Welcome to the deep dive. Today we're looking at things a bit differently, cybersecurity-wise, moving beyond the usual stuff like patching and firewalls.
Yeah, we're diving into something called offensive countermeasures exactly.
The author of our source material uses this analogy, shepherds versus sheep and wolves, suggesting we should maybe be more active, like shepherds, right?
We've got this PDF from John Strand, Offensive Countermeasures: The Art of Active Defense, and the plan is to pull out the really interesting, maybe surprising ideas about actively defending yourself.
We want those aha moments, I guess, without getting totally bogged down in the weeds.
That's the goal. Find the insights that make you look at security in a new way.
And right off the bat you get a feel for the author. There's a dedication to family and someone called DC from the miss R. It feels well personal, it does.
And it's worth remembering who John Strand is: Black Hills Information Security, SANS Institute. This isn't just theory, it's grounded in, like, actual experience.
He even gives a shout out to his team at BHIS for doing the heavy lifting.
Yeah, it's a team effort, practical stuff.
Okay, so the big idea is shifting gears, right, from just reacting to, well, considering more active steps. But there's a huge caveat, isn't there?
Oh, absolutely. He hammers this home: do not be evil. This is definitely not about becoming some kind of digital vigilante.
So it's not just hack the hackers back.
No, not at all. Strand wants to open up the conversation about what responsible active defense could look like. He lays out options, a whole range, really.
And he mentions that you know, even the basic security advice often doesn't get fully implemented.
Right. So jumping straight to active measures is a big step. And there's that asymmetry thing. He talks about how hacking back is generally seen as, well, wrong.
But he wants to explore the legal ways this might actually improve security. So okay, where does he start navigating this minefield?
Logically, he starts with the law. You absolutely have to; this is foundational. And he warns straight away: don't just jump to hacking the attackers. He uses a few court cases to show where the lines are currently drawn and, crucially, where defenders can easily step over them.
Okay, first case, US versus Heckenkamp. What's the key point there?
Well, the interesting thing is what the court decided was okay versus what wasn't. In that case, just logging a MAC address, that unique hardware ID, wasn't seen as a privacy violation.
Okay, so logging the hardware ID: fine. But then there's the other case, Susan Clements-Jeffrey versus Absolute Software.
Exactly, and that one went the other way. It involved tracking a stolen laptop, sure, but also recording keystrokes, chat messages, even webcam photos, very personal stuff.
Ah, so that crossed the line a big one.
The lesson is clear: tracking hardware location might be okay, but intercepting communications, that hits federal wiretapping laws. Like the judge said, finding hardware versus eavesdropping, fundamentally different. It really drives home that "do not be evil" point. Good intentions don't excuse illegal interception.
Got it. Then he brings up E-Hippies versus the WTO. That sounds specific.
It was an odd one. An ISP basically reflected a denial of service attack back at the source, the E-Hippies site. What was really strange was that people had actually signed up to DDoS the WTO.
Wow. So volunteers for a cyber attack.
Yeah, it just highlights how messy it gets with distributed attacks and what responsibility intermediaries have.
And then the Microsoft botnet takedowns, Waledac, Rustock, Kelihos. Those are huge. What's the legal takeaway for the average company?
That's the critical point. Microsoft went through legal channels, got restraining orders, used RICO statutes, powerful stuff, but in doing so, they essentially took control of systems belonging to thousands of individuals, the owners of those infected bot computers, without their direct consent.
So even with court orders, it's controversial.
Very. And Strand's point is Microsoft has resources and legal clout most organizations can only dream of. Trying to replicate that is legally perilous and probably impractical for almost everyone else. It's not a playbook for the rest of us.
He also looks ahead, mentioning potential laws that might allow hacking back, but he's worried.
Yeah, his big concern is protecting the innocent bystanders, those intermediary victim machines, the bots. If laws allow broad hackback authority, how do you ensure those systems aren't just collateral damage.
So it all comes back to restraint.
Absolutely, do not be evil, tread very very carefully.
