This document summarizes a presentation by Jared Peck on active cyber defense techniques. It discusses the difference between active defense and hacking back, types of decoys that can be used like honeypots and honeytokens, and how and when to deploy them. It also covers detection and alerting methods, adversary infrastructure tracking, legal issues surrounding active defense, and examples of decoys and personas that could be used like fake credentials and social media profiles.

1. Jared Peck
BSides Chicago
May 12th, 2018

2.  Firefighter
 Paramedic
 Sysadmin
 SOC Analyst
 Threat Intelligence

3.  Active Defense vs. “Hacking Back”
 Types of decoys and how to create them
 When and how to deploy decoys
 Detection / Alerting Methods
 Adversary Infrastructure Tracking
◦ Phishing / ATO

4. I’m not a lawyer…so always check the latest
court opinions and laws before doing anything
active...not to mention company policy!
“Hacking Back” = Reach out and touch someone
“Active Defense” = Booby trapping your own
stuff

5.  Carpenter vs. Sandia
◦ Chinese hack of Lockheed Martin
◦ Carpenter assisted FBI, given immunity
◦ Case is wrongful termination - $4.7 Million
◦ National Security
 Georgia SB 315 (Vetoed!)
◦ Legal “Hack Back” to get stolen stuff
◦ Trouble for vulnerability researchers

6.  Active Cyber Defense Certainty Act (Pending)
◦ Tom Graves, (D) Georgia
“Congress holds that active cyber defense
techniques should only be used by qualified
defenders with a high degree of confidence in
attribution, and that extreme caution should be
taken to avoid impacting intermediary computers
or resulting in an escalatory cycle of cyber
activity.”

7.  Beacons
 Keyloggers
 DDoS
 Malware
 Rootkits
 Kinetic?

10. May act on or run on adversary computers, but
doesn’t have a negative effect.
Disruption is the goal!
 Web Bugs
 Decoys
 Honeypots / Tarpits
 Honey Tokens / Honeycreds

11.  Crawl
 Walk
 Run

12.  Fake Hosts
 Fake Network
Ranges
 Fake AD Credentials
 Fake AWS
Credentials
 Fake Database
Credentials

13.  Just an entry in a table or list
 Detection when anyone scans / tries to
connect
 No interaction / responses
 Easy to detect for an adversary
 Many False Positives

14.  Real AD Creds
 Can be normal user or admin
 Can be risky if not set up correctly
 User set up with no active login hours
 Tougher OPSEC
 Have to have right logs

15.  Again, real creds
 This time no permissions
 Detection with Cloudwatch and CloudTrail
 Pretty easy to set up
 Rapid7 Blog: “Early Warning Detectors Using
AWS Access Keys as Honeytokens”

16.  Fake – just detect login attempt
 Decoy – can be part of honeypot or tarpit
 Real login with fake data to keep attacker
busy
 Can salt database with other creds
◦ Account numbers
◦ AD Creds

17.  Email
 Documents
◦ Workstation, server,
cloud, etc
 Databases
 Logs
 Bash History
 Anywhere the bad
guys look

18.  Logs!
 Be sure to have
what you need
 Make sure logs are
together (SIEM)
 Think of any place
creds would be
tried
 Don’t forget DLP
detections

19.  SIEM tools
 Splunk / Hadoop
 Proxy alerts
 Windows Event
Logs
 Unix event logs

20.  Your own callback server!
 Domains and VPS are cheap
◦ $35 a year for both
 Custom scripts
 Out of band email alerting
 Make it believable
◦ Externally hosted pictures
◦ Links in trapped docs
◦ JavaScript calls

21.  Honeypots
 Honeynets
 Tarpits
 Trapped
Documents
 Personas

22.  Low Interaction
◦ Few services
◦ No Data
◦ Easy to figure out
 High Interaction
◦ More like a real
system
◦ Still little activity

23.  Collection of Honeypots
 Segregated on VLAN
 More lively
 Still feel fake
 Higher risk

24.  High Interaction
 High complexity
 Applications
 Data Transfers
 Logs
 Difficult to set up and maintain

25.  Web bug
 JavaScript
 Remote Image
 Scatter on shares
 Place in email (CEO, SysAdmin, etc)
 Unique callback per document
 Need both Internal and External network
detection

26.  Canarytokens.org
 Automatically create:
◦ Web bug
◦ Trapped Documents
◦ AWS Keys
◦ Etc
 Affiliated with “Thinkst Canary”
◦ Canary.tools
 OPSEC issues….

27.  Play pretend
 Build some
connections
◦ Twitter
◦ Facebook
◦ Linkedin
◦ IRC
 What TOS??

28.  Basic Info
 Unique info / picture
 No connections to your company (unless
decoy)
 Don’t friend your fake personas
 Post occasionally
 Random friend requests are OK

29.  Get permission
 Make it believable
 Positions in:
◦ HR
◦ Finance
◦ Etc.
 How about an executive?

31.  Phish the Phishers
◦ Infrastructure
Tracking
◦ “HoneyCreds”
◦ Live Credential
Placement
◦ Mule Operations
◦ Physical Drops

32.  Customer Reports
 WHOIS Registration Tracking
 Email Drop tracking
 TLS Certificate Transparency Logs
 Server Logs

33.  Sites like Domain Tools (Paid)
 Track new sites as they are registered
◦ GDPR making this difficult*
 Predict Phishing Domains based on
registrations

34.  Collect Phishing kits
◦ Open directories
 Most common kits list address for drop
 Track campaigns based on email address

35.  Track new TLS certificates issued
 Certstream (Python)
 Keyword search -> Slack
 Github: Jerry Gamblin
 “login.companyname.anysite.com”

36.  Apache / IIS
 WAF
 Fraud detection
tools

37.  Detect Phishing
Pages
 Takedown phishing
pages
 Track Actors
 Track Campaigns
 Protect customers

38.  Made up login
credentials
 Made up Name,
address, etc
 Made up email
address
 Made up account
numbers

39.  Phishing site
reported by
customer…
 Entered creds…
 Checked a few
hours later and…

42.  1923 Yankees
Roster
 1886 Census List
 Famous
shipwrecks?

43.  Fill out phishing pages
 Complete information
 Unique Information
 Use different proxies
 Use a variety of User Agents
 Set up detection!
 Pastebin?

44.  Credential Testing
IP addresses!
 Early detection of
compromised creds
 Pass to fraud
 Block or not?
 Don’t delay
takedowns!

45.  175 “Honeycreds” placed
 43% Seen tested
 80 Testing IPs to monitor
 Hundreds of real customer creds
 Shortest = <1 minute
 Longest = ~ 6 months
 Some creds re-tested much later

46.  Most credentials were tested within 24 hours
 Average (mean)– ~ 9 days
 Median – 5 hours
 3-4 other customer creds tested with fakes
most times

47.  Live Account Credentials!
 Testing IPs
 Fraud patterns
 Mules
 Drops

48.  High risk
 Need coordination
 Known monetary
loss
◦ $500?
 Cash back?
 Miles?

49.  How is your site accessed?
 What User Agent Strings are used?
 Automated or Manual?
 Email Addresses

50.  Willing or unwilling
accomplice
 “Work from home”
 Move money for
laundering
 Expendable
 Need law
enforcement

51.  Place to get the fraudulently purchased items
 Again, willing or unwilling
 More “Work at home”
◦ Reshipping overseas
◦ May be paid through other fraud
 Need local law enforcement

52.  Get your basic “Cyber Hygiene” set
 Keep it simple
 OPSEC!
 Build your decoys
 Build your detection
 Profit!

53. Jared Peck
@medic642