SAN FRANCISCO 2017
Implementing Inexpensive Honeytrap Techniques
Daniel Miessler
Director of Advisory Services
Agenda
• What are honey techniques?
• When to use them
• Honeytrap examples
• Logging/responding
• Keep in mind
• Takeaways
What are honey techniques?
Honey techniques
The art of detecting malicious behavior by monitoring attackers’ access to, and interaction with, attractive false targets purposely placed within your organization.
Many names
• Honey pots
• Honey nets
• Honey tokens
• Honey files
• Honey traps
• Honey $foos
Hidden (fake) treasure
• Leaving enticing things where they might be found
• Could be anywhere in the stack
• Anywhere in the organization
• Key point is out of band of normal operation
• More off-path = more signal
When to use them
Time and place
• Key benefit is that it can magnify a small team
• You might not be able to cover everything (yet) with two people, but you CAN respond to high-signal events
• Don’t let this replace fundamentals!
Examples
Network ranges
• Cut out a piece of your network, and put only detection / response there
• IDS it up
• 10.100.5.0/24, 10.100.7.0/24
• 10.100.6.0/24 is empty!
• Violently log and respond
Honey daemons
• Create application listeners on various ports that shouldn’t be touched by normal applications
• Can be in a DMZ, in the cloud, or on the internal network
• E.g.: SSH listeners on non-standard ports
• Log bruteforce attempts
• Log and respond
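What a honey daemon of this kind actually is, as an added example (editor's code, not from the deck or its author): a low-interaction TCP listener that accepts a connection on a port nothing legitimate uses, records source address and the first bytes sent, and emits a flat event for the log pipeline. It speaks no protocol, so there is nothing on it to exploit. Port 2222 in the stand-alone run, the "ssh-honey" label and the event field names are assumptions; send_probe is a hypothetical helper for exercising the trap on a schedule.

```python
import json
import queue
import socket
import threading
from datetime import datetime, timezone


def printable(payload, limit=64):
    """Render the first bytes a client sent as safe text: printable ASCII stays,
    everything else becomes \\xNN, so a log line never carries raw binary."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in payload[:limit])


def build_event(service_label, honey_port, addr, payload):
    """Shape one connection into a flat, SIEM-friendly record (field names assumed)."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "trap": service_label,
        "honey_port": honey_port,
        "src_ip": addr[0],
        "src_port": addr[1],
        "bytes": len(payload),
        "first_bytes": printable(payload),
        "severity": "high",  # nothing legitimate ever talks to this port
    }


class HoneyListener:
    """Low-interaction honey daemon: accepts TCP connections on a port no real
    service uses, records who connected and what they sent, then closes. It
    implements no protocol, so its whole value is the event it emits."""

    def __init__(self, host="127.0.0.1", port=0, service_label="ssh-honey",
                 read_timeout=1.0, max_bytes=256):
        self.service_label = service_label
        self.read_timeout = read_timeout
        self.max_bytes = max_bytes
        self.events = queue.Queue()  # drained by the logging/alerting pipeline
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(16)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        conn.settimeout(self.read_timeout)
        payload = b""
        try:
            payload = conn.recv(self.max_bytes)  # whatever the client blurts first
        except OSError:  # includes timeout: a silent port scan is still an event
            pass
        finally:
            conn.close()
        self.events.put(build_event(self.service_label, self.port, addr, payload))


def send_probe(host, port, payload=b"SSH-2.0-probe\r\n"):
    """Connect once and send `payload`; run from a cron job so a dead listener
    is noticed before an attacker would have been (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=2) as c:
        c.sendall(payload)


if __name__ == "__main__":
    # Stand-alone run on a constructed non-standard port; one JSON line per hit.
    listener = HoneyListener(host="0.0.0.0", port=2222).start()
    print(f"honey listener on {listener.port}; Ctrl-C to stop")
    try:
        while True:
            try:
                print(json.dumps(listener.events.get(timeout=1)))
            except queue.Empty:
                pass
    except KeyboardInterrupt:
        listener.stop()
```

Brute-force attempts show up as a burst of events from one src_ip; counting those per source is the job of the pipeline that drains the queue, not of the listener.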
Web servers
• Leave a backup.zip file in your root directory for all those dirbusters out there
• Put some stuff in it like 2014_taxes_copy2.html, etc.
• Have it launch a JS request for a honey URL that you capture
• Violently log and respond
Web applications
• Leave a comment in the code for a god cookie
  <!-- For test admin use
  AdminCookie=sl2K9lwlel4gAksl7dA0LA7wl
  -->
• If you see that cookie, there’s no way for it to be legit
• Violently log and respond
File servers
• Create a juicy directory parallel or one level up from a common access location
  - Salaries2017
  - Prohibited Content (admin)
  - RestrictedHRFiles
• There are more chances for legitimate curiosity here, so you may want to add additional filters
• Expect a good number of “um, you probably want to hide this”, which is high noise and low signal
• Log and respond
URLs
• Have one or more URLs that sound juicy that you log requests to
  - admin.intranet.lan
  - assetmanager02.company.com
• Nothing legitimate points to these URLs
• Incoming requests can provide some information about the inquisitor
• Log and respond
Github
• Leave some API or SSH keys deep within your repositories (maybe even deleted)
  - API access
  - SSH access
• Anyone using these is purposely rifling through your content online looking for a way in
• Violently log and respond
App credentials
• Leave credential sets sitting in various places (web server, file server, github, etc.) and wait for people to try to use them
• You can tie credential sets to different locations, so you have some idea of what was being explored
• You can rotate semi-frequently to get more accuracy
• Violently log and respond
AWS
• Create fake AWS access keys
• Tie them to accounts that have no permissions
• Drop them at ~/.aws/credentials
• Configure CloudTrail and CloudWatch to log and notify on key usage
• CREDIT: https://blog.komand.com/early-warning-detectors-using-aws-access-keys-honeytokens
• Violently log and respond
DNS
• Hints to certain domains or hostnames that don’t have any applications or servers associated with them
• Note who tries to resolve those names
  - assetmanager02.company.com
  - backups.intranet.lan
• Zone files
• Asset lists (.txt or .xlsx)
• Log and respond
Database
• Create false databases, tables, and data
• Not used by any real applications
• Add names, numbers, URLs, and other content that you can flag in IDS/IPS/DLP
• Will only get accessed if there’s a SQLi situation or a complete server compromise
• Have some way of detecting that the content was explored after the fact (website logs, phone calls, values entered into fields, etc.)
• Violently log and respond
Logging and responding
Logging without response is like clapping with one hand
• Don’t wire up detectors without taking them all the way to logging, alerting, and responding
• Use your existing infrastructure if you have it
• Try to avoid super-custom texting to one person, etc. Make it operational
• Test periodically to make sure detection and response are still working
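The last two bullets are operational rather than detection problems, and an added example (editor's code, not from the deck) shows the two controls that make a trap pipeline livable: folding repeats from one source so a scanner cannot flood the channel, and a scheduled self-test that injects a marked synthetic event and confirms it reached the sink. The JSON-lines file sink stands in for syslog or whatever SIEM you already have; the class name, field names and the 300-second window are assumptions.

```python
import json
import os
import tempfile
import time


class TrapDispatcher:
    """Carries trap events all the way to a sink (a JSON-lines file here,
    standing in for syslog or the SIEM you already run). Repeats of the same
    (trap, source) inside the window are folded into the next emitted alert as
    a count, and self_test() proves the path end to end."""

    def __init__(self, sink_path, repeat_window=300.0, clock=time.time):
        self.sink_path = sink_path
        self.repeat_window = repeat_window  # seconds
        self.clock = clock
        self._last_emitted = {}  # (trap, src_ip) -> time of last written alert
        self._folded = {}        # (trap, src_ip) -> repeats since then

    def handle(self, event):
        """Returns True if the event reached the sink, False if it was folded."""
        key = (event["trap"], event.get("src_ip"))
        now = self.clock()
        last = self._last_emitted.get(key)
        if last is not None and now - last < self.repeat_window and not event.get("test"):
            self._folded[key] = self._folded.get(key, 0) + 1
            return False
        record = dict(event)
        record.setdefault("ts", now)
        record["repeats_folded"] = self._folded.pop(key, 0)
        self._last_emitted[key] = now
        with open(self.sink_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(record, sort_keys=True) + "\n")
        return True

    def self_test(self):
        """Run on a schedule. Sends a synthetic event (never folded, marked test=True
        so responders can filter it) and confirms it is readable back from the sink."""
        nonce = f"selftest-{int(self.clock() * 1000)}"
        if not self.handle({"trap": "selftest", "src_ip": "127.0.0.1", "severity": "info",
                            "test": True, "nonce": nonce}):
            return False
        return any(r.get("nonce") == nonce for r in read_sink(self.sink_path))


def read_sink(path):
    try:
        with open(path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]
    except OSError:
        return []


def temp_sink_path():
    fd, path = tempfile.mkstemp(suffix=".jsonl")
    os.close(fd)
    return path


if __name__ == "__main__":
    d = TrapDispatcher(temp_sink_path(), repeat_window=60)
    for _ in range(5):  # a scanner hammering the decoy file: one alert, four folded
        d.handle({"trap": "honey-file", "src_ip": "203.0.113.7", "severity": "medium"})
    print("self-test passed:", d.self_test())
    for rec in read_sink(d.sink_path):
        print(rec)
```

The self-test should be the thing that pages someone when it fails, not when it passes; a trap that has silently stopped reporting is worse than no trap, because you believe you are covered.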
Keep in mind
There are downsides to running a CTF on your production network
• Honey traps are an awful lot like trolling
• If you build it, they might hack
• Attracting attention is sometimes the worst thing you can do
• Temper your honeythings to be fun, self-deprecating, etc.
• Don’t throw down gauntlets, taunt, etc.
• They have more time than you do
Honey maturity
• Low interaction is better for lower maturity shops
• The more manual and out of band the trap, the higher the signal
• If you have the time to watch attackers play in high-interaction honeypots, you should probably be spending that time improving your fundamental defenses
• Monitor your time sink carefully; don’t let it dominate your strategy
Takeaways
Implementing in the real world
• Visibility is key!
• A little can go a long way
• Focus the traps around your jewels (app/net/cloud/db/etc)
• There are commercial options as well (CanaryTools is one) HT Haroon Meer
• It’s best to have signal from everything, but honey techniques let you shortcut by getting high value signal from very few things
• Fundamentals > honeyfoos
Interact
• @danielmiessler
• daniel.miessler@ioactive.com
• https://danielmiessler.com/podcast
Questions?

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Implementing Inexpensive Honeytrap Techniques

  • 1. SAN FRANCISCO 2017 Implementing Inexpensive Honeytrap Techniques. Daniel Miessler, Director of Advisory Services
  • 2. Agenda
    • What are honey techniques?
    • When to use them
    • Honeytrap examples
    • Logging/responding
    • Keep in mind
    • Takeaways
  • 3. What are honey techniques?
  • 4. Honey techniques: the art of detecting malicious behavior by monitoring attackers’ access to, and interaction with, attractive false targets purposely placed within your organization.
  • 5. Many names
    • Honey pots
    • Honey nets
    • Honey tokens
    • Honey files
    • Honey traps
    • Honey $foos
  • 6. Hidden (fake) treasure
    • Leaving enticing things where they might be found
    • Could be anywhere in the stack
    • Anywhere in the organization
    • Key point is out of band of normal operation
    • More off-path = more signal
  • 8. Time and place
    • Key benefit is that it can magnify a small team
    • You might not be able to cover everything (yet) with two people, but you CAN respond to high-signal events
    • Don’t let this replace fundamentals!
  • 10. Network ranges
    • Cut out a piece of your network, and put only detection / response there
    • IDS it up
    • 10.100.5.0/24, 10.100.7.0/24
    • 10.100.6.0/24 is empty!
    • Violently log and respond
  • 11. Honey daemons
    • Create application listeners on various ports that shouldn’t be touched by normal applications
    • Can be in a DMZ, in the cloud, or on the internal network
    • E.g.: SSH listeners on non-standard ports
    • Log brute-force attempts
    • Log and respond
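A minimal honey SSH daemon of the kind slide 11 describes, added here as an example and not code from the talk: it answers on a non-standard port with an SSH banner, records the source address and the client's own banner, and hands a structured event to a logging sink. The banner string, port 2222 and the constructed peer address in simulate() are assumptions.

```python
import socket
import threading
import time

# Constructed banner: looks like a real sshd, so scanners keep going and announce themselves.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

def make_event(src_ip, src_port, dst_port, client_data):
    """Structured record for the SIEM; nothing legitimate touches this port, so every hit is signal."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sensor": "honey-sshd", "severity": "high",
        "src_ip": src_ip, "src_port": src_port, "dst_port": dst_port,
        # An SSH client sends its own banner first (e.g. "SSH-2.0-libssh2_1.8.0"); keep it for attribution.
        "client_banner": client_data.decode("ascii", "replace").strip(),
    }

def handle(conn, peer, dst_port, sink):
    """Serve one connection: send our banner, capture theirs, close, and pass the event to the sink."""
    try:
        conn.sendall(BANNER)
        conn.settimeout(5)
        data = conn.recv(256)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    event = make_event(peer[0], peer[1], dst_port, data)
    sink(event)
    return event

def serve(bind_addr, port, sink):
    """Listen on a non-standard port (2222 is the assumed choice) and hand each connection to handle()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle, args=(conn, peer, port, sink), daemon=True).start()

def simulate(client_banner=b"SSH-2.0-scanner_0.1\r\n"):
    """Offline check: drive handle() over a socketpair with a constructed peer address."""
    server_end, client_end = socket.socketpair()
    client_end.sendall(client_banner)
    event = handle(server_end, ("198.51.100.7", 40123), 2222, lambda ev: None)
    received = client_end.recv(64)
    client_end.close()
    return event, received
```

To run it for real, call serve("0.0.0.0", 2222, sink) with a sink that writes JSON lines to syslog or your SIEM shipper.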
  • 12. Web servers
    • Leave a backup.zip file in your root directory for all those dirbusters out there
    • Put some stuff in it like 2014_taxes_copy2.html, etc.
    • Have it launch a JS request for a honey URL that you capture
    • Violently log and respond
  • 13. Web applications
    • Leave a comment in the code for a god cookie: <!-- For test admin use AdminCookie=sl2K9lwlel4gAksl7dA0LA7wl -->
    • If you see that cookie, there’s no way for it to be legit
    • Violently log and respond
  • 14. File servers
    • Create a juicy directory parallel or one level up from a common access location
      - Salaries2017
      - Prohibited Content (admin)
      - RestrictedHRFiles
    • There are more chances for legitimate curiosity here, so you may want to add additional filters
    • Expect a good number of “um, you probably want to hide this”, which is high noise and low signal
    • Log and respond
  • 15. URLs
    • Have one or more URLs that sound juicy that you log requests to
      - admin.intranet.lan
      - assetmanager02.company.com
    • Nothing legitimate points to these URLs
    • Incoming requests can provide some information about the inquisitor
    • Log and respond
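Added example, not code from the talk, that implements the web-side traps of slides 12, 13 and 15 as one WSGI middleware: it flags requests carrying the AdminCookie value, requests for backup.zip or for the beacon URL that the JS inside it fires, and requests addressed to the honey hostnames, logs them, and keeps serving normally so the visitor is not tipped off. The beacon path is an assumption; the cookie value and hostnames are the ones on the slides.

```python
import time

# The "god cookie" from the HTML comment on the Web applications slide; no legitimate client sends it.
HONEY_COOKIES = {"AdminCookie": "sl2K9lwlel4gAksl7dA0LA7wl"}
# Constructed: backup.zip itself plus the beacon path requested by the JS inside its HTML.
HONEY_PATHS = {"/backup.zip", "/static/img/2014_taxes_preview.gif"}
# Honey hostnames from the URLs slide; nothing legitimate points at them.
HONEY_HOSTS = {"admin.intranet.lan", "assetmanager02.company.com"}

def parse_cookies(header):
    """Small Cookie header parser that tolerates junk, so a malformed header cannot dodge detection."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            out[name.strip()] = value.strip()
    return out

def classify(environ):
    """Return the honey indicators present in one WSGI request; an empty list means nothing to see."""
    hits = []
    cookies = parse_cookies(environ.get("HTTP_COOKIE", ""))
    for name, value in HONEY_COOKIES.items():
        if cookies.get(name) == value:
            hits.append("honey_cookie:" + name)
    path = environ.get("PATH_INFO", "")
    if path in HONEY_PATHS:
        hits.append("honey_path:" + path)
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host in HONEY_HOSTS:
        hits.append("honey_host:" + host)
    return hits

class HoneyMiddleware:
    """Wrap any WSGI app: log every honey hit to `sink`, then serve the request exactly as normal."""
    def __init__(self, app, sink):
        self.app, self.sink = app, sink

    def __call__(self, environ, start_response):
        hits = classify(environ)
        if hits:
            self.sink({
                "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "severity": "high", "hits": hits,
                # REMOTE_ADDR is the peer; behind your own proxy use the header that proxy sets instead.
                "src_ip": environ.get("REMOTE_ADDR", ""),
                "method": environ.get("REQUEST_METHOD"), "path": environ.get("PATH_INFO"),
                "user_agent": environ.get("HTTP_USER_AGENT", ""),
            })
        return self.app(environ, start_response)
```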
  • 16. Github
    • Leave some API or SSH keys deep within your repositories (maybe even deleted)
      - API access
      - SSH access
    • Anyone using these is purposely rifling through your content online looking for a way in
    • Violently log and respond
  • 17. App credentials
    • Leave credential sets sitting in various places (web server, file server, github, etc.) and wait for people to try to use them
    • You can tie credential sets to different locations, so you have some idea of what was being explored
    • You can rotate semi-frequently to get more accuracy
    • Violently log and respond
  • 18. AWS
    • Create fake AWS access keys
    • Tie them to accounts that have no permissions
    • Drop them at ~/.aws/credentials
    • Configure CloudTrail and CloudWatch to log and notify on key usage
    • CREDIT: https://blog.komand.com/early-warning-detectors-using-aws-access-keys-honeytokens
    • Violently log and respond
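Added example, not from the talk or the credited blog post, covering slides 17 and 18 together: planted AWS key IDs are mapped to where each one was dropped, CloudTrail records are scanned for any use of them, and a CloudWatch Logs metric-filter pattern is generated for alarm-driven notification. The key IDs, planting locations and sample records are constructed placeholders.

```python
import json

# Constructed placeholder key IDs (real ones belong to IAM users with no permissions at all), each
# mapped to where it was planted, so a hit tells you which bait the intruder was reading.
HONEY_KEYS = {
    "AKIAHONEYWEBSERVER01": "web server: /backup.zip",
    "AKIAHONEYGITHUB00001": "github: deleted commit in the infra repo",
    "AKIAHONEYFILESRV0001": "file server: RestrictedHRFiles/aws.txt",
}

def honey_hits(records):
    """Return one alert per CloudTrail record made with a planted key."""
    alerts = []
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in HONEY_KEYS:
            continue
        alerts.append({
            "severity": "critical",
            "planted_at": HONEY_KEYS[key],
            "access_key_id": key,
            "time": rec.get("eventTime"),
            "event": rec.get("eventSource", "") + ":" + rec.get("eventName", ""),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            # The key has no permissions, so the call fails with AccessDenied; the attempt is the signal.
            "error": rec.get("errorCode"),
        })
    return alerts

def scan_cloudtrail(raw_json):
    """Parse one CloudTrail log file body ({"Records": [...]}) and return the alerts."""
    return honey_hits(json.loads(raw_json).get("Records", []))

def cloudwatch_filter_pattern():
    """CloudWatch Logs metric-filter pattern matching any planted key, for a notifying alarm."""
    terms = ['($.userIdentity.accessKeyId = "%s")' % k for k in sorted(HONEY_KEYS)]
    return "{ " + " || ".join(terms) + " }"

# Constructed sample log: one ordinary call, then a probe with a planted key from an unknown address.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-04-16T09:12:44Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLEREALKEY01"},
     "sourceIPAddress": "10.100.5.23", "userAgent": "aws-cli/1.11.0"},
    {"eventTime": "2017-04-16T09:40:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup", "accessKeyId": "AKIAHONEYWEBSERVER01"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.4.4", "errorCode": "AccessDenied"},
]})
```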
  • 19. DNS
    • Hints to certain domains or hostnames that don’t have any applications or servers associated with them
    • Note who tries to resolve those names
      - assetmanager02.company.com
      - backups.intranet.lan
    • Zone files
    • Asset lists (.txt or .xlsx)
    • Log and respond
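Added example (not part of the talk) for slide 19: a parser for BIND 9 style query logs that reports which source addresses tried to resolve the honey names, including anything beneath them. The log lines are constructed; the assumed format is the BIND query log, with the client pointer that newer versions add treated as optional.

```python
import re
from collections import defaultdict

# Honey names from the slide: nothing legitimate resolves them, so a lookup means someone is hunting.
HONEY_NAMES = {"assetmanager02.company.com", "backups.intranet.lan"}

# BIND 9 query-log line; the "@0x..." client pointer only appears in newer versions, so it is optional.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (src_ip, qname, qtype) for one query-log line, or None if it is not a query line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")

def is_honey(qname):
    """Exact match or any label under a honey name (e.g. www.backups.intranet.lan)."""
    return qname in HONEY_NAMES or any(qname.endswith("." + h) for h in HONEY_NAMES)

def honey_lookups(lines):
    """Map each source IP to the honey names it asked about, in log order."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_honey(parsed[1]):
            hits[parsed[0]].append(parsed[1])
    return dict(hits)

# Constructed sample log: three honey lookups from one host, one ordinary lookup from another.
SAMPLE_LOG = """\
16-Apr-2017 09:12:44.301 client 10.100.5.23#51234 (assetmanager02.company.com): query: assetmanager02.company.com IN A + (10.100.1.53)
16-Apr-2017 09:12:45.010 client @0x7f3c1c0a2b40 10.100.5.23#51240 (backups.intranet.lan): query: backups.intranet.lan IN AAAA +E(0) (10.100.1.53)
16-Apr-2017 09:12:46.500 client 10.100.7.8#40001 (www.company.com): query: www.company.com IN A + (10.100.1.53)
16-Apr-2017 09:12:47.120 client 10.100.5.23#51241 (www.backups.intranet.lan.): query: www.backups.intranet.lan. IN A + (10.100.1.53)
"""
```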
  • 20. Database
    • Create false databases, tables, and data
    • Not used by any real applications
    • Add names, numbers, URLs, and other content that you can flag in IDS/IPS/DLP
    • Will only get accessed if there’s a SQLi situation or a complete server compromise
    • Have some way of detecting that the content was explored after the fact (website logs, phone calls, values entered into fields, etc.)
    • Violently log and respond
  • 22. Logging without response is like clapping with one hand
    • Don’t wire up detectors without taking them all the way to logging, alerting, and responding
    • Use your existing infrastructure if you have it
    • Try to avoid super-custom texting to one person, etc. Make it operational
    • Test periodically to make sure detection and response is still working
  • 24. There are downsides to running a CTF on your production network
    • Honey traps are an awful lot like trolling
    • If you build it, they might hack
    • Attracting attention is sometimes the worst thing you can do
    • Temper your honeythings to be fun, self-deprecating, etc.
    • Don’t throw down gauntlets, taunt, etc.
    • They have more time than you do
  • 25. Honey maturity
    • Low interaction is better for lower maturity shops
    • The more manual and out of band the trap, the higher the signal
    • If you have the time to watch attackers play in high-interaction honeypots, you should probably be spending that time improving your fundamental defenses
    • Monitor your time sink carefully; don’t let it dominate your strategy
  • 27. Implementing in the real world
    • Visibility is key!
    • A little can go a long way
    • Focus the traps around your jewels (app/net/cloud/db/etc)
    • There are commercial options as well (CanaryTools is one; HT Haroon Meer)
    • It’s best to have signal from everything, but honey techniques let you shortcut by getting high value signal from very few things
    • Fundamentals > honeyfoos
  • 28. Interact
    • @danielmiessler
    • daniel.miessler@ioactive.com
    • https://danielmiessler.com/podcast