Our friends at SearchSecurity.com did a great job of covering the RSA Conference 2012 in San Francisco, and an interesting story just came to our attention. Michael Mimoso wrote an article in early March that detailed two penetration testers' efforts at protecting their own systems by baffling the systems of would-be attackers.
Paul Asadoorian and John Strand were not the only ones presenting on the subject of using a good offense as a better defense, but their talk introduced a few innovative techniques and a few more ethical questions. Mimoso points out that, "Hacking back is a legal and ethical quandary for legislators, policy makers and the military," but Asadoorian seems confident that they can "flip hacking back on its head."
Asadoorian and Strand's methods include three main branches – annoyance, attribution and attack. Speaking of annoyance, the pair explained that frustrating attackers' early probes can foil some attacks before they begin. “Attacks often don’t start until Web spider crawls are done looking for particular directories and pages,” Asadoorian said. “These crawls never finish.”
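To make the "crawls never finish" idea concrete, here is an added example of a web spider trap (a crawler tarpit). It is not code from Asadoorian and Strand's talk or from the SearchSecurity article; the path prefix, link count, delay and HMAC key are assumptions chosen for the illustration. Every page under the trap prefix links only to deeper pages whose names are derived from an HMAC of the requested path, so the tree is infinite, deterministic, and not enumerable without the key; responses are deliberately slow, robots.txt keeps well-behaved search crawlers out, and each hit is logged as a starting point for the attribution step described next.

```python
"""
Added example: a spider trap that serves an endless tree of index pages so an
attacker's directory crawl never completes.  Standard library only; runs offline.
"""
import hashlib
import hmac
import html
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

TRAP_PREFIX = "/archive/"          # assumed: the path subtree that is the trap
LINKS_PER_PAGE = 8                 # assumed fan-out per page
RESPONSE_DELAY_SECONDS = 2.0       # slow responses waste the crawler's time
SECRET = b"rotate-me"              # constructed placeholder key for the HMAC


def child_paths(path: str, secret: bytes = SECRET, n: int = LINKS_PER_PAGE) -> list:
    """Derive n deterministic child paths for `path`.  Names are HMAC-based, so
    they cannot be predicted without the key, yet the same request always
    yields the same page, so a revisiting crawler sees a stable site."""
    digest = hmac.new(secret, path.encode(), hashlib.sha256).digest()
    children = []
    for i in range(n):
        # Per-child slice of the digest, dressed up as a plausible directory name.
        chunk = hashlib.sha256(digest + bytes([i])).hexdigest()[:10]
        kind = ("docs", "reports", "backup", "old", "tmp")[i % 5]
        children.append(f"{path.rstrip('/')}/{kind}-{chunk}/")
    return children


def labyrinth_page(path: str) -> str:
    """Render one trap page: an index listing that links only deeper into the
    trap.  Nothing here points back at real application paths."""
    links = "\n".join(
        f'<li><a href="{html.escape(p)}">{html.escape(p.rsplit("/", 2)[-2])}/</a></li>'
        for p in child_paths(path)
    )
    return (
        "<html><head><title>Index of {0}</title></head><body>"
        "<h1>Index of {0}</h1><ul>\n{1}\n</ul></body></html>"
    ).format(html.escape(path), links)


def is_trap_path(path: str) -> bool:
    return path.startswith(TRAP_PREFIX)


# Legitimate crawlers honour this and never enter the trap.
ROBOTS_TXT = f"User-agent: *\nDisallow: {TRAP_PREFIX}\n"


class TrapHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = urlparse(self.path).path
        if path == "/robots.txt":
            body = ROBOTS_TXT.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
        elif is_trap_path(path):
            # Anything reaching here ignored robots.txt: log it for attribution.
            self.log_message("trap hit from %s: %s", self.client_address[0], path)
            time.sleep(RESPONSE_DELAY_SECONDS)
            body = labyrinth_page(path).encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
        else:
            body = b"not found"
            self.send_response(404)
            self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Usage: run, then request http://127.0.0.1:8080/archive/ and follow links.
    HTTPServer(("127.0.0.1", 8080), TrapHandler).serve_forever()
```

Two design points matter in practice: the trap must live under a prefix that no real page links to and that robots.txt disallows, so only tools that ignore both end up inside it; and the per-request delay should stay short enough that the handler does not tie up a worker for longer than the rest of the site can afford.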
Attribution is all about finding out who is really behind the attack. Where are they? What's the real IP address behind their proxy? Who can you attribute the attacks to?
But the attacking is really the interesting part, even though Strand and Asadoorian stressed that the counter-hacks are only there to boost your ability to annoy and attribute. Mimoso concludes his article on hacking back by writing:
[Strand and Asadoorian] demonstrated a Java payload attack found in Metasploit that enabled them to get geolocation data about an attacker. “We got a shell, but we don’t want persistent long-term access,” Strand said. “We are just getting longitude and latitude information.”
What do you think? Are these techniques crossing an ethical boundary? Is it about time that ethical hackers started making malicious coders' lives miserable?