Just finished taking SANS SEC504 (instructor: John Strand). Good class but more on that later. During class John brought up the concept of Offensive Countermeasures. He has created a site dedicated to the topic http://www.offensivecoutermeasures.com/ . He related to the class a frightening case he was involved in that had a positive outcome through the use of these measures. I will leave it to him to make the details public if he so chooses.
Avoiding the topic of "hacking back", I thought I would touch on another aspect of countermeasures. The idea of honey tokens is nothing new, but here is one with a twist: why not include several fake user accounts? Using statistical analysis (or simply cracking your own password hashes), create a few accounts with passwords of varying degrees of difficulty, including several that are slightly easier to crack than the real users' passwords. The theory is that the attacker will jump on the low-hanging fruit. Any activity on the fake accounts should sound the alarm.
Another, even more intriguing, way to handle this is to create a large user base of fake accounts, perhaps at a 90% fake to 10% real ratio. In this case we are creating white noise and increasing the chance that the attacker grabs a land mine rather than a pot of gold. The second approach will almost certainly require a method of tracking the real users to ensure inactive accounts are deleted in a timely fashion. You don't want to be the guy who left an account active for a bitter former employee.
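The two moving parts described above are the alarm on the decoy accounts and the housekeeping on the real ones. As an added example (not from the original post), the script below does both: it scans sshd-style authentication lines for any event, failed or successful, that names a decoy account, and it lists real accounts that have been idle past a cutoff so they can be removed. The decoy names, the log lines and the account inventory are all constructed for the demonstration; the log format assumed is the standard sshd "Accepted/Failed password for USER from IP" line.

```python
"""Decoy (honey) account monitoring plus stale real-account detection.

Added example for the honey-account idea above; names and data are constructed.
"""
from datetime import datetime, timedelta
import re

# Hypothetical decoy account names. In a real deployment these come from
# wherever the decoys were recorded when they were created.
DECOY_ACCOUNTS = {"jsmith2", "backup_admin", "svc_reports"}

# Constructed sample sshd log lines for the demonstration; not real data.
SAMPLE_LOG = """\
2013-04-02T08:12:01 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022
2013-04-02T08:13:45 host1 sshd[2210]: Failed password for backup_admin from 203.0.113.7 port 40211
2013-04-02T08:13:49 host1 sshd[2210]: Accepted password for backup_admin from 203.0.113.7 port 40211
2013-04-02T09:01:10 host2 sshd[3301]: Accepted password for bob from 10.0.0.9 port 50001
"""

# Matches the password-auth lines sshd writes; anything else is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed account inventory: user -> (is_decoy, last_login or None).
SAMPLE_INVENTORY = {
    "alice": (False, datetime(2013, 4, 2)),
    "bob": (False, datetime(2013, 4, 2)),
    "carol": (False, datetime(2012, 11, 1)),  # left months ago, never removed
    "dave": (False, None),                    # provisioned, never used
    "backup_admin": (True, None),             # decoy, expected to stay idle
}
SAMPLE_NOW = datetime(2013, 4, 3)


def decoy_alerts(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per auth event that names a decoy account.

    Failed attempts count too: no legitimate user knows these accounts
    exist, so even a wrong-password guess against one is a signal.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("user") in decoys:
            alerts.append({
                "time": m.group("ts"),
                "host": m.group("host"),
                "user": m.group("user"),
                "result": m.group("result"),
                "source": m.group("src"),
            })
    return alerts


def stale_real_accounts(accounts, now, max_idle_days=90):
    """Return real (non-decoy) accounts idle for more than max_idle_days.

    An account that has never logged in is treated as stale. Decoys are
    skipped because they are supposed to be idle.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user, (is_decoy, last_login) in accounts.items():
        if is_decoy:
            continue
        if last_login is None or last_login < cutoff:
            stale.append(user)
    return sorted(stale)


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print("ALERT decoy account touched:", alert)
    print("stale real accounts:", stale_real_accounts(SAMPLE_INVENTORY, SAMPLE_NOW))
```

On the sample data this raises two alerts for `backup_admin` (the failed guess and the success that follows it from the same source) and reports `carol` and `dave` as real accounts to review. Raising the idle threshold to 200 days keeps `carol` but still flags `dave`, which is the case the post warns about: an account nobody is using is an account nobody is watching.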