Part 2 Explanations

Video Activity

This lesson opens with an definition of Active Defenses. Essentially, active defenses apply decoys, attacker time wasters and honeypot-related activities to code and not 'hacking back." These defenses can actually warn and trigger alarms which allow an incident response team to actually see who is trying to access their information and possibly thw...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Description

This lesson opens with an definition of Active Defenses. Essentially, active defenses apply decoys, attacker time wasters and honeypot-related activities to code and not 'hacking back." These defenses can actually warn and trigger alarms which allow an incident response team to actually see who is trying to access their information and possibly thwart an attack. Actives defenses need to be an integral part of organizations which are advanced and security mature. Participants also receive a small sample of the following tools: HoneyBadger JAR Combiner Web_bug.doc Spidertrap Design: Honeytable

Video Transcription
00:04
Hello and welcome to the secure coding course. My name miss anywhere, and this module is on active defenses Now. What exactly are active defenses?
00:16
Well, active defenses are a way of applying decoys or
00:22
attacker aggravators or time wasters, as well as honey pot related tactics to your application code bundle.
00:32
Now you might be wondering, why in the world would you put forth the effort of doing this?
00:39
Well, what's interesting about these active defenses is they can actually send alerts to your SIM loggers a cZ well as trigger alarms in order to have your blue team or
00:58
incident response team
01:00
actually be able to take a look at who is rummaging around in your network or in your application code.
01:07
Now, a lot of these tactics use various types of techniques for identifying who these potential Attackers are, including some geo location techniques that are available
01:25
now. One of the things I want to
01:27
clear the air about is when I speak of active defenses, I'm not talking about hacking back. I'm actually talking about
01:38
a way to defend, to defend your network, to defend your application code in a much better way by having some sort of alarm system to let you know that something unusual, some sort of unusual activity is occurring.
01:57
Now who exactly should implement active defenses?
02:00
The warning here is that your organization needs to be advanced and very mature in their security posture before actually engaging in deployment of active defenses. This means your house needs to be in order first.
02:19
If you're still struggling with having default passwords in community strings,
02:24
then active defenses is not gonna be a good fit for you.
02:29
So if you do feel like it's ah, it's sad that your organization is at a level that could handle this,
02:36
then these tools might be something to consider. Now the reference that I'm going to give you is from the offensive countermeasures book, The Art of Active Defense. The book is by John Strand and Powerful Acid Dorian.
02:52
It's an excellent book, and it talks about
02:54
the tools as well as gives you step by step instructions on how to use them.
03:00
They've even created a VM image of the tools that you can download from Source forge. So if this is an area of interest to you, I definitely recommend that you take the time to
03:12
look a by the book as well as download the VM image. I just wanted to go through a small sample of some of the tools available. Specifically, I wanted to look at the ones that could be applied for application code, since that is the basis of our subject here.
03:30
And so the 1st 1 is called the Honey Badger.
03:34
So Honey Badger uses geo location techniques such as browser, location sharing, WiFi access points as well as I, P or Mac addresses that are triangulated using these techniques to identify the physical location of
03:53
a Web user
03:54
or possibly the attacker themselves
03:58
now realize that sometimes I P addresses or Mac addresses that are reported may not necessarily be the attacker if someone is actually being used as a proxy by the attacker.
04:15
However, the point here is that
04:18
this tool can
04:20
basically performed these geo location techniques for you, an addition to storing the information within its own internal database, and this allows for search, searching capabilities and reporting.
04:35
So the next tool we want to look at is called jar combine. Er, this is what we take to app. Lets and we actually combine them together. Now one of the apple it's is legitimate, but the other apple, it is actually running our honey badgers software that we just spoke about.
04:53
So what happens is the moment that the attacker actually starts to run the apple it. Then they're caught in the traps of the honey. Badger will notify the SIM logging agent,
05:06
and the information will be captured in the database.
05:11
Now the placement for this jar Combine ER or your apple it with the
05:15
with the honey badger behind it.
05:17
It could be within your virtual network computing or firewall location,
05:24
someplace where it's generally found that there might be some nosing around of intruders.
05:31
Now the next tool is called Web Bug Got Doc.
05:34
This allows you to bug documents of any type. Could be word documents, any type of document that you may be using
05:44
Now. What happens is you can basically place the bug as, ah, one pixel image. Or you can use it as a linked object inside of an existing document. And upon opening the document, this bug will actually phone home
06:02
identifying the location of the user,
06:05
using the same geo location techniques that we've already spoken up.
06:10
Now the next tool is called Spider Trap.
06:13
As we know, Attackers will brute force directories and file names on Web servers or application servers
06:20
for purposes of information disclosure.
06:25
And what this tool does is it basically anticipates that indexing to be done by an attacker
06:34
and what it will do is actually randomly generate links
06:40
that end up going nowhere
06:42
for the attacker to click through.
06:45
Uh, in essence, frustrating the attacker.
06:49
And in addition to this, if the attacker decides to do a W, get by downloading the entire website, it will actually consume. The resource is of the attacker
07:02
almost to exhaustion unless they quit unless they actually quit the command.
07:10
And of course, in this in this, in the process of doing all of this, the geolocation information is also grabbed and logged
07:19
into the internal database of Honey Badger. And then the last tool that we're going to look at is actually in the area of design. It's known as a honey table.
07:31
Now, Honey Table is a very attractively luring database table name something like
07:39
a underscore credit cards or Social Security numbers, or something like that.
07:45
The actual contents of the table is fake data made up data, but what happens is
07:53
should there be some sort of sequel injection To retrieve this information, it will automatically set off the intrusion detection System or SIM logger triggers in order to notify the incident response team in order to respond to that event.
Up Next
Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By