Thomas Hegel and Greg Foss - DerbyCon 5 Stable Talk Using diversion and deception to actively defend your network.

1. Tactical Diversion-Driven Defense

2. Thomas Hegel
Incident Response and Security
Analytics Engineer
GCFE, CISSP, PIE ETR
Greg Foss
SecOps Lead / Sr. Researcher
OSCP, GAWN, GPEN, GWAPT, GCIH,
CEH, CYBER APT

3. Diversion & Deception in Warfare
Draw Attention Away From True Attack Point
Mislead With False Appearance
Gain Advantage Over Enemy
“All war is based on deception” -Sun Tzu

4. Success From Diversion/Deception
Operation Mincemeat - 1943
Operation Zeppelin - 1944
Battle of Megiddo - 1918
Operation Bodyguard - 1942
Operation Anadyr - 1962
..and many more

5. Operation Mincemeat - 1943
Germans find British corpse
from sunken enemy warship
1.

6. Operation Mincemeat - 1943
Corpse holds Plans to
upcoming attack in Greece
2.

7. Operation Mincemeat - 1943
Germans move defenses
from Sicily to Greece
3.

8. Apply this to InfoSec?

9. The Rules:
Sound Techniques
Adequate Secrecy
Feedback on Execution
Sufficient Time For Execution
Control All Information Chanels
Follows strategic and operational objectives

10. In Practice
Network
Data Human
Offense

11. Network Defense

12. Honeypots
Easy to configure, deploy, and maintain
Fly traps for anomalous activity
You will learn a ton about your adversaries.
Information that will help in the future…

13. Subtle Traps
Catch Internal Attackers
Observe Attack Trends
Decoy From Real Data
Waste Attackers Time
Honeypot Use Cases

14. Fake Web Applications
github.com/gfoss/phpmyadmin_honeypot

15. $any-web-app
Custom + Believable, with a Hidden Motive

17. Data Defense

18. Honey Tokens and Web Bugs

19. Zip Bombs
AdobeFlash.zip
42 bytes
4.5 petabytes
www.unforgettable.dk

20. Human Defense

21. Keys to Success
Real World Awareness Training
Use a Blended Approach to Exercises
Gather Metrics for Program Improvements
Note: Never Punish or Embarrass Users!

22. Scope Social Habits
Public Information
Username Correlation
Connection Capability
“Private” Information
Examine Network Usage

23. “Free” Coupons!
QR Destination as training or
phishing site
Print > Place on Cars in Lot
Rate of Connections
Rate Reported to Security

24. Spear Phishing
Open Attachment Rate
Open Message Rate
Martin Bos & Eric Milam
SkyDogCon 2012 - Advanced Phishing Tactics
Beyond User Awareness
Defense Success/Failures

25. Rogue Wi-Fi
Setup Wi-Fi Access
Provide Fake Landing Page
Get Credentials!
Connection Rate
Credential Submission Rate
Report to Security Rate
www.slideshare.net/heinzarelli/wifi-hotspot-attacks
https://youtu.be/v36gYY2Pt70

26. Red Teaming
Not Penetration Testing!
Not Limited in Scope
Outsider's Perspective
Intelligence on Weaknesses

27. Diversion and Deception
Based Offense

28. Offensive Honeypots
All of these tools have something in common…
● Configuration Management Systems
● Vulnerability Scanners
● System Health Checks
They tend to log in to remote hosts!

29. Simulate SSH service
Stand this up during internal penetration test
Catch Credentials...

30. #!/bin/bash
attempts=$(cat /opt/kippo/log/kippo.log | grep 'login attempt' | wc -l);
echo ""
echo $attempts" => login attempts"
echo "--------------------"
cat /opt/kippo/log/kippo.log |
grep 'login attempt' |
cut -d "," -f 3,4,5 |
awk '{print "["$1" "$4}'
echo "--------------------"
echo ""

31. Social Engineering

32. Social Engineering
WYSINWYC
http://thejh.net/misc/website-terminal-copy-paste

33. DEMO

34. Post-Exploitation Tricks
Use Deception to:
Elevate Privileges
Access Protected Resources
Pivot and Move Laterally
Etc.

35. OS X - AppleScript
fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html

36. DEMO

37. Windows - PowerShell
github.com/gfoss/misc/blob/master/PowerShell/popuppwn.ps1

38. DEMO

39. Attack Security Tools
● Generate False and/or Malformed Logs
● Spoof Port Scanning Origins
$ sudo nmap -sS -P0 -D sucker target(s)
● Block UDP Port 514 or disable logging service
● Capture Service Account Credentials
● Wear AV like a hat and backdoor
legitimate programs on the shares…

40. https://www.shellterproject.com/

42. Target IT Staff…
It’s broken. :-(
I don’t know what
happened…
Can you fix it?
github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz

43. In Conclusion
Network
Data Human
Offense

44. Recommended Resources
Offensive Countermeasures: The Art of Active Defense
Paul Asadoorian and John Strand
Reverse Deception: Organized Cyber Threat Counter-exploitation.
Sean Bodmer
Second World War Deception: Lessons Learned from Today’s
Joint Planner
Major Donald J. Bacon, USAF

45. Thank you!
Questions?
Thomas Hegel
@Thomas_Hegel
thomas.hegel@logrhythm.com
Greg Foss
@Heinzarelli
greg.foss@logrhythm.com
@LogRhythmLabs
blog.logrhythm.com