DerbyCon 5 - Tactical Diversion-Driven Defense
2 likes1,073 views
The document discusses the application of diversion and deception strategies in cybersecurity, aligning historical warfare tactics with modern information security practices. It emphasizes the importance of using honeypots, social engineering, and red teaming to distract and mislead potential attackers. Key insights include the necessity for adequate secrecy and control over information channels, as well as implementing real-world awareness training for personnel.
DerbyCon 5 - Tactical Diversion-Driven Defense
- 2. Thomas Hegel Incident Response and Security Analytics Engineer GCFE, CISSP, PIE ETR Greg Foss SecOps Lead / Sr. Researcher OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
- 3. Diversion & Deception in Warfare Draw Attention Away From True Attack Point Mislead With False Appearance Gain Advantage Over Enemy “All war is based on deception” -Sun Tzu
- 4. Success From Diversion/Deception Operation Mincemeat - 1943 Operation Zeppelin - 1944 Battle of Megiddo - 1918 Operation Bodyguard - 1942 Operation Anadyr - 1962 ..and many more
- 5. Operation Mincemeat - 1943 Germans find British corpse from sunken enemy warship 1.
- 6. Operation Mincemeat - 1943 Corpse holds Plans to upcoming attack in Greece 2.
- 7. Operation Mincemeat - 1943 Germans move defenses from Sicily to Greece 3.
- 8. Apply this to InfoSec?
- 9. The Rules: Sound Techniques Adequate Secrecy Feedback on Execution Sufficient Time For Execution Control All Information Chanels Follows strategic and operational objectives
- 11. Network Defense
- 12. Honeypots Easy to configure, deploy, and maintain Fly traps for anomalous activity You will learn a ton about your adversaries. Information that will help in the future…
- 13. Subtle Traps Catch Internal Attackers Observe Attack Trends Decoy From Real Data Waste Attackers Time Honeypot Use Cases
- 15. $any-web-app Custom + Believable, with a Hidden Motive
- 17. Data Defense
- 18. Honey Tokens and Web Bugs
- 19. Zip Bombs AdobeFlash.zip 42 bytes 4.5 petabytes www.unforgettable.dk
- 20. Human Defense
- 21. Keys to Success Real World Awareness Training Use a Blended Approach to Exercises Gather Metrics for Program Improvements Note: Never Punish or Embarrass Users!
- 22. Scope Social Habits Public Information Username Correlation Connection Capability “Private” Information Examine Network Usage
- 23. “Free” Coupons! QR Destination as training or phishing site Print > Place on Cars in Lot Rate of Connections Rate Reported to Security
- 24. Spear Phishing Open Attachment Rate Open Message Rate Martin Bos & Eric Milam SkyDogCon 2012 - Advanced Phishing Tactics Beyond User Awareness Defense Success/Failures
- 25. Rogue Wi-Fi Setup Wi-Fi Access Provide Fake Landing Page Get Credentials! Connection Rate Credential Submission Rate Report to Security Rate www.slideshare.net/heinzarelli/wifi-hotspot-attacks https://youtu.be/v36gYY2Pt70
- 26. Red Teaming Not Penetration Testing! Not Limited in Scope Outsider's Perspective Intelligence on Weaknesses
- 27. Diversion and Deception Based Offense
- 28. Offensive Honeypots All of these tools have something in common… ● Configuration Management Systems ● Vulnerability Scanners ● System Health Checks They tend to log in to remote hosts!
- 29. Simulate SSH service Stand this up during internal penetration test Catch Credentials...
- 30. #!/bin/bash attempts=$(cat /opt/kippo/log/kippo.log | grep 'login attempt' | wc -l); echo "" echo $attempts" => login attempts" echo "--------------------" cat /opt/kippo/log/kippo.log | grep 'login attempt' | cut -d "," -f 3,4,5 | awk '{print "["$1" "$4}' echo "--------------------" echo ""
- 33. DEMO
- 34. Post-Exploitation Tricks Use Deception to: Elevate Privileges Access Protected Resources Pivot and Move Laterally Etc.
- 35. OS X - AppleScript fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
- 36. DEMO
- 38. DEMO
- 39. Attack Security Tools ● Generate False and/or Malformed Logs ● Spoof Port Scanning Origins $ sudo nmap -sS -P0 -D sucker target(s) ● Block UDP Port 514 or disable logging service ● Capture Service Account Credentials ● Wear AV like a hat and backdoor legitimate programs on the shares…
- 42. Target IT Staff… It’s broken. :-( I don’t know what happened… Can you fix it? github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
- 44. Recommended Resources Offensive Countermeasures: The Art of Active Defense Paul Asadoorian and John Strand Reverse Deception: Organized Cyber Threat Counter-exploitation. Sean Bodmer Second World War Deception: Lessons Learned from Today’s Joint Planner Major Donald J. Bacon, USAF
- 45. Thank you! Questions? Thomas Hegel @Thomas_Hegel [email protected] Greg Foss @Heinzarelli [email protected] @LogRhythmLabs blog.logrhythm.com