Part 2 Explanations

9 hours 31 minutes
Video Description

This lesson opens with a definition of active defenses. Essentially, active defenses apply decoys, attacker time wasters and honeypot-related activities to code; they are not "hacking back." These defenses can warn and trigger alarms, which allows an incident response team to see who is trying to access their information and possibly thwart an attack. Active defenses should only become an integral part of organizations that are advanced and security mature. Participants also receive a small sample of the following tools: HoneyBadger; JAR Combiner; Web_bug.doc; Spidertrap; Design: Honeytable.

Video Transcription
Hello and welcome to the secure coding course. My name miss anywhere, and this module is on active defenses. Now, what exactly are active defenses? Well, active defenses are a way of applying decoys or attacker aggravators or time wasters, as well as honeypot-related tactics, to your application code bundle.

Now you might be wondering, why in the world would you put forth the effort of doing this? Well, what's interesting about these active defenses is they can actually send alerts to your SIM loggers as well as trigger alarms in order to have your blue team or incident response team actually be able to take a look at who is rummaging around in your network or in your application code. Now, a lot of these tactics use various types of techniques for identifying who these potential attackers are, including some geolocation techniques that are available.

Now, one of the things I want to clear the air about is when I speak of active defenses, I'm not talking about hacking back. I'm actually talking about a way to defend, to defend your network, to defend your application code in a much better way by having some sort of alarm system to let you know that something unusual, some sort of unusual activity, is occurring.
Now, who exactly should implement active defenses? The warning here is that your organization needs to be advanced and very mature in their security posture before actually engaging in deployment of active defenses. This means your house needs to be in order first. If you're still struggling with having default passwords and community strings, then active defenses is not gonna be a good fit for you.

So if you do feel like it's, ah, it's sad that your organization is at a level that could handle this, then these tools might be something to consider. Now, the reference that I'm going to give you is from the Offensive Countermeasures book, The Art of Active Defense. The book is by John Strand and Paul Asadoorian. It's an excellent book, and it talks about the tools as well as gives you step-by-step instructions on how to use them. They've even created a VM image of the tools that you can download from SourceForge. So if this is an area of interest to you, I definitely recommend that you take the time to look, ah, buy the book as well as download the VM image. I just wanted to go through a small sample of some of the tools available. Specifically, I wanted to look at the ones that could be applied for application code, since that is the basis of our subject here.
And so the first one is called HoneyBadger. So HoneyBadger uses geolocation techniques such as browser location sharing, WiFi access points, as well as IP or MAC addresses that are triangulated using these techniques to identify the physical location of a web user or possibly the attacker themselves. Now, realize that sometimes IP addresses or MAC addresses that are reported may not necessarily be the attacker, if someone is actually being used as a proxy by the attacker. However, the point here is that this tool can basically perform these geolocation techniques for you, in addition to storing the information within its own internal database, and this allows for search, searching capabilities and reporting.
So the next tool we want to look at is called JAR Combiner. This is where we take two applets and we actually combine them together. Now, one of the applets is legitimate, but the other applet is actually running our HoneyBadger software that we just spoke about. So what happens is, the moment that the attacker actually starts to run the applet, then they're caught in the trap. HoneyBadger will notify the SIM logging agent, and the information will be captured in the database. Now, the placement for this JAR Combiner, or your applet with the, with the HoneyBadger behind it: it could be within your virtual network computing or firewall location, someplace where it's generally found that there might be some nosing around of intruders.
Now, the next tool is called Web_bug.doc. This allows you to bug documents of any type. Could be Word documents, any type of document that you may be using. Now, what happens is you can basically place the bug as, ah, a one-pixel image. Or you can use it as a linked object inside of an existing document. And upon opening the document, this bug will actually phone home, identifying the location of the user, using the same geolocation techniques that we've already spoken of.
Now, the next tool is called Spidertrap. As we know, attackers will brute-force directories and file names on web servers or application servers for purposes of information disclosure. And what this tool does is it basically anticipates that indexing to be done by an attacker, and what it will do is actually randomly generate links that end up going nowhere for the attacker to click through. Uh, in essence, frustrating the attacker. And in addition to this, if the attacker decides to do a wget by downloading the entire website, it will actually consume the resources of the attacker almost to exhaustion unless they quit, unless they actually quit the command. And of course, in this, in this, in the process of doing all of this, the geolocation information is also grabbed and logged into the internal database of HoneyBadger.

And then the last tool that we're going to look at is actually in the area of design. It's known as a honey table. Now, a honey table is a very attractively luring database table name, something like a_credit_cards or Social Security numbers, or something like that. The actual contents of the table is fake data, made-up data, but what happens is, should there be some sort of SQL injection to retrieve this information, it will automatically set off the intrusion detection system or SIM logger triggers in order to notify the incident response team in order to respond to that event.
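
A minimal honey table along the lines described in the lesson, as an added example that is not part of the course material or of the Offensive Countermeasures tooling: SQLite's authorizer hook stands in for the intrusion detection or SIM trigger and records an alert whenever any statement reads the decoy table. The schema, the fake row, the sample statements and the names `ALERTS`, `open_db` and `run` are assumptions made for this illustration.

```python
import sqlite3

HONEYTABLE = "a_credit_cards"  # decoy table name, following the lesson's example
ALERTS = []                    # stand-in for forwarding to a SIEM or IDS (assumption)

def honeytable_authorizer(action, arg1, arg2, db_name, source):
    # SQLite calls this hook while compiling a statement. For SQLITE_READ,
    # arg1 is the table being read and arg2 the column.
    if action == sqlite3.SQLITE_READ and arg1 == HONEYTABLE:
        ALERTS.append({"table": arg1, "column": arg2})
    return sqlite3.SQLITE_OK   # let the read proceed: the rows are fake

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget');
        CREATE TABLE a_credit_cards (holder TEXT, card_number TEXT);
        INSERT INTO a_credit_cards VALUES ('Test Holder', '0000-0000-0000-0000');
    """)
    # Install the hook after seeding so that setup itself raises no alert.
    conn.set_authorizer(honeytable_authorizer)
    return conn

def run(conn, sql):
    """Execute one statement; return (rows, alerts raised by that statement)."""
    before = len(ALERTS)
    rows = conn.execute(sql).fetchall()
    return rows, ALERTS[before:]

if __name__ == "__main__":
    db = open_db()
    # Constructed statements: one normal application query, and one that
    # reaches the decoy the way an injected UNION would.
    samples = (
        "SELECT name FROM products WHERE id = 1",
        "SELECT name FROM products UNION SELECT card_number FROM a_credit_cards",
    )
    for sql in samples:
        rows, alerts = run(db, sql)
        print("ALERT" if alerts else "ok   ", sql, alerts)
```

No legitimate code path ever names the decoy table, so any alert is high-signal regardless of how the query was shaped.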