BreachExchange mailing list archives
6 Ways to Anger Attackers on Your Network
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 27 Dec 2018 08:36:44 -0500
https://www.darkreading.com/perimeter/6-ways-to-anger-attackers-on-your-network/d/d-id/1333550

When you see an attacker on your network, it's understandable to want to give them a taste of their own medicine. But how can you effectively anger intruders when "hacking back" is illegal?

In fact, the biggest legal risks are violations of the Computer Fraud and Abuse Act (CFAA), says Jason Straight, senior vice president and chief privacy officer at UnitedLex. And while businesses are dabbling in illegal activity, he advises against it. "Make no mistake: It is happening. Companies are hacking back," he explains, and much of their activity is arguably in violation of the CFAA. That said, he isn't aware of any prosecutions under CFAA against organizations engaged in what is often called "active defense activities."

Legal trouble aside, getting into a back-and-forth with attackers is dangerous, Straight cautions. "Even if you're really, really good and know what you're doing, the best in the business … will tell you it's very hard to avoid causing collateral damage," he explains. Chances are good your adversaries will see your "hack back" and launch a more dangerous attack in response. The worst thing you can do is go after the wrong party, the wrong network, or the wrong machines, he continues. Most hackers aren't using their own equipment when they attack.

"There are times when I have really wanted to strike back, but you can't and you don't," says Gene Fredriksen, chief information security strategy for PCSU. You can shut them off, blacklist their IP addresses, and do things to slow them down if your team uses a SIEM system. There are several steps you can take to anger attackers without actively targeting them in response. The idea is to get the bad guy to think twice, he explains, and let them know you're serious.

Here, security experts cite the most effective ways they've found to frustrate, deceive, and annoy attackers without risking legal consequences.
If you have a tactic they didn't list, please share it in the comments.

Security 101

Robert Portvliet, technical fellow at Cylance, thinks about what has frustrated him most as a pen tester: companies that do their homework and expose minimal attack surface, "[making] it difficult for an attacker each step of the way," he explains. Some techniques, he says, are as simple as properly hardening systems: Prevent PowerShell execution, for example, and don't give adversaries the ability to install new packages. Don't give people more privileges than they really need. Use architecture such as Microsoft Red Forest, which protects the transfer of credentials so attacks like LLMNR poisoning aren't as effective.

Proper network segmentation also helps. "You can't attack what you can't reach," Portvliet explains. For example, if two departments aren't required to communicate, segment their networks and disallow interaction. "It's about removing that easy win," he says.

He recommends companies approach their environments from an attacker's perspective. Assume each compromise point, come in from the outside, and phish a workstation. If someone can get into your network, he shouldn't be able to become a local admin. Go through the process of a potential compromise and ensure the right defenses are in place for each step. What you want to do is break multiple parts of the attacker kill chain.

"What I've found in pen testing is if you do the basic stuff and you do it well, it makes the pen test much more difficult," Portvliet says. "All the tried-and-true methods no longer bear fruit."

Honeypots

Companies used to make more use of honeypots, PCSU's Fredriksen says, but their popularity has since dropped off. "For quite a while, I had numerous honeypots out there that were interesting looking, and it was a way of frustrating attackers," he explains.
While adversaries are "going down the rabbit hole" and infiltrating the organization, honeypots let you collect information on who they are and what they're looking for. If they're seeking to do a "low and slow attack," he explains, or hiding themselves so it's six months before you find them on your network, it takes work, dedication, sharing, and discussion to track and monitor them. A honeypot lets security pros learn more about attackers while they operate. However, they require time to build and monitor, and companies often don't have the resources they need to do that, he adds.

Cylance's Portvliet says he rarely sees companies use honeypots in the wild. "From my perspective, it's not a widely used technique for defense," he adds. UnitedLex's Straight cautions companies as they explore honeypots: An attacker could see them as a challenge, he says, and things could escalate in a way they may otherwise not have.

Canaries

A canary is a tactic that's similar to honeypots but with lower maintenance, UnitedLex's Straight explains. With a honeypot, you're trying to get the adversary to break in and take something. Canaries are intended to warn you somebody is poking around the network in places he shouldn't.

With a canary, you set up something that looks like an attractive target (fake credentials, for example) and put it on the network in a place where an employee wouldn't go. If an account hits a fake file directory, you know somebody's poking around and can launch an investigation.

It's different from a honeypot, Straight says, because it's not as active in the way it traces an attacker out of the environment. Canaries are less invasive and less passive, and it's less likely even an advanced attacker will realize what happened. "I think there's less risk in using canaries than using honeypots," he explains. "There are more use cases for canaries." If all you want is to know someone is on the network, they help detect activity so you can block it.
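The detection side of the canary idea Straight describes, as an added example that is not from the article or from any of the quoted firms: it reads SIEM-style audit records and raises an alert whenever a decoy account is used (successfully or not) or a decoy file path is opened. The account name, share path, source addresses and the flattened key=value log format are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed decoys (hypothetical names): a credential no real process uses and
# a share path no employee has a reason to open.
CANARY_ACCOUNTS = {"svc_backup_legacy"}
CANARY_PATHS = {r"\\fs01\Finance_Archive\payroll_2017.xlsx"}

# Constructed sample SIEM export (not real telemetry): one key=value record per line
# for Windows Security events 4624 (logon), 4625 (failed logon), 4663 (object access).
SAMPLE_LOG = r"""
2018-12-27T08:31:02Z event=4624 user=jdoe src=10.0.5.23 object=-
2018-12-27T08:31:40Z event=4663 user=jdoe src=10.0.5.23 object=\\fs01\Finance\Q4.xlsx
2018-12-27T08:36:44Z event=4663 user=jdoe src=10.0.5.23 object=\\fs01\Finance_Archive\payroll_2017.xlsx
2018-12-27T08:37:10Z event=4625 user=svc_backup_legacy src=10.0.9.77 object=-
2018-12-27T08:37:12Z event=4624 user=svc_backup_legacy src=10.0.9.77 object=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) object=(?P<object>.*)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str   # "canary_account" or "canary_path"
    user: str
    src: str
    detail: str

def detect_canary_hits(log_text, accounts=CANARY_ACCOUNTS, paths=CANARY_PATHS):
    """Return one Alert per record that touches a decoy account or decoy path."""
    decoy_paths = {p.lower() for p in paths}  # Windows paths are case-insensitive
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unparseable line: skip it, never crash the pipeline
        rec = m.groupdict()
        # Decoy credential used, successfully (4624) or not (4625): no legitimate process knows it exists.
        if rec["user"] in accounts and rec["event"] in {"4624", "4625"}:
            alerts.append(Alert(rec["ts"], "canary_account", rec["user"], rec["src"],
                                f"logon event {rec['event']}"))
        # Access to the decoy file: a real employee has no reason to open it.
        if rec["event"] == "4663" and rec["object"].lower() in decoy_paths:
            alerts.append(Alert(rec["ts"], "canary_path", rec["user"], rec["src"], rec["object"]))
    return alerts

if __name__ == "__main__":
    for a in detect_canary_hits(SAMPLE_LOG):
        print(f"{a.ts} {a.kind}: user={a.user} src={a.src} {a.detail}")
```

Ordinary activity by jdoe against a real share produces nothing; only the decoy path and the decoy account fire, which is what keeps the alert volume low enough to investigate every hit.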
Deception Technology

What commercial tools bring now is a level of easy deployment and management that wasn't previously there in open source toolkits, Cylance's Portvliet says. The capabilities of deception tools range from deploying fake devices and workstations, to open shares, to embedded systems. Some provide the ability to implement different kinds of high-interaction honeypots. They can mimic different types of devices and different types of workstations, all intended to entice attackers to go after their systems.

When attackers touch any of the lures, you know they're malicious because no legitimate user would access fake workstations and files. "You touch any of this stuff [and] the alarm bells go off," Portvliet explains. It's all frustrating to attackers, he adds, who will fall for the lure of fake tools and files that legitimate employees wouldn't touch. "If you're doing it right, you're making the attacker work harder, and the attacker gets louder and makes more mistakes," he adds.

However, Portvliet says he hasn't encountered deception technology in pen testing. Companies are using honeypots and honey tokens, fake workstations, and fake accounts, but deception tools haven't caught on as much yet. If you do decide to install deception tech, do so only after hardening the system, environment, practices, and policies. "In my opinion, deception tech should be the icing on the cake," Portvliet says. "It shouldn't be the first thing you do."

Share Strategies

When companies share best practices, attackers are put in a vulnerable position. Usually they're the ones pooling their favorite tactics – not the organizations they target, says PCSU's Fredriksen. If you have an open port on your machine, for example, many people know you have a weakness. "One thing the bad guys excel at across the board is information sharing," he continues. On the business side, we don't tend to do that.
Even people responsible for threat sharing don't exchange information to the extent they should be, Fredriksen adds. He advises sharing data on threats detected and where suspicious traffic is coming from. "That's a way to also frustrate and delay the bad guys because they rely on the fact that we don't talk," he says. "If we're communicating and constantly shutting their attack vectors down, they're going to have to be more flexible."

'Non-Prosecutable Activity'

While he's not in favor of it, UnitedLex's Straight says there is a zone between legal activity and illegal activity. It's called "non-prosecutable activity," and it encompasses actions that are frowned upon but likely will not result in legal consequences for the company engaging in it. "It is still technically illegal," he says. "There are just certain kinds of things you know you'd never be prosecuted for."

As an example, Straight describes a time when his firm was assisting a company that had suffered an intrusion and was actively compromised. An analyst found an email address and password while investigating files on a compromised server, then later figured out the attacker was exfiltrating data from the victim company to that account. So he entered the intruder's login information, accessed the account, and discovered the company's stolen files.

"That's illegal – you can't do that," Straight says. But when he told law enforcement, they didn't get him in trouble. After all, he adds, they would be admitting they couldn't effectively do their jobs and prosecuting the person who did it for them.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com