Using system fingerprints to track attackers

•Transferir como PPT, PDF•

1 gostou•803 visualizações

Using system fingerprints to track attackers. Talk at B-Sides SF 2014 by Lance Cottrell Leveraging known weaknesses in current anonymity tools to identify who is using such tools, and in some cases to identify the users themselves.

Tecnologia

Using system
fingerprints to
track attackers
Lance Cottrell
Ntrepid/Anonymizer
®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

1

When You Are Under Attack
You may
ask:

Who was that masked man?
®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

2

As a Defender, You See...

IP: 37.123.118.67
Lat / Long: +54 / -2
Country: UK
Ping: 110ms
ISP: as13213.net (AKA UK2.net) server hosting
Open Ports: SSH, HTTP
®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

3

Is THIS Really the Attacker?

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

4

Which is the “Real” Attacker?

It’s Turtles All the Way
Down

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

5

What If You Could
Spot People Hiding?
Block Web Access

DETOUR

Redirect to Honeypot
NO
TRESPASSING

Add Firewall Rule
Deny Credit Card
Flag in Logs

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

6

What If You Could
Identify Your Attacker?

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

7

How Do They Hide?
Proxies
VPNs
Chained VPNs / TOR
Botnets / Compromised Hosts
Tradecraft

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

8

How Can You Spot Them?

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

9

Known Anonymous IP

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

10

Anon IPs are well known

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

11

Open Proxy / Ports

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

12

Obviously not a home PC
HTTP
X11
FTP
SSH

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

13

Non-Consumer IP

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

14

Identifying non-consumer IP
9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net
(129.250.9.201) 1.545 ms 4.888 ms
10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms

VS
13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

15

Latency vs. Ping Time
HTTP / Javascript
DHCP Ping

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

16

DNS Mismatch
HTTP from Chicago
DNS from Nigeria

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

17

Identify the Attacker

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

18

Identity Leakage

Embedded Media
Apps bypass proxy / VPN
Phone home

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

19

Fortunately (for you),
Good OPSEC is Hard
Tools can be slow and cumbersome
May go direct for “innocent”
activity / reconnaissance
May forget to use it
Accidentally cross the streams
of personas
Correlate attacker print with
all previous activity
®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

20

Cookies and Bugs

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

21

Browser Fingerprints

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

22

Fingerprint Entropy
12.3 - User Agent
5.4 - HTTP_ACCEPT Headers
21.9+ - Browser Plugin Details
5.0 - Time Zone
7.5 - Screen Size and Color Depth
21.9 - System Fonts
0.4 - Cookie Test
®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

0.9 - Super Cookie Test

23

Attacker Use of Virtualization
Advantages

Disadvantages

Easy to Clean

Cloned Each Time

No Cookies or Super-Cookies

Too Clean or Outdated Cruft

Detection as VM Requires
Local Execution

Can Be Detected as VM

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

24

Dread Pirate Roberts

®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

25

Why Should YOU be Stealthy
Lurk in IRC and Forums
Discover Plans
Learn Techniques
Hide your interest & activity

Bait Honeypots
Drop False Leads and Links

Government
Has Other More Aggressive Options
®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

26

Thanks
Contact me at:
Email: lance.cottrell@ntrepidcorp.com
Commercial / Gov: http://ntrepidcorp.com
Consumer: http://anonymizer.com
Blog: http://theprivacyblog.com
Twitter: @LanceCottrell
LinkedIn: http://linkedin.com/in/LanceCottrell
®
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

27

Mais conteúdo relacionado

Mais procurados

FastNetMonを試してみた

Yutaka Ishizaki

How to setup your linux server

Marian Marinov

Blackholing from a_providers_perspektive_theo_voss

Pavel Odintsov

Detecting and mitigating DDoS ZenDesk by Vicente De Luca

Pavel Odintsov

Firewall arch by Tareq Hanaysha

Hanaysha

Ripe71 FastNetMon open source DoS / DDoS mitigation

Pavel Odintsov

Net mcr 2021 05 handout

Faelix Ltd

Protect your edge BGP security made simple

Pavel Odintsov

DeiC DDoS Prevention System - DDPS

Pavel Odintsov

Firewall

Angga Racing

Keeping your rack cool

Pavel Odintsov

Nanog66 vicente de luca fast netmon

Pavel Odintsov

FastNetMon Advanced DDoS detection tool

Pavel Odintsov

Best practices for using VPNs for easy network-to-network protection

Westermo Network Technologies

Cracking Wep And Wpa Wireless Networks

guestf2e41

L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES

Faelix Ltd

Our presentation to UKNOF in September 2020 In two very long nights of maintenance we acheived: - Full table BGP on VyOS converge time in seconds - Routing on MikroTiks converges near-instantly - BCP38 (customers cannot spoof source address) - IRR filtering* (only accept where route/route6 object) - RPKI (will not accept invalid routes from P/T) - Templated configuration (repeatable, automated) Single source of truth (the docs become the config)

