Foiled! 15 tricks to hold off the hackers

To root out persistent hackers, sometimes you have to get a little creative

Malicious hackers have outsize reputations. They are über-geniuses who can guess any password in seconds, hack any system, and cause widespread havoc across multiple, unrelated networks with a single keystroke—or so Hollywood says. Those of us who fight hackers every day know the good guys are usually far smarter. Hackers simply have to be persistent.

Each year, a few hackers do something truly new. But for the most part, hackers repeat the tried and true. It doesn’t take a supergenius to check for missing patches or craft a social engineering attack. Hacking by and large is tradework: Once you learn a few tricks and tools, the rest becomes routine. The truly inspired work is that of security defenders, those who successfully hack the hackers.

Following are some of the most clever tricks in use today by computer security defenders in foiling hackers. Some of the traps are so good, hackers have a hard time not falling into them. When you hear of a big takedown, more than likely the defenders didn’t implement many of these tricks and got burned because of it.

Do it with data

Data-driven defense has been around for years. But the concept of using data to better detect, define, and remediate threats has exploded in the past few years, with nearly every computer security vendor jumping on the bandwagon. Here, the cloud has certainly helped, making it relatively easy to collect and analyze large amounts of data. But the major improvement has been a new focus on the data we create.

Companies such as Crowdstrike, FireEye, CounterTack, and ThreatMetrix offer products that analyze your network data streams, noting any outbound connections to known bad networks or any advanced persistent threat (APT) families you may have in your environment. Vendor products, such as Microsoft’s Advanced Threat Analytics, can ascertain whether a hacker is trying to steal your logon credential database and, if so, how long they’ve been in your environment. There are firms that can quickly detect spam, phishing attempts, and malware simply by watching activity on their tens of thousands of managed nodes across the world. They can see regional and global patterns that one company can’t detect. If you’re not incorporating data into your security practices, it’s time to get mining.

Reel in hackers with red-herring data

Litter your internal company systems with a little bit of fake data, and let the hackers take the bait. That’s the idea behind red-herring data. After all, it’s very hard to stop every data leak and equally hard to search for all data in a way that doesn’t result in too many false positives. Instead, monitor your internal networks, using data leak prevention (DLP) software, and external sites for leaks of your fake data and you have your hackers nabbed.

One of my favorite fake data themes was undertaken by a hospital, which created fake patients named after members of the rock group Kiss, but with slightly different spellings and fake middle initials. Only key members of the IT team and management knew Ace J. Freelee, Gene H. Symmons, Petre L. Chriss, and Paulie S. Stanlee weren’t real patients.

Seed your network with honeypots

Honeypots take red-herring data to the nth degree. They are fake assets placed in production, where every bit of data is faked. Servers, clients, network devices—a honeypot can be anything. Once set up, anyone who touches your honeypot should be investigated for maliciousness. The exact opposite of nearly every traditional computer security defense, honeypots are high value and low noise.

Companies such as Cymmetria and KFSensor offer commercial honeypots, and dozens of open source alternatives exist. Or you can simply use an old asset you would otherwise retire. These will look the most realistic to hackers, simply because you’ve declared them nonproduction without taking them out of production.

Follow hacker posting sites

To keep one step ahead of hackers, it’s worth knowing what they’re up to. By following popular hacker posting sites such as Pastebin or sites on the dark web, you will gain insights on new exploits and even see stolen information from break-ins. If hacker data deposits include your red-herring data, you’ll know your company has been pwnd. This is a great detection strategy that will give you time to close holes, track attackers, and prepare management for any resulting public announcements. Companies such as Hold Security will even monitor hacker sites for you for a fee.

This isn’t only reactive. You can use posted hacker data proactively, even if your organization hasn’t been hacked. For example, many hacker postings include tens of thousands of logon names and passwords, often to social media and other popular consumer sites. It can be worth sifting through the data to find employee email accounts or logon names, then testing those found passwords against those used on your company network. If they match, tell the employee to change his or her password and remind them not to reuse company passwords on unaffiliated websites. Again, there are companies that will do this for a fee.

