You Can Identify Hackers Before they Attack

Ntrepid Chief Scientist Lance Cottrell discusses techniques businesses can implement to identify the attackers among their other visitors by using their own tools against them

Businesses expend tremendous effort on preventing and detecting attacks while allowing legitimate activities to continue unimpeded. This leads to a number of brittle solutions, which don’t provide the ability to detect most attacks before they penetrate the network.

But what if you could identify which visitors are likely attackers before hostile actions occur? You would have a Minority Report-style situation, where you could respond to attacks that haven’t happened yet. You could design your networks to automatically tighten security against just those people, while allowing everyone else free access to your services.

While there’s no way to actually gauge the intentions of people accessing your servers, there are some fairly reliable indicators. You might monitor for the early reconnaissance phases of an attack to identify the perpetrator, but they are likely to switch tools and servers between casing your network and actually launching the attack. The best approach is to use some cyber-jujitsu, leveraging the attacker’s own tools to discover him.

While unsophisticated attackers use basic attacks, and deploy simplistic defenses, sophisticated attackers leverage more advanced techniques to avoid detection by anti-malware. As a result, they slip past firewalls and other passive defenses. The sophisticated attacker also takes precautions against being identified. If he comes in from his own computer he is likely to be blocked, analyzed, counter-attacked, arrested, or worse.

However, it’s exactly this use of identity-hiding tools that serves as a weapon to identify hackers. While I would never encourage anyone to completely block all anonymous visitors, there is no logical reason for a person to be anonymous when logging into their bank account or work VPN. Yet sophisticated attackers will always be using these tools, and you can identify which visitors are using them to keep them out in the first place.

Start by looking for overt use of identity-hiding tools. Services like Tor, Hide My Ass, or Anonymizer (my own product) are all easy to recognize because they make no effort to hide what they are. Anyone can sign up for these services and automatically record all the IP addresses they use. 

Additionally, many IP-to-location services already have databases of the IP addresses used by all the big anonymity providers. While the vast majority of the users of these tools are legitimate, they are also widely employed by attackers. Any connection attempt from these addresses should be considered risky.

Covert identity-hiding tools are not so easily recognized. They are not available to the general public and may be set up by the attacker just for a single use, then abandoned afterwards.

Most often, attackers use bitcoin, prepaid credit cards, or stolen credit cards to pay for servers somewhere in the world. They then often relay their traffic through that server to buy another server. These chains can be as long as the paranoia of the attacker requires. The key here is that the attacker’s traffic will be coming from an IP address in a data center or cloud provider, not from a home or mobile user.

The vast majority of consumers in any country have IP addresses belonging to only a small number of ISPs. It is easy to create a blacklist of the IP address blocks belonging to all the biggest data centers and cloud providers, and a whitelist of all the biggest consumer ISPs. Any visitor from the blacklist should be considered risky, while the whitelist visitors would be safer. Visitors on neither list carry intermediate risk, but those blocks can be quickly identified and categorized if they appear frequently.

“Businesses need to adopt a risk-scoring approach, rather than looking at any one observable as absolutely black or white”

The final type of identity-hiding is the most difficult because it leverages real user IP addresses, either shared networks like libraries or coffee shops, or compromised personal computers in botnets. These kinds of IP addresses can be flagged based on behavior, like port scans and other reconnaissance or attack activities. Additionally, the user profile (operating system, browser, history, cookies, plugins) may stand out. Attackers often use specialized platforms for their attacks, which have dramatically different fingerprints than typical people.

Of course, these techniques only allow us to identify visitors as more or less likely to be attackers. Businesses need to adopt a risk-scoring approach, rather than looking at any one observable as absolutely black or white. The use of non-attribution technologies is just one indicator that should contribute to the overall risk score.

That score can then be used to adjust the level of scrutiny and access for that visitor. It might be fine to allow the anonymous visitor to access the general information on your website, but you might not want to allow them to log in. Or you could allow logins, but restrict any transactions that could do damage. Certainly event logs for those visitors should be scrutinized more closely and any follow-on alerts given increased weight.
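A minimal sketch of the risk-scoring approach described above, combining the three indicator classes (overt anonymity services, data-center blocks versus consumer ISP blocks, and behavioral or fingerprint signals) into a score that maps to an access tier. This is an added example, not the author's or Ntrepid's code; the IP ranges, weights and thresholds are constructed placeholders chosen for illustration, not real provider data.

```python
import ipaddress

# Constructed sample lists (documentation ranges only). A real deployment would
# load published anonymity-provider exit lists, data-center/cloud allocations
# and consumer-ISP allocations from the IP-to-location sources the text mentions.
ANONYMITY_EXIT_NODES = {"198.51.100.7", "203.0.113.9"}
DATACENTER_BLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/25")]
CONSUMER_ISP_BLOCKS = [ipaddress.ip_network(n) for n in ("198.51.100.128/25", "100.64.0.0/10")]

# Assumed weights: no single observable is black or white, each just adds risk.
WEIGHTS = {
    "anonymity_service": 40,   # overt tool such as Tor or a commercial anonymizer
    "datacenter": 30,          # covert relay chain rented in a cloud or hosting provider
    "unknown_block": 10,       # on neither list: intermediate risk until categorised
    "consumer": 0,             # residential or mobile ISP space
    "recon_activity": 35,      # port scans or other reconnaissance seen from this address
    "unusual_fingerprint": 20, # OS/browser/plugin profile unlike typical visitors
}

def classify_ip(ip: str) -> str:
    """Place an address in one of the source categories discussed in the article."""
    addr = ipaddress.ip_address(ip)
    if ip in ANONYMITY_EXIT_NODES:          # checked first: exits may sit in DC space
        return "anonymity_service"
    if any(addr in net for net in DATACENTER_BLOCKS):
        return "datacenter"
    if any(addr in net for net in CONSUMER_ISP_BLOCKS):
        return "consumer"
    return "unknown_block"

def risk_score(ip: str, recon_seen: bool = False, unusual_fingerprint: bool = False) -> int:
    """Sum the indicator weights for one visitor, capped at 100."""
    score = WEIGHTS[classify_ip(ip)]
    if recon_seen:
        score += WEIGHTS["recon_activity"]
    if unusual_fingerprint:
        score += WEIGHTS["unusual_fingerprint"]
    return min(score, 100)

def access_tier(score: int) -> str:
    """Map a score to the graduated responses the article suggests (assumed thresholds)."""
    if score >= 70:
        return "browse_only"              # public pages only, no login
    if score >= 30:
        return "login_no_transactions"    # may log in, damaging actions blocked, logs scrutinised
    return "full"
```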

About the Author

Lance Cottrell is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. Anonymizer’s technologies form the core of Ntrepid’s internet misattribution and security products. As chief scientist at Ntrepid, Cottrell continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats.
