Deception Driven Defense

Greg Foss

Head of Security Operations

OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT

# whoami

Diversion & Deception in Warfare

Draw Attention Away From True Attack Point

Mislead With False Appearance

Gain Advantage Over Enemy

“All war is based on deception” -Sun Tzu

Operation Mincemeat - 1943

Operation Zeppelin - 1944

Battle of Megiddo - 1918

Operation Bodyguard - 1942

Operation Anadyr - 1962

..and many more

Diversion & Deception in Warfare

Operation Mincemeat - 1943

Germans find British corpse from sunken enemy warship

1.

Operation Mincemeat - 1943

Corpse holds Plans to upcoming attack in Greece

2.

Operation Mincemeat - 1943

Germans move defenses from Sicily to Greece

3.

Operation Mincemeat - 1943

Allied Nations invade Sicily

4.

9

Apply this to InfoSec?

In Practice

Network

Data HumanDefense

First things first…Baseline security controls!

Warning banners are critical and assist in the event prosecution is necessary / desired.

HoneypotsEasy to configure, deploy, and maintain

Fly traps for anomalous activity

You will learn a ton about your adversaries. Information that will help in the future…

Subtle Traps

Catch Internal Attackers

Observe Attack Trends

Decoy From Real Data

Waste Attackers Time

Honeypot Use Cases

Fake Web Applications

github.com/gfoss/phpmyadmin_honeypot

$any-web-app

Custom + Believable, with a Hidden Motive

Passive Honeypots

19https://chloe.re/2015/06/20/a-month-with-badonions/

Passive Honeypots

20https://chloe.re/2015/06/20/a-month-with-badonions/

Passive Honeypots

21https://chloe.re/2015/06/20/a-month-with-badonions/

Honey Tokens and Web Bugs

Issues with Document Tracking

Issues with Document Tracking

Issues with Document Tracking

Zip BombsAdobeFlash.zip

42 bytes 4.5 petabytes

www.unforgettable.dk

Keys to Success

Real World Awareness Training

Use a Blended Approach to Exercises

Gather Metrics for Program Improvements

Note: Never Punish or Embarrass Users!

Scope Social Habits

Public Information

Username Correlation

Application Usage

“Private” Information

Examine Network Usage

“Free” Coupons!QR Destination as training or

phishing site

Print > Place on Cars in Lot

Rate of Connections

Rate Reported to Security

Track via internal IP address

Targeted Spear Phishing

Open Attachment Rate

Open Message Rate

Martin Bos & Eric Milam SkyDogCon 2012 - Advanced Phishing Tactics

Beyond User Awareness

Defense Success / Failures

Response / Exploitation Rate

Rogue Wi-Fi

Setup Wi-Fi Access Provide Fake Landing Page Get Credentials!

Connection Rate Credential Submission Rate Report to Security Rate

www.slideshare.net/heinzarelli/wifi-hotspot-attacks

https://youtu.be/v36gYY2Pt70

USB Drop Case Study

Building a Believable CampaignUSB Human Interface Device (HID) attacks are too obvious. A dead giveaway that the target just compromised their system.

http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649

Building a Believable Campaign

Use Realistic Files with somewhat realistic data

Staged approach to track file access and exploitation

Webbug file opened from within your company network?

Correlate using Network Security Tools to find out who it was

Tracking File Access

Who Opened the File?

Compress the PowerShell Script

You may want to use a bogus email address, unlike I did here…

I know, I know, Bad OpSec…

Send email when macro is run

“Nobody’s going to run an executable from some random USB” - Greg

At least they didn’t run it as an Admin

But… We now have our foothold…

Macro Attack Detection

Malware Beaconing Detection

Red Teaming

Not Penetration Testing!

No Scope Restrictions

Offensive Honeypots

All of these tools have something in common…

● Configuration Management Systems

● Vulnerability Scanners

● System Health Checks

They tend to log in to remote hosts!

Simulate SSH service

Stand this up during internal penetration test

Catch Credentials...

#!/bin/bash

attempts=$(cat /opt/kippo/log/kippo.log | grep 'login attempt' | wc -l);

echo ""

echo $attempts" => login attempts"

echo "--------------------"

cat /opt/kippo/log/kippo.log | \

grep 'login attempt' | \

cut -d "," -f 3,4,5 | \

awk '{print "["$1" "$4}'

echo "--------------------"

echo ""

Social Engineering

Social Engineering

WYSINWYC

http://thejh.net/misc/website-terminal-copy-paste

DEMO

Post-Exploitation Tricks

Use Deception to:

Elevate Privileges

Access Protected Resources

Pivot and Move Laterally

Etc.

OS X - AppleScript

fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html

DEMO

Windows - PowerShell

github.com/gfoss/misc/blob/master/PowerShell/popuppwn.ps1

DEMO

Attack Security Tools

● Generate False and/or Malformed Logs

● Spoof Port Scanning Origins

$ sudo nmap -sS -P0 -D sucker target(s)

● Block UDP Port 514 or disable logging service

● Capture Service Account Credentials

● Wear AV like a hat and backdoor legitimate programs on the shares…

https://www.shellterproject.com/

Target IT Staff…

It’s broken. :-(

I don’t know what

happened…

Can you fix it?

github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz

In Conclusion

Network

Data HumanDefense

Recommended ResourcesRed Team: How to Succeed By Thinking Like the Enemy Micah Zenko

Offensive Countermeasures: The Art of Active Defense Paul Asadoorian and John Strand

Reverse Deception: Organized Cyber Threat Counter-exploitation. Sean Bodmer

Second World War Deception: Lessons Learned from Today’s Joint Planner Major Donald J. Bacon, USAF

Thank You!

Questions?

Greg Fossgreg.foss [at] LogRhythm.com

@heinzarelli