[BreachExchange] 6 Ways to Anger Attackers on Your Network

Destry Winant destry at riskbasedsecurity.com
Thu Dec 27 08:36:44 EST 2018


https://www.darkreading.com/perimeter/6-ways-to-anger-attackers-on-your-network/d/d-id/1333550

When you see an attacker on your network, it's understandable to want
to give them a taste of their own medicine. But how can you
effectively anger intruders when "hacking back" is illegal?

In fact, the biggest legal risks are violations of the Computer Fraud
and Abuse Act (CFAA), says Jason Straight, senior vice president and
chief privacy officer at UnitedLex. And while businesses are dabbling
in illegal activity, he advises against it.

"Make no mistake: It is happening. Companies are hacking back," he
explains, and much of their activity is arguably in violation of the
CFAA. That said, he isn't aware of any prosecutions under CFAA against
organizations engaged in what is often called "active defense
activities."

Legal trouble aside, getting into a back-and-forth with attackers is
dangerous, Straight cautions. "Even if you're really, really good and
know what you're doing, the best in the business … will tell you it's
very hard to avoid causing collateral damage," he explains. Chances
are good your adversaries will see your "hack back" and launch a more
dangerous attack in response.

The worst thing you can do is go after the wrong party, the wrong
network, or the wrong machines, he continues. Most hackers aren't
using their own equipment when they attack.

"There are times when I have really wanted to strike back, but you
can't and you don't," says Gene Fredriksen, chief information security
strategist for PCSU. You can shut them off, blacklist their IP
addresses, and do things to slow them down if your team uses a SIEM
system. There are several steps you can take to anger attackers
without actively targeting them in response.

The idea is to get the bad guy to think twice, he explains, and let
them know you're serious.

Here, security experts cite the most effective ways they've found to
frustrate, deceive, and annoy attackers without risking legal
consequences. If you have a tactic they didn't list, please share it
in the comments.

Security 101

Robert Portvliet, technical fellow at Cylance, thinks about what has
frustrated him most as a pen tester: companies that do their homework
and expose minimal attack surface, "[making] it difficult for an
attacker each step of the way," he explains.

Some techniques, he says, are as simple as properly hardening systems:
Prevent PowerShell execution, for example, and don't give adversaries
the ability to install new packages. Don't give people more privileges
than they really need. Use architecture such as Microsoft Red Forest,
which protects the transfer of credentials so attacks like LLMNR
poisoning aren't as effective.

Proper network segmentation also helps. "You can't attack what you
can't reach," Portvliet explains. For example, if two departments
aren't required to communicate, segment their networks and disallow
interaction. "It's about removing that easy win," he says.

He recommends companies approach their environments from an attacker's
perspective. Assume each point of compromise in turn: come in from the
outside and phish a workstation. If someone can get into your network, he
shouldn't be able to become a local admin. Go through the process of a
potential compromise and ensure the right defenses are in place for
each step.

What you want to do is break multiple parts of the attacker kill
chain. "What I've found in pen testing is if you do the basic stuff
and you do it well, it makes the pen test much more difficult,"
Portvliet says. "All the tried-and-true methods no longer bear fruit."

Honeypots

Companies used to make more use of honeypots, PCSU's Fredriksen says,
but their popularity has since dropped off. "For quite a while, I had
numerous honeypots out there that were interesting looking, and it was
a way of frustrating attackers," he explains.

While adversaries are "going down the rabbit hole" and infiltrating
the organization, honeypots let you collect information on who they
are and what they're looking for. If they're seeking to do a "low and
slow attack," he explains, or hiding themselves so it's six months
before you find them on your network, it takes work, dedication,
sharing, and discussion to track and monitor them. A honeypot lets
security pros learn more about attackers while they operate.

However, they require time to build and monitor, and companies often
don't have the resources they need to do that, he adds. Cylance's
Portvliet says he rarely sees companies use honeypots in the wild.
"From my perspective, it's not a widely used technique for defense,"
he adds.

UnitedLex's Straight cautions companies as they explore honeypots: An
attacker could see them as a challenge, he says, and things could
escalate in a way they may otherwise not have.

Canaries

A canary is a tactic that's similar to honeypots but with lower
maintenance, UnitedLex's Straight explains. With a honeypot, you're
trying to get the adversary to break in and take something. Canaries
are intended to warn you somebody is poking around the network in
places he shouldn't.

With a canary, you set up something that looks like an attractive
target (fake credentials, for example) and put it on the network in a
place where an employee wouldn't go. If an account hits a fake file
directory, you know somebody's poking around and can launch an
investigation.

It's different from a honeypot, Straight says, because it's not as
active in the way it traces an attacker out of the environment.
Canaries are less invasive and less passive, and it's less likely even
an advanced attacker will realize what happened.

"I think there's less risk in using canaries than using honeypots," he
explains. "There are more use cases for canaries." If all you want is
to know someone is on the network, they help detect activity so you
can block it.

Deception Technology

What commercial tools bring now is a level of easy deployment and
management that wasn't previously there in open source toolkits,
Cylance's Portvliet says. The capabilities of deception tools range
from deploying fake devices and workstations, to open shares, to
embedded systems.

Some provide the ability to implement different kinds of
high-interaction honeypots. They can mimic different types of devices
and different types of workstations, all intended to entice attackers
to go after their systems. When attackers touch any of the lures, you
know they're malicious because no legitimate user would access fake
workstations and files.
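Added example, not code from the article or from any of the quoted experts: a small detector that raises an alert when an audit event touches a canary directory or a canary account, the "somebody's poking around" signal Straight describes for canaries and the lure-touch alarm Portvliet describes for deception tools. The lure paths, the account names, the sample events and the key=value event format are all constructed for this example; only the two Windows event IDs (4663 object access, 4624 logon) are real.

```python
import re
from typing import Dict, List

# Hypothetical lure inventory: a fake share directory and a fake service account
# that no legitimate employee or process has any reason to touch (assumed names).
CANARY_PATHS = [r"\\fs01\finance\payroll_2018", r"c:\backups\old_keys"]
CANARY_ACCOUNTS = {"svc_backup_legacy", "admin_old"}

# Constructed sample events in a simplified key=value form (not real Windows log
# output). event=4663 is object access and event=4624 is a successful logon.
SAMPLE_EVENTS = [
    r"ts=2018-12-26T09:14:02Z event=4663 user=jsmith host=WS-117 object=\\fs01\finance\q4_report.xlsx",
    r"ts=2018-12-26T09:15:40Z event=4663 user=jsmith host=WS-117 object=\\fs01\Finance\payroll_2018\salaries.csv",
    r"ts=2018-12-26T09:16:05Z event=4624 user=svc_backup_legacy host=WS-117 logon_type=3",
    r"ts=2018-12-26T09:20:11Z event=4624 user=mlee host=WS-042 logon_type=2",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value audit line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_canary_path(path: str) -> bool:
    """Windows paths are case-insensitive, so compare lower-cased prefixes."""
    p = path.lower()
    return any(p.startswith(c.lower()) for c in CANARY_PATHS)


def detect_canary_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per lure touch: a canary directory read or a canary logon.

    Every hit is high-confidence by construction (the lures have no business use),
    so the account and host in each alert are the starting point for an investigation.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "4663" and is_canary_path(ev.get("object", "")):
            alerts.append({"kind": "canary_file", "user": ev["user"],
                           "host": ev["host"], "detail": ev["object"]})
        elif ev.get("event") == "4624" and ev.get("user") in CANARY_ACCOUNTS:
            alerts.append({"kind": "canary_account", "user": ev["user"],
                           "host": ev["host"], "detail": "logon_type=" + ev.get("logon_type", "?")})
    return alerts


if __name__ == "__main__":
    for a in detect_canary_hits(SAMPLE_EVENTS):
        print(f"ALERT {a['kind']}: {a['user']}@{a['host']} -> {a['detail']}")
```

On the sample events the ordinary read of q4_report.xlsx and mlee's interactive logon produce nothing, while the payroll_2018 read and the svc_backup_legacy logon each produce an alert pointing at host WS-117.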

"You touch any of this stuff [and] the alarm bells go off," Portvliet
explains. It's all frustrating to attackers, he adds, who will fall
for the lure of fake tools and files that legitimate employees
wouldn't touch. "If you're doing it right, you're making the attacker
work harder, and the attacker gets louder and makes more mistakes," he
adds.

However, Portvliet says he hasn't encountered deception technology in
pen testing. Companies are using honeypots and honey tokens, fake
workstations, and fake accounts, but deception tools haven't caught on
as much yet.

If you do decide to install deception tech, do so only after hardening
the system, environment, practices, and policies. "In my opinion,
deception tech should be the icing on the cake," Portvliet says. "It
shouldn't be the first thing you do."

Share Strategies

When companies share best practices, attackers are put in a vulnerable
position. Usually they're the ones pooling their favorite tactics –
not the organizations they target, says PCSU's Fredriksen. If you have
an open port on your machine, for example, many people know you have a
weakness.

"One thing the bad guys excel at across the board is information
sharing," he continues. On the business side, we don't tend to do
that. Even people responsible for threat sharing don't exchange
information to the extent they should be, Fredriksen adds. He advises
sharing data on threats detected and where suspicious traffic is
coming from.

"That's a way to also frustrate and delay the bad guys because they
rely on the fact that we don't talk," he says. "If we're communicating
and constantly shutting their attack vectors down, they're going to
have to be more flexible."

'Non-Prosecutable Activity'

While he's not in favor of it, UnitedLex's Straight says there is a
zone between legal activity and illegal activity. It's called
"non-prosecutable activity," and it encompasses actions that are
frowned upon but likely will not result in legal consequences for the
company engaging in it.

"It is still technically illegal," he says. "There are just certain
kinds of things you know you'd never be prosecuted for."

As an example, Straight describes a time when his firm was assisting a
company that had suffered an intrusion and was actively compromised.
An analyst found an email address and password while investigating
files on a compromised server, then later figured out the attacker was
exfiltrating data from the victim company to that account. So he
entered the intruder's login information, accessed the account, and
discovered the company's stolen files.

"That's illegal – you can't do that," Straight says. But when he told
law enforcement, they didn't get him in trouble. After all, he adds,
they would be admitting they couldn't effectively do their jobs and
prosecuting the person who did it for them.


More information about the BreachExchange mailing list