Changing the web hacking landscape


No replies to this topic

#1 wwwd40

    DDP Fan club member

  • Members
  • 53 posts
  • Gender:Male

Posted 17 October 2012 - 07:40 AM

I've recently been looking into intrusion deception systems, specifically the Mykonos Juniper solution (see for an overview). Essentially it is a proxy that sits in front of your web server and injects/strips code served by the web server to place 'tar traps' that entice an attacker during the early phases of an attack. It attempts to profile the attacker on a per-machine basis according to the severity of their activities. It attempts to track them by placing various "persistent tokens" (cookies, browser-specific storage, multimedia framework storage (Flash, Silverlight), client-side JavaScript storage, clever use of ETag values), so independent of and more intelligent than simple IP tracking. The injected code points are numerous and configurable, making it very difficult to tell whether the object you are playing with is a true resource of the website or a tar trap until you've already "tripped a wire", at which point the system may be remediating you: slowing your connection, presenting a CAPTCHA if it thinks you are a bot, blocking your connection entirely, serving up broken pages, forcing log out, etc.

NB: this doesn't actually spot attacks, it just spots the potential for attacks by looking for reconnaissance activity. It's not a web application firewall or IPS/IDS.

This approach goes a long way towards visibility of activities that are normally very difficult to spot, address or report on. It is also not very intensive to set up and configure and doesn't require an ever-updating list of signatures (let's be honest, signature systems are often a step or two behind).


From what I can tell, an attacker that:

Uses a different VM for each recon activity or session
or
Goes straight for blind attacks
or
Is very efficient at cleaning their caches
or
Uses a browser that stores absolutely nothing (or an application that isn't a browser)

may be able to thwart parts of the system's tracking. Additionally, the system is not completely mature in terms of its clustering ability/data correlation, and I can see companies being very jumpy about anything that is going to sit in line between their SLB and web farm, so it needs to be 100% proven. That said, people already do this with web application firewalls - I can see Mykonos-like functionality being incorporated into these appliances very soon.

Does anyone have any experience with this or similar systems? Does anyone have any of this software that can be tested?

Cheers,

/wd


EDIT - Some interesting info:

Open source persistent cookies: http://samy.pl/evercookie/
Mykonos blog about evercookie: http://blog.mykonossoftware.com/?p=142

Edited by wwwd40, 17 October 2012 - 07:43 AM.
