NB this doesnt actually spot attacks, just spots the potential for attacks by looking for reconnaissance activity. Its not a web application firewall or IPS/IDS.
This approach goes a long way to visibility of activities that are normally very difficult to spot, address or report on. It also is not very intensive to set up and configure and doesn't require an ever updating list of signatures (lets be honest signature systems are often a step or 2 behind).
From what I can tell, an attacker that:
Uses a different VM for each recon activity or session
Goes straight for blind attacks
Is very efficient at cleaning their caches
Uses a browser that stores absolutely nothing (or an application that isn't a browser)
may be able to thwart parts of the system tracking. Additionally, the system is not completely mature in terms of its clustering ability/data correlation and I can see companies being very jumpy about anything that is going to sit in line between their SLB and webfarm so it needs to be 100% proven. That said, people already do this with web application firewalls - I can see Mykanos like functionality being incorporated into these appliances very soon.
Does anyone have any experience with this or similar systems? Does anyone have any of this software that can be tested?
EDIT - Some interesting info:
Open source persistent cookies: http://samy.pl/evercookie/
Mykanos blog about evercookie: http://blog.mykonossoftware.com/?p=142
Edited by wwwd40, 17 October 2012 - 07:43 AM.