VYOS & RPKI at the BGP as edge

Faelix Ltd

Product_Engineer_Zscaler

mustufa mithaiwala

Mais procurados (18)

FastNetMonを試してみた

How to setup your linux server

Blackholing from a_providers_perspektive_theo_voss

Detecting and mitigating DDoS ZenDesk by Vicente De Luca

Firewall arch by Tareq Hanaysha

Ripe71 FastNetMon open source DoS / DDoS mitigation

Net mcr 2021 05 handout

Protect your edge BGP security made simple

DeiC DDoS Prevention System - DDPS

Firewall

Keeping your rack cool

Nanog66 vicente de luca fast netmon

FastNetMon Advanced DDoS detection tool

Best practices for using VPNs for easy network-to-network protection

Cracking Wep And Wpa Wireless Networks

L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES

VYOS & RPKI at the BGP as edge

Product_Engineer_Zscaler

Semelhante a Using system fingerprints to track attackers

Conclusions from Tracking Server Attacks at Scale

Guardicore

A common theme in data breach investigations is the deficit between the time it takes an attacker to compromise a system and the time it takes for the defender to detect the attack. In many cases, victim organizations do not know they have been breached for weeks or months after the initial compromise, while attackers can gain access in a matter of minutes or hours. The StealthWatch® System can drastically reduce the time to identify threats, giving security personnel a window of opportunity to mitigate an attack before valuable data is lost. This webinar will cover how StealthWatch quickly detects a variety of malicious activity, using threat information from the Verizon 2015 Data Breach Investigations Report as a backdrop. Participants will learn how StealthWatch can quickly detect: - Crimeware - Insider threats - Point-of-sale (POS) intrusions - Cyber-espionage

Detecting Threats: A Look at the Verizon DBIR and StealthWatch

Lancope, Inc.

Botnet Detection And Countermeasures

Synerzip

Hacking3e ppt ch06

Skillspire LLC

FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ More information at: Twitter: @segofensiva Website: http://www.seguridadofensiva.com What if you could enqueue from kernel space to user space all your incoming and outgoing network connections? Maybe you could develop some offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic like dns tunneling connections or to fool some well known network tools. This will be showed in Linux-powered devices. It will be explained too some remote OS fingerprinting techniques, both active and passive, implemented in tools like nmap, p0f, or vendor appliances, and a how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.

From Kernel Space to User Heaven #NDH2k13

Jaime Sánchez

This presentation has been well received the the SANS community and many information security teams I engage with. It describes how integrating a full content repository to your existing security architecture can decrease incident response time and lead to fast identification of root cause. I also describe a new way of implementing NetFlow without sampling to provide greater visibility of your network. Enjoy! Boni Bruno, CISSP, CISM, CGEIT www.bonibruno.com

Decreasing Incident Response Time

Boni Bruno

IPv6-Hardening.pdf

Mustafazer21

CODE BLUE 2014 : Physical [In]Security: It’s not ALL about Cyber by Inbar Raz

CODE BLUE

Malware vs Big Data

Frank Denis

IoT security is a nightmare. But what is the real risk?

Zoltan Balazs

Keeping your rack cool with one "/IP route rule"

Faelix Ltd

Issa jason dablow

ISSA LA

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla

Raffael Marty

Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...

Zoltan Balazs

DEF CON 27- JISKA FABIAN - vacuum cleaning security

Felipe Prado

Public facing web sites are constantly under attack and keeping websites protected is an arms race, yet security rarely gets a look-in at specification and budget allocation stages of delivering a web site - or at best is an afterthought. Yet everyone has an expectation of security and QOS that implies it is central to every project. Security considerations should pervade all stages of a project from initial specification, throughout development and testing and on to ongoing hosting and maintenance. In this session I will cover: * Common threats to web security with real world case studies of compromised sites, * Simple approaches to mitigating common threats/vulnerabilities, * Defence in depth – an overview of the various components of web security, * Drupal specific measures that standard penetration testing often does not account for. * An overview of how to benefit from: * Security monitoring and log analysis * Intrusion Detection Systems & Firewalls * Security headers and Content Security Policies (CSP). Comments: https://joind.in/talk/8bbea

Drupal Camp Bristol 2017 - Website insecurity

George Boobyer

No More Fraud, Astricon, Las Vegas 2014

Flavio Eduardo de Andrade Goncalves

[CLASS2014] Palestra Técnica - Franzvitor Fiorim

TI Safe

G3t R00t at IUT

Nahidul Kibria

Wireguard VPN

All Things Open

Semelhante a Using system fingerprints to track attackers (20)

Conclusions from Tracking Server Attacks at Scale

Detecting Threats: A Look at the Verizon DBIR and StealthWatch

Botnet Detection And Countermeasures

Hacking3e ppt ch06

From Kernel Space to User Heaven #NDH2k13

Decreasing Incident Response Time

IPv6-Hardening.pdf

CODE BLUE 2014 : Physical [In]Security: It’s not ALL about Cyber by Inbar Raz

Malware vs Big Data

IoT security is a nightmare. But what is the real risk?

