DECEPTICONv2

Presented at Diana Initiative, Queercon 16, and DEFCON 27 Recon Village 8/9-10, 2019.

When we think of the process for attacking an organization, OSINT comes to the front and center of our minds. This presentation takes a presenter with experience in applying OSINT to effective penetration testing and social engineering and reverse engineers the process to determine what steps can be taken to further complicate their efforts. This is a presentation that talks about online deception, decoy accounts, canary data, encryption, maintaining one’s social media in a secure manner, and protecting one’s identity as much as possible. While nothing is absolute, this is a presentation that will leave attendees more aware of techniques to make it harder for attackers to collect accurate OSINT, either by removal or deception.

  1. DECEPTICON: Deceptive Techniques to Derail OSINT Attempts. Joe Gray. Defcon Recon Village, Diana Initiative, Queercon 16
  2. About Me
     • Senior Security Architect
     • 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
     • On 3rd place team at the 2018 & 2019 NOLACon OSINT CTF (Password Inspection Agency)
     • On 2nd place team at the 2019 BSides OSINT CTF (Password Inspection Agency)
     • Served in the US Navy, navigating submarines
     • CISSP-ISSMP, GSNA, GCIH, OSWP
     • Forbes contributor
     • Currently authoring a social engineering and OSINT book, Securing the Human Element, with No Starch Press
     • Maintains a blog and podcast at https://advancedpersistentsecurity.net
     • Just started offering OSINT training (The OSINTion)
  3. Goals. This presentation aims to cover:
     • Where OSINT lies
     • Online Deception
     • Decoy Accounts
     • Canaries
     • Encryption
     • Social Media
     • Identity Management (not Identity and Access Management)
  4. What is OSINT? OSINT is drawn from publicly available material, including:
     • The Internet
     • Traditional mass media (e.g. television, radio, newspapers, magazines)
     • Specialized journals, conference proceedings, and think tank studies
     • Photos
     • Geospatial information (e.g. maps and commercial imagery products)
     • SOCIAL MEDIA
  5. Where can one gather OSINT?
  6. Major OSINT Resources
     • Web
       • OSINTFramework.com (Justin Nordine)
     • Tools
       • Recon-ng (Tim Tomes)
       • Datasploit (Shubham Mittal)
       • OnionScan (Sarah Jamie Lewis)
       • theHarvester (Laramies)
       • Metagoofil (Laramies)
       • SpiderFoot (Steve Micallef)
  7. Gathering OSINT
     • Public conversations (borderline HUMINT)
       • Bars
       • Malls
       • Restaurants
       • Family and Friends
       • Back Windshields
     • Mostly, the internet
       • Forums
       • Job Boards/Resume Sites
       • Search Engines
       • Social Media
       • Dating Sites
  8. More of “Where”
     • Search Engines
       • Good OSINT requires good “Google-Fu”
     • Job Boards/Resume Sites
     • Forums
     • GitHub
     • Social Media
     • Review sites
       • e.g. Yelp
  9. Collecting OSINT
  10. Collecting OSINT
     • Your “Dossier”
       • Location(s)
       • Picture/Likeness
       • USERNAMES/HANDLES
       • Employers and/or Clients
       • Friends
       • Lovers
       • Family
       • Personally Identifiable Information (PII)
       • Interests, Likes, Dislikes
       • Causes
       • Political Affiliations
  11. Collecting OSINT
     • Social Media
       • Platforms
       • Sharing Profile (i.e. privacy settings and content of public posts)
       • Username
       • Password Reset Questions
         • From relationships and school data
         • THOSE DUMB ONLINE QUIZZES OR VIRAL MEMES SOLICITING THE INFORMATION
  12. Collecting OSINT
     • Google & Tools
     • Innovative Thinking
     • Pwdlogy (https://github.com/tch1001/pwdlogy)
     • Google Dorks
       • https://www.offensive-security.com/community-projects/google-hacking-database/
       • https://cdn5.alienvault.com/blog-content/GoogleHackingCheatSheet.pdf
       • https://www.sans.org/security-resources/GoogleCheatSheet.pdf
  13. OSINT Goldmines
     • Indeed.com Resumes
     • GitHub repos
     • Social Media
       • Facebook
       • Twitter
       • LinkedIn
       • Pinterest
       • Snapchat
     • Dating Apps
  14. Mitigations. There are mitigations for OSINT:
     • Rate Limiting
     • Canaries/Deceptive Technologies
     • Disinformation
     • Segmentation and DLP
     • Encryption (to a degree)
     • Data minimization
     • Opting Out
  15. Training Rant. In training, clearly define:
     • Who to report incidents to and how to report them
     • Precise actions on receipt of a phish or vish, etc.
     • Precise actions when a user falls for a phish and realizes it
       • Who to contact and how
       • What to do with the computer
     • Non-punitive policy; open door (mostly cultural)
     • EXACT company policy for what to do; not something generic
     • Consider gamification; be cautious (ref: Wells Fargo)
  16. Collection Considerations
     • What is the endgame?
     • Is what you’re doing ethical?
     • Do you have an ethical obligation to do this a certain way?
     • I have collected all this data; how do I protect it?
     • How long do I retain it?
     • How do I dispose of it?
     • What value could be assigned to it?
     • Do a “collection swap” with a trusted peer
  17. Protecting Yourself: Operations Security (OPSEC). The Thoughts and Opinions Expressed in this presentation are solely the presenter’s and do not necessarily reflect those of IBM.
  18. Know Your Enemy
     • Who/What/Why are you looking at Anti-OSINT (DECEPTICON)?
     • What are their capabilities and intentions?
     • What have you done to trigger a response (if anything; i.e. being successful)?
     • What vectors could they use?
       • This is why I talked about how to collect earlier
     • Where do you “live” online?
     • What outcomes will result in them finding “you”?
     • Through no fault of your own, is there a reason that someone may target you?
       • Sexual Orientation
       • Gender or Gender Identification
       • Political Affiliation/Views
       • Military Affiliation
  19. A note about OPSEC
     • When you start this, you will need to maximize your OPSEC
     • Blogs about opting out
       • https://tisiphone.net/2017/01/25/thwart-my-osint-efforts-while-binging-tv/ (h/t @Hacks4Pancakes, Lesley Carhart)
       • https://webbreacher.com/2017/04/24/removing-yourself-from-the-internet/ (h/t @WebBreacher, Micah Hoffman)
       • https://www.learnallthethings.net/blog/2018/1/23/opting-out-like-a-boss-the-osint-way (h/t @Baywolf88, Josh Huff)
  20. Opting out links. Another h/t to Micah…
     • https://docs.google.com/spreadsheets/d/1UY9U2CJ8Rnz0CBrNu2iGV3yoG0nLR8mLINcnz44XESI/edit#gid=1864750866
     • https://the.osint.ninja/optoutdoc
  21. Secure Internet Usage
     • I am not saying not to use Google
       • Be cautious and calculate the risk (Bing and DuckDuckGo use different algorithms and will have different outcomes)
     • Use a VPN
       • You could pay for PIA, ExpressVPN, HideMyA**
       • You could stand up your own for cheap with Streisand
     • Browser add-ons and extensions
     • Vulnerability Management
     • Cloud Storage
     • File Metadata
  22. More Secure Internet Usage
     • Using your real name or pics:
       • Social Media
       • Dating Apps
     • Publicity
       • Are you an exec or a public speaker?
       • Does the news or other outlets interview you?
     • Email?
       • Are your addresses in breach data?
     • Username:
       • I am not C_3PJoe on every platform
  23. Streisand Effect
  24. Streisand Effect
     • https://github.com/StreisandEffect/streisand
     • VPN (L2TP or IPsec)
     • OpenConnect
     • OpenVPN
     • Stunnel: TLS tunnelling
     • ShadowSocks: SOCKS proxy
     • SSH
     • Tor Browser
     • WireGuard: VPN
  25. Types of Deception
     • Disinformation (Sock Puppet Accounts)
       • Social Media
       • Email
       • Phone
       • Payment
     • Deception
       • Canaries
       • Honey _____
         • Data
         • Pots
         • Docs
         • Nets
         • Tokens
         • Jobs
  26. Disinformation
  27. Disinformation
     • Make it hard to perform attribution
       • Use different browsers and multiple VPNs when setting up accounts
       • Use your phone (if you feel comfortable; calculated risk)
         • Especially easy if you travel a lot
     • Put known bad or false data out there about yourself
       • Birthdate
       • Spelling of Name
       • Location
       • Picture
     • Subscribe to magazines and known publications that will sell your data
       • With a false address
  28. Disinformation Accounts
     • Email
       • Hushmail
       • Protonmail
       • Sudo
     • Phone Number
       • Google Voice (not really, but will work against the non-sophisticated adversaries)
       • Sudo
     • Payment
       • Sudo pay
       • Bitcoin (limited)
     • Social Media
       • Register a plethora of accounts with varying levels of accuracy
       • Some with legit info and bad pics, others with legit pics and bogus data
       • Double legit can be tricky, double bogus can burn you
  29. A final layer of OPSEC
     • New Mexico LLCs
       • Affordable
       • Not tied to your name
     • Public Records
       • Home buying
       • Criminal records
       • Property records
       • Landlines
       • Magazine Subscriptions
  30. A note about public records and info
     • Data breaches
     • Credit Reporting
     • Positions in publicly traded companies
       • SEC filings
     • Paying in cash avoids a lot of this
  31. What NOT to do
     • Apply for a new Social Security Number
       • The SSA may assign a new Social Security number to you if you are being harassed, abused, or are in grave danger when using the original number, or if you can prove that someone has stolen your number and is using it.
     • Legally changing your name
       • What artifacts will this leave behind?
     • Avoid Social Media altogether
       • If you don’t have accounts, how can you control your data flow?
     • Automatically take an absolute stance about involving Law Enforcement
       • This could help you or hurt you; measure the risk
  32. Deception
  33. Deceptive Technologies
     • Honeypots / honey _____
       • Interactive
       • Emulate vulnerabilities or data
       • Record attacker activity
     • Decoys
       • Less sophisticated than honeypots
       • Not interactive
     • Canaries
       • Like a honeypot, but used to alert more so than to monitor
  34. Honeypots
     • John Strand’s ADHD
       • Currently being “renovated”
       • Includes various honeypots
         • Artillery
         • Honeybadger
     • Modern Honey Network (MHN): https://github.com/threatstream/mhn
       • Snort and Suricata: IDS
       • Kippo: SSH
       • Dionaea: FTP, HTTP, SMB, MySQL, MSSQL
       • Wordpot: WordPress
       • p0f: passive fingerprinting
       • Elastichoney: Elasticsearch
  35. Canaries
     • RedCanary
     • Canary.tools
       • Thinkst Canary
     • OpenCanary
       • http://docs.opencanary.org/en/latest/
  36. Through the Hacking Glass (TTHG). Mission Statement: To provide free and low-cost training resources to enable information security professionals and aspiring professionals to expand their skill sets and marketability to close the skills gap. This is based on the frequent occurrence of a paradigm of employers seeking entry-level people with experience beyond typical formal education curricula. This further allows professionals and those seeking to enter industry the opportunity to gain experience beyond the walls of academic institutions or capture the flags (CTFs). Contact: tthg@advancedpersistentsecurity.net (for the interim); Twitter: @hackingglass; Facebook: facebook.com/hackingglass
  37. Upcoming Speaking Engagements
     • 9/26-27: DefendCon (Seattle)
     • 10/10-11: HackerHalted (Atlanta, GA)
     • 10/22: Wild West Hackin Fest
  38. Upcoming OSINT Training Opportunities
     • In-Person (all with details TBD unless otherwise noted):
       • Louisville (around the time of DerbyCon)
       • Atlanta (around the time of HackerHalted)
       • Maybe Dallas, Philadelphia, and Boston in 2019
     • Online:
       • https://bit.ly/2YVqyJu
  39. Hacker Halted 2019
     • October 10-11
     • Atlanta, GA USA
     • Free Admission
       • Coupon Code: Joe100 or https://hackerhalted2019.eventbrite.com?discount=Joe100
     • Discount on Training
       • Coupon Code: JJHHTRN (15% off training)
     • Register at: https://hackerhalted2019.eventbrite.com
  40. Questions? @C_3PJoe / @advpersistsec / @hackingglass / @TheOSINTion / @valhallainfos3c
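Slides 33 and 35 describe canaries as deception that alerts rather than monitors, and slide 27 suggests seeding publications that resell your data with false details. The following is an added example, not code from the deck or from any tool it names: a minimal canary-alias registry that mints one unguessable address per seeding location, so that mail later arriving at an alias identifies which seed leaked or was sold. The domain, seed labels and log lines are constructed.

```python
"""Canary aliases (added example; domain, labels and log lines are constructed)."""
from __future__ import annotations
import re
import secrets
from dataclasses import dataclass

@dataclass
class Alert:
    alias: str        # the canary address that was hit
    seeded_at: str    # label of where that alias was handed out
    first_seen: bool  # False if this alias already fired before

class CanaryRegistry:
    def __init__(self, domain: str):
        self.domain = domain.lower()
        self._seeds: dict[str, str] = {}  # alias -> seed label
        self._fired: set[str] = set()

    def mint(self, seed_label: str) -> str:
        """Create an unguessable alias for one seeding location (e.g. one magazine)."""
        alias = f"c-{secrets.token_hex(6)}@{self.domain}"
        self._seeds[alias] = seed_label
        return alias

    def triage(self, rcpt: str) -> Alert | None:
        """Classify one inbound recipient; None means it is not a canary at all."""
        rcpt = rcpt.strip().lower()  # addresses arrive in mixed case
        label = self._seeds.get(rcpt)
        if label is None:
            return None
        first = rcpt not in self._fired  # loud on first hit, deduped afterwards
        self._fired.add(rcpt)
        return Alert(rcpt, label, first)

def scan_mail_log(reg: CanaryRegistry, lines: list[str]) -> list[Alert]:
    """Pull to=<addr> fields out of MTA-style log lines and triage each recipient."""
    alerts = []
    for line in lines:
        m = re.search(r"to=<([^>]+)>", line)
        if m and (alert := reg.triage(m.group(1))) is not None:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":  # constructed demo input, not real mail
    reg = CanaryRegistry("example.invalid")
    mag = reg.mint("magazine subscription, false street address")
    log = [f"mx postfix/smtp[1]: to=<{mag.upper()}>, status=sent",
           "mx postfix/smtp[2]: to=<me@example.invalid>, status=sent",
           f"mx postfix/smtp[3]: to=<{mag}>, status=sent"]
    for a in scan_mail_log(reg, log):
        print("ALERT" if a.first_seen else "repeat", a.seeded_at, a.alias)
```

The same registry works for any token you hand out (a phone number, a URL in a decoy resume, a name misspelling): the lookup key changes, the seed label is what the alert tells you.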
