SAN FRANCISCO – Hacking back is a legal and ethical quandary for legislators, policy makers and
the military. While there have been a few high-profile court-approved takedowns of botnets and
infiltrations into cybercrime online infrastructures, these are few and far between, and are often
met with a fair share of judicial challenges.
Apparently, though, it doesn’t have to be that way. Two penetration testers speaking at RSA
Conference 2012 Thursday offered some technical solutions that companies can use to frustrate
attackers attempting to penetrate systems, gather information about the attacks, and softly hack
“The best defense is to have a good offense. We thought, what if we could take offensive
measures that we’ve been using successfully in pen tests and employ them defensively,” said Paul
Asadoorian, product evangelist with Tenable Network Systems and host of the popular PaulDotCom
podcast. “Hacking back is bad, but we want to flip hacking back on its head.”
Asadoorian and co-presenter John Strand, both of whom are instructors with the SANS Institute,
advised that even this type of hacking back cannot be a one-off project.
“Discuss this within your organizations, and not just in the basement of the IT department,”
Strand said. “Discuss it openly, and document it, and plan it out. And finally, don’t be evil. Once
you get access to an attacker’s system, don’t look at files or take down their Web history. This
can get you in trouble.”
The pair suggested seeding sensitive webpages or VPN and other network entry points with warning
pages that explain that, in order to connect to the network in question, visitors would be subject
to NAC-like security checks. The warnings should spell out to anyone logging in that everything
from machine information to IP and MAC address location data would be collected.
“It’s illegal to set up lethal traps,” Strand said. “But you should warn them of the [security]
Asadoorian said that of the three components of their hack-back strategy — annoyance, attribution
and attack — annoyance is meant merely to stress out and frustrate an attacker. Using tools such
as honeyports, SpiderTrap and WebLabyrinth,
security pros can send attackers into endless scanning loops of false ports, services and
“Attacks often don’t start until Web spider crawls are done looking for particular directories
and pages,” Asadoorian said. “These crawls never finish.”
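A minimal crawler tarpit in the spirit of WebLabyrinth, added here as an illustration and not code from the talk or from any of the tools named; the path prefix, links per page and alert threshold are assumptions, and the per-client counter is the attribution signal a defender would feed to monitoring:

```python
"""Minimal WebLabyrinth-style crawler tarpit (added example, not the tool from the talk).

Every page under the labyrinth prefix links only to further labyrinth pages, so an
automated spider probing for hidden directories never reaches the end of its crawl.
A per-client counter records how far each visitor has gone, which is what the defender
actually wants to log. Path prefix and thresholds are assumptions.
"""
import hashlib
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

LABYRINTH_PREFIX = "/admin-backup"   # assumed: a path real users never request
LINKS_PER_PAGE = 5
ALERT_THRESHOLD = 50                 # assumed: requests before a client is flagged
_hits = Counter()


def labyrinth_links(path, secret="constructed-secret"):
    """Derive LINKS_PER_PAGE child paths deterministically from the current path.
    Deterministic output keeps the maze stable across workers without stored state."""
    links = []
    for i in range(LINKS_PER_PAGE):
        digest = hashlib.sha256(f"{secret}|{path}|{i}".encode()).hexdigest()[:12]
        links.append(f"{LABYRINTH_PREFIX}/{digest}/index.html")
    return links


def render_page(path):
    """Build a page whose only links lead deeper into the labyrinth."""
    items = "".join(f'<li><a href="{l}">{l}</a></li>' for l in labyrinth_links(path))
    return f"<html><body><ul>{items}</ul></body></html>"


def record_hit(client_ip):
    """Count labyrinth requests per client; return True once the client is flagged."""
    _hits[client_ip] += 1
    return _hits[client_ip] >= ALERT_THRESHOLD


class LabyrinthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not self.path.startswith(LABYRINTH_PREFIX):
            self.send_error(404)
            return
        if record_hit(self.client_address[0]):
            self.log_message("labyrinth alert: %s exceeded %d requests",
                             self.client_address[0], ALERT_THRESHOLD)
        page = render_page(self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(page)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LabyrinthHandler).serve_forever()
```

Pair the labyrinth prefix with a robots.txt disallow entry so well-behaved crawlers stay out and only visitors that ignore it end up in the maze.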
There are also tools that network admins can use for attack attribution. Word Web-Bugs, for
example, takes advantage of Microsoft Word’s built-in browsing capabilities where an iFrame can be
embedded in Word metadata that calls back to you once a sensitive document is downloaded. Another
tool is the Metasploit Decloaking Engine found in the Metasploit
framework, which unmasks the real IP address behind an attack.
As for attacking another system, Asadoorian and Strand were careful to stress that using
techniques such as a Java Applet Attack are meant to extend your annoyance and attribution
capabilities — thus the reason for the extensive warning banners. The two demonstrated a Java
payload attack found in Metasploit that enabled them to get geolocation data about an attacker.
“We got a shell, but we don’t want persistent long-term access,” Strand said. “We are just
getting longitude and latitude information.”