Scout Tags Unknown Hackers

November 2002
By Henry S. Kenyon

System notes probes and parries return intruders.

A new type of defensive software protects computer networks by actively identifying reconnaissance probes and blocking subsequent attacks. The program operates in front of a firewall by marking all incoming scans and probes. The mark consists of false data about servers and other applications. Any attempt to penetrate the system using the distorted information is treated as an attack and automatically stopped.

In the cat and mouse game of defending computer networks against intrusion, responding in real time to threats often is not possible. Traditional firewalls block only known attacks, but intrusion detection systems can overload administrators with false alarms. The difficulty with existing technologies is that they react after an incident has taken place instead of pre-empting it, experts say.

ActiveScout, developed by ForeScout Technologies Incorporated, Palo Alto, California, provides flexible perimeter security against both known and unknown cyberattacks, explains Nancy Blair, ForeScout’s vice president of marketing. According to Blair, what sets ActiveScout apart from other types of software is its ability to defend against unknown attacks that can automatically penetrate most firewalls. Because distinguishing an actual attack from false alarms and other background noise is very difficult, many security systems cannot easily detect, define and pinpoint threats. Blair claims that ActiveScout is nearly 100 percent accurate and generates no false alarms while detecting attackers in the routine traffic at a network’s perimeter. Security managers can focus their efforts on real threats without conducting a manual analysis of system logs, which takes place after an attack and is more damage assessment than a deterrent, she maintains.

ActiveScout is currently being evaluated by the U.S. Army Communications-Electronics Command (CECOM) at Fort Monmouth, New Jersey. According to Stanley Fong, an electronics engineer and group leader of the Command and Control Protect project, part of CECOM’s Chief Information Officer/Command, Control and Communications Systems Office, the military is especially interested in the software’s ability to identify and rapidly deny attacks. He explains that this is a completely different approach to intrusion detection.

A recent CECOM report does not recommend the product’s current version because of problems encountered during testing. These issues are a vulnerability to Network Mapper (Nmap) FIN scans when the software is configured in front of a Cisco router, and a potential weakness created by the program’s placement. Because ActiveScout operates in front of a firewall, a port must be opened in the firewall for the program to communicate with its server. This exposes the ActiveScout server to potential detection and compromise because it resides in an unprotected zone of the network. The report strikes a positive tone, nonetheless, concluding that if these problems were repaired, the software would be recommended for inclusion on an approved list of information assurance products.

While the laboratory does not officially endorse the product, from a technical standpoint, the evaluating engineers were pleased with ActiveScout. Although parts of the software must be corrected, Fong believes that it has considerable advantages over many intrusion detection systems. “It’s a very novel product. You don’t see that type of approach from anybody else. Instead of jumping in as an intrusion detection system, they are coming from a different angle,” he says.

Another advantage of ActiveScout is its low total operating cost. Unlike firewalls that require constant updates and intrusion detection systems that must be calibrated to work on specific networks, the program can work out of the box with minimal configuration. Aside from installation and software updates to keep the core system operating, the program requires no signature updates or manual analysis. Fong notes that this is a much better approach than many firewalls and intrusion detection systems currently offer.

Blair maintains that 95 percent of all attacks are preceded by some kind of reconnaissance activity. This is usually done with well-known techniques such as ping sweeps and port scans, carried out with widely available system administration tools. However, Fong adds that these types of attacks are rare and comprise roughly 20 easily identifiable classes of attacks.

When a network is queried, it replies with data about specific systems and servers that are accessible. With ActiveScout operating on the system, data is provided to the hackers, but the reply contains a mark—unique information about services, users, hosts and passwords that actually do not exist on the network. This ability to provide false data to hackers and mark them also drew praise from the Army engineers. “If you use that false information to try to break in, they know for sure you are attacking,” Fong says.

Blair claims that the program’s patented active response technology makes it impossible for intruders to distinguish between this mix of true and false data. But the application’s ability to feed false data to hackers may raise some legal concerns that need to be examined. These questions involve the specific circumstances under which government organizations may provide false information and lock users out, Fong says.

Another potential complication with its acceptance by the U.S. government is that the software was developed in Israel. ForeScout’s research and development office is located in Tel Aviv. Fong notes that the government has specific policy guidelines regarding the acceptance and use of foreign products. However, if requested, the company indicated that it would provide the source code used to verify that no Trojan horses or back doors exist in the software, he adds.

The software is designed to ease the workload associated with intrusion detection software. No alerts are raised during the scouting process so managers are not overwhelmed with updates about the activity. “We haven’t cried wolf. We haven’t gotten all the security managers trying to analyze whether a real attack happened,” Blair explains.

Blair estimates that 90 percent of firewall users do not have any intrusion detection. For those who do, the software is reactive, sending out alerts only when an attack has taken place. Many intrusion detection systems are triggered by reconnaissance, sending out alarms every time the network is probed. “The net result is that security managers actually don’t pay attention to those alerts anymore because most of them are meaningless,” she observes.

But when an attack does occur, the software shifts into an intercept mode. Part of this effort will be against the false resources provided by the marked data. The program uses this to identify and block the intruder automatically. Blair notes that the goal of ActiveScout is not to entice hackers to return to a network, but if they do, they are identified and kept out of the system.

The software works with firewalls and other applications as part of a layered defense. One way for hackers to get through a firewall is to use an attack that is unknown to the program. This type of assault is dangerous because the system cannot identify the threat and the intruder enters the network without resistance. “You can’t possibly change firewall policies to stay up to date with every new potential threat. All you can do is try your best to allow services out that you know the organization wants to allow out through the firewall. But letting anything out means stuff can get in,” Blair says.

ActiveScout complements firewalls by protecting against a variety of attacks without constant updates and policy changes. Most firewalls are not fully managed and kept up to date, she explains. But because ActiveScout stops attackers before they reach the firewall, an added layer of security is provided, even if other systems have not been updated.

Recently, the software successfully defended servers against a self-replicating worm called Slapper. According to ForeScout officials, the worm scans for Apache hypertext transfer protocol servers that are using a defective version of the OpenSSL software package. When a vulnerable server is located, the worm enters the system. Once inside, it can reproduce, launch distributed denial of service attacks or act as a back door into the server.

ActiveScout prevents these attacks on servers it is installed on even before the security community identifies the worm as a threat. The company maintains that this is done through the software’s core technology, which creates virtual Apache and Apache/secure socket layer services. These “services” are located by the scanning worms, which are then marked and blocked from attacking the site.
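The mark-and-intercept cycle described above (false hosts and users handed to a probe, then a block when any of them is used) and the decoy Apache/SSL service that draws worm scanners follow the same pattern. The toy sensor below is an added illustration of that pattern and is not ForeScout’s code; the event format, the query names, the decoy banner text and the sample addresses are all constructed for the example. A per-source random token is embedded in every decoy answer, and any later request that carries a known token is treated as an attack from that moment on. The last event in `demo()` also shows the limitation Blair acknowledges: a source that never performed reconnaissance never receives a mark and therefore passes through.

```python
"""Toy mark-and-intercept sensor (added example, not ForeScout's implementation)."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Constructed query names that stand in for reconnaissance requests.
RECON_QUERIES = {"list_hosts", "list_users", "banner"}


@dataclass
class Sensor:
    """Remembers the marks it has handed out and the sources caught using them."""
    issued: Dict[str, str] = field(default_factory=dict)   # token -> source that received it
    blocked: Set[str] = field(default_factory=set)         # sources that used a mark
    new_token: Callable[[], str] = lambda: secrets.token_hex(4)

    def decoy_reply(self, src: str, query: str) -> str:
        """Answer a probe with plausible but non-existent resources bearing a fresh mark."""
        token = self.new_token()
        self.issued[token] = src
        if query == "list_hosts":
            return f"db-{token}.corp.example backup-{token}.corp.example"
        if query == "list_users":
            return f"svc_{token} admin_{token}"
        # Decoy web/SSL banner for worm-style scanners (version string is constructed).
        return f"Apache/1.3 (Unix) mod_ssl OpenSSL/0.9 ServerName=www-{token}.corp.example"

    def marks_in(self, text: str) -> Set[str]:
        """Return every issued token that appears in the request text."""
        return {token for token in self.issued if token in text}

    def handle(self, event: dict) -> str:
        """Return 'decoy', 'blocked' or 'allowed' for one inbound event."""
        src, query = event["src"], event["query"]
        payload = event.get("payload", "")
        if src in self.blocked:
            return "blocked"                      # intercept mode: stay closed to this source
        if query in RECON_QUERIES:
            event["reply"] = self.decoy_reply(src, query)
            return "decoy"                        # no alert raised, just marked data returned
        if self.marks_in(payload):
            self.blocked.add(src)                 # use of a mark proves hostile intent
            return "blocked"
        return "allowed"                          # nothing marked: pass to the firewall


def demo() -> list:
    """Run a constructed event sequence and return the verdict for each event."""
    sensor = Sensor()
    probe = {"src": "198.51.100.7", "query": "list_hosts"}
    verdicts = [sensor.handle(probe)]
    fake_host = probe["reply"].split()[0]          # the scanner "learns" a marked host
    later = [
        # returning scanner tries the marked host: blocked, and the source is remembered
        {"src": "198.51.100.7", "query": "connect", "payload": f"GET / Host: {fake_host}"},
        # ordinary client using a real name: allowed
        {"src": "203.0.113.5", "query": "connect", "payload": "GET / Host: www.corp.example"},
        # blocked scanner retries with a real name: still blocked
        {"src": "198.51.100.7", "query": "connect", "payload": "GET / Host: www.corp.example"},
        # source that skipped reconnaissance carries no mark: allowed (the known blind spot)
        {"src": "192.0.2.9", "query": "connect", "payload": "POST /login Host: www.corp.example"},
    ]
    verdicts += [sensor.handle(event) for event in later]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The `issued` map also records which source originally received each token, so a mark that shows up from a different address indicates the decoy data was passed along, which is exactly the “return of marked information” the product looks for. A real sensor would have to parse actual protocols rather than the constructed query names used here, and the firewall port noted in the CECOM report would still be needed to carry verdicts to the enforcement point.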

ForeScout claims that its application complements intrusion detection software by permitting administrators to turn off most or all reconnaissance signature alerts. This reduces the amount of network noise that managers must filter and reduces the labor required to operate the system. Blair notes that if an attack is not preceded by reconnaissance, ActiveScout probably will not detect it, especially if it is an unknown attack. But only a very small percentage of attacks fall into this category, she adds.

To provide scalability across an entire network, ForeScout has two products, ActiveScout Site Solution and ActiveScout Enterprise Solution. Site Solution allows technicians to install and manage one “scout” program on a network. The enterprise solution permits between 50 and 60 network access points to be protected. The software can be scaled up easily because it does not require intensive processing from the host computer. “We don’t have to do signature or anomaly analysis. We’re just looking for the return of marked information,” Blair says.

Additional information on ForeScout is available on the World Wide Web at
