DerbyCon 5 - Tactical Diversion-Driven Defense


Posted on 11-Apr-2017






  • Tactical Diversion-Driven Defense

  • Thomas Hegel, Incident Response and Security Analytics Engineer (GCFE, CISSP, PIE ETR)

  • Greg Foss, SecOps Lead / Sr. Researcher (OSCP, GAWN, GPEN, GWAPT, GCIH)


  • Diversion & Deception in Warfare

    Draw Attention Away From True Attack Point

    Mislead With False Appearance

    Gain Advantage Over Enemy

    "All war is based on deception." - Sun Tzu

  • Success From Diversion/Deception

    Operation Mincemeat - 1943

    Operation Zeppelin - 1944

    Battle of Megiddo - 1918

    Operation Bodyguard - 1942

    Operation Anadyr - 1962

    ..and many more

  • Operation Mincemeat - 1943

    Germans find British corpse from sunken enemy warship

    Corpse holds plans for an upcoming attack in Greece

    Germans move defenses from Sicily to Greece


  • Apply this to InfoSec?

  • The Rules:

    Sound Techniques

    Adequate Secrecy

    Feedback on Execution

    Sufficient Time For Execution

    Control All Information Channels

    Follow Strategic and Operational Objectives

  • In Practice


    Data / Human / Offense

  • Network Defense

  • Honeypots

    Easy to configure, deploy, and maintain

    Fly traps for anomalous activity

    You will learn a ton about your adversaries, information that will help in the future.

  • Honeypot Use Cases

    Subtle Traps

    Catch Internal Attackers

    Observe Attack Trends

    Decoy From Real Data

    Waste Attackers' Time

  • Fake Web Applications

  • $any-web-app

    Custom + Believable, with a Hidden Motive

  • Data Defense

  • Honey Tokens and Web Bugs

  • Zip

    42 bytes -> 4.5 petabytes

  • Human Defense

  • Keys to Success

    Real World Awareness Training

    Use a Blended Approach to Exercises

    Gather Metrics for Program Improvements

    Note: Never Punish or Embarrass Users!

  • Scope Social Habits

    Public Information

    Username Correlation

    Connection Capability

    Private Information

    Examine Network Usage

  • Free Coupons!

    QR destination as training or phishing site

    Print > Place on Cars in Lot

    Rate of Connections

    Rate Reported to Security

  • Spear Phishing

    Open Attachment Rate

    Open Message Rate

    Martin Bos & Eric Milam, SkyDogCon 2012 - Advanced Phishing Tactics Beyond User Awareness

    Defense Success/Failures

  • Rogue Wi-Fi

    Set Up Wi-Fi Access

    Provide Fake Landing Page

    Get Credentials!

    Connection Rate

    Credential Submission Rate

    Report to Security Rate

  • Red Teaming

    Not Penetration Testing!

    Not Limited in Scope

    Outsider's Perspective

    Intelligence on Weaknesses

  • Diversion and Deception Based Offense

  • Offensive Honeypots

    All of these tools have something in common

    Configuration Management Systems

    Vulnerability Scanners

    System Health Checks

    They tend to log in to remote hosts!

  • Simulate SSH service

    Stand this up during internal penetration test

    Catch Credentials...

  • #!/bin/bash
    # Summarize kippo's 'login attempt' lines: print the total, then one
    # "[source-ip] [user/password]" line per attempt.
    LOG=/opt/kippo/log/kippo.log
    attempts=$(grep -c 'login attempt' "$LOG")
    echo ""
    echo "$attempts => login attempts"
    echo "--------------------"
    # kippo writes "[... HoneyPotTransport,<id>,<src-ip>] login attempt [user/pass] result",
    # so comma field 3 starts with the source IP ($1) and $4 is the "[user/pass]" token.
    grep 'login attempt' "$LOG" | \
    cut -d "," -f 3,4,5 | \
    awk '{print "["$1" "$4}'
    echo "--------------------"
    echo ""
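    Added example, not code from the slides or from either speaker: a small Python parser for kippo-style "login attempt" lines that produces the same per-source summary as the shell script above (honeypot use cases) and, in the spirit of the honey tokens slide, flags any use of a seeded decoy credential. The log lines, source addresses and the decoy credential are constructed for this example; the line layout is the one the shell script's cut/awk pipeline implies. Passwords containing "]" are not handled.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample log lines in the layout the shell script above expects:
# comma-separated transport fields, then "login attempt [user/password] result".
SAMPLE_LOG = """\
2015-09-25 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,0,10.0.0.5] login attempt [root/123456] failed
2015-09-25 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,10.0.0.5] login attempt [root/toor] failed
2015-09-25 10:01:10+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.9] login attempt [admin/admin] failed
2015-09-25 10:02:44+0000 [HoneyPotTransport,2,10.0.0.9] connection lost
2015-09-25 10:03:12+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.23] login attempt [svc_backup/Winter2015!] succeeded
"""

# Decoy credentials seeded on purpose (constructed for this example). No legitimate
# process ever uses them, so a single attempt is a high-confidence alert.
HONEYTOKENS = {("svc_backup", "Winter2015!")}

# Timestamp, transport bracket ending in the source IP, then the credential pair.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^,\]]*,\d+,(?P<src>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>\w+)$"
)


class Attempt(NamedTuple):
    ts: str
    src: str
    user: str
    password: str
    result: str


def parse_attempts(text):
    """Return one Attempt per 'login attempt' line; other lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attempts.append(Attempt(m["ts"], m["src"], m["user"], m["pw"], m["result"]))
    return attempts


def summarize(attempts):
    """Total count plus per-source and per-username tallies, like the shell script."""
    return {
        "total": len(attempts),
        "by_source": Counter(a.src for a in attempts),
        "top_users": Counter(a.user for a in attempts).most_common(3),
    }


def honeytoken_hits(attempts, tokens=HONEYTOKENS):
    """Attempts whose (user, password) pair is one of the seeded decoys."""
    return [a for a in attempts if (a.user, a.password) in tokens]


def main():
    attempts = parse_attempts(SAMPLE_LOG)
    s = summarize(attempts)
    print(f"{s['total']} => login attempts")
    for a in attempts:
        print(f"[{a.src}] [{a.user}/{a.password}] {a.result}")
    for hit in honeytoken_hits(attempts):
        print(f"ALERT honeytoken used from {hit.src} at {hit.ts}: {hit.user}")


if __name__ == "__main__":
    main()
```

    Feeding the real kippo log in place of SAMPLE_LOG is a matter of reading the file; the alert path is where a defender would hook a SIEM or pager, since the decoy credential is only ever known to whoever found the planted file.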

  • Social Engineering



  • DEMO

  • Post-Exploitation Tricks

    Use Deception to:

    Elevate Privileges

    Access Protected Resources

    Pivot and Move Laterally


  • OS X - AppleScript

  • DEMO

  • Windows - PowerShell

  • DEMO

  • Attack Security Tools

    Generate False and/or Malformed Logs

    Spoof Port Scanning Origins

    $ sudo nmap -sS -P0 -D sucker target(s)

    Block UDP Port 514 or disable logging service

    Capture Service Account Credentials

    Wear AV like a hat and backdoor legitimate programs on the shares


  • Target IT Staff

    It's broken. :-(

    I don't know what


    Can you fix it?

  • In Conclusion


    Data / Human / Offense

  • Recommended Resources

    Offensive Countermeasures: The Art of Active Defense - Paul Asadoorian and John Strand

    Reverse Deception: Organized Cyber Threat Counter-Exploitation - Sean Bodmer

    Second World War Deception: Lessons Learned for Today's Joint Planner - Major Donald J. Bacon, USAF

  • Thank you! Questions?

    Thomas Hegel @Thomas_Hegel

    Greg Foss @Heinzarelli


