Smoke and Mirrors

Or the art of active defense and enemy disorientation

“You can ensure the safety of your defense if you only hold positions that cannot be attacked. Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.” – Sun Tzu

It is impractical to cover everything on this topic in a single chapter – but what could help you in building good active defenses is reading the following book – “Aggressive Network Self-Defense”. What I am going to cover here is just some basic ideas of making the life of an attacker more difficult and the usefulness of their automated tools less effective.

For example, you could open certain ports on purpose and redirect all input from them to /dev/null – an effective measure which would keep an adversary entertained for quite some time trying to exploit that open port.

Honeypots and honeynets

Building a good honeynet is useful in 2 ways:

  1. It gives you intelligence on what the attackers are doing before they have a chance of doing the same on your production systems
  2. It wastes the adversary time and resources while wasting comparatively low resources on your side to run the honeynets/honeypots.

Having several honeynets and honeypots is not enough. Attackers look not only for ports and services, but for the story behind them – you will need to build a whole story around the honeynet/honeypot – fake personas, fake business applications, fake presentations indexed by Google, fake profiles on social networks, etc.

A lot of malware will simply stop running if there are VMWare tools (or specific registry entries which are present on VMWare/Virtualbox virtual machines). You could simply install VMWare tools (check the license terms first) on a non-virtualized machine.

User agent spoofing

In one of my favorite Chrome plugins – uMatrix, in the Privacy tab, you can see a very handy option: Spoof user agent every X minutes:

smoke and mirrors

This is one additional measure against exploit kits targeting specific browsers, as user agent is what most of them rely upon in order to deliver the right exploit.

User agent string rotation has one additional benefit. When a targeted attack is planned, the attackers will usually send a series of links to various employees, recording the user-agent strings in order to better plan their exploitation. With the tool above (and especially if you add more user-agent strings besides the default) you will significantly increase the complexity of preparing a targeted attack against the browsers/plugins employed in your organization.

Adding confusion everywhere you can will slow down adversaries and will completely thwart automated attack tools in some cases – spoof web server signatures, dns serve signatures, mail server welcome banners, ssh, etc.