Catcher in the Rye

Information Security goes on the Offensive

By S. Russell Dyer BS(MIS) CISSP CRISC

Prologue

It is well documented that the man who shot John Lennon, JFK’s assassin,  and the guy who shot Ronald Reagan all had a copy of the book “Cather in the Rye”.

What if we could identify malicious hackers  by their common access to a single file, or group of files?

Information Security is a constant game of cat and mouse. Unfortunately,  the good guys are frequently one step behind the bad guys.  Hackers discover a security flaw in a particular software and begin exploiting it and eventually Security practitioners detect and classify the activity as malicious. Then with the help of developers either patch the flaw or apply new methods or tools to mitigate the security issue. Then the cycle repeats in a never-ending circle.

Perhaps we can shift this paradigm in favour of the good guys. Or even turn it upside down entirely where the hackers are the ones trying to catch up and figure out what is safe for them to touch and what is not?

Background

Firstly, we must understand the typical process a hack follows and match this process to the attacker’s high level goals.

For a hacker to be successful he, or she, will undertake the following tasks.

1. Exploit a software or configuration flaw to gain access to a host system.
2. Make changes to ensure access survives a reboot of the system.
3. Hide any traces of activity to enable longevity of access.

Once these three objectives are accomplished, the hacker can start poking around and looking for valuable information. Also, using this compromised system as a pivot point to move deeper into the network and compromises more valuable hosts.

Flipping the Paradigm

While we endeavor to have all our network assets and infrastructure patched and secured, there will always be one or two systems which slip through the cracks. Whether it’s a server running an older operating system that’s due to be replaced in the near future, or an application running on a server which isn’t quite on the latest patched version. There will be cracks and these will be exploited in an attack.

Honeypots have been around for a while and are an ok system to use in an attempt to entice and detect hacking activity; they rely on the hacker focusing on the honeypot,  and activity on that honey pot server being used and an indicator that there has been a security breach. But there is no way to guarantee that an attacker will target the honeypot and not a different, more important system.

I propose a new take on the honeypot, the Honey file.

Honey files can be placed on each system and monitored at a heightened level to serve as an alarm and strong indication that the system has been compromised by an attack.

The honey file is a specially created file which meets the following criteria.

1. Not accessed or used by the host hardware, operating system or any installed applications on the system on which is resides. (Thus any accesses or changes to the file can be assumed to be either accidental maintenance related or malicious hacker activity)
2. Must not contain any information that would be of actual value to an attacker.
3. Any alterations, additions or event complete removal of this file must in no way affect the host system or application in any way.
4. This file may contain authentic looking but fake information useful for tracking follow on malicious activity.
5. Taylor the honey file to the host system so as to project an air of authenticity and criticality. This increases the chance it will be accessed by a hacker.  Also don’t put obvious windows server type files on a unix server or vice versa.

The time and effort invested in creating the honey files will directly impact the effectiveness of the files when in use.

Think of scenarios where developers or server admins might have “accidently” left valuable information on a server prior to it going live and then forgotten to remove it later on.

It is recommended that several types of honey file be employed to increase overall effectives.

1. Fake Database honey file. A database that contains bogus information and can be monitored strictly. Databases are high priority targets for hackers
2. Fake Procedure documents with embedded fake login information. Any access attempt by credentials listed in these documents can be considered malicious hacker activity and show a hacker has file system access on the system.
3. Fake configuration text files. Specific Unused IP addresses can be listed in these files and monitored to alert on attacks.

So what is the logic behind this ?

The goal is to seed juicy files throughout your environment and configure a high level of alerts and monitoring on these files.  These files will be the tripwire which set off the alarm bells and represents a strong indication of malicious activity.

Most systems have minimal logging enabled due to issues with load and resource utilization.  By using distributed honey files we alleviate the need to turn up logging on the majority of systems and have a more targeted and accurate indication of malicious activity with a vastly reduced number of false positives when compared to the traditional Intrusion Detections systems. 

Notes

Honeyfiles: Deceptive Files for Intrusion Detection  -

http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA484922