Reverse Deception: Organized Cyber Threat Counter-Exploitation (85 page)

Disabling
There is the risk of attackers disabling honeynet functionality. Attackers may want to not only detect a honeynet’s identity, but also disable its data control or data capture capabilities, potentially without the honeynet administrator knowing that functionality has been disabled. For example, an attacker may gain access to a honeypot within the honeynet, and then disable data capture functionality on the honeypot. The attacker could then feed the honeypot with bogus activity, making administrators think data capture is still functioning and recording activity when it is not. Having multiple layers of data control and data capture helps mitigate this risk, as there is no single point of failure.

Violation
This is the catchall of the remaining risks. Attackers may attempt criminal activity from your compromised honeynet without actually attacking anyone outside your honeynet. An example is an attacker using a honeypot to upload and then distribute contraband or illegal material, such as illegal copies of movies, music, stolen credit cards, or child pornography. Remember that these individuals break into your system on their own initiative. You are not dealing with the most law-abiding cyber citizens. If detected, this illegal activity would be attributed (at least initially) to you by way of it being on your system. You may then need to prove that it was not you who was responsible for this activity.

There are several measures you can take to mitigate these risks beyond what we have discussed so far. Two measures are human monitoring and customization.

With human monitoring, a trained professional is analyzing your honeynet in real time. This gives you the ability to detect a failure in your system—a failure that automated mechanisms may fail to detect or react to. By having a human analyzing honeynet activity, instead of just depending on automated techniques, you help protect yourself against new or unknown attacks or honeynet countermeasures.

Customizing your honeynet can also help mitigate risks. This book and all honeynet technologies, including the Honeywall CD-ROM, are open source and publicly available. This means that anyone has access to this information, including members of the black hat community (who we assume are reading this book and developing counterattack methods). To help reduce risk, you want to modify your honeynet from any default settings or normal behavior. The more your honeynet differs from standard or default configurations, the more difficult it will be for others to detect or attack it. However, understand that no matter what measures you take, risk is not eliminated, but only mitigated.

Check Yourself Before You’re Wrecked

You can improve the security posture of your network by proactively monitoring your network and systems. It is critical to apply various tools that block, filter, and monitor traffic, but you must also think and act like those who wish to do your business harm. Discover what they use to find holes in your network, and use them yourself to test your defenses. Check yourself, discover the weaknesses, and then fix them.

There are complete books that are dedicated to this subject. Here, we’ll touch on some of the higher-level areas that should be checked. The tools mentioned in this section are just a small sampling of those that can be used to take proactive measures to keep you and your network safe.

What’s the Status of Your Physical Security?

An extraordinary number of measures can be applied to your computer systems to lock them down. Antivirus programs, firewalls, file-system security, disk encryption, policies, strong passwords, and so on are great (and necessary) for the overall health of your network, but do you know that they can all be bypassed with the touch of one keyboard button during the boot sequence?

The base state of your system’s security begins at the lowest level of your computer, moving up into the operating system, and then into the applications installed on the system. There are a few easy things you can do to shore up your security at this level, yielding a large return on the time investment.

What Are You Looking For?

Check the following:

Do you have passwords set to enter the computer’s Basic Input/Output System (BIOS)?

        
You can set a user password, which requires the user to enter a password to successfully boot into the operating system.

        
You can require a supervisor password to ensure that only the appropriate personnel can make changes to some of the basic boot items.

Have you disabled the ability to boot from anything other than the hard drive?

        
Allowing your users, or someone who may gain access to your user’s laptop, to boot from a USB thumb drive or a CD could render your security mechanisms useless.

Do you allow the operating system to automatically mount and run the default application on a CD or USB thumb drive?

        
Were you aware that one of the worst malware infections experienced by the DoD was caused by this simple configuration setting, costing millions of dollars to triage?