
Honey In The Age Of Cyber

khae
July 08, 2017

Deception technology and honeystuff in the modern enterprise - this talk has been held in several variations at various hacker cons. These are the slides from SteelCon 2017


Transcript

  1. Protection, Detection, Reaction
    Protection: Firewalls, IPS, Anti-DDoS etc.
    Detection: Honeystuff, IDS, Anomaly-Engine etc.
    Reaction: Blackholing, Port Control, Auto-Blocking etc.
    (Image by Carole Raddato)
  2. Honeystuff can't…
    • Prevent attacks
    • Give 100% visibility of malicious activity
    • Stop people from clicking phishing links
  3. The Cyber Kill Chain and Breach Detection
    Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objective
    Breach detection with Honeystuff: getting aware of a breach currently takes 160 – 250 days.
  4. Traditional Honeypots
    • At first they look like a vulnerable server.
    • At second glance it can easily become obvious what they are, but…
    • … by then it is too late, because the alert has already been triggered.
  5. Low to High Interaction
    Low interaction: simulate vulnerable servers and services up to OSI Layer 4; do not require a lot of maintenance; any kind of connection triggers an alert.
    Medium interaction: simulate exploitable services like FTP, Telnet etc.; used to identify the credentials an attacker uses.
    High interaction: offer real services with an optional backend in production and are closely monitored; require lots of maintenance.
  6. A short excursion: Honeynets
    If you really want to know what attackers would be doing, then setting up a highly monitored, high-maintenance environment with tons of logging might be a solution. Honeynets can deliver lots of useful data – if the right kind of attacker finds you.
  7. Pivoting
    "You only need one exploit. Once you're in, you just move laterally." – the grugq, at the Troopers conference in Heidelberg, 2017
  8. Pivoting in a segmented network
    Zones (starting from the Internet) are separated by firewalls. Traffic crossing zones is inspected by IDS/IPS and other stuff.
  9. Pivoting in a segmented network
    Same diagram, now with a Honeypot added.
  10. Decoys and deceptive strategies
    Your advantage: you have the chance to know your network better than your attacker. (This, sadly, is not always the case.)
  11. Honeyrobots.txt
    User-agent: *
    Allow: /search/about
    Disallow: /sdch
    Disallow: /bsides/mytalk.ppt
    Disallow: /groups
    Periodically check the log of your webserver for anyone requesting <your site>/bsides/mytalk.ppt and send an alert if someone did.
  12. Honeypages
    Create HTML pages on your website that are not linked to by any of your regular pages. For example, name your "About" page "about_v2.html" and use this name. Next, create an "about_v1.html" page you never use and send an alarm when someone requests this page.
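The log check from the Honeyrobots.txt and Honeypages slides, as an added Python example that is not code from the talk: it parses web server access-log lines in the Apache/nginx "combined" format, flags every request whose path is one of the honeypaths, and records whether the same client fetched robots.txt earlier in the log, which tells you the visitor read the Disallow lines and went looking on purpose. /bsides/mytalk.ppt is the path from the slide; the about_v1.html honeypage name, the client addresses and the log lines are constructed for the example. Before wiring this to an alert channel, exclude your own vulnerability scanners, which will hit every path in robots.txt by design.

```python
"""Honeypath detector for web server access logs.

Added example for the Honeyrobots.txt / Honeypages slides; not code from the
talk. Paths, IPs and log lines below are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Optional

# Paths no legitimate page links to: the robots.txt decoy from the slide plus
# an assumed unlinked honeypage. Any request for them is worth an alert.
HONEYPATHS = {"/bsides/mytalk.ppt", "/about_v1.html"}

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def request_path(target: str) -> str:
    """Path part of the request target, without query string or fragment."""
    return target.split("?", 1)[0].split("#", 1)[0]


def honey_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request for a honeypath, in log order.

    read_robots is True when the same client IP fetched /robots.txt earlier in
    the log, i.e. it found the path by reading the Disallow lines.
    """
    robots_readers = set()
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # not a line we understand: skip it, do not crash
            continue
        path = request_path(rec["target"])
        if path == "/robots.txt":
            robots_readers.add(rec["ip"])
            continue
        if path in HONEYPATHS:
            hits.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "path": path,
                "status": rec["status"],
                "ua": rec["ua"],
                "read_robots": rec["ip"] in robots_readers,
            })
    return hits


def alert_text(hit: Dict[str, object]) -> str:
    """One-line alert suitable for syslog or a chat hook."""
    how = "after reading robots.txt" if hit["read_robots"] else "without reading robots.txt"
    return (f"ALERT honeypath {hit['path']} requested by {hit['ip']} "
            f"at {hit['ts']} ({how}, status {hit['status']}, UA {hit['ua']!r})")


# Constructed log lines: a normal visitor, a robots.txt reader who then tries
# the Disallowed path, a direct hit on the honeypage, and one junk line.
SAMPLE_LOG = [
    '198.51.100.4 - - [08/Jul/2017:10:01:12 +0100] "GET /about_v2.html HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jul/2017:10:02:03 +0100] "GET /robots.txt HTTP/1.1" 200 130 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jul/2017:10:02:05 +0100] "GET /bsides/mytalk.ppt HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Jul/2017:10:03:41 +0100] "GET /about_v1.html?utm=x HTTP/1.1" 200 4096 "-" "curl/7.52.1"',
    '198.51.100.4 - - [08/Jul/2017:10:04:00 +0100] "POST /search/about HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for hit in honey_hits(SAMPLE_LOG):
        print(alert_text(hit))
```

Note that the decoy path does not have to exist: the request for /bsides/mytalk.ppt in the sample returns 404 and is still a hit, because the only way to know that path is to have read robots.txt or to have been told it.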
  13. Honeyroutes
    Want to know if someone is accessing your routing devices? Or maybe you want to carefully guide your attacker to your honeypot? Just create host routes to some of your honeypots…
  14. Honey data for database use
    Create an email account at a free provider – gmail or any of the others. Forward incoming emails to this account to your SOC team. Put the email together with other relevant data in table USERS (or anywhere you can think of, really). When mail arrives at this address, you know someone has read your database.
  15. Honeypeople
    Put some honeypeople on your network:
    • Create a fake profile on XING / LinkedIn
    • Use an email address of your company
    • Give them a phone number, too – and forward both to your SOC / security team
    