Okay, so the legal side is definitely complex. Let's move on to some of the actual countermeasures he discusses. First up, protecting IP and security through obscurity. Isn't that usually frowned upon?
It often is. Yeah, people tend to dismiss it, saying changing a port or server banner doesn't really stop anyone serious. But Strand offers a different perspective, framing it using the OODA loop: observe, orient, decide, act. That's kind of the attacker's decision cycle.
Okay, OODA loop. How does obscurity fit in?
Well, the idea is that even simple obscurity tricks can mess with the attacker's observe and orient phases. If your system doesn't look like what they expect, they have to spend more time figuring it out.
So it slows them down, buys you time.
Exactly. That extra effort, that delay, could be enough time for your detection systems to catch something. He uses that great example of iBuyer changing their server banner to look like a Commodore 64.
A Commodore 64.
Serious.
Yeah, it sounds silly, but it could easily trip up an automated scanner looking for, say, Apache or IIS. The scanner might just give up and move on. It's not about being unhackable, it's about increasing their work factor.
Making it harder for them to get oriented. I see. He also mentions user agent strings. That seems pretty basic.
It is, but it's another layer. You look at the user agent strings in your web logs. That's how browsers identify themselves. You can spot known bad tools or, you know, less sophisticated attackers who don't bother changing the defaults.
So you can filter out some noise that way.
Right. A skilled attacker can spoof it easily, sure, but it catches the low hanging fruit, and it's something you can easily show management, which is sometimes helpful.
Okay, moving into more active stuff, deception and misdirection. Setting traps, basically.
Pretty much. He talks about annoyance techniques, things like Cymmetria MazeRunner. These tools help you deploy honeypots, decoy systems, but also create fake breadcrumbs to lure attackers towards them.
Because just setting up a honeypot doesn't mean anyone will find it, right?
Exactly. You need to make it discoverable, but only by the people you want to discover it.
And then there's the, uh, "Mr. Clippy, show us the way" tactic. That sounds amusing.
It is. It uses PHPIDS, an intrusion detection system for web apps, but instead of just blocking an attack, it responds with the old Microsoft paper clip character, Clippy, offering a helpful link to OWASP security resources.
Huh so it mocked the attacker a bit.
Yeah, it's a bit of psychological disruption. Maybe makes them question if they're dealing with something unexpected. It messes with their OODA loop again.
He also suggests a random URL generator. How does that help?
That's aimed at automated website scanners. If your site starts generating tons of plausible looking but non existent URLs, the scanner can get completely bogged down.
He just keeps chasing fake pages. Right.
It takes forever to crawl, generates masses of useless data and might just exhaust the scanner's resources or time limits. It obscures your real site structure.
Okay, now we get to honeypots and honeyports. These sound like core concepts. Let's start with honeypots, right?
Honeypots are decoy systems or services. They look real, maybe even valuable. The key is no legitimate user should ever interact with a honeypot.
So any traffic hitting it is automatically suspicious.
Highly suspicious. Yes, it's great for detection, especially for attackers already inside your network, and you can learn a lot by watching what they do in the honeypot, what tools they use, what data they're after. Are they just looking for storage or are they after your critical data?
That makes sense. He mentions the Modern Honeypot Network, MHN.
Yeah. MHN is a framework that makes deploying different kinds of honeypots, like SSH honeypots, web honeypots, much, much easier. It automates a lot of the setup.
So it lowers the barrier to entry for using honeypots.
Definitely, makes it more accessible.
Then there's LaBrea Tarpit. Sounds sticky.
It is. It's designed to slow down automated scanning, especially things like malware spreading internally. If something tries to connect to an IP address or port that LaBrea is watching,
it responds really slowly.
Exactly, it just drags out the connection process. Tying up the scanner's resources makes scanning incredibly inefficient and might trigger alerts because the connections stay open for so long.
Okay, now, honeyports, how are they different?
Honeyports are more targeted than full honeypots. Instead of a whole fake system, it's just a single specific unused network port on a real system like port.
