Active Defense Team BAM! Scott Amack, Everett Bloch, and Maxine Major

Posted on 24-Dec-2015


Overview

Definition of “active defense”

Risks & legal issues

Active defense tools

Demo

Conclusions

What is Active Defense?

A.K.A.:

◦ Passive defense

◦ Hacking back

◦ Striking back

◦ Retributive counterstriking

◦ Mitigative counterstriking

◦ Active threat neutralization

What is Active Defense?

“synchronized, real time capability to discover, detect, analyze and mitigate threats and capabilities.” – DOD

“Active defenses consist of electronic countermeasures that attack an aggressive computer system, immobilizing that system and thus halting the cyber attack.” (jnslp.com)

“electronic counter-measures designed to strike attacking computer systems and shut down cyberattacks midstream.”

“to have true active defense, you’ve got to be able to meet the threat wherever it occurs.”

(off the record comment by a military official)

What is Active Defense?

Active defense includes:

local intelligence gathering

remote intelligence gathering

actively tracing the attacker

actively attacking the attacker.

What is Active Defense?

Active defense includes:

local intelligence gathering: LEGAL

remote intelligence gathering: CAUTION

actively tracing the attacker: CAUTION

actively attacking the attacker: CAUTION

In the News

Facebook vs. Koobface (2008 - 2012) (also MySpace, hi5, Bebo, Friendster, Twitter, and Sophos vs. Koobface)

Koobface: malware spread via social networking (Facebook), created a botnet.

Sophos found (and Facebook released) info on the creators of the Koobface botnet via publicly available information.

Full daily backup of Command & Control software found during Webalizer search (last.tar.bz2)

◦ PHP script to send texts to Russian phone numbers

◦ Phone numbers used to sell kittens & BMW

◦ Email used to register multiple domains including koobface

◦ Email prefix used as handle for multiple social networking accounts.

Active Defense - International

Anonymity of attacks makes them hard to prosecute.

A cyber attack can be considered comparable to a physical attack causing a similar effect.

Example: Shutting down a power grid vs. Bombing a power grid.

Active cyber defense can be considered comparable to active physical defense.

Active Defense - RISKS

Collateral damage. Actively defending against an unmapped system could accidentally affect innocent systems.

Trespassing. Actively accessing any computer in excess of authorization is illegal.

Note: The attacking system may not be owned by the criminal.

Active Defense – LESS RISKY

Honeypots: A trap set to detect and possibly prevent unauthorized access of computing systems, and legally collect information about attackers

Beacons: Information captured by the attacker reports back to you

Disinformation Campaigns: Data obfuscation and disinformation: corrupt packets, decoy documents, fake intelligence, etc.

Theoretically, these are implemented on your own system, and are not “attacks.” BUT there still may be legal implications.

Active Defense - Honeypots

Types of Honey Pot

Production:

◦ Placed on production systems to help protect the network.

◦ May bring unwanted attention to your network, and if not secured properly will create an attack vector.

Research:

◦ Typically set up in a standalone environment to research new malware.

◦ They are not set up on a critical network, so if compromised little damage can be done.

Active Defense - Honeypots

Project Honey Pot: Distributed network of websites with decoy webpages to try and detect new malicious scanners and crawlers.

Requires a unique page installed on participants’ websites for testing purposes, and shares information with all members about new threats.

Can sign up at www.projecthoneypot.org. It is free.

Active Defense - ShadowNet

ShadowNet: An infrastructure for insider cyber attack prevention. A tiered server system that is able to dynamically redirect dangerous/suspicious network traffic away from production servers.

Active Defense - ShadowNet

How it works:

◦ Suspicious network traffic is redirected to a quarantined clone server

◦ Clone creates the impression that the attacks performed are successful

◦ Malicious activity on the quarantined server is not reflected on the production server

◦ Existing connections, such as SSH, are not interrupted

◦ The redirection process is transparent to both the attacker and normal users

◦ Actions performed on the quarantined server are recorded
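A toy model of the redirection step, written here as an added example (not ShadowNet's own code): an IDS alert marks a source, new flows from that source are pinned to the clone, flows already pinned to production are left alone, and everything done on the clone is recorded. Backend addresses and flow tuples are constructed sample values.

```python
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class ShadowNetBridge:
    """Hypothetical model of the ShadowNet Bridge routing decision.

    A flow is pinned to a backend the first time it is seen; later IDS alerts
    only affect NEW flows, so an established SSH session is never interrupted.
    """

    def __init__(self, production: str, clone: str) -> None:
        self.production = production
        self.clone = clone
        self.flagged: Set[str] = set()             # sources reported by the IDS fusion system
        self.pinned: Dict[Flow, str] = {}          # flow -> backend chosen on first sight
        self.quarantine_log: List[Tuple[str, str]] = []  # (src_ip, action) seen on the clone

    def ids_alert(self, src_ip: str) -> None:
        """IDS fusion system reports a suspicious source address."""
        self.flagged.add(src_ip)

    def route(self, flow: Flow) -> str:
        """Return the backend for this flow, pinning it on first sight."""
        if flow not in self.pinned:
            src_ip = flow[0]
            self.pinned[flow] = self.clone if src_ip in self.flagged else self.production
        return self.pinned[flow]

    def handle(self, flow: Flow, action: str) -> str:
        """Deliver an action to the chosen backend; actions on the clone are recorded."""
        backend = self.route(flow)
        if backend == self.clone:
            self.quarantine_log.append((flow[0], action))
        return backend


if __name__ == "__main__":
    bridge = ShadowNetBridge(production="10.0.0.5", clone="10.0.0.99")
    ssh = ("198.51.100.7", 50000, "10.0.0.5", 22)       # constructed sample flow
    print("ssh before alert ->", bridge.route(ssh))
    bridge.ids_alert("198.51.100.7")
    print("ssh after alert  ->", bridge.route(ssh))      # still production
    web = ("198.51.100.7", 50001, "10.0.0.5", 80)
    print("new flow         ->", bridge.handle(web, "GET /admin"))  # clone
    print("recorded:", bridge.quarantine_log)
```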

Active Defense - ShadowNet

4 key parts:

◦ShadowNet Client

◦ShadowNet Server

◦ShadowNet Bridge

◦IDS Fusion System

Active Defense - ShadowNet

ShadowNet Architecture (diagram; image not included in the transcript)

Active Defense Demo

The Active Defense Harbinger Distribution (ADHD)

Linux install with active defense tools: http://sourceforge.net/projects/adhd/

We will demo the following tools:

◦ Artillery

◦ WebLabyrinth

Active Defense Demo

Artillery

◦ Honeypot: Blacklists port scans

◦ File monitoring and integrity checking: if a file hash changes, email alert

◦ Brute force login prevention: More than 4 attempts blacklisted
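The two Artillery rules described above, brute-force lockout after more than 4 failures and hash-based file change detection, rewritten here as an added illustration (not Artillery's own code). The auth log lines and file contents are constructed samples; the iptables command is the real blacklist syntax such a tool would emit.

```python
import hashlib
import re
from collections import Counter
from typing import Dict, List

# Constructed sample sshd log lines (not from the slides or from Artillery).
SAMPLE_AUTH_LOG = """\
Jan 12 10:01:02 host sshd[101]: Failed password for root from 198.51.100.7 port 4100 ssh2
Jan 12 10:01:04 host sshd[101]: Failed password for root from 198.51.100.7 port 4101 ssh2
Jan 12 10:01:06 host sshd[101]: Failed password for admin from 198.51.100.7 port 4102 ssh2
Jan 12 10:01:08 host sshd[101]: Failed password for admin from 198.51.100.7 port 4103 ssh2
Jan 12 10:01:10 host sshd[101]: Failed password for root from 198.51.100.7 port 4104 ssh2
Jan 12 10:02:00 host sshd[102]: Failed password for bob from 203.0.113.9 port 5200 ssh2
Jan 12 10:02:30 host sshd[103]: Accepted password for bob from 203.0.113.9 port 5201 ssh2
"""
FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")

# Constructed baseline and current contents of two monitored files.
BASELINE_FILES = {"/etc/passwd": b"root:x:0:0::/root:/bin/bash\n", "/etc/hosts": b"127.0.0.1 localhost\n"}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0::/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n",
                 "/etc/hosts": b"127.0.0.1 localhost\n"}


def brute_force_offenders(log_text: str, max_attempts: int = 4) -> List[str]:
    """Source IPs with MORE than max_attempts failed logins (the slide's '>4' rule)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return sorted(ip for ip, n in counts.items() if n > max_attempts)


def iptables_drop_rules(ips: List[str]) -> List[str]:
    """Blacklist commands an Artillery-like tool would run for each offender."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity baseline: SHA-256 hex digest per monitored file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Files whose hash differs, or that were added or removed; each would trigger the email alert."""
    return sorted(n for n in baseline.keys() | current.keys() if baseline.get(n) != current.get(n))


if __name__ == "__main__":
    print(iptables_drop_rules(brute_force_offenders(SAMPLE_AUTH_LOG)))
    print(changed_files(hash_files(BASELINE_FILES), hash_files(CURRENT_FILES)))
```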

Active Defense Demo

Weblabyrinth

◦ A maze of web pages designed to delay and occupy malicious web scanners.

◦ Displays a 404 error to legitimate web crawlers.
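The labyrinth behaviour in miniature, as an added example that is not WebLabyrinth's code: legitimate crawlers (matched on an assumed User-Agent list) get a 404, everyone else gets a page whose links are derived from the current path, so the maze is consistent on revisits yet never runs out of new pages. The small scanner simulation at the end shows a naive link-follower never leaving the maze.

```python
import hashlib
from typing import List, Tuple

# Assumed list of User-Agent substrings treated as legitimate crawlers (not WebLabyrinth's real list).
LEGIT_CRAWLERS = ("Googlebot", "bingbot", "DuckDuckBot")
LINKS_PER_PAGE = 5


def maze_links(path: str) -> List[str]:
    """Child links derived from the current path: deterministic, so revisits look stable."""
    links = []
    for i in range(LINKS_PER_PAGE):
        token = hashlib.sha256(f"{path}/{i}".encode()).hexdigest()[:12]
        links.append(f"/labyrinth/{token}.html")
    return links


def labyrinth_response(path: str, user_agent: str) -> Tuple[int, str]:
    """Return (status, body): 404 for known-good crawlers, an endless link page for everyone else."""
    if any(bot in user_agent for bot in LEGIT_CRAWLERS):
        return 404, "<h1>404 Not Found</h1>"
    items = "".join(f'<li><a href="{href}">{href}</a></li>' for href in maze_links(path))
    return 200, f"<html><body><h1>Index of {path}</h1><ul>{items}</ul></body></html>"


def pages_visited_by_scanner(start: str, steps: int) -> int:
    """Simulate a scanner that always follows the first link; returns distinct pages seen."""
    seen, path = set(), start
    for _ in range(steps):
        status, _body = labyrinth_response(path, "evil-scanner/1.0")
        if status != 200:
            break
        seen.add(path)
        path = maze_links(path)[0]
    return len(seen)


if __name__ == "__main__":
    print(labyrinth_response("/labyrinth/", "Googlebot/2.1"))
    print(labyrinth_response("/labyrinth/", "evil-scanner/1.0")[1][:120])
    print("distinct pages after 50 hops:", pages_visited_by_scanner("/labyrinth/", 50))
```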

Active Defense Demo

Demonstration

Active Defense

The best “active defense”

1. Trace the IP

2. Report it

Debatably the most legal thing you can do.

Active Defense – Conclusions

The best “active defense”

“Get a good lawyer. Get them involved early and often.” - Robert Clark, operations lawyer for U.S. Army Cyber Command

For More Information…

http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf

Active Defense

Parting Thoughts

“Not only do we put out the fire, but we also look for the arsonist.” - Shawn Henry, former head of cybercrime investigations at FBI

“Anything we do in active defense will automatically legitimize that technique for other regimes.” - Michael Hayden, former director of NSA

Active Defense - Recap

Several definitions of “Active Defense”

Legal & international implications

Tools

◦ Honeypot

◦ ShadowNet

◦ ADHD: Artillery, Weblabyrinth

Report (& stay legal)

Active Defense

Questions?

Active Defense - References

http://bgr.com/2012/06/18/anti-hacker-retaliation-new-policies/

http://cda.ornl.gov/publications_2012/Publication_30528.pdf

http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html

http://en.wikipedia.org/wiki/Koobface

http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf

http://jnslp.com/wp-content/uploads/2010/08/07_Graham.pdf

http://jolt.law.harvard.edu/articles/pdf/v25/25HarvJLTech415.pdf

http://sourceforge.net/projects/adhd/

http://svn.secmaniac.com/artillery

http://threatpost.com/en_us/blogs/debate-over-active-defense-and-hacking-back-crops-rsa-022812

http://weblabyrinth.googlecode.com/files/weblabyrinth-0.3.2.tar.gz

http://weblabyrinthserverip/labyrinth/index.php

http://www.alston.com/Files/Publication/c638c36f-0293-45fa-ba20-ee50b12e00fe/Presentation/PublicationAttachment/4a6feb1e-c091-4352-977c-d45bcd114d3c/Cyber-Alert-legal-issues-with-emerging-active-defense-security-technologies-1-11-13.pdf

http://www.darkreading.com/risk-management/167901115/security/security-management/240012675/companies-should-think-about-hacking-back-legally-attorney-says.html

http://www.defense.gov/news/d20110714cyber.pdf

http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attacks-has-high-risk/

http://www.hbgary.com/active-defense

http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf

http://www.lokisec.com/?p=164

www.projecthoneypot.org

http://www.washingtonpost.com/blogs/checkpoint-washington/post/active-defense-at-center-of-debate-on-cyberattacks/2012/02/27/gIQACFoKeR_blog.html

http://www.webtorials.com/discussions/2012/07/tracking-hackers-down---then-striking-back.html