
Getting Started in Cyber Deception

This webcast was originally published on January 30th, 2020.

In this video, John Strand discusses the concept of cyber deception and the strategies around it. He explains that deception technology does not involve illegal activities such as hacking back; it is aimed at increasing the effort an attacker must expend to succeed. The talk also covers practical applications of, and common misconceptions about, cyber deception, and emphasizes its place in modern cybersecurity defenses.

  • Cyber deception is a strategic approach to increase the work effort for attackers, not a method of hacking back.
  • The webinar introduces practical applications of cyber deception that strengthen defenses without any legal infringement.
  • Tools and methods like the BHIS cyber range, the Selkie project, and Canary tokens are highlighted for their effectiveness in real-time threat detection and cybersecurity training.
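As an added example (this is not code from the webcast, nor BHIS's or Thinkst's own tooling), the Python script below illustrates the tripwire idea the talk builds on: decoy paths on a web server are registered as canary tokens, a robots.txt is generated that disallows their directories, and detection logic turns every request against a decoy into a per-IP alert, which is then rolled up into a watchlist of source addresses touching your environment right now. The decoy paths, IP addresses and access-log lines are constructed for illustration.

```python
"""Added example: decoy web paths as canary tokens, plus detection logic that
turns access-log hits on them into first-party threat intelligence.
All paths, IPs and log lines are constructed for this illustration."""
import re
from datetime import datetime

# Decoy artifacts registered as tripwires (constructed names; "free_candy.exe"
# echoes the talk's backdoored executable hidden under a robots.txt-disallowed
# directory). The value records what kind of token the path represents.
CANARY_PATHS = {
    "/helpdesk/free_candy.exe": "backdoored-exe",
    "/admin/aws_keys.txt": "aws-key",
}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def robots_disallow(canary_paths):
    """robots.txt body that disallows the parent directory of every decoy.
    Legitimate crawlers stay out; anyone mining robots.txt for 'sensitive'
    directories is pointed straight at the tripwire."""
    dirs = sorted({p.rsplit("/", 1)[0] + "/" for p in canary_paths})
    return "User-agent: *\n" + "".join(f"Disallow: {d}\n" for d in dirs)


def parse_line(line):
    """Parse one combined-format line; return None for malformed input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def canary_hits(lines, canary_paths=CANARY_PATHS):
    """Return one alert per request that touches a decoy path.
    The query string is stripped before matching and the HTTP status is
    ignored: the request itself is the signal, even if the file was gone."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        kind = canary_paths.get(path)
        if kind is None:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src_ip": rec["ip"],
            "token": kind,
            "path": path,
            "user_agent": rec["ua"],
        })
    return alerts


def watchlist(alerts):
    """Roll alerts up per source IP: hit count, first/last seen, token kinds.
    This is the 'what is happening on your network right now' intelligence
    the talk contrasts with purchased feeds of last month's indicators."""
    out = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        entry = out.setdefault(a["src_ip"], {
            "hits": 0, "first_seen": a["ts"], "last_seen": a["ts"], "tokens": set()})
        entry["hits"] += 1
        entry["last_seen"] = a["ts"]
        entry["tokens"].add(a["token"])
    return out


# Constructed access-log sample: a benign visitor, a scanner that reads
# robots.txt and then fetches the decoy executable, a probe of the decoy key
# file with a query string (404 still counts), and one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Jan/2020:14:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jan/2020:14:05:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.68.0"',
    '198.51.100.7 - - [30/Jan/2020:14:05:09 +0000] "GET /helpdesk/free_candy.exe HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '192.0.2.44 - - [30/Jan/2020:15:10:30 +0000] "GET /admin/aws_keys.txt?dl=1 HTTP/1.1" 404 0 "-" "python-requests/2.22"',
    'garbage line that does not parse',
    '198.51.100.7 - - [30/Jan/2020:16:00:00 +0000] "HEAD /admin/aws_keys.txt HTTP/1.1" 200 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    print(robots_disallow(CANARY_PATHS))
    for ip, e in watchlist(canary_hits(SAMPLE_LOG)).items():
        print(ip, e["hits"], sorted(e["tokens"]), e["first_seen"].isoformat())
```

The watchlist is deliberately built from requests rather than response codes: once the decoy has been removed or never existed, a 404 against a path that only robots.txt advertises is still someone reading your robots.txt and going where it told them not to.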

Transcript

John Strand

So this webcast is a topic that I’ve been talking about for about, I don’t know, five, six, seven years. Paul Asadoorian and I started talking about cyber deception. We wrote a book about it, and we wrote a Black Hat class about it, and we’ve been discussing it.

And I’d like to come back to it as a subject for a webcast at least once a year, just because we have a new influx of people coming into the industry. And we also have people that may have gone to an earlier webcast, but they may have questions about how they can get started using cyber deception.

Now, just to be clear, whenever we’re talking about cyber deception, we are not talking about hacking back. That’s a really important point to get across here, because if we were discussing hacking back, the only way that you can actually do hacking back is with a full warrant.

You cannot do it legally if you do not have a warrant. So what we’re talking about doing right now is increasing the overall work effort that an adversary, that is an attacker, would have to expend to try to break into your environment.

So kind of setting the stage. I have something. Before we get started, I want to see if we have some people that are interested. We have something cool that we’re working on at Black Hills Information Security.

We have two major projects, actually three things, and I can talk about the last one at the end of the webcast, but the cyber range is one of them, and the other one is the Selkie project.

Chris, do you want to talk a little bit about what Selkie is? I know I don’t have any slides for it, but just give us a quick overview of what we’re doing with Selkie.

Chris

Oh, happy to. There’s other projects that are in this realm, but we’re trying to take a little bit of a different tack with it. So I think most of us are familiar with Sysmon and the cool things you can do with Sysmon as far as being able to monitor running processes on it.

We want to marry that together with being able to analyze what’s going on in your network. So the concept is you may be looking in your firewall log, your intrusion detection system. You see something that you say that might be suspicious, that might not.

I need more data and have a very easy way to go out and query a system to be able to see what application on that system actually created that connection. And if it’s something you expected to see, great.

If it’s something you didn’t expect to see. Oh, that should be pause number one if it doesn’t report anything. But you can see other applications on that system generating outbound sessions, but not this specific one.

Oh, yeah. You’ve really hit on the fact that you’re going to have a bad day. Yeah, that’s Selkie in a nutshell.

John Strand

That’s Selkie. I want to show you the cyber range really quick. This is the other thing that we’re working on. This is my colleague system in the cyber range.

Hopefully I typed in my password. I doubt I did. There we go. I hate these MacBook Pro keyboards. They’re horrible. This is in conjunction with the fine folks at MetaCTF.

If you’ve ever been to Wild West Hackin’ Fest, you’ve seen this interface for MetaCTF and what they have for cyber range. We’re working with them, and they’re going to update it here in a little bit, so it’ll look a little bit different.

But we’ve set up a cyber range where you have a number of different challenges from crypto, recon, web exploitation, reverse engineering, threat hunting, forensics, pen testing, and just general trivia-type questions, and you can develop scores, and then you can come onto.

The scoreboard says it’s hidden in this particular situation to build up suspense that, will probably be up and running a little bit later.

So we also have additional resources within the cyber range. We’re going to be changing this up a little bit. Each challenge will have a link that’ll take you to a video discussing the tools and the techniques that would be used in that specific link itself.

So this is, this is our cyber range. This is what we’re working with. I honestly hope I can get a good number of people that are willing to come in and play around with this.

Here’s the scoreboard. I just brought it up. You can see that we have some people in here, like, blah, the turd burglars. Brandon sucks giant killers. The cloud is safe, and I’m down here, administrators of BHIS.

Now, if you want access to this, we’re opening it up to 50 people for 30 days. So if you could type range in the chat window or in the question window, we will take them in order, and the first 50 people will gain access to this for 30 days.

We’re trying to stress test it, get some people in playing with it. It’s free to all BHIS customers, but we want to open it up to the community as a whole. So that’s our shiny thing that we have coming up.

And we’ll be adding in more people as webcasts move on.

Jason Blanchard

Quick question, John. What’s the skill level? From what to what?

John Strand

Oh, so the skill level is anywhere from very, very, very basic, just getting started, to more advanced people in cybersecurity. So all the ranges are, all the range questions have point values associated with them.

So some of the questions are very, very, very easy. So they’ll be just a general question about, go try to Google search this particular topic and find a picture or look in this email and things like that.

They’re really basic. And then some of the questions are a lot more difficult and then they’ll have a higher point value associated with them, like you can see here in a soviet botnet attack.

It says there may be some merit to rumors about the botnet targeting IoT devices. John Hurt. After all, one of your contacts at a similar company, DNS Industries, has even recovered some source code from the malware.

Apparently it’s a list of default credentials to hack its way into Internet connection systems. In order to get ahead of this, we need to see if there are any ICMP products. The flag is the default password for the ICMP product.

So you’ve got to reverse engineer the source code to find the password for ICMP products. It will need you. Some of the questions, all my easy questions are gone.

I did those first because they were easy, but it’ll meet you where you’re at. All right, so let’s talk about beginnings of cyber deception. This was a conversation that Chris and I got into yesterday, and it got a lot more meta than I like conversations to get into.

But it’s something that’s been bothering me for a while. And I think we were able to kind of put our finger on it. Getting any sort of budget for any new technologies can be very difficult. We saw this with threat hunting and then we did the free training and it exploded with like over 6000 people registering for the training.

I think that that shows that there’s an incredible desire and a need for new technologies and new approaches, and we kind of tapped into that and it went viral. So this got into questions about how new things come about.

Intrusion detection systems, firewalls and scanning. If you go back about 15 to 20 years ago, like late nineties, early two thousands, when IDS first got started, you had people like Marty Roesch, who came out with Snort, and everybody kind of got behind it relatively quickly. Ron Gula, of course, with Dragon, I think, would be in that category. And there may have been other technologies that did intrusion detection like activity, but it was really Snort that got everyone’s attention.

Firewalls. The idea of a firewall really took off with Marcus Ranum. Whenever he released the toolkits, he hates it. Whenever people say he invented the firewall, he did not.

But he really kind of invented the toolkit that your firewalls were based on. That’s kind of the granddaddy. Scanning would go to Nessus. We had SAINT, we had SARA, we had SATAN.

And then finally Nessus came out from Renaud. And back then it was a really, really small community. And Chris and I were talking how everybody back then was an innovator or an early adopter in security, because you had to be.

There weren’t just people sitting in their day jobs doing security really passively, because security as a day job for most people didn’t exist. We were systems administrators, network administrators, and security was more of a passion.

And when someone released something, it kind of took off like wildfire, and it became that standard. So really the forward movement, when we’re talking about the industry and IDS, firewalls and scanning came from proof.

Snort worked, stuff that Marcus Ranum released worked for firewalls, Tenable Nessus worked, and more importantly, it didn’t have the name SATAN.

So you really had that proof in the pudding, and things came to fruition because of that. With cyber deception, we don’t have the security focused mailing lists.

We don’t have the really small, tight knit community that we had in security. So the same rule still applies, but the network is much larger and fractured.

You have Twitter, you have Reddit, you have Facebook, you have all these different groups, LinkedIn, you have all these security professionals all over the place. So there’s not this one place where, like, this infectious idea can take off and spread like wildfire.

And cyber deception is definitely something that isn’t new, but it still needs proof. And the goal of this webcast is to give you some quick things that you can implement that will help you develop proof.

Now, there’s some conversations, a lot of this stuff I talked about at DerbyCon, and I realized it was just in one room. We’d never turned it into a webcast, and that’s on me. I should have done that earlier, but the problem I have with the conversation of deception is that deception technology and active defense tends to fall into two conversation topics. Either the first conversation topic is it’s hacking back, and it’s illegal, and that’s garbage.

And then the second conversation that comes up is a number of people pooh-pooh deception technologies, because they say no one’s using it. So Brian Krebs comes out and he says, number three, deception technologies are nice, but advisable only if your organization is already doing 99% of the rest of the basic security stuff.

As it happens, a lot of really cool tech being advertised at RSA is for a very exclusive audience. And I’m going to come back to Krebs here in a second. And then you have Jeff Moss, who founded DEF CON and Black Hat.

He asked an interesting question to an audience at Black Hat Europe last year. He says, I’ve never had one speaker say that I checked the canary, and I reviewed the deception tech, and it worked.

And then he said, who here is using deception technology? And no one raised their hands. The problem with both of these is they stifle any kind of new conversation or forward progress with a new technology.

It’s like, well, no one’s using it, therefore it’s garbage, or you should do everything else first, and then you can do deception technology. And I think that both of those are wrong. So we’ll talk about some deception technologies and some things that we have implemented at Black Hills Information Security.

And, yes, we have actually seen this in our customers. So, Krebs, we need to have a conversation. And I want to preface this with saying, I love Brian Krebs. His contribution to the community is huge.

Krebs on Security. Everyone reads it. It is absolutely amazing. But he’s wrong. And the reason why he’s wrong is there’s this assumption that if you get 99% of the existing technologies that you should have in place set up properly, that you are going to be secure.

And I keep coming back to these slides again and again and again and again where we’re talking about how do organizations find out they’re compromised? So, this is a graph from last year’s Verizon Data Breach Report, where we broke down all of the different types of attack, sorry, the bunch of different detection technologies and how actual attacks were detected.

And if I kind of circle all of these, look at all of the ones that are external, external fraud detection, external customer, external actor disclosure, external law enforcement, external, unrelated, third party, external incident response, security researcher monitoring service, other, and even the partner at the top that, could really be circled in red as well.

So whenever you’re looking at how organizations actually detect they’ve been compromised, well over 60% of all the detects that organizations have that they were popped come from somebody outside of that organization.

And that, for me, is absolutely terrifying. And what that’s showing is if you implement everything, you still have a really good chance of missing an attack.

So that’s why we spend all of this time talking about network threat hunting, because traditional technologies have gaps and holes. I don’t want to say they’re failing. I have a habit of saying that.

But they have holes that need to be augmented and buttressed. And the cyber deception technologies can also fit into that as well. So let’s talk about something I think is crap and is garbage.

And I’d love to get into a good conversation about this, but we’ll go through it quickly. I hate threat intelligence feeds. Threat intelligence feeds are what your vendors should be doing.

Your antivirus vendors should be doing threat intelligence. That’s literally their job. They’re finding malware on systems. Your firewall vendors should be doing threat intelligence, because that’s literally their job.

Your egress, web filtering, should be doing threat intelligence. That’s their job. And ultimately, what a lot of these vendors, especially if you’re buying threat intelligence from, like, a McAfee or Symantec or Sophos, is they’re repackaging all of the garbage that they’re already putting in antivirus and that they’re already putting in for their firewalls and blocking rules, and then they’re reselling it to their customers.

This is insane. Right? There is value when you’re researching an incident, being able to look up an IP address, being able to look up, maybe hash values or strings having that type of threat intelligence to kind of on the backend, but using threat intelligence and ingesting indicators of compromise and then cross referencing those indicators of compromise across your entire environment is literally what your antivirus should be doing and is literally what your firewall should be doing.

Why the hell are we doing it again? Right, but this is kind of where everyone went to. Right. Everyone kind of jumped into understanding threat intelligence because we, as an industry, we want to have a better understanding of what a hacker is.

And if you buy an antivirus product, it’s ingesting all of these signatures, and it’s kind of abstracted from you. You don’t see it. If you buy a firewall, it’s updating its signatures and its blacklist IP address without you really seeing.

But if I can sell you on the idea that I’m going to sell you threat intelligence. All of a sudden, you have this concept in your head that now you’re developing a better understanding of what threat actors do.

But this is a trap, right? This is a trap because many of these threat intelligence feeds are serving up information about previous attacks.

And I use an analogy quite a bit in my presentations. A human being is hardwired to think in terms of blacklists. That’s just how we think of risk.

And it makes sense because it’s worked for us for hundreds of thousands, if not millions of years, right? So I use the story all the time. Imagine you have two people. Chris and I are walking through the woods 150,000 years ago, and we walk by this mushroom, and Chris looks at me, and he’s like, John, eat that mushroom.

And I’m like, I don’t want to eat that mushroom. He’s like, eat the mushroom, dude. I’m like, I’m not going to eat the stupid mushroom. He goes, I double dog dare you to eat the mushroom. Like, all right, I eat the mushroom.

I eat the mushroom, and I die horribly, right? Well, then Chris goes back to the village, and he immediately tells everyone, John ate this mushroom. He foamed at the mouth, his eyes rolled back in his head, and he died.

And from that day forth, they start singing songs of the idiot John Strand, who ate the mushroom. Right? And they do this because blacklists work for that type of risk.

Eat this, don’t eat this. Go cuddle with a puppy. Do not cuddle with a polar bear, whatever you do. So whenever somebody is trying to sell you a blacklist, it hits all of these sensors in your head that I can create a blacklist for what is bad, and I can create a whitelist for what is good, and I’ll be safe.

And that doesn’t apply to cybersecurity. So when we’re talking about threat intelligence, I really want you to start looking at these things that I’m going to recommend as recommendations that will give you threat intelligence, not for attacks that happened a month ago or two months ago or a year ago on somebody else’s network, but what can happen right now, or what is happening right now in your organization?

So the first one I want to talk about is canary tokens. This is by Thinkst, amazing group of security researchers. Really cool. You can do this.

Right now, a lot of this presentation is going to be straight out of canarytokens.org, and we’ll talk about ADHD. And ADHD has a local canary token server installed on it.

Let me show you ADHD. If we go to ADHD, we log in with the password of ADHD. ADHD is [email protected].

Anybody can pull it down, and then you can play along. And if you look in the ADHD usage document on the desktop, by the way, the password is ADHD, and you go to attribution, we have a number of different tools.

You can run Canary live or canary on the local system. So this is built into ADHD already, so you guys can play along with it. The idea of canary tokens is that you can create a number of different artifacts that as soon as an attacker interacts with it, it will automatically beacon back.

Think of these as tripwires. You can put them in a variety of different places around your environment. And if an adversary interacts with that file, interacts with that service, interacts with that share, interacts with that website, it’s automatically going to alert you that this IP address is doing some shenanigans.

So if we tie this back to threat intelligence, this is actually like real threat intelligence. This is telling you not what’s happening for an attack against an environment a month ago.

This is telling you what is happening on your organization right now. So let’s go ahead and let’s jump in. But before we do, I put up the link here for ADHD.

So, Jason, do we have any questions?

Jason Blanchard

Nothing right now that stands out that you haven’t answered or addressed. So you can keep going.

John Strand

Very good. So if you have any questions, please type them in. So, this is where you can get ADHD. You can also get ADHD from Active Countermeasures as well. So let’s go through some attack scenarios, right?

Let’s say you’re an attacker and you’re doing recon, and you want to find out everything about an organization before you actually attack that organization. And we’re looking at the cyber kill chain.

So, God help me, I want everyone to know. I’m going to start using cyber kill chain to describe things in Backdoors & Breaches. I’m going to describe cyber kill chain as it applies to this, because I’ve lost all capability to stop the cyber kill chain.

Like a juggernaut, so if you can’t beat them, join them. So when you’re looking at cyber kill chain and we’re looking at the methodologies, the methodology really starts with recon. How can I find out all of the different points that I can attack on an organization?

Now going through full recon is outside of the scope of this particular session. But you get an idea if you just Google recon. So let’s go through how we can mess with the attacker’s ability to do proper recon.

One of the things that you can do in canary tokens, and if I can go to Canary Tokens right now, I can show you, go to canarytokens.org, I can drop this down and I can say, I want to find some AWS keys.

So where is it? There we go. So I can go AWS key and I can put in an email.

People are making fun of my typing ability. You get uncomfortable when I have a lot of people watching me. I just can’t do it. So I just generated this token.

Now, if I take this token and I put it on a GitHub repository, if an attacker is going through and searching GitHub for the name of your organization, you can have a GitHub project, throw this out there and say, here’s our AWs secret keys.

The attacker will see that, they’ll pull it down, and then they use something like S3 Browser, S3 Explorer to try to access that AWS S3 bucket.

And when they do, there’s going to be an alert that’s going to pop up. So here I am using S3 Browser, trying to access that particular key, and it pops up and it says, I’m unable to perform the request that you’re trying to do here.

There’s no such bucket, but it doesn’t matter because there’s an alert that’s been triggered on the other side. So it pops up and it says, AWS API key token. We have the date, timestamp, the canary token, the little reminder, I know who’s making that connection.

So now let’s pull this back to threat intelligence. Right from a threat intelligence perspective. I have a source IP address. I know who’s messing around with my S3 buckets now.

Yeah, an attacker can pop through different proxies, but how in the hell is that any different than spending hundreds of thousands of dollars for a threat intelligence feed for IP addresses?

This is an IP address that right now is trying to access your resources in your tripwire that you set up. And how much does it cost for you to implement this?

Nothing. It doesn’t cost you anything at all. You just create a GitHub repository, throw up a key, have it come into your email at work, have an alert, set it, forget it, walk away.

Now, any pen tester that’s trying to attack your organization, if they trip on this, you’re going to know. If you’re dealing with an attacker that’s looking at your organization and sniffing around, you’re going to know.

But let’s talk about pen testers, because security researchers have somehow confused finding open S3 buckets with actual real security research.

So there’s literally dozens of examples of pen testing firms that are going around and just trying to find cloud data that’s leaking user IDs, passwords, encryption keys, and it’s always put out by these security firms as though they found something really huge, right?

It’s like, oh, yeah. Well, through our research we discovered they basically had a script that’s going through all the S3 buckets and trying to find if there’s data exposed, right. And right now, the way it is with Amazon, if you’re using AWS, if you have your S3 buckets exposed, it will literally lock your Amazon account out.

So this can be used for AWS. You can also put it up on, you can have it part of Azure. You can put these wherever you want to put these API keys. And if an attacker is going through and doing recon, pull down the API key, bam, exactly who they are and where they are as well with their IP address.

So let’s talk about executables. Another cool thing with canary tokens is that, within canary tokens, you can create a new token, you can create an executable. Well, you’re not really creating an executable per se. What you’re doing is you’re uploading an existing executable and then you’re backdooring that executable, and we’ll talk about how you can do this.

But if you start thinking in terms of what types of executables could I use to generate a, really enticing snack for an attacker that they would probably run that executable.

You’re probably thinking in the right area. If we start looking at vpnconfig.exe or we start looking at sysprep.exe, there’s all kinds of ways that you can create an executable that looks legit and the attacker is totally going to run that.

So this is the way you set it up. You set up a custom binary, custom executable, put in the email address for the alert, say you want it to be an executable. In this example, I just uploaded Rufus, which is an ISO-to-USB burning utility, and then it creates that token and I just named it free candy because, once again, sticking with chiasms and themes within the presentation.

So now if the attacker takes that executable and runs that executable, it’s automatically going to trigger an alert and it’s going to tell you who’s actually trying to access and run that executable in your environment.

Now you don’t want to put that executable in a really super easy accessible area on your web server. You would want to put it under a share that has robots.txt saying noindex, nofollow, disallow.

And you want to say don’t go to that directory in robots.txt and make it something that’s not directly hooked up for your user population, like not off your main website.

An attacker that’s going through will automatically look in robots.txt, look for sensitive directories like help desk, and they’re going to go to that directory and then they’re going to see free candy. They’re going to be like, free candy, that’s awesome.

And they’re going to try to run it. Great. Now you’ve got an alert from them. And we love it at BHIS. I’ll show you a report finding that we love putting in whenever we have customers using cyber deception.

But it makes my heart glow when my pen testers are like, hey, this customer, we’re on a red team. And they totally found my IP address at home or the IP address of the VPN at BHIS.

That means it’s catching on. That’s ultimately what we’re looking for. Right. But we can actually go forth a little bit further and make it real.

If you go to this, this is fake. This isn’t a VPN. Well, you could upload a VPN executable. You could totally do that. Or what you could do is just really use your VPN and make it completely real.

You see, OpenVPN has the ability of a script that when someone tries to connect to the VPN, you can execute PowerShell, Python, or just a straight up executable.

That’s awesome. You’re not even using cyber deception technologies. You’re literally using your real VPN to run commands on an attacker’s computer that’s trying to access your VPN.

This gets into some wishy washy things where people are like, well that’s entrapment. First, understand that if we’re talking about entrapment, entrapment is something that’s done by law enforcement.

Okay? But an entrapment, usually with law enforcement, is enticing somebody to commit a crime. Let me give you an example. The actual legal case, the Brandeis court in the sixties dealing with entrapment, had to do with child pornography.

There was a local law enforcement at a town, there was somebody in the town that was creepy. And they sent him a letter and they said, hey, you want some child porn? He responded back in a letter. He said no, and they sent him another letter like, are you sure?

It’s a pretty cool child porn. And he’s like, sure. And as soon as they put the child porn and delivered it in the mail, they arrested him for possession. There were two things that came out of that case. The first thing was, you can’t do that.

Like that was reaching out to a criminal and saying, would you like to commit a crime? Come commit a crime with us. That’s entrapment. If you have a door and it’s unlocked, you’re not entrapping somebody that breaks and enters your home.

And they can’t say, well, they entrapped me because they left their door open. What did they expect? That’s not how that works. The second thing gets into questions of possession. I don’t want to get into that, but we could talk about that later.

But when we’re talking about this, you can set it up in such a way that you’re not getting remote access to the computer, you’re not getting a shell and uploading PowerShell Empire, Meterpreter or Cobalt Strike on that computer.

No, what I would do is just get system name, get the IP address, get the version of the operating system who’s logged in, and maybe wireless profiles, and that’s it.

And the cool thing is you can do that for all your users that are accessing your environment, not just on the attacker. Then it’s not targeted. It’s just something you do to validate the security of a system when it connects in, and that’s defendable in court.

So we could totally do this and make it real. Once again, none of this is hard, none of this is illegal, none of this is this huge lift for an organization. It’s just something that takes a little bit of time.

So how will we do this? Well, we talked about robots.txt. We can actually put inside of an executable where we can do netsh wlan show networks mode=bssid.

And you would put that script inside of an executable and you would put it in a directory, like registration, admin, admin, page, JSF, detect, admin, email, maps, whatever directory you want to put it in.

And when an attacker goes to that page, they pull down the executable. It does a wireless site survey. We’ll talk more about wireless site surveys here in just a little bit. But with the wireless site survey, it’s going to find all the access points that are near them and that could be used for very solid geolocation of an attacker.

I want to pause for a second, Jason, any questions that have not been answered? We have a crack team of our top people answering questions. So do you have any questions so far?

Jason Blanchard

There’s one. Is ADHD something you place off premises?

John Strand

Whenever you’re running ADHD, you can run it on prem, you can run it off prem, it’s really up to you, but you’re going to want to go through and secure it. If you look in ADHD, there’s actually a, log in real quick.

You have credentials and ADHD lists out all the default credentials of all of the different services like Decloak user ADHD, BeEF, beef ADHD, ADHD, ADHD, ADHD.

Web labyrinth username is web labyrinth user web bug server. If you use this, you’re going to want to go through and actually change these credentials. And all of those credentials are actually listed in the credential file of ADHD.

So I hope that that answered your question. All right, if there’s no more questions, I’ll keep going. Otherwise Jason can just chime in. Oh, go ahead, Jason, what do you got?

Jason Blanchard

Is there a recommended opinion where you place honeypots and which ones generally work better in your network, for example, like high-interaction ones or something?

John Strand

So I recommend staying away from high interaction honey pots. High interaction honey pots are the land for college students going for their master’s degree and they want to collect an attack because they’ve never seen a real attack. You really want to focus on low interaction honey pots and all the honey pots that we’ve gone over here, we put in the category of low to medium interaction.

So you want to reduce the work effort that you have to put in place to get these things running and get them running properly. And you don’t want to have to do love, care and feeding for the honey pots all the time. That’s a great question.

And where should you put them? Everywhere. Put them everywhere. They should be on your DMZ, on your servers. They should be on file servers on the inside of your environment in the form of Word documents.

You should run honeyports on external servers and Portspoof on external servers, on internal servers. You should run them everywhere.

Jason Blanchard

And this is a clarifying question. So we can use Python, PowerShell and our VPN to grab information on who used the exe.

Apologies if I misunderstood.

John Strand

Yep. It’s for whoever’s logging into the VPN. You can create it as an executable outside of your VPN. If I was going to do this OpenVPN trick, I would stand up OpenVPN on a separate server and call it vpn.hackedcompany.com and have it completely separate from my organization, but have the logging and the alerting and the scripts running for anybody that tried to access it.

So you’ve created this little pitfall for an attacker. As far as a honey service, whenever it comes to a VPN, that’s capturing and intercepting and running commands on the attacker’s computer system.

Jason Blanchard

I got one more. Yeah, I understand. The tokens are not hacking back, but leaving artifacts or command history on a potential attacker’s machine is bad.

John Strand

No, you’re actually not leaving any commands. You are leaving an artifact. There’ll be a file. But the cool thing about this is with this command, it’s too late.

The cat’s out of the bag. At that particular point, whenever you’re talking about an executable, it’s just a DNS lookup. When you’re looking at the AWS keys, you’re not really leaving any commands.

It’s their own service in this situation, S3 Browser, that’s making the connections back. The Word documents are doing image source tags. So the actual artifacts on the attacker system are incredibly, incredibly minimal.

When you’re dealing with low interaction honey pots, you’re basically just trying to get them to connect back further. Whenever you’re talking about this from a philosophical perspective, whenever you’re doing cyber offensive operations for like a nation state or a hacking group, the one key rule is don’t get caught.

And what happens as soon as an attacker sees that they may have been outed by an IP address, or outed by geolocation, or outed, or even if these technologies are being used at all, even if they didn’t fall into that trap, I want you to think about how that would change your mindset if you were launching an attack in an organization.

If you’re launching an attack in an organization and you come across a document that beacons back, or you come across an executable that beacons back, now, everything in that environment is dangerous to you.

Now, how does that change your approach? As far as being an attacker, the vast majority of attackers, especially at the nation state level, will move on to an easier target because the risk is far too high to the organization and the attacker for them being outed and basically discovered.

So any other questions?

Jason Blanchard

So my interest is IoT. Any specific strategies for IoT honeypot approaches?

John Strand

Yep, there’s a number of different honeypot approaches. One of my favorite utilities is actually in ADHD. Let me go over here. And if you go to Annoyance, there’s a honeypot in here called Kippo.

And there’s another one in here that we can talk about. Cowrie is the newer version of Kippo. Kippo has some really cool things that Cowrie doesn’t have yet, but Cowrie is the newer version.

But it allows you to emulate an SSH honeypot or a telnet honeypot. And a lot of the IoT devices have IoT or they have, excuse me, a lot of the IoT devices have telnet or SSH.

And you can actually modify the configuration here. Let me show you real quick. We cd into /opt/kippo and then we ls and we cd into the text commands here.

Let’s go to bin. You can actually modify these different, the output of these files. So if you look at mount, if they run the mount command, this is what it’s going to pop up.

And you can actually modify that particular executable and you can make that executable run a different output. But ifconfig isn’t all that interesting.

But all of these commands are here, and they’re in the text commands, and then utils are there as well that you can play around with the attacker as well. So you can actually modify Kippo and Cowrie to match the IoT device of your choosing.

Good question.

Jason Blanchard

We’ll do one more and then get back to.

John Strand

Yeah, let’s do it.

Jason Blanchard

So a SIEM and multiple medium honeypots could be a good combination for threat intelligence in the environment.

John Strand

Yeah, absolutely. We’ll talk a little bit about what we’re doing at BHIS. And I know Kent and the systems team get a little nervous when I talk about this, but we are running honeypots on the edge of our network and we have that dumping into Elasticsearch, or Logstash, Elasticsearch, the ELK stack, for pulling in that data and tracking it.

So good question. So I’m going to move on. This is one of my favorites, actually. I’ve said that like three times now, but a cloned website. So what you can do is you can take this JavaScript, right?

And you can put this JavaScript, you can even obfuscate the JavaScript and you can put it on your website that has a user id and password. So if an attacker is coming at your organization, one of the things they’re going to do is they’re going to clone your website and they’ll use that for spear phishing to do harvesting of credentials.

So they clone a website that has user ID and password, and then they’re going to start phishing and they’re going to say, oh, you got to log into the OWA portal before your account locks out, and the link takes them to a webpage that looks just like your OWA portal, but it’s cloned and on the attacker system.

Well, what happens is when the attacker clones that, they’ll snarf up this code, and as soon as they fire up that server or visit that webpage, that server will automatically make a call back to your server.

Here it’s making a callback to canarytokens.com, but if you stand up your own, excuse me, Canary token server, then it’s going to call back to your domain. And with the domains that we use for honeypots, we try to come up with domains that have nonsensical names that look like ad services, because ad services look crazy and your system is making hundreds of calls to weirdly named ad services.

So it blends into the background a lot better. The default one at Canary Tokens is kind of a dead giveaway, but you can change that if you stand up your own instance as well. Then this is what it looks like when it fires.

You see the canary token has been fired. A clone website for this particular site, dot blackhillsinfosec.com, has been compromised. And we can actually see who’s actually making those requests and who’s actually doing that cloning.

So this is really cool, right? So what happens? Just putting this in perspective, this allows you to stop spear phishing attacks before the spear phishing attack even starts.

So the attacker will clone your website. As soon as they view that page, that website calls back, blacklist that IP address. Congratulations. Now when they send their spear phishing attack into your environment, your users won’t even get the opportunity to make a connection to that phishing website.

This is threat intelligence, folks. Like, honestly, this is what threat intelligence should have been from the beginning, not an attack that happened to somebody else’s organization a month ago.

But what’s happening on your organization right now. I’m not blacklisting IP addresses that were used for malware a month ago. I’m blacklisting evil IP addresses as they are actively targeting my organization as well.

So here’s a history of a bunch of different IP addresses and incidents that the great systems team at BHIS has sent me. And you can see some of these are South Dakota, that’s us actually testing it, but we have a number of IP addresses that are launching attacks.

Word docs. I actually started the process at some point last year. Wanted to completely rewrite green eggs and ham as a hacker thing. And this was my favorite part.

When we’re talking about word docs, that beacon back, would you run it from a share? Could you run it from a chair? Would you run it from Tor? If the FBI comes, should you open the door? Went on and on and on, and my family thought I had lost my mind and they were probably pretty accurate on that.

But we can put the document up somewhere, right? We can put it on a share, we can put it on a website, you can email it to spammers. So if somebody is trying to do, social engineering, spear phishing attack, respond back with a word document, I don’t know, maybe they’ll open it.

And if they do, that document will actually beacon back. There’s a couple of things to keep in mind on this, and I’ll get to that here in a second. But I want to focus on the compromised system.

Compromised systems are key. If you have a workstation that you believe is compromised, one of the tricks that you can pull is you can drop a Word document or an Excel spreadsheet on the desktop of that system with the name of something that would be super enticing for an attacker.

Something like socialsecuritynumbers.xls or passwords.doc, because we don’t see that literally all the time in our pen tests. But you would put it on this compromised system that you’re doing incident response on, in the whole hope that the attacker watching that system will reach out, grab that document, pull it back, open it, and then you would have their IP address at that particular point.

Now we have people that will say, well, the attacker could literally open up every single document they pull from a virtual machine that’s completely sandboxed. Yeah, no, they’re not going to do that.

Sorry, that’s not how it works. They could absolutely do that, but they’re not going to because they have jobs. If you literally have to open everything in a sandboxed environment.

And you’re that paranoid. I’m okay with that. And the reason why I’m okay with that is it’s going to drastically slow down the attacker and their ability to successfully attack organizations.

Some people will say, well, they’re going to use Tor. Once again, I’m okay with that. The reason: Tor is incredibly slow. So if we’re slowing down the attacker and they’re using tongs and radioactive-proof vests to analyze each file in your environment, awesome.

It’s going to take them forever to do anything. And that’s ultimately what we want to have happen. So I was messing with my brother at DerbyCon. It was probably four or five in the morning.

It was super early, maybe it was like six. I can’t remember what I created it for. And he and I were sharing a room in Louisville, Kentucky, and I sent him a Word document. And I’m like, please open this.

Thanks. And I wake him up and I’m like, Brian, I sent you a document. Open it. He’s like, no. I’m like, come on, dude, open it. He’s like, no, I mean, you’ve told me never to open documents and things like this.

What the hell is this going to do to my computer? And I’m like, what does it matter? Just open the document. He’s like, this is just weird. So he opened it, and whenever he opened it, there was a couple of things about this that are really super cool.

One, it made a full HTTP request. We get the date timestamp. I got the token reminder as he opened it. We have the source IP address, but here’s where it gets cool.

So we were over here in downtown Louisville. Okay, we were right about here, okay. When the document opened, it basically came back to this location kind of in the middle of Louisville.

And what’s weird about that is that was not quite where we were at. I mean, it’s not bad, but it’s probably about 4 miles off from where we were over here.

Now this is where a lot of people get freaked out about cyber deception. They’re like, yeah, the IP address isn’t going to be very accurate because the IP address is just going to put you to the centralized location for the DHCP pool.

And they’re right. Absolutely right. You see, what happens is with the DHCP pool for an Internet service provider, they may not know exactly what IP address you’re going to get. So when they put in geolocation information for IP addresses, they just kind of put it at the center of the geographic location that DHCP pool may come up from, or as they’re handing out leases statically, same thing.

They’re going to put it in the middle of a city. So you’re not going to get like this super accurate, like pinpointing of an attacker with just the straight IP address.

However, we can do better. One of the things you can do is you can traceroute to that IP address fairly quickly. The reason why tracerouting is important is because the endpoint IP will be part of a DHCP pool, and that DHCP pool is going to have really loosey-goosey IP location information in various databases.

But the last routing hop before that IP address, that tends to be a lot more accurate. You see, as you’re going through all the routing hops, they tend to be far more accurate as to where those routers are, and they tend to give information of exactly where those points of presence are, because if the network goes down, they have to be able to find where that router actually is, and a lot of that is published.

So if I trace route to this IP address, which is way far off from where we’re at, back up one hop, it actually puts us within a block of where we were.

So the accuracy went from being off by a couple of miles to being off by one block. And that is awesome. That is threat intelligence. We’re not talking about, once again, an IP address that may or may not have been used a year ago.

We’re talking about the block that the attacker is in that pulled this particular Word doc down. That’s awesome, folks. This is cool. So Jason’s got some questions, I think.

Jason Blanchard

Yeah. Does the attacker have to enable macros for the word canary token to fire?

John Strand

No, they don’t. Great question. I’m going to get to that here in a second. But no, they don’t. If you look at how Microsoft Word works, and it’s not just Word, Microsoft Word is a web browser.

It actually supports cascading style sheets, it supports image source tags, so macros are not needed. And I’ll show you what the actual code looks like here in a second for a much more accurate word bug, that we’ll talk about.

Great question. Any other questions?

Jason Blanchard

Can text be a token?

John Strand

Can text be a token? No. If they were to open up this document directly. Let’s actually get to this. If they were going to use a text viewer, which they’re not going to do, especially whenever you’re dealing with docx files and xlsx files, those are compressed.

If you actually try to look at them in vi, it actually shows you a manifest of what the compressed files are inside of that. So they won’t be able to do that. But no, I know of no way to make vi make a callback.

I just haven’t seen it. But what we can do is we can take our Word web bugs and we can make them far more effective without needing macros.

Now we can use macros, and I’ll get to that here in a second. Here’s how it looks. If you were to open this Word document in something like vi or TextEdit or Notepad++, not TextEdit but Notepad or vi, you would actually see HTML.

It says HTML, head, we’ve got a cascading style sheet, and then down below it says image source tag. That’s not a macro, that’s straight HTML. And if you open it up in Word, it just says, oh, that’s a buggy document.

You’re not going to see the HTML. But this particular document will work with AbiWord, LibreOffice Writer, Apple TextEdit and Microsoft Word.

So it works on a lot of them. But if they’re opening it up with raw vi or emacs, no, it’s not going to fire. So any other questions?

Jason Blanchard

Yeah, I think people just wanted to clarify. So I’m just going to read this one and this should cover everybody’s. I just want to make sure I understand this correctly. You get the public IP that the attacker is using, run traceroute on it, then run a geo lookup on the last hop, which will hopefully be more accurate.

John Strand

Yes, that’s it, that’s it. So just back up one from that IP address on that traceroute and do a geo lookup on that. And what you’re looking at is that routing hop that that Internet service provider uses.

So, right, let’s talk about moving forward. There’s a number of different companies. Javelin, I loved Javelin. I thought their product was great. They were bought by Symantec.

So I feel less entitled to not talk about some issues with the Javelin product. But the way Javelin works is you can create fake users and fake machines in your environment.

The problem with this, and this is at least something that Beau Bullock found at BHIS, is the last access time for the service accounts and the user accounts and the system accounts that Javelin creates that are fake is basically January 1, 1601, but when you have clock drift in UTC it can come back as December 31, 1600.

So that’s one of the dead giveaways. But what I want to do is talk about how you can do Javelin for free, because why spend money if you don’t have to? Once again, I’ve got the shirt proudly sucking at capitalism. So let’s keep going so you can create a honey user in your environment.

In this situation, I’m creating an administrator account. I’m naming it admin, ADM, administrator. I’m making sure that its logon hours are set to none.

This is critical, because you don’t want the attacker to actually log into this account ever. You just want it so they see the account, they maybe try to authenticate, then we can generate an alert to the SIEM.

So the login hours are completely shut off for this particular account. So if we run something like kerberoasting, we can also detect kerberoasting. I can’t remember what product this is, but we had a customer that basically said, hey, somebody’s trying to run kerberoasting.

This may have been a canary product that can be really useful for popping up and saying, someone’s launching kerberoasting. Because kerberoasting is one of those default attacks that every pen tester is going to do and we can detect it.

So here’s a customer that detected it.

Derek

CredDefense toolkit.

John Strand

What was that? Derek, CredDefense toolkit. Was this from the CredDefense toolkit, though?

Derek

Yeah, I wrote this.

John Strand

Okay, well, that makes a lot more sense. See, we actually had a customer using your tool against us in a pen.

Derek

Test and caught me.

John Strand

You want to talk about that a little bit more?

Derek

I mean, it was just essentially setting.

Jason Blanchard

Up,

Derek

A honey SPN, not an account, a fake SPN that no user would ever look for. And then ingesting all the event logs. Ingesting event logs and alerting on.

I can’t remember the exact ID.

John Strand

Dude, I didn’t know that this was you. I was just going through the reports and pulling out examples. I didn’t know this was you.

Derek

Me and Brian and Beau wrote it to go to DerbyCon, actually. We were like, how can we go to DerbyCon? We need to do a talk. What we should do, we should write something that catches us. And then we had customers start using it.

John Strand

So we’ve had a couple of different updates recently, but here’s the CredDefense toolkit that he’s talking about, out on GitHub. And then we also have a blog on the CredDefense toolkit. It does detection of kerberoasting.

It also has some password filters that Brian Fehrman wrote as well. So check out the CredDefense toolkit. So that’s awesome. Whenever we get caught by our own tools, I just absolutely love it.

And we’ve added this thing to our reports recently, and I love it whenever we get to put it in. Effective use of traps. Multiple hosts on the domain were installed as traps. Activities conducted by BHIS revealed that these traps were vulnerable to multiple insecurities.

In the May 10 targets interact. Any interaction with these hosts triggered alerts to the customer, and these were reported to BHIS during the test. While these should not be relied upon as a sole source of protection, they do provide an added layer of defense in depth.

And a line I’m kind of using a lot this year is: I love it when testers cry, collect their tears. It makes the best wine. So go ahead.

Derek

I’ve been caught three times this year or last year, 2019, with somebody doing something along these lines.

John Strand

And that’s. And I know Darin’s got caught a couple of times, and I think Beau got caught a couple of times as well. So those are just the ones that I was able to find. There’s a lot of pen test reports, but I think, Derek, it’s important to share with people that this is something that’s happening.

We’re starting to see more and more people using these technologies effectively, and we need more people using them moving forward. We also have an update to HoneyBadger.

Hopefully this will get pulled into the main HoneyBadger project. I’ll show you where you can actually import this, and you can pull it before it’s actually merged into the main HoneyBadger project.

So this was created by Bradley, one of our interns, who’s going to be joining us as a full-time employee as soon as he graduates. And he updated HoneyBadger. And we now have full VB macros.

And there’s two things that are really cool about this. If you want really hyper accurate attribution, you can put a macro and the macro gets you down to like 20 meters.

Being able to detect an adversary. So it works really, really well, but it requires the attacker to actually run the macro. So you wouldn’t necessarily put this in a word document. I’d recommend putting this in something like an Excel spreadsheet where they would expect to run Macros.

The other thing that you can do is you can actually convert this to a standalone executable, with something like mono, just to basically compile it down and then you can create an executable, call it your VPN config, merge it with other ones if you want.

So here’s the instructions on how to compile it with vbc and Mono, and it’ll automatically drop the executable and it’ll put your location. In this situation, it put us right on top of the hotel where I was staying, and it got us accuracy within 77 meters.

And that was actually a little bit more accurate. It was a guess that it was 77 meters, but it literally put it on the middle of the Marriott. And we were right here in the middle of the Marriott.

So it was a little bit more accurate than just, the straight 77 meters. And of course you can get it here. So go ahead and check it out and try using it. It will require a Google API key.

That is something you’re going to have to set up with it. It used to be that the API was completely open and free, but Google started getting a little bit weird, and they are now forcing people to get registered API keys for HoneyBadger to actually run.

And what it actually does is it runs a wireless site survey and pulls that information. So back to threat intel. And I know everyone gets uncomfortable whenever I talk about this. I’m probably going to have it on my tombstone that threat intel was crap.

But, this is threat intelligence, right? We want to learn about attackers. We want to improve defense, we want to increase awareness. Can we do that cheaper and better with deception technology, with actual attacks, literally on your network, not attacks on someone else’s network?

That’s what we’ve all been trying to get, folks, and now we’re finally able to get to do that. And ADHD has all this stuff built into it. You can download it, you can run it. So please give it a shot.

Implement it in your environment. Because when we’re talking about changing trends in information security, it requires us to generate proof. And as Derek was talking about just a couple of seconds ago with his tests, he said like three customers had run this and caught him last year with his own tool that he wrote.

And we have a number of other people that are using these tools. And I’m telling you right now that it’s one of my favorite phone calls. Whenever I have customers call me up and say, yo, we caught your pen tester.

We caught your pen tester using deception technology that you talked about in a webcast, that your company wrote, or something that’s in ADHD. That’s beautiful. If you’re going to fail.

You want to fail that way in your life. And I’m perfectly happy failing if we’re in the middle of a pen test because a customer was using deception technology, techniques that we’ve talked about or stuff that we’ve written and how we use it.

This is an email from Kent. I don’t think much of these on their own. Initially, there was a bunch of IP addresses. However, they all seem to be geographically correlated. We figured we should let you know if you want to look specifically; the specific value targeted phish originated from the Netherlands, from this particular IP address.

This is great, right? We now knew that somebody was trying to attack us from Antwerp. I actually think I went on Twitter and I said, the people that are trying to attack us from Antwerp, I want to say hi.

And I actually got a DM from a disposable Twitter account that was like, how the hell did... That could be crap, right? That could be just somebody being goofy. But it works, folks.

It works. Use it. Get it out there. So I want to open it up to questions. I’m going to close out the slide deck and I will open it to questions from the group.

Does anybody have any questions at all? Start typing them in. While people are typing their first questions, BHIS is starting up a new service, the Hunt Teaming Operations Center.

It’s not a SOC or an MSSP, but we actually deploy AI-Hunter on your environment. We manage it, we watch the alerts, and we give you actionable intel saying, hey, this IP address is beaconing all the time to Kazakhstan or the Netherlands.

So if you’re interested, just type HTOC into chat and we’ll reach out. We’ll talk to you about HTOC, but other than that, let’s go with the questions. So, Jason, what do we have?

Jason Blanchard

It says, we were promised a recipe for wine. How many pen testers tears does it take to make a truly magnificent wine?

John Strand

Okay, so, to make a truly magnificent wine, whenever you’re looking at wines, usually wines come from one vintage, right? When, I can’t remember, what do they call a wine that’s made from multiple different types of wines?

They actually have a specific name for it. Is that a blend? But yeah, you would call that like a blended wine. So it really depends on your tastes. If you’re just kind of, you like high quality merlot, you’re going to want to run with one tester.

But if you want a blend, I recommend a blend of, like, Derek Banks. Darin, I would say, would be fantastic. And if you can get just a touch of Joff in there.

It’s a great blend.

Jason Blanchard

So, we’re running up at the end of the hour, and so what we’re going to do is we’re going to have you answer this one last question.

John Strand

Wrap up.

Jason Blanchard

We’re going to kill the recording, and then we’re going to stick around. Rapid fire. Some questions.

John Strand

Let’s do it.

Jason Blanchard

The last one was someone had heard it. I’m kind of paraphrasing. They say they’re concerned by doing the searches on the attackers, by looking up who they are, by doing the traceroutes, by doing all these things, because if you start alerting the attackers that they’re there, then they start changing up their tactics, and then doesn’t that cause you more problems?

John Strand

It can, but there’s two things about that. First, if you’re going to do, like, the traceroute trick back to an attacker, you’re probably going to want to work from, like, a disposable DigitalOcean system.

Stand up something that’s disposable, run it, and then just burn it when you’re done. And that’s easy to do. You can do it in Linode, you can do it in DigitalOcean, you can do it in Amazon. Doesn’t really matter.

But if we get to kind of the crux of that, and I might be reading more into this question than I should, but if we get to the crux of that question, one of the issues that we have is this concept of pissing off the attacker, and then they do something to us.

And that’s not exactly what you said in this question, but I want to hit this head on. The point is, if we have attackers, and our whole entire approach to dealing with attackers is not making them angry, we’ve already lost.

If we’re going to develop better security technologies, we want them to change their tactics, we want them to think twice. And I will guarantee you, if you have an attacker coming after you and they find these technologies in play, number one rule for an attacker, don’t get caught.

And if they think that there’s a chance of getting caught, trust me, they’re going to go someplace else. So I think that’s wrap up now. That’s the hour, right? Yep.

Jason Blanchard

That is.