A Brief History of The Mire
The Mire is a security solution designed to empower the defenders against the hackers. Its sole aim is to impair any progress a hacker, adversary or assailant can make.
Clients that fail to follow the directives set by the web server owner are treated as hostile.
The Mire achieves this in two key ways:
- Causing Cost: The Mire imposes cost in time, compute, network, storage, and analysis.
- Causing Confusion: The Mire serves content designed to appear real—sometimes convincingly so—for as long as possible.
Setting the Scene - why The Mire?
Think of the post-Glastonbury mess that results when it rained for the whole festival. Rubbish and tents are everywhere and pools of water and mud are the paths through which you have to walk to get in, out or anywhere.
People came prepared and still they fell victim to British weather and the stickiest mud on the planet.
A Wellington boot stands trapped in the mud, a lasting memory of several days of music, little sleep, no showering and lots of queuing for Portaloos.
That is the mire.
It’s a place where most people don’t go but some have to, finding it irresistible.
Life Before The Mire
My web domains have long since sat behind the free Cloudflare tier, whose caching, DDoS protection and so on are a great benefit. Next in line is a Caddy Server that either serves content from files or proxies onto my WordPress host.
Some security goodness is also added at the Caddy layer: all sites get a consistent robots.txt, and security headers are set by Caddy.
At this point, I noticed many domains being probed within five seconds of going live—that is, from service startup and certificate issuance. Certificate Transparency logs are actively monitored by both benign and hostile actors.
Striving to keep my web logs clean of errors, I began programmatically blocking connections if they ignored my robots.txt directives.
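The check described above, spotting clients that request paths the site's robots.txt disallows, can be run over access logs before deciding what to do with the offender. The following is an added example and not The Mire's own code: it uses Python's standard `urllib.robotparser` to apply a constructed robots.txt to constructed, Caddy-style JSON access-log lines (only the `request.remote_ip`, `request.method` and `request.uri` fields are used) and groups the disallowed requests by client address.

```python
import json
from collections import defaultdict
from urllib.robotparser import RobotFileParser

# Constructed robots.txt, standing in for the consistent one served for every site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /wp-login.php
Disallow: /backup/
"""

# Constructed access-log lines in the shape of Caddy's JSON access log (fields trimmed).
# Addresses are documentation ranges, not real clients.
ACCESS_LOG = [
    '{"request":{"remote_ip":"203.0.113.10","method":"GET","uri":"/"},"status":200}',
    '{"request":{"remote_ip":"203.0.113.10","method":"GET","uri":"/robots.txt"},"status":200}',
    '{"request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/wp-login.php"},"status":404}',
    '{"request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/backup/site.zip"},"status":404}',
    '{"request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/admin/?x=1"},"status":404}',
    '{"request":{"remote_ip":"192.0.2.55","method":"GET","uri":"/blog/post-1"},"status":200}',
    'this line is not json and must be skipped, not crash the scan',
]


def load_rules(robots_txt):
    """Parse robots.txt text into a RobotFileParser without fetching anything."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def is_disallowed(parser, path, user_agent="*"):
    """True when the robots.txt rules forbid user_agent from fetching path."""
    return not parser.can_fetch(user_agent, path)


def find_violators(robots_txt, log_lines):
    """Return {client_ip: [disallowed uris...]} for every client that ignored robots.txt."""
    parser = load_rules(robots_txt)
    hits = defaultdict(list)
    for line in log_lines:
        try:
            entry = json.loads(line)
            request = entry["request"]
            ip, uri = request["remote_ip"], request["uri"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed or unexpected line: skip it rather than abort
        if is_disallowed(parser, uri):
            hits[ip].append(uri)
    return dict(hits)


if __name__ == "__main__":
    for ip, uris in find_violators(ROBOTS_TXT, ACCESS_LOG).items():
        print(f"{ip} requested {len(uris)} disallowed path(s): {uris}")
```

A client that fetched robots.txt and then stayed within its rules (the first address above) never appears in the result; the one that walked straight into the disallowed paths does, with the evidence attached, which is the input a block or a diversion decision needs.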
Birth of The Mire
After some time, it seemed clear that connections were attempting to scrape my content, specifically the hidden-in-plain-sight, should-be-secret content. That content does not exist, but that stops nobody.
The blocks were lifted and the scanners allowed to collect their content. Yes, there was a transition from generating 404 errors to serving something for the scanner to think about.
The Mire, willing to cause cost and confusion, was giving the scanners content on the fly.
I won’t share the secret sauce, but The Mire now sees a large volume of connections that try to collect content from the websites behind the Caddy Server.
What Next?
Taking The Mire to another level is my next challenge. I have a vision of where The Mire should sit and what its output, its product and value should be.
FUSION is one part of the threat intelligence story.
Empowering the defenders in their fight against the attackers is key and The Mire can help greatly with this.
It’s a little similar to how Harry Houdini performed over 100 years ago, some smoke and mirrors, a little deception and something happens in the background behind the illusion of normality. If it prevents hackers from being effective, this can only be a good thing.
The Mire is a good thing. You can see how it is performing on the Statistics page.
MIRE/C³ (MIRE C-Cubed - Causing Cost and Confusion) is here to help defend our resources and platforms.