One twentive if nothing normally uses it.
Right, And the really clever part Strand talks about is using them for dynamic blacklisting.
Dynamic blacklisting, so blocking attackers automatically based on them hitting the honeyport.
Yes, but with a specific trigger. Typically it only blocks the IP address if the attacker completes a full TCP connection to the honeyport.
Why the full connection? Why not just any packet?
Because just sending a single packet, like in a basic SYN scan, is really easy to spoof. An attacker could send packets pretending to be from a legitimate IP address and trick your system into blocking someone innocent. Requiring a full connection, the whole three-way handshake, makes that much harder. It shows more deliberate intent.
Ah, okay, that makes it more reliable. He mentions IPKungFu and DenyHosts here, right?
IPKungFu has scripts for hardening Linux firewalls, iptables, and DenyHosts specifically watches for repeated failed logins, like SSH brute force attempts, and blocks those IPs. They're related concepts.
And he actually gives examples of setting up a basic honeyport. Let's walk through the Linux one briefly. How does that work?
It's surprisingly simple. You use a tool called netcat and entry to listen on an unused port, say twenty twenty five. Okay, then you'd tell netcat that when someone successfully connects, makes that full TCP connection, it should run a little script.
And the script does what?
The example script basically grabs the connecting IP address and then uses the iptables command, the Linux firewall, to instantly add a rule that blocks all further TCP traffic from that attacker's IP to your system.
So one connection to the honeyport and they're blocked from everything else.
Pretty much.
Yeah.
He shows how a simple SYN scan won't trigger it, but a tool trying to make a full connection gets immediately firewalled off.
And there's a similar method for Windows using PowerShell. In his firewall.
Yep, same principle. Listen on a port and if a full connection happens, run a PowerShell command to add a block rule to the Windows firewall. It's very practical.
He does mention a limitation, though, about spoofed connections.
If an attacker is sophisticated enough to fully spoof the TCP handshake, potentially predicting sequence numbers and so on, they might be able to trigger the block while hiding their real IP, but he notes this is generally much harder to do effectively, especially against a live system.
Well, it's not foolproof against really advanced attackers, but good for most.
Exactly. And you could add other layers, like monitoring those firewall rules for weird patterns.
Okay, let's shift to web traps like fake websites to catch scanners.
That's the idea. Tools like Spidertrap or WebLabyrinth. Spidertrap can generate a maze of random fake links, making a website look infinitely deep.
So a scanner just goes on forever.
Or it can use a word list, maybe one commonly used by attackers to create fake directories that look interesting but are just traps. It swamps the scanner with junk data.
You can even point to it in your robots.txt.
Yeah, legitimate search engines will ignore it, but an attacker might see admin backup trap in robots.txt and think, ooh, interesting, and walk right in.
WebLabyrinth, similar idea?
Similar, but PHP based, so easy to deploy. It can also log crawler activity to a database, which is great for analysis. Plus, it can return random HTTP status codes, not just 404s, making it harder for scanners to tell what's real and what's fake. It can even throw in fake email addresses as bait.
Clever. He also mentions creating infinitely recursive directories.
Yeah, that's a neat trick. You create a symbolic link inside a directory that points back to the directory itself. If a tool tries to recursively list files in there, like Metasploit's
Meterpreter, it might get stuck in a loop.
Exactly. It can freeze the tool, eat up resources, and make the malicious process really obvious to defenders. Simple but effective against certain tools.
What about tripwire-like defenses? Sounds like file integrity monitoring.
It is. He talks about Cryptolocked and Cryptolocked-ng. They work by placing special hidden trip files in critical locations.
Files that should never be touched.
Right. If anything accesses or modifies these trip files, it triggers an alert, logging, maybe even shuts down the offending process. Using the hunter module and Cryptolocked, it's like a silent alarm on your crown jewels.
Any access is a red flag.
Very strong indicator, yes.
Okay. Detecting human interaction, this seems different.
It's more behavioral. DenyHosts, which we mentioned, blocks IPs after too many failed logins, but you must whitelist trusted IPs first or you'll lock yourself out.