Flag hackers by setting up fake email accounts

As with red-herring data, you can create fake email accounts that are not searchable from outside the company and are not included on any group lists. That way they can be reached only by internal sources and are not used by anyone or associated with any real account. Monitor for any instances of email sent to these accounts, especially from outside the company. It shouldn’t get any email, so anything sent to it is spam or indicates that someone has compromised your email system.

Push bad actors into black holes—and monitor their activity

Black holes have long-proven security pedigree. By creating a location where hacker activity is shunted once detected, you can ensure they do no harm. Along the way, you can slow them down by creating artificial limits to bring their activity to a crawl. You can create a black hole using DNS or IP address management services, and when a hacker (or malware) asks for a nonexistent DNS name or IP address, such as when scanning for an IP address range, your service will shunt the hacker over to a black hole configured with any number of negative performance tricks, such as severe latency, packet corruption, retransmission, and super packet fragmentation.

The black hole works like any other legitimate device or software, responding by waiting and asking three times for everything. By peppering your black holes with honeypots, you can learn more about your hacker’s intentions. Artificial slowness can also help you track the origin of the hacker or malware. But remember, black holes must be appropriately configured to ensure legitimate services that accidentally ask for nonexistent DNS names or IP addresses don’t end up being sent to a black hole.

Go on the offensive

An ethically gray area that is illegal in many countries, offensive hacking can be a defender’s best trick in thwarting malicious actors. Many of you have probably already gotten tired of withstanding attack after attack, especially from an especially dumb or persistent hacker. If asking them nicely to stop doesn’t work, some defenders believe it is not only ethical but necessary to take out a persistent hacker with a pre-emptive strike. Consider Stuxnet, the most visible and successful example of this, which took out multiple Iranian centrifuges. It may not be legal or seen as ethical, but it worked.

Offensive hacking happens all the time in smaller, private scenarios. There are even companies you can hire, tools you can use, and honeypots that automate offensive hacking capabilities. I’ve yet to see the hacker, when hacked by their intended target, that wasn’t jaw-droppingly surprised.

Set golden-ticket booby traps

In a move similar to offensive hacking and red-herring data, you can create a tasty-looking morsel that, when opened back at home, reveals the hacker’s true IP address and identity. You build these booby traps to contain hidden embedded code or images that, when opened, “dial home.” Unless the hacker opens the booby trap in a disconnected environment or has blocked all outbound traffic, which they never do, then the necessary information gets collected and sent back to you.

I’ve known more than a few good-guy hackers who grew tired of a hacker trying to hack them, so they let the bad guy “hack” the fake system and take home the supposed top prize. Instead, when opened, the booby trap goes off and reformats their hard drive or deletes all their files. It’s not pretty, but it’s effective.

Pull the wool over hacker’s eyes with patching tricks

If you’re responsible for sending out patches, you know how tricky it can be. You have to patch all critical vulnerabilities in a timely manner, but as soon as you release the patch, it is immediately reverse-engineered to locate the exploit. And because most companies sit on the latest patches, if they apply them at all, any patch becomes a hacker gateway into vulnerable systems.

If you provide patches to customers, you might want to consider the following trick. One of my employers once faced a hole so big it made virtually every application vulnerable. The damage to our ecosystem after we released the patch would be enormous, so we decided to release the patch “hidden” inside a few other patches distributed over the course of months. Any reverse-engineering hacker looking inside a patch would see what looked like unrelated “junk” bytes, and the entire picture would only come out after all the patches were distributed and applied (and even then would likely go unnoticed). This tactic has been used by many companies since.

Zip up your systems with zero admins

For decades, getting root, local admin, or domain admin has been the Holy Grail of hacking. But what if there were no root or admin accounts? You can’t steal something that isn’t there.

