Deception Driven Defense - Infragard 2016
Transcript of Deception Driven Defense - Infragard 2016
Deception Driven Defense
# whoami
Greg Foss
Head of Security Operations
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
Diversion & Deception in Warfare
Draw Attention Away From True Attack Point
Mislead With False Appearance
Gain Advantage Over Enemy
“All war is based on deception” -Sun Tzu
Diversion & Deception in Warfare
Operation Mincemeat - 1943
Operation Zeppelin - 1944
Battle of Megiddo - 1918
Operation Bodyguard - 1942
Operation Anadyr - 1962
…and many more
Operation Mincemeat - 1943
1. Germans find British corpse from sunken enemy warship
2. Corpse holds plans to upcoming attack in Greece
3. Germans move defenses from Sicily to Greece
4. Allied Nations invade Sicily
Apply this to InfoSec?
In Practice
Network
Data
Human
Defense
First things first… Baseline security controls!
Warning banners are critical and assist in the event prosecution is necessary / desired.
Honeypots
Easy to configure, deploy, and maintain
Fly traps for anomalous activity
You will learn a ton about your adversaries. Information that will help in the future…
Honeypot Use Cases
Subtle Traps
Catch Internal Attackers
Observe Attack Trends
Decoy From Real Data
Waste Attackers' Time
Fake Web Applications
github.com/gfoss/phpmyadmin_honeypot
$any-web-app
Custom + Believable, with a Hidden Motive
Passive Honeypots
https://chloe.re/2015/06/20/a-month-with-badonions/
Honey Tokens and Web Bugs
Issues with Document Tracking
Zip Bombs
AdobeFlash.zip: 42 bytes compressed, 4.5 petabytes uncompressed
www.unforgettable.dk
Keys to Success
Real World Awareness Training
Use a Blended Approach to Exercises
Gather Metrics for Program Improvements
Note: Never Punish or Embarrass Users!
Scope Social Habits
Public Information
Username Correlation
Application Usage
“Private” Information
Examine Network Usage
“Free” Coupons!
QR Destination as training or phishing site
Print > Place on Cars in Lot
Rate of Connections
Rate Reported to Security
Track via internal IP address
Targeted Spear Phishing
Open Message Rate
Open Attachment Rate
Response / Exploitation Rate
Defense Success / Failures
Martin Bos & Eric Milam, SkyDogCon 2012 - Advanced Phishing Tactics Beyond User Awareness
Rogue Wi-Fi
Set up Wi-Fi Access > Provide Fake Landing Page > Get Credentials!
Connection Rate
Credential Submission Rate
Report to Security Rate
www.slideshare.net/heinzarelli/wifi-hotspot-attacks
https://youtu.be/v36gYY2Pt70
USB Drop Case Study
Building a Believable Campaign
USB Human Interface Device (HID) attacks are too obvious: a dead giveaway that the target just compromised their system.
http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649
Building a Believable Campaign
Use Realistic Files with somewhat realistic data
Staged approach to track file access and exploitation
Tracking File Access
Webbug file opened from within your company network?
Correlate using Network Security Tools to find out who it was
Who Opened the File?
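A minimal version of the correlation step behind the two slides above, added here as example code rather than anything from the talk: it parses web-server hits on a honey-token image and joins each one to the DHCP lease that held the source IP at that moment, so an address that was handed to two different machines during the day is still attributed correctly. The log lines, lease table, token id, hostnames and user names are all constructed.

```python
"""Correlate honey-token (web bug) fetches with DHCP leases (added example;
ACCESS_LOG, LEASES, token id and names are constructed placeholders)."""
import re
from datetime import datetime

# Constructed web-server access log (combined format); two fetches of the
# honey-token image come from the same IP, hours apart.
ACCESS_LOG = """\
10.20.30.41 - - [14/Mar/2016:09:12:03 -0600] "GET /img/tok-7f3a.png HTTP/1.1" 200 68 "-" "Microsoft Office/15.0"
10.20.30.77 - - [14/Mar/2016:09:40:19 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.30.41 - - [14/Mar/2016:11:02:55 -0600] "GET /img/tok-7f3a.png HTTP/1.1" 200 68 "-" "Microsoft Office/15.0"
"""

# Constructed DHCP lease table in local time: (ip, start, end, hostname, user).
# The same address is leased to two different machines during the day.
LEASES = [
    ("10.20.30.41", "2016-03-14 08:00:00", "2016-03-14 10:00:00", "WS-FIN-07", "j.doe"),
    ("10.20.30.41", "2016-03-14 10:30:00", "2016-03-14 12:30:00", "LT-HR-02", "a.smith"),
    ("10.20.30.77", "2016-03-14 08:15:00", "2016-03-14 12:15:00", "WS-IT-03", "m.lee"),
]

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"'
)
LEASE_FMT = "%Y-%m-%d %H:%M:%S"

def parse_hits(log_text, token):
    """Return (src_ip, timestamp, user_agent) for every fetch of the token."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or token not in m.group(3):
            continue
        # Log time zone is dropped: leases are assumed to be in the same local time.
        ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
        hits.append((m.group(1), ts, m.group(5)))
    return hits

def lease_at(ip, ts):
    """Return (hostname, user) holding `ip` at `ts`, or None if no lease covers it."""
    for lease_ip, start, end, host, user in LEASES:
        if lease_ip == ip and datetime.strptime(start, LEASE_FMT) <= ts <= datetime.strptime(end, LEASE_FMT):
            return host, user
    return None

def who_opened(log_text, token):
    """Join each token fetch to the lease active at that moment."""
    return [(ts.strftime(LEASE_FMT), ip, ua, lease_at(ip, ts))
            for ip, ts, ua in parse_hits(log_text, token)]

if __name__ == "__main__":
    for row in who_opened(ACCESS_LOG, "tok-7f3a"):
        print(row)
```

In a real deployment the lease table would come from the DHCP server or NAC logs, and a None result means the token was fetched from outside the leased ranges and needs a different source (VPN, proxy or NAT logs) to attribute.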
Compress the PowerShell Script
Send email when macro is run
You may want to use a bogus email address, unlike I did here…
I know, I know, Bad OpSec…
“Nobody’s going to run an executable from some random USB”
- Greg
At least they didn’t run it as an Admin
But… We now have our foothold…
Macro Attack Detection
Malware Beaconing Detection
Red Teaming
Not Penetration Testing!
No Scope Restrictions
Offensive Honeypots
All of these tools have something in common…
● Configuration Management Systems
● Vulnerability Scanners
● System Health Checks
They tend to log in to remote hosts!
Simulate SSH service
Stand this up during internal penetration test
Catch Credentials...
```bash
#!/bin/bash
# Summarize the SSH login attempts recorded by the Kippo honeypot.
log=/opt/kippo/log/kippo.log

attempts=$(grep -c 'login attempt' "$log")
echo ""
echo "$attempts => login attempts"
echo "--------------------"
# Kippo writes "...HoneyPotTransport,<id>,<src ip>] login attempt [<user>/<pass>] <result>".
# After splitting on commas and keeping fields 3-5, awk's $1 is "<src ip>]"
# and $4 is "[<user>/<pass>]", so each line prints as "[<src ip>] [<user>/<pass>]".
grep 'login attempt' "$log" | \
cut -d "," -f 3,4,5 | \
awk '{print "["$1" "$4}'
echo "--------------------"
echo ""
```
Social Engineering
Social Engineering
WYSINWYC
http://thejh.net/misc/website-terminal-copy-paste
DEMO
Post-Exploitation Tricks
Use Deception to:
Elevate Privileges
Access Protected Resources
Pivot and Move Laterally
Etc.
OS X - AppleScript
fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
DEMO
Windows - PowerShell
github.com/gfoss/misc/blob/master/PowerShell/popuppwn.ps1
DEMO
Attack Security Tools
● Generate False and/or Malformed Logs
● Spoof Port Scanning Origins
$ sudo nmap -sS -P0 -D sucker target(s)
● Block UDP Port 514 or disable logging service
● Capture Service Account Credentials
● Wear AV like a hat and backdoor legitimate programs on the shares…
https://www.shellterproject.com/
Target IT Staff…
It’s broken. :-(
I don’t know what happened…
Can you fix it?
github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
In Conclusion
Network
Data
Human
Defense
Recommended Resources
Red Team: How to Succeed By Thinking Like the Enemy - Micah Zenko
Offensive Countermeasures: The Art of Active Defense - Paul Asadoorian and John Strand
Reverse Deception: Organized Cyber Threat Counter-exploitation - Sean Bodmer
Second World War Deception: Lessons Learned from Today’s Joint Planner - Major Donald J. Bacon, USAF
Thank You!
Questions?
Greg Foss greg.foss [at] LogRhythm.com
@heinzarelli