derbycon 5 - tactical diversion-driven defense

Tactical Diversion-Driven Defense

Upload: greg-foss

Post on 11-Apr-2017


TRANSCRIPT

Tactical Diversion-Driven Defense

Thomas Hegel, Incident Response and Security Analytics Engineer (GCFE, CISSP, PIE ETR)

Greg Foss, SecOps Lead / Sr. Researcher (OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT)

Diversion & Deception in Warfare

Draw Attention Away From True Attack Point

Mislead With False Appearance

Gain Advantage Over Enemy

“All war is based on deception” -Sun Tzu

Success From Diversion/Deception

Operation Mincemeat - 1943

Operation Zeppelin - 1944

Battle of Megiddo - 1918

Operation Bodyguard - 1942

Operation Anadyr - 1962

...and many more

Operation Mincemeat - 1943

1. Germans find British corpse from sunken enemy warship

2. Corpse holds plans for upcoming attack in Greece

3. Germans move defenses from Sicily to Greece

Apply this to InfoSec?

The Rules:

Sound Techniques

Adequate Secrecy

Feedback on Execution

Sufficient Time For Execution

Control All Information Channels

Follows strategic and operational objectives

In Practice

Network

Data

Human

Offense

Network Defense

Honeypots

Easy to configure, deploy, and maintain

Fly traps for anomalous activity

You will learn a ton about your adversaries. Information that will help in the future…

Subtle Traps

Catch Internal Attackers

Observe Attack Trends

Decoy From Real Data

Waste Attackers' Time

Honeypot Use Cases

Fake Web Applications

github.com/gfoss/phpmyadmin_honeypot

$any-web-app

Custom + Believable, with a Hidden Motive

Data Defense

Honey Tokens and Web Bugs

Zip Bombs

AdobeFlash.zip

42 bytes → 4.5 petabytes

www.unforgettable.dk

Human Defense

Keys to Success

Real World Awareness Training

Use a Blended Approach to Exercises

Gather Metrics for Program Improvements

Note: Never Punish or Embarrass Users!

Scope Social Habits

Public Information

Username Correlation

Connection Capability

“Private” Information

Examine Network Usage

“Free” Coupons!

QR Destination as training or phishing site

Print > Place on Cars in Lot

Rate of Connections

Rate Reported to Security

Spear Phishing

Open Attachment Rate

Open Message Rate

Martin Bos & Eric Milam SkyDogCon 2012 - Advanced Phishing Tactics

Beyond User Awareness

Defense Success/Failures

Rogue Wi-Fi

Set up Wi-Fi Access

Provide Fake Landing Page

Get Credentials!

Connection Rate

Credential Submission Rate

Report to Security Rate

www.slideshare.net/heinzarelli/wifi-hotspot-attacks

https://youtu.be/v36gYY2Pt70

Red Teaming

Not Penetration Testing!

Not Limited in Scope

Outsider's Perspective

Intelligence on Weaknesses

Diversion and Deception Based Offense

Offensive Honeypots

All of these tools have something in common…

● Configuration Management Systems

● Vulnerability Scanners

● System Health Checks

They tend to log in to remote hosts!

Simulate SSH service

Stand this up during internal penetration test

Catch Credentials...

#!/bin/bash
# Count and list the login attempts captured by the Kippo SSH honeypot
attempts=$(grep -c 'login attempt' /opt/kippo/log/kippo.log)
echo ""
echo "$attempts => login attempts"
echo "--------------------"
# Print "[source IP] [user/password]" for each captured attempt
grep 'login attempt' /opt/kippo/log/kippo.log | \
cut -d "," -f 3,4,5 | \
awk '{print "["$1" "$4}'
echo "--------------------"
echo ""
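The shell one-liner above lists attempts one by one. The following added example (not from the talk or the Kippo project) does the same parsing in Python and aggregates the result by source host and username, so a defender can see which internal systems are logging in to the decoy and which service accounts they use; the log line format and the sample lines are assumed and constructed, not taken from a real deployment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the assumed Kippo log format; the hosts and accounts are made up.
SAMPLE_LOG = """\
2015-09-25 10:03:14-0400 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.5.17] login attempt [root/toor] failed
2015-09-25 10:03:15-0400 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.5.17] login attempt [root/123456] failed
2015-09-25 10:04:01-0400 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.9.40] login attempt [svc_scanner/Summer2015!] succeeded
2015-09-25 10:04:09-0400 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.9.40] login attempt [svc_scanner/Summer2015!] succeeded
2015-09-25 10:05:30-0400 [HoneyPotTransport,2,10.0.9.40] connection lost
"""

# Matches only "login attempt" lines; other honeypot events are skipped.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)


def parse_login_attempts(text):
    """Yield one dict (ts, src, user, password, result) per login-attempt line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Aggregate attempts per source host and per username, and record which
    accounts 'succeeded' (the honeypot accepts anything; on a real host these
    would be the credentials an automated tool is spraying across the network)."""
    attempts = list(parse_login_attempts(text))
    by_source = Counter(a["src"] for a in attempts)
    by_user = Counter(a["user"] for a in attempts)
    succeeded = defaultdict(set)
    for a in attempts:
        if a["result"] == "succeeded":
            succeeded[a["user"]].add(a["src"])
    # Passwords are deliberately left out of the report; rotate the accounts instead.
    return {
        "total": len(attempts),
        "by_source": dict(by_source),
        "by_user": dict(by_user),
        "succeeded": {user: sorted(hosts) for user, hosts in succeeded.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} => login attempts")
    for src, n in report["by_source"].items():
        print(f"[{src}] {n} attempt(s)")
    for user, hosts in report["succeeded"].items():
        print(f"account {user!r} accepted from {', '.join(hosts)}")
```

Point it at the real log with `summarize(open('/opt/kippo/log/kippo.log').read())`; any account that shows up under "succeeded" from an internal host is one a configuration-management or scanning tool is presenting to every host it touches.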

Social Engineering

Social Engineering

WYSINWYC

http://thejh.net/misc/website-terminal-copy-paste

DEMO

Post-Exploitation Tricks

Use Deception to:

Elevate Privileges

Access Protected Resources

Pivot and Move Laterally

Etc.

OS X - AppleScript

fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html

DEMO

Windows - PowerShell

github.com/gfoss/misc/blob/master/PowerShell/popuppwn.ps1

DEMO

Attack Security Tools

● Generate False and/or Malformed Logs

● Spoof Port Scanning Origins

$ sudo nmap -sS -P0 -D sucker target(s)

● Block UDP Port 514 or disable logging service

● Capture Service Account Credentials

● Wear AV like a hat and backdoor legitimate programs on the shares…

https://www.shellterproject.com/

Target IT Staff…

“It’s broken. :-( I don’t know what happened… Can you fix it?”

github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz

In Conclusion

Network

Data

Human

Offense

Recommended Resources

Offensive Countermeasures: The Art of Active Defense, Paul Asadoorian and John Strand

Reverse Deception: Organized Cyber Threat Counter-Exploitation, Sean Bodmer

Second World War Deception: Lessons Learned for Today’s Joint Planner, Major Donald J. Bacon, USAF

Thank you! Questions?

Thomas Hegel @Thomas_Hegel

[email protected]

Greg Foss @Heinzarelli

[email protected]

@LogRhythmLabs blog.logrhythm.com