In 1943, Spanish officials recovered the body of a spy from the Atlantic coast of Huelva. The suitcase still attached to his arm contained Allied war plans, identifying Greece and Sardinia as the beachhead for the forthcoming assault on Italy. Amazed by their luck, Axis forces redeployed divisions from Sicily, Northern France, and the Eastern front to counter the forthcoming invasion. Except of course, the invasion never came; well, at least not that one. The “spy” was in fact a recently deceased drifter; preserved by British Intelligence, furnished with impeccable credentials and then set adrift from a submarine.
This counter-intelligence coup is widely regarded as a key factor in the success of Operation Husky (the actual Allied assault on Sicily) and the eventual assault on mainland Italy.
What has this to do with Network Security?
Well, it would seem some old tricks are new again. There is a niche of vendors that provide counter-security tools to the Enterprise. Unlike SIEM and IDS, which sift through the network for “known bad things”, counter-security tools gather intelligence, soliciting bad behaviour and looking for behaviours which are uniquely nefarious. Going back to 1943, had the Spanish official(s) just buried the poor chap and stored his briefcase like they were supposed to, it is likely the invasion would have faltered, or at least cost many more lives.
There are many different approaches to how the intelligence is gathered and then used to combat the attacker.
- Junos WebApp Secure (formerly Mykonos Web Security) fingerprints connections, looking for suspect client behaviour based upon “tar traps” placed into the network flow.
- FireEye replays client-server network traffic within a Virtual Machine, watching for any attempts to modify the host or “breakout” to the rest of the network to track and prevent “Zero Day” Malware attacks.
- Junos DDoS Secure (formerly WebScreen) uses advanced behavioural analysis to identify malicious traffic and mitigate denial of service attacks.
These technologies use similar techniques to protect networks, although they differ in what they actually protect. They are united as they all look for behaviours which are exclusive to malware, an attacker, or an extortionist. For example:
- Good web users do not screw around with debug variables in the URI string.
- Good web applications do not download 15 encrypted MIME objects and decrypt themselves into a .EXE file in Windows\System32.
- Good traffic does not batter all servers on a subnet at once.
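Two of those behaviours are simple enough to turn into detection logic. The script below is an added example, not code from Junos WebApp Secure or any other vendor mentioned here. It assumes two things the post does not state: that the web server plants a decoy query parameter (the hypothetical name `_dbg`) in its own links as a “tar trap”, so any client that sends it has been tampering with the URI; and that access logs and flow records arrive in the simple constructed formats embedded below. The first detector flags clients that trip the trap; the second flags a source that hits many distinct hosts in one subnet within a short window, the “battering a subnet” pattern from the last bullet.

```python
"""Toy "tar trap" and subnet-sweep detectors (added example, not vendor code)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical decoy parameter: the application never uses it, so a
# legitimate browser following real links never sends it.
TRAP_PARAM = "_dbg"

# Constructed sample access log: "<client> <method> <path> <status>"
SAMPLE_LOG = """\
203.0.113.5 GET /index.html 200
203.0.113.5 GET /catalog?page=2 200
198.51.100.9 GET /catalog?page=2&_dbg=1 200
198.51.100.9 GET /admin?_dbg=true 403
192.0.2.77 GET /login 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


@dataclass
class TrapHit:
    client: str
    path: str
    values: list[str]


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_trap_hits(log_text: str) -> list[TrapHit]:
    """Return every request whose query string carries the decoy parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qs = parse_qs(urlsplit(rec["path"]).query)
        if TRAP_PARAM in qs:
            hits.append(TrapHit(rec["client"], rec["path"], qs[TRAP_PARAM]))
    return hits


def flagged_clients(log_text: str) -> list[str]:
    """Distinct clients that touched the trap, sorted for stable output."""
    return sorted({h.client for h in find_trap_hits(log_text)})


# Constructed flow records: (epoch_seconds, src_ip, dst_ip)
SAMPLE_FLOWS = [
    (1000, "198.51.100.9", "10.0.5.1"),
    (1001, "198.51.100.9", "10.0.5.2"),
    (1002, "198.51.100.9", "10.0.5.3"),
    (1003, "198.51.100.9", "10.0.5.4"),
    (1000, "203.0.113.5", "10.0.5.1"),   # normal client: two hosts, 500 s apart
    (1500, "203.0.113.5", "10.0.5.2"),
]


def subnet_sweepers(flows, prefix: int = 24, min_hosts: int = 4, window: int = 60) -> dict:
    """Map src -> [subnet, ...] for sources that reach >= min_hosts distinct
    hosts inside one /prefix within `window` seconds (sliding window)."""
    by_key: dict[tuple[str, str], list[tuple[int, str]]] = defaultdict(list)
    for ts, src, dst in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        by_key[(src, str(net))].append((ts, dst))

    result: dict[str, list[str]] = defaultdict(list)
    for (src, net), events in by_key.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= min_hosts:
                result[src].append(net)
                break   # one verdict per (src, subnet) is enough
    return dict(result)


if __name__ == "__main__":
    for hit in find_trap_hits(SAMPLE_LOG):
        print(f"trap hit: {hit.client} {hit.path} {hit.values}")
    print("sweepers:", subnet_sweepers(SAMPLE_FLOWS))
```

Both detectors share the property the post attributes to this class of tool: the trap parameter has no legitimate use, so a hit needs no signature tuning, and the sweep threshold keys on a pattern (many distinct hosts in one subnet, fast) rather than on any particular payload. The thresholds and the decoy name are the parts a real deployment would tune.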
Compared with traditional technologies such as IPS/IDS, counter-security tools tend to produce very few false positives. What makes them unique is their efficacy; they only drop what is unequivocally bad. There are other technologies out there, but in lieu of a Gartner Magic Quadrant to complain about, you’ll have to make do with Glen’s Magic List (TM) for now.
Want to find out more?
Funnily enough, I wrote a “free” book on one of the technologies in this category; Juniper’s Junos WebApp Secure. Without stealing too much thunder from the book, JWAS is a really cool technology which protects web servers in some truly original ways. The ultimate goal is not to make the application invulnerable, but to make the task of attacking it catastrophically expensive; to make your web assets an uneconomic target. If the attacker has to devote too much time and effort into breaching your defences, they are more likely to move to the next, less well defended sap.
The book is available for free from the Juniper website in its original PDF format (free login required), or you can purchase it from the Kindle Store for £2/$3 or from iTunes for 49p/79c. I make no money from any format, but both Apple and Amazon charge for the distribution of “free” books.
If you want to learn more about Operation Mincemeat, I can recommend the 1957 film “The Man Who Never Was”; or if you prefer your history lesson more space-opera based, check out Space: Above and Beyond.