
DerbyCon 5 - Tactical Diversion-Driven Defense

Thomas Hegel and Greg Foss - DerbyCon 5 Stable Talk
Using diversion and deception to actively defend your network.


  1. Tactical Diversion-Driven Defense
  2. Thomas Hegel: Incident Response and Security Analytics Engineer (GCFE, CISSP, PIE ETR). Greg Foss: SecOps Lead / Sr. Researcher (OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT).
  3. Diversion & Deception in Warfare: draw attention away from the true attack point; mislead with a false appearance; gain advantage over the enemy. "All war is based on deception" - Sun Tzu
  4. Success From Diversion/Deception: Operation Mincemeat (1943), Operation Zeppelin (1944), Battle of Megiddo (1918), Operation Bodyguard (1942), Operation Anadyr (1962), and many more.
  5. Operation Mincemeat - 1943, step 1: Germans find a British corpse from a sunken enemy warship.
  6. Operation Mincemeat - 1943, step 2: the corpse holds plans for an upcoming attack in Greece.
  7. Operation Mincemeat - 1943, step 3: Germans move defenses from Sicily to Greece.
  8. Apply this to InfoSec?
  9. The Rules: sound techniques; adequate secrecy; feedback on execution; sufficient time for execution; control all information channels; follow strategic and operational objectives.
  10. In Practice: Network, Data, Human, Offense
  11. Network Defense
  12. Honeypots: easy to configure, deploy, and maintain; fly traps for anomalous activity; you will learn a ton about your adversaries, information that will help in the future...
  13. Honeypot Use Cases: subtle traps; catch internal attackers; observe attack trends; decoy from real data; waste attackers' time.
  14. Fake Web Applications: github.com/gfoss/phpmyadmin_honeypot
  15. $any-web-app: custom and believable, with a hidden motive.
  16. Data Defense
  17. Honey Tokens and Web Bugs
  18. Zip Bombs: AdobeFlash.zip, 42 bytes compressed, 4.5 petabytes uncompressed (www.unforgettable.dk)
  19. Human Defense
  20. Keys to Success: real-world awareness training; use a blended approach to exercises; gather metrics for program improvements. Note: never punish or embarrass users!
  21. Scope: social habits; public information; username correlation; connection capability; "private" information; examine network usage.
  22. "Free" Coupons! QR code destination is a training or phishing site; print them and place them on cars in the lot. Metrics: rate of connections; rate reported to security.
  23. Spear Phishing. Metrics: open attachment rate; open message rate. See Martin Bos & Eric Milam, SkyDogCon 2012 - Advanced Phishing Tactics Beyond User Awareness. Track defense successes/failures.
  24. Rogue Wi-Fi: set up Wi-Fi access; provide a fake landing page; get credentials! Metrics: connection rate; credential submission rate; report-to-security rate. www.slideshare.net/heinzarelli/wifi-hotspot-attacks, https://youtu.be/v36gYY2Pt70
  25. Red Teaming: not penetration testing! Not limited in scope; outsider's perspective; intelligence on weaknesses.
  26. Diversion and Deception Based Offense
  27. Offensive Honeypots. All of these tools have something in common: configuration management systems, vulnerability scanners, system health checks. They tend to log in to remote hosts!
  28. Simulate an SSH service; stand this up during an internal penetration test; catch credentials...
  29. Script to summarize the login attempts captured by Kippo:
     #!/bin/bash
     # Summarize SSH login attempts recorded in the Kippo honeypot log.
     log=/opt/kippo/log/kippo.log
     attempts=$(grep -c 'login attempt' "$log")
     echo ""
     echo "$attempts => login attempts"
     echo "--------------------"
     # From the third comma-separated field onward each line reads
     # "<src-ip>] login attempt [<user>/<pass>] <result>"; print "[<src-ip> [<user>/<pass>]".
     grep 'login attempt' "$log" | cut -d ',' -f 3,4,5 | awk '{print "[" $1 " " $4}'
     echo "--------------------"
     echo ""
  30. Social Engineering
  31. Social Engineering, WYSINWYC: http://thejh.net/misc/website-terminal-copy-paste
  32. DEMO
  33. Post-Exploitation Tricks. Use deception to: elevate privileges; access protected resources; pivot and move laterally; etc.
  34. OS X - AppleScript: fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
  35. DEMO
  36. Windows - PowerShell: github.com/gfoss/misc/blob/master/PowerShell/popuppwn.ps1
  37. DEMO
  38. Attack Security Tools: generate false and/or malformed logs; spoof port scanning origins ($ sudo nmap -sS -P0 -D sucker target(s)); block UDP port 514 or disable the logging service; capture service account credentials; wear AV like a hat and backdoor legitimate programs on the shares...
  39. https://www.shellterproject.com/
  40. Target IT Staff... "It's broken. :-( I don't know what happened... Can you fix it?" github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
  41. In Conclusion: Network, Data, Human, Offense
  42. Recommended Resources: Offensive Countermeasures: The Art of Active Defense (Paul Asadoorian and John Strand); Reverse Deception: Organized Cyber Threat Counter-exploitation (Sean Bodmer); Second World War Deception: Lessons Learned for Today's Joint Planner (Major Donald J. Bacon, USAF).
  43. Thank you! Questions? Thomas Hegel, @Thomas_Hegel, thomas.hegel@logrhythm.com. Greg Foss, @Heinzarelli, greg.foss@logrhythm.com. @LogRhythmLabs, blog.logrhythm.com
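The Kippo summary script on slide 29, extended as an added example that is not from the talk: it counts login attempts per source IP and username and flags any attempt that used a watched account name, which is how a defender would spot the credential exposure slide 27 describes (a scanner or config-management account being offered to a host it should never have contacted). It assumes Kippo's default log line format; the log lines and the account name svc-scanner are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): summarize Kippo "login attempt" events per
# source IP and username, and flag attempts that used a watched account name.
# Assumes Kippo's default log line format; the log lines below are constructed.
SAMPLE_LOG=$(cat <<'EOF'
2015-09-25 14:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.5] login attempt [root/toor] failed
2015-09-25 14:02:15+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.5] login attempt [root/123456] failed
2015-09-25 14:03:40+0000 [SSHService ssh-userauth on HoneyPotTransport,4,10.0.0.42] login attempt [svc-scanner/Winter2015] succeeded
2015-09-25 14:05:02+0000 [HoneyPotTransport,4,10.0.0.42] connection lost
EOF
)

# Reduce each "login attempt" line to "<src-ip> <username>" (reads the log on
# stdin). Passwords are dropped so the summary can be shared without leaking
# the captured secrets themselves.
attempt_pairs() {
  grep 'login attempt' |
    sed -E 's|.*,([0-9.]+)\] login attempt \[([^/]+)/.*|\1 \2|'
}

# Print "count src-ip username", most frequent pair first.
count_attempts() {
  attempt_pairs | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Print "src-ip username" for every attempt that used one of the watched
# account names given as arguments. A hit means that account's credentials
# were presented to the honeypot, i.e. to a host outside its intended scope.
flag_watched() {
  pattern=$(printf '%s|' "$@")
  pattern="^(${pattern%|})$"
  attempt_pairs | awk -v pat="$pattern" '$2 ~ pat' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | count_attempts
echo "--- watched accounts seen on the honeypot ---"
printf '%s\n' "$SAMPLE_LOG" | flag_watched svc-scanner backup
```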