Instead of sticking with tradition, go “zero admin” by emptying all highly privileged groups of any permanent members. With this strategy, admins function as nonprivileged users, and when they need to perform an administrative task, they request a highly privileged account or session on the fly that has been time-limited, task-limited, or device-limited, requiring a new password every time. If an attacker steals it, it’s worthless.

These just-in-time credentials, with their bare-minimum rights and permissions (called “just enough admin”), are very effective. Because the credentials must be requested and justified, they can easily be audited. It may be difficult to get rid of all permanent ultra admins in your environment, but by having as close to zero as possible, you’ll be much more secure.

Secure your admin workstations

Secure administrative workstations, aka SAWs or PAWs, are another option to greatly reduce your risk of malicious attack. Make all your admins use supersecure computers (real or virtual) to conduct all admin tasks—computers that can’t connect to or receive connections from the internet, require two-factor authentication, and have a very limited set of whitelisted programs. By creating a highly secure place for admins to perform administrative tasks, hackers on regular compromised workstations are unlikely to get crown-jewel credentials.

Hack your own code

The best developers hack their own code, as well as ask trusted others and hire professionals to hack their code. You can do this manually or by using a code review tool. No matter how you do it, don’t let a malicious hacker be the first to attempt to crack your code. Many of the world’s biggest organizations are now on board with white-hat hacking and offer bug bounty programs, often with hundreds of thousands of dollars in cash prizes.

Hang out in secret hacker forums

Hackers used to meet on public websites to discuss and deal, but after a few arrests, they’ve realized that private, invitation-only forums are the way to go. The invitation requirement, from another trusted hacker, is meant to ensure that you’re a legit malicious hacker.

Unfortunately for these forums (but fortunately for us), law enforcement and other defenders are routinely part of their supposedly private forums. Sometimes membership is gained by turning a previously arrested hacker into an agent or by taking over their account; other times the hacker site can’t turn down the money offered by a new stranger. Either way, if you can work your way into a secret hacker forum, you can get the skinny on what the bad guys are up to and share that information with other defenders.

Track your hacker to expose their true identity

Unmasking a malicious hacker’s real identity is a great way to stop them. No one does it better than Brian Krebs. He uses DNS lookups, domain registrations, and a carefully linked list of a hacker’s various fake identities over time. At some point along the way the hacker will slip up and reveal his or her real name or an originating email or social media site they used before they went completely black hat. From that, Brian has been able to reveal a smiling picture of them on Facebook while at Disney World with their family.

Brian’s investigations and the often subsequent takedowns are some of the best true crime investigatory stories you’ll read. Give them a read, learn from the master, and start hunting.

Lure your hacker to a physical location for arrest

It’s never recommended to confront a hacker directly in person, but if you can get law enforcement involved, this can be a sure-fire strategy to solve your problem. Too may times, we know who our hacker is but can’t arrest them. Often it is because our warrants don’t work in the country in which our hacker resides. Security companies and vendors with outstanding warrants will sometimes wait for their targets to take a vacation or connect through a country that supports their warrants, and when the person shows up, they have them arrested.

But one of the best methods to lure a hacker into an arrest is to invite them to interview for a big (fake) job and, in the case of hackers outside your jurisdiction, at a location in a country that supports your warrant. Hackers, perhaps looking to go legit after years of crime, often show up, and you can cajole them into showing their elite skillz. In some instances, hackers’ secret encryption keys and passwords have been captured using this tactic. They get excited thinking they’ve nailed the job interview, and instead they’ve leaked their secrets and get nabbed in the process.

Part of me feels bad for these hackers. They were trying to go legit. Then again, who knows if they would have remained on the good side? Plus, when they get out of prison, if they’ve truly reformed, they can still get an awesome new job on the right side of the defender/hacker divide.

For more inspired computer security defense work, check out my latest book, “Hacking the Hacker,” where I profile 26 computer security defenders and luminaries around the world.

Related articles

Join the TechWorld newsletter!

Error: Please check your email address.

More about AdvancedAPTDLPFacebookFireEyeMicrosoft

Show Comments

Market Place

[]