Good point.
Then there's human.py. This tries to spot if a human is using a service account. Service accounts should be automated, right? Usually, yeah. So if human.py sees things like typos in commands entered via a bash shell on that account, it suggests a person might have compromised it and is using it interactively.
Looking for those human errors on accounts that shouldn't have them. Interesting. Now, stealthy blocking.
This is Invisiport. It's like a honeyport, but instead of actively rejecting the connection and telling the attacker you're blocked, it just stops responding, silently adds them to a blacklist.
So the attacker's scan just hangs. They don't necessarily know they've been blocked.
Exactly. They might think the host is just down or unreliable. The idea is they're less likely to immediately switch IP addresses if they don't get that explicit rejection message.
And you can configure it to make some ports still look open to them.
Yeah, to enhance the deception, make them waste more time probing ports that will never respond properly. He also quickly mentions OsChameleon for making your OS fingerprint harder to guess.
What about web server specific traps?
PHP-HTTP-Tarpit. It confuses web scanners using log fuzzing, filling logs with junk, and spoofing errors. You hide a reference to it in your site and when a bot hits it, it gets tangled up.
And Artillery?
That's a listener that monitors multiple ports. If someone connects, it can play a sound and alert for you, and it can also add a firewall rule to block the IP.
Moving into wireless active defense, that's a whole different playground.
Definitely. He tells that funny story about ATVs connecting to his "you get hacked" Wi-Fi. Shows how casual wireless probing can be.
Huh yeah.
For more active stuff, there's Claymore. If someone joins your fake Wi-Fi network, Claymore automatically runs a full Nmap scan against their device. Quick recon.
Yeah, they're intel on anyone connecting to the honeypot Wi-Fi.
Right, and he mentions deauthentication tools to kick unauthorized devices off your real network. The point is you need to know who's sniffing around your wireless, even if many are just looking for free Internet.
Okay, lots of defensive techniques. Now attribution, trying to figure out who the attackers are. Yeah, but not for revenge, he says.
No, definitely not. Attribution here means understanding the attacker, What are their goals, how skilled are they, what tools are they using. It's about gathering intelligence to improve your defense.
And response, because static defenses just get bypassed eventually.
Often, yeah. Attackers adapt, so attribution needs active real-time effort during an attack.
He brings up SSH honeypots like Cowrie and Kippo first. How do they help attribute?
These are great because they don't just log failed logins. If an attacker does get into the honeypot, remember, these tools record their entire interactive shell session.
You can see every command they type.
Exactly. What files they look for, what tools they download, what they try to run. It's incredibly valuable insight into their methods and objectives. It's like watching over their shoulder in a safe environment.
What about attackers using things like Tor or proxies to hide? Can active defense still work?
It's harder, obviously, but Strand points out that using those tools sometimes forces attackers to disable things like JavaScript for better anonymity.
Which might break some exploits.
Right, so you can create targets requiring things like JavaScript, Java or maybe Word macros. If an attacker enables those to interact with your trap, you might get more information about their browser plugins, maybe even leak their real IP if the tech is vulnerable. You're exploiting their need to interact.
He mentions Decloak specifically for this.
Yeah, Decloak tries to uncover the real IP behind anonymizers, often by exploiting browser plugins. He suggests putting it in places normal users won't go, like disallowed areas in robots.txt, maybe with a warning banner.
Like a digital tripwire for anonymized attackers. He mentions the FBI using similar things.
Apparently so, yes.
What about tracking breaches via files?
Two main ideas here. One, put fake but realistic looking bait files on servers. If they get accessed, alarm bells ring. Okay? Two, use web bugs. These are tiny, often invisible images embedded in documents or pages. When the doc is opened, it requests the image from your server, logging the opener's IP.
So you can track when and where a stolen document is opened.
Potentially, yes. Tools like webbug server or slate bug server help manage this, and Deposa dot Pi specifically embeds them in modern .docx files, which are harder to analyze for these things.
