Using deceptive tactics to actively defend your network. This is a modified version of the talk that Thomas Hegel and I gave at DerbyCon 5.

1. Deception Driven Defense

2. Greg Foss
Head of Security Operations
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
# whoami

3. Diversion & Deception in Warfare
Draw Attention Away From True Attack Point
Mislead With False Appearance
Gain Advantage Over Enemy
“All war is based on deception” -Sun Tzu

4. Operation Mincemeat - 1943
Operation Zeppelin - 1944
Battle of Megiddo - 1918
Operation Bodyguard - 1942
Operation Anadyr - 1962
..and many more
Diversion & Deception in Warfare

5. Operation Mincemeat - 1943
Germans find British corpse
from sunken enemy warship
1.

6. Operation Mincemeat - 1943
Corpse holds Plans to
upcoming attack in Greece
2.

7. Operation Mincemeat - 1943
Germans move defenses
from Sicily to Greece
3.

8. Operation Mincemeat - 1943
Allied Nations invade Sicily
4.

9. 9

10. Apply this to InfoSec?

11. In Practice
Network
Data Human
Defense

12. First things first…
Baseline security controls!
Warning banners are critical and assist in the
event prosecution is necessary / desired.

14. Honeypots
Easy to configure, deploy, and maintain
Fly traps for anomalous activity
You will learn a ton about your adversaries.
Information that will help in the future…

15. Subtle Traps
Catch Internal Attackers
Observe Attack Trends
Decoy From Real Data
Waste Attackers Time
Honeypot Use Cases

16. Fake Web Applications
github.com/gfoss/phpmyadmin_honeypot

17. $any-web-app
Custom + Believable, with a Hidden Motive

19. Passive Honeypots
19
https://chloe.re/2015/06/20/a-month-with-badonions/

20. Passive Honeypots
20
https://chloe.re/2015/06/20/a-month-with-badonions/

21. Passive Honeypots
21
https://chloe.re/2015/06/20/a-month-with-badonions/

23. Honey Tokens and Web Bugs

24. Issues with Document Tracking

25. Issues with Document Tracking

26. Issues with Document Tracking

27. Zip Bombs
AdobeFlash.zip
42 bytes
4.5 petabytes
www.unforgettable.dk

29. Keys to Success
Real World Awareness Training
Use a Blended Approach to Exercises
Gather Metrics for Program Improvements
Note: Never Punish or Embarrass Users!

30. Scope Social Habits
Public Information
Username Correlation
Application Usage
“Private” Information
Examine Network Usage

31. “Free” Coupons!
QR Destination as training or
phishing site
Print > Place on Cars in Lot
Rate of Connections
Rate Reported to Security
Track via internal IP address

32. Targeted Spear Phishing
Open Attachment Rate
Open Message Rate
Martin Bos & Eric Milam
SkyDogCon 2012 - Advanced Phishing Tactics
Beyond User Awareness
Defense Success / Failures
Response / Exploitation Rate

33. Rogue Wi-Fi
Setup Wi-Fi Access
Provide Fake Landing Page
Get Credentials!
Connection Rate
Credential Submission Rate
Report to Security Rate
www.slideshare.net/heinzarelli/wifi-hotspot-attacks
https://youtu.be/v36gYY2Pt70

34. USB Drop Case Study

35. Building a Believable Campaign
USB Human Interface Device (HID) attacks are too obvious. A dead
giveaway that the target just compromised their system.
h"p://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649

36. Building a Believable Campaign
Use Realistic Files with somewhat realistic data
Staged approach to track file access and exploitation

39. Webbug file opened from within your company network?
Correlate using Network Security Tools to find out who it was
Tracking File Access

40. Who Opened the File?

44. Compress the PowerShell Script

49. You may want to use a bogus email address, unlike I did here…
I know, I know, Bad OpSec…
Send email when macro is run

52. “Nobody’s going to run an
executable from some random USB”
- Greg

53. At least they didn’t run it as an Admin
But… We now have our foothold…

54. Macro Attack Detection

55. Malware Beaconing Detection

57. Red Teaming
Not Penetration Testing!
No Scope Restrictions

59. Offensive Honeypots
All of these tools have something in common…
● Configuration Management Systems
● Vulnerability Scanners
● System Health Checks
They tend to log in to remote hosts!

60. Simulate SSH service
Stand this up during internal penetration test
Catch Credentials...

61. #!/bin/bash
attempts=$(cat /opt/kippo/log/kippo.log | grep 'login attempt' | wc -l);
echo ""
echo $attempts" => login attempts"
echo "--------------------"
cat /opt/kippo/log/kippo.log |
grep 'login attempt' |
cut -d "," -f 3,4,5 |
awk '{print "["$1" "$4}'
echo "--------------------"
echo ""

62. Social Engineering

63. Social Engineering
WYSINWYC
http://thejh.net/misc/website-terminal-copy-paste

64. DEMO

65. Post-Exploitation Tricks
Use Deception to:
Elevate Privileges
Access Protected Resources
Pivot and Move Laterally
Etc.

66. OS X - AppleScript
fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html

67. DEMO

68. Windows - PowerShell
github.com/gfoss/misc/blob/master/PowerShell/popuppwn.ps1

69. DEMO

70. Attack Security Tools
● Generate False and/or Malformed Logs
● Spoof Port Scanning Origins
$ sudo nmap -sS -P0 -D sucker target(s)
● Block UDP Port 514 or disable logging service
● Capture Service Account Credentials
● Wear AV like a hat and backdoor
legitimate programs on the shares…

71. https://www.shellterproject.com/

73. Target IT Staff…
It’s broken. :-(
I don’t know what
happened…
Can you fix it?
github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz

74. In Conclusion
Network
Data Human
Defense

75. Recommended Resources
Red Team: How to Succeed By Thinking Like the Enemy
Micah Zenko
Offensive Countermeasures: The Art of Active Defense
Paul Asadoorian and John Strand
Reverse Deception: Organized Cyber Threat Counter-
exploitation.
Sean Bodmer
Second World War Deception: Lessons Learned from Today’s
Joint Planner
Major Donald J. Bacon, USAF

76. Thank You!
Questions?
Greg Foss
greg.foss [at] LogRhythm.com
@heinzarelli