Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: active defense

{Book Review} Offensive Countermeasures: The Art of Active Defense

A few months back at Blackhat, John and Paul were nice enough to give me a copy of their book “Offensive Countermeasures: The Art of Active Defense” to read. It’s been a whirlwind few months since then, but the quiet of Christmas has given me a chance to really sit down and soak up the contents.


Active Defense has been getting a bit of a bashing after all the “hack back” bullsh*t that people have been throwing around. John and Paul make a good effort to put some of this to rest by discussing the things that an enterprise really can achieve without getting into the business of hacking the hackers in revenge. One of people’s main concerns about active defense has been the lack of information on what you can and can’t do in the eyes of the law. The first section of the book puts a spotlight on a few court cases that deal with differing degrees of hacking back or active defense… and not all of them successful. This section helps to put the book’s content in focus and explains the whys and wherefores of the sections that follow.

The main section of the book is split into the three A’s: Annoyance, Attribution and Attack. Each section goes into depth on some of the options enterprises have to defend their networks more actively, and each has a number of example tools, mostly from the ADHD distribution, that people can use to perform some of the actions discussed.

I found it particularly interesting that the book finishes with a section dedicated to core concepts. Far too many companies think they can jump from 0 straight to 100 without first building a secure base. Active defense isn’t for everyone, and if you don’t have your basics in hand, anything you do is more likely to backfire than help.

The book itself is compact, but it is a good starting point for meaningful discussions about active defense that don’t devolve into legal arguments from moment one. Because of its compact size, a few things that fall into the active defense category aren’t really discussed. These omissions were a little disappointing, but keeping to the core of active defense makes sense for what has to be seen as the first introductory text on the subject. Here’s hoping that future revisions expand on the base and start covering fun things like honeytokens. Overall, the information presented is useful for people looking for a quick schooling in how they can use active defense to improve their overall level of security, and as an education for people who jump straight to hacking back without considering any other options.

If this book is anything to go by, the discussion on what really is possible in defending your networks intelligently from attackers should be a very interesting one to follow. The time for standing still and just taking punch after punch is over. Time to duck and dodge, and make it harder for attackers!


Defense by Numbers: Making problems for script kiddies and scanner monkeys

Since early 2012 I’ve been working on a simple theory…

The Theory:

By varying [response|status] codes, it should be possible to slow down attackers and automated scanners.

If you’ve met me at a conference any time in the last year I’ve probably talked about it at length and bored the hell out of you (sorry about that BTW).

After researching a number of aspects of this theory I put forward a presentation for BSidesLondon to talk about my findings and how it might be applied to application defense.

The topic can be a little complex due to the various ways browsers handle [response|status] codes. Even within a specific browser, the handling of different content types varies; JavaScript is a prime example. Whereas a browser will happily show you a webpage received with a 404 “Not Found” code, the same browser may not accept active script content with the same code.
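As an added illustration (not code from the post or the slides), here is a toy Python request handler that applies the idea above: HTML is served with a decoy 404 status because the post notes browsers render it regardless, while script keeps a 200 because the same browser may reject it under a 404. The constructed site contents, and the assumption that a naive scanner trusts the status code alone, are mine, not the post’s.

```python
"""Toy 'defense by numbers': serve real content under a decoy status
for content types a browser renders regardless of status, but keep
200 for active content the browser may refuse under a 404."""
from http import HTTPStatus

# Constructed sample site (not a real deployment): path -> (type, body)
SITE = {
    "/": ("text/html", "<html><body><h1>Hello</h1></body></html>"),
    "/app.js": ("application/javascript", "console.log('loaded');"),
}

# Per the post, browsers still show HTML received with a 404; active
# script is deliberately NOT in this set, so it is always served as 200.
RENDERS_UNDER_ANY_STATUS = {"text/html"}


def respond(path, decoy_status=HTTPStatus.NOT_FOUND):
    """Return (status, content_type, body) for a request path.

    Existing HTML is served with decoy_status, existing script with 200,
    and a genuinely missing resource gets the same 404 as the decoy, so
    the status code alone no longer distinguishes the two cases."""
    entry = SITE.get(path)
    if entry is None:
        return (HTTPStatus.NOT_FOUND, "text/plain", "")
    ctype, body = entry
    status = decoy_status if ctype in RENDERS_UNDER_ANY_STATUS else HTTPStatus.OK
    return (status, ctype, body)


def naive_scanner_found(status, body):
    """Assumed scanner behaviour: treat anything outside 2xx as absent,
    ignoring the body entirely."""
    return 200 <= status < 300


def browser_like_found(status, body):
    """Body-based check, closer to how a browser treats an HTML 404 with
    content: if there is something to render, it is content."""
    return bool(body)


if __name__ == "__main__":
    for path in ("/", "/app.js", "/missing"):
        status, ctype, body = respond(path)
        print(f"{path:10} {int(status)} {ctype:24} "
              f"scanner={naive_scanner_found(status, body)} "
              f"browser={browser_like_found(status, body)}")
```

The point of the demo is the first and third rows: the real front page and a missing resource both answer 404, so a tool classifying purely on status cannot tell them apart, while script still loads normally.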

During testing I also discovered a couple of interesting issues with Proxy servers that could be used by attackers to expose credentials… as well as some very interesting browser quirks that are probably only interesting to a handful of people. Still, I like edge-case stuff, it’s weird and that suits me just right 😉

BSidesLondon Abstract

On the surface, most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the surface, however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will show that specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide-scale scanning of websites.

If the topic is something that interests you (and I’m sure there’s a lot more research to be done here) feel free to take a snoop at the slides… The talk was recorded also, so keep an eye on the BSidesLondon website and twitter feed for information on the video/audio release.


  • Some thoughts on HTTP response codes –> HERE
  • Privoxy Proxy Authentication Credential Exposure [cve-2013-2503] –> HERE
  • mitm-proxy scripts used in testing –> HERE