SAN FRANCISCO -- Hacking back is a legal and ethical quandary for legislators, policy makers and the military. While there have been a few high-profile court-approved takedowns of botnets and infiltrations of cybercrime infrastructure, these are few and far between, and they usually attract an equal share of judicial challenges.
It doesn't have to be that way, though. Two penetration testers speaking at RSA Conference 2012 on Thursday offered technical measures that businesses can use to frustrate attackers probing their systems, gather details about the attacks and, within limits, gently hack back.
"The best defense is to have a great offense. We thought, what if we take the offensive measures that we've been using successfully in pen tests and employ them defensively," said Paul Asadoorian, product evangelist with Tenable Network Security and host of the popular PaulDotCom podcast. "Hacking back is bad, but we wish to flip hacking back on its head."
Asadoorian and co-presenter John Strand, both of whom are instructors with the SANS Institute, cautioned that even this kind of hacking back cannot be a one-off project.
"Discuss this within your organizations, and not just in the basement of the IT department," Strand said. "Discuss it openly, document it, and plan it out. And finally, do not be evil. Once you get access to an attacker's system, don't look through files or pull down their Web history. That can get you in trouble."
The pair suggested seeding sensitive Web pages, VPN gateways and other network entry points with warning banners stating that, in order to connect to the network in question, visitors will be subject to NAC-like security checks. The warnings should spell out to anyone logging in that everything from machine information to IP and MAC addresses and location data may be collected.
"It's illegal to set lethal traps," Strand said. "But you need to warn them of the [security] checks."
Asadoorian said that of the three components of their hack-back strategy -- annoyance, attribution and attack -- annoyance is intended merely to wear down and frustrate an attacker. Using tools such as honeyports, SpiderTrap and WebLabyrinth, security pros can send attackers into endless scanning loops of bogus ports, services and directories.
"Attacks often don't start until Web spider crawls are done looking for particular directories and pages," Asadoorian said. "These crawls never finish."
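To make the "crawls never finish" idea concrete, here is a small crawler trap in the spirit of WebLabyrinth. It is an added example written for this page, not the presenters' tool or code. Every page under a trap prefix is an "index" of links to child pages that exist only because they were requested, so a spider following links descends forever, and the server flags any client that gets more than a few levels deep. The prefix `/backup`, the depth threshold of 3 and the listening port are assumptions chosen for illustration.

```python
"""WebLabyrinth-style crawler trap (added example, not the presenters' tool).

Every page under TRAP_PREFIX is an HTML "directory index" whose links lead
to further pages under the same prefix.  Pages are generated on demand, so
the tree has no bottom and a link-following spider never completes.
"""
import hashlib
import hmac
import logging
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

TRAP_PREFIX = "/backup"       # assumption: no legitimate page links here
LINKS_PER_PAGE = 5
SCANNER_DEPTH = 3             # assumption: humans rarely click this deep into junk
RUNTIME_SEED = secrets.token_bytes(16)   # fresh per process start

# Well-behaved search engines honour robots.txt and stay out of the trap.
# Attack spiders usually ignore it, or read it as a list of interesting paths.
ROBOTS_TXT = f"User-agent: *\nDisallow: {TRAP_PREFIX}/\n"


def child_links(path, seed, n=LINKS_PER_PAGE):
    """Derive n child URLs under `path` from an HMAC over the parent path.

    Deterministic for a given seed, so re-fetching a page shows the same
    links (a crawler cannot spot the trap by diffing two fetches), yet
    unbounded, because every child is itself a valid parent.
    """
    base = path.rstrip("/")
    links = []
    for i in range(n):
        tag = hmac.new(seed, f"{base}|{i}".encode(), hashlib.sha256).hexdigest()[:12]
        links.append(f"{base}/{tag}/")
    return links


def trap_depth(path, prefix=TRAP_PREFIX):
    """Number of path segments below the trap prefix; -1 if outside the trap."""
    if path != prefix and not path.startswith(prefix + "/"):
        return -1
    rest = path[len(prefix):].strip("/")
    return len(rest.split("/")) if rest else 0


def is_scanner(path, threshold=SCANNER_DEPTH):
    """Attribution hook: a client this deep in the labyrinth is following links blindly."""
    return trap_depth(path) >= threshold


def render_page(path, seed):
    """HTML listing of fake 'files' that are really links deeper into the trap."""
    items = "\n".join(
        f'<li><a href="{u}">{u.rsplit("/", 2)[-2]}</a></li>' for u in child_links(path, seed)
    )
    return f"<html><body><h1>Index of {path}</h1><ul>\n{items}\n</ul></body></html>"


class LabyrinthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = self.path.split("?", 1)[0]
        if path == "/robots.txt":
            body, ctype = ROBOTS_TXT, "text/plain"
        elif trap_depth(path) >= 0:
            if is_scanner(path):
                logging.warning("scanner %s depth=%d path=%s ua=%r",
                                self.client_address[0], trap_depth(path), path,
                                self.headers.get("User-Agent"))
            body, ctype = render_page(path, RUNTIME_SEED), "text/html"
        else:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("127.0.0.1", 8080), LabyrinthHandler).serve_forever()
```

Run it and point a spider at `http://127.0.0.1:8080/backup/`: the log fills with "scanner" lines once the client is three levels down, which is the attribution signal the talk describes, while the crawl itself never terminates. The HMAC-derived names are the part worth copying: random names would let an attacker detect the trap by fetching a page twice and comparing, whereas a hidden `Disallow` line is exactly the kind of path an attack spider is built to go after.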
There are also tools network admins can use for attack attribution. Word Web-Bugs, for example, take advantage of Microsoft Word's built-in browsing capabilities: an iFrame embedded in a Word document's metadata calls back to you once a sensitive document is opened. Another is the Metasploit Decloaking Engine from the Metasploit project, which unmasks the real IP address of an attacker hiding behind a proxy or anonymizing service.
As for attacking the other system, Asadoorian and Strand were careful to stress that techniques such as the Java applet attack are meant only to extend your annoyance and attribution capabilities, hence the extensive warning banners. The two demonstrated a Java payload from Metasploit that let them obtain geolocation data about an attacker.
"We got a shell, but we do not want persistent long-term access," Strand said. "We are only getting longitude and latitude information."