Taking a more active approach
You may have seen my post on hacking back and how it’s a nightmare that screams inexperience when I hear it (don’t get me wrong there are very limited times when it might be useful from a national defence perspective/intelligence services but that isn’t really ‘hacking back’ in my book, they are already working that space so it’s not a retaliation) however I’ve been spurred on this morning by a tweet I saw from @1njection:
After tweeting a quick reply, I thought I had put together a quick blog on aggressive active defences! (not wordy much).
Let us start with understanding what passive and active defence is.
Passive Defence Measures would include items such as intrusion detection, security monitoring and system hardening. Active measures could include areas such as Web Application Firewalls, Intrusion Protection Systems (IPS), honeypots, canaries, and decoys.
So, what the hell is an aggressive defence?
Let us think for a minute about an attacker cycle:
To start with they recon and enumerate. This is such a key part of the iterative attacker method, both pre-initial access and post for lateral movement and privilege escalation information is the breadcrumbs that leads an attacker to explore a system to identify weaknesses and attempt to exploit vulnerabilities.
What would make an attacker’s life harder? Think about air combat (I cannot wait for Top Gun 2 by the way!) and how chaff and flares are used. We also can think about flying under the radar ceiling as another measure. But what is we were to spoof the radar and make our fleet look 10x the size? Or have phantom drones or holographic planes that the enemy starts chasing. This sounds like it could be fun right?
Now let us think about what fun we can have with systems to make an attacker’s life miserable! Oh, boy this is going to be fun right!
Some examples in the cyber defence world
I am not going to go into minute details but let us start a quick list of things we could do to make an attacker’s life miserable!
- Use honeypots
- Setup canaries (e.g., configure alerts if someone tries to logon as root to a system without a native account named root)
- Use decoys either as we described above with canaries or even deploy whole systems in totally segmented environments using hard to accidently touch DNS entries etc. if someone is really going for you, they will probably find these and start poking. Monitor and alert and use this intel to correlate to actual production services. We had this not so long ago where I use PwnDefend Labs honeypots and the awesome GreyNoise to give a steer if some chatter was real.
- You can start to have fun as well by using redirects and symbolic links in likely admin locations on webservices e.g., /public can “symbolic” link to itself and create an infinite loop. Burp will run this down to 16 levels, so you can scatter some other known folders in here too.
- Rabbit holes, you can create rabbit holes that lead nowhere. You can take attackers down paths that look real, hell you can even leave unique named breadcrumbs and monitor for these. I do this on covert honeypots. Think about if you have a WordPress site, and you use an alternative admin path but also have a fake admin portal on wp-admin that does nothing with the users input other than log the requests.
- Messing with return codes (who does not love an HTTP 500 when the resource is there) – this will fill tools up with false positives. You can also make fake vulnerability return response to fool scanners into registering lots of false positives.
- Falsify version numbers, it is great to show a server banner which says you are running on Windows 2000 right!
- Sending back large responses to unused functions and resources.
Deploying an aggressive defence capability
Once you have foundational defences deployed in an environment and you have covered the key elements of your security program that is when you can start to get really creative. I would suggest you need a well-documented and good known baseline before adding lots of these features into your active defences. You can clearly go wild in this space, the only thing I would say is mindful of the legality of what you put in place. My take would be “If in doubt do not deploy and seek legal advice”. I would not recommend people do this without a suitably strong baseline maturity level.
However, if you have a solid foundation, a skilled team and it aligns to your business risk appetite, the sensitivity of services you are protecting and you are doing so in a legal and safe manner, adding an aggressive defence component into your defensive arsenal is going to make an attacker’s life hell. Be cyber safe and may the force be with you.