about the debate around the ethics of offensive hacking courses.

This was last published in May 2015

Dig Deeper on Information security policies, procedures and guidelines