The legendary Chinese philosopher Sun Tzu wrote in his tome Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." When it comes to IT security, however, knowing the enemy isn't enough; there is merit in actually emulating some of the behaviors and tactics of attackers in order to create a better defense. A pair of researchers from security vendor Trustwave will present this proposition during a session later this month at the RSA security conference in San Francisco.

"You can learn a lot about different hacker methods and apply those techniques for defense in other areas," said Ryan Barnett, lead security researcher at Trustwave.

Barnett explained that hackers using exploit kits are locked in a battle against secure Web gateways and fraud detection technologies that aim to block attacks. Banking trojans such as Zeus are among the most popular payloads deployed by exploit kit users.


Barnett said there are many such adversarial pairings of hacker tools and defender tools in the market today. "There are some techniques that exploit kits used to try and evade detection by different security devices," he said.

Fooling Trojans

Obfuscation, an effort to hide code on route to a Web browser or other application, is a commonly used technique in exploit kits. Barnett and Ziv Mador, director of Security Research at Trustwave, advocate for using the same basic obfuscation technique for defensive purposes. The idea is to wrap banking fraud detection code in some form of obfuscation.

Zeus-based trojans typically have some form of Web injection component that is used in an attempt to manipulate login pages. By applying the obfuscation, the Web injection can potentially be broken since the trojan doesn't know how to deal with it.

Mador told eSecurity Planet that obfuscation isn't the only technique that Trustwave researchers see as having potential. Randomization of page components, a technique that exploit kits and malware use to fool detection engines, could also possibly be used by the good guys.

Trustwave isn't the only vendor interested in using randomization to prevent exploitation. Startup Shape Security recently announced its ShapeShifter technology platform, which aims to randomize Web page code in a bid to limit the attack risk.

Attack Arms Race

As it has always been with security, the challenge is that an arms race is always on the horizon. As attackers come up with new attack techniques that defenders copy, the attackers will come up with other techniques to evade them.

"There are some cybergangs that can make a lot of money, and in my opinion the problem won't be solved until we start a much more aggressive global law enforcement effort," Mador said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.