Keeping your rack cool with one "/IP route rule"

Issa jason dablow

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla

Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...

DEF CON 27- JISKA FABIAN - vacuum cleaning security

Drupal Camp Bristol 2017 - Website insecurity

No More Fraud, Astricon, Las Vegas 2014

[CLASS2014] Palestra Técnica - Franzvitor Fiorim

G3t R00t at IUT

Wireguard VPN

Último

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Using system fingerprints to track attackers

3. As a Defender, You See... IP: 37.123.118.67 Lat / Long: +54 / -2 Country: UK Ping: 110ms ISP: as13213.net (AKA UK2.net) server hosting Open Ports: SSH, HTTP ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 3

6. What If You Could Spot People Hiding? Block Web Access DETOUR Redirect to Honeypot NO TRESPASSING Add Firewall Rule Deny Credit Card Flag in Logs ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 6

15. Identifying non-consumer IP 9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms 10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms VS 13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms 14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 15

20. Fortunately (for you), Good OPSEC is Hard Tools can be slow and cumbersome May go direct for “innocent” activity / reconnaissance May forget to use it Accidentally cross the streams of personas Correlate attacker print with all previous activity ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 20

23. Fingerprint Entropy 12.3 - User Agent 5.4 - HTTP_ACCEPT Headers 21.9+ - Browser Plugin Details 5.0 - Time Zone 7.5 - Screen Size and Color Depth 21.9 - System Fonts 0.4 - Cookie Test ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 0.9 - Super Cookie Test 23

24. Attacker Use of Virtualization Advantages Disadvantages Easy to Clean Cloned Each Time No Cookies or Super-Cookies Too Clean or Outdated Cruft Detection as VM Requires Local Execution Can Be Detected as VM ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 24

26. Why Should YOU be Stealthy Lurk in IRC and Forums Discover Plans Learn Techniques Hide your interest & activity Bait Honeypots Drop False Leads and Links Government Has Other More Aggressive Options ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 26

27. Thanks Contact me at: Email: lance.cottrell@ntrepidcorp.com Commercial / Gov: http://ntrepidcorp.com Consumer: http://anonymizer.com Blog: http://theprivacyblog.com Twitter: @LanceCottrell LinkedIn: http://linkedin.com/in/LanceCottrell ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 27

Notas do Editor

Because most attackers are smart enough not to use their own home IP address
When you look at any attacker activity, you can see the immediate source.
That source is likely a relay or innocent compromised bystander
You identify the visible attacker Then track who connected there then who connected there, and who …
Imagine what you could do if you knew with certainty which of your visitors was doing so anonymously.
Even better, what if you could actually identify them?
There are a number of tools attackers will use to hide their identity
The question is, how can you identify and recognize the people using these tools?
Overtly Anonymous activity Addresses of public privacy services are easily discovered.
If the machine visiting you has server characteristics, or proxy or VPN ports, it is almost certainly a relay.
Easy to see that an IP addresses is from a data center not consumer - likely relay. Bulletproof hosting providers even more likely to be dubious.
The speed of light and causality are unavoidable. Using relays will have impacts. VM on the relay harder to detect.
DNS mismatch indicates effort to hide. Use wildcard DNS and unique dynamic hostnames to detect this.
Now lets move from recognizing that someone is being anonymous to trying to identify who they actually are.
Often only the browser is hidden. Side doors may exit more directly. Flash, Active X, Media Players, Apps,
Human error is your best friend. Few if any have the needed discipline
Conventional Cookies / Super cookies / flash cookies. Yours and others. Browser history cookies. Third party trackers and identifiers. Look for teleportation. Good for forensics.
Known fingerprint from other activity - hard to change Odd, unusual or impossible fingerprints suggest fakes.
Attacker use of VM can be very effective Still some tell tale indicators.
Ross Ulbricht. Forged IDs sent to his house account “altoid” linked to his silk road blog in some posts and to his real name email in others. Used characteristic language and rant topics.
Taking the next step, you may want to go on the “offensive” which will require you to use anonymity yourself.

Using system fingerprints to track attackers

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (18)

Semelhante a Using system fingerprints to track attackers

Semelhante a Using system fingerprints to track attackers (20)

Último

Último (20)

Using system fingerprints to track attackers

Notas do Editor