Then there's honey badger sounds tacous geolocation.
Yeah. It uses Java applets to try and identify nearby Wi Fi access points from the attacker's machine based on public Wi Fi location databases. It can sometimes get a pretty good estimate of their physical location.
Wow. And you feed that location into Pushpin?
Exactly. Pushpin is part of the Recon-ng framework. You give it coordinates and it scours public sources, social media, Shodan, et cetera, for information related to that geographic area.
Trying to link the location to accounts.
Or devices, right. Connecting the dots using open source intelligence. You'll need API keys for things like Twitter, though.
Lastly for attribution, Jar-Combiner. This sounds a bit dodgy.
It definitely could be misused. The idea is to take a legitimate Java applet and embed a malicious information gathering applet inside it.
So the user sees the normal applet, but the hidden one phones home.
That's the concept. Combine the JAR files, sign it to look legit. It's advanced and ethically murky. Needs extreme caution.
Okay, we've seen lots of tools. He then talks about frameworks, specifically TALOS. What's the point of a framework here?
TALOS aims to make active defense more accessible and consistent. Instead of learning dozens of separate tools, you use a common interface in TALOS to load and run different active defense modules.
So it standardizes things, makes it easier to train people and deploy defenses consistently.
That's the idea. It has help systems, lets you set variables, script things. It even has trip codes: events from one module can trigger actions in another.
Makes sense. And Phantom, how does that fit with TALOS?
Phantom is like a remote agent for TALOS. You install Phantom on other machines on your network, and then your central TALOS instance can push modules and commands out to them over SSH.
Where you can manage honeyports or other defenses on remote servers from one place.
Exactly, similar to how Metasploit uses Meterpreter agents. Extends the reach of TALOS.
He also touches on some advanced concepts, even using tools like SET and BeEF. Aren't those offensive tools?
They are, primarily, but configured carefully they can be used for attribution. BeEF, the Browser Exploitation Framework, can hook an attacker's browser if they visit a compromised page.
And tell you about their system.
Yeah, OS, browser plugins, network info, maybe even deliver other payloads, but again you must place the hook carefully, somewhere off limits, maybe flagged in robots.txt with warnings, so legitimate users don't get hooked.
Same idea for SET. Creating malicious Java applets or macros, use them as bait.
Right. If the attacker interacts, it phones home. Extreme caution and careful placement are essential. He also details using a standalone Java applet attack tool, again stressing it should only be used in restricted, clearly marked areas.
Okay, so there's this constant theme of balancing attacker stealth with their need to actually do something.
Absolutely. His point is the more an attacker tries to hide using obfuscation, often the less effective their actual attack tools become. There's a trade off.
So active defenses force them to make choices, increase their effort.
Exactly. It complicates their OODA loop, makes them work harder, increases the chance they'll slip up or just give up. Raising the cost of attack is a key goal.
And he wraps up by emphasizing deterrence, not revenge.
Yes, very clearly, the goal isn't payback. It's making attackers think they're being watched, that they'll likely be detected. That's the deterrent.
Revenge hacking is pointless and illegal.
Pretty much. Adds no real security value and can land you in serious trouble. Remember the poison versus venom idea. You want to make attacking you unpleasant and risky for them, not necessarily strike back directly.
Okay, so wrapping up this deep dive on offensive countermeasures. Yeah, the big theme seems to be a shift in thinking, moving towards more proactive, thoughtful security.
Yeah, not just reacting, but actively using deception, detection, and attribution as defensive tools.
But always, always within those legal and ethical lines. That "do not be evil" message is crucial.
Couldn't agree more. It underpins everything. You have to know the boundaries and stay well within them.
So for you, the listener, maybe think about this: how could these kinds of strategies, these less conventional defenses, change the way we approach security overall? What other ideas might come from this shift away from purely passive defense?
Maybe it'll make you want to check out that original PDF by John Strand or look into some of the tools we talked about. It's definitely a fascinating area.
Definitely food for thought. Thanks for joining us for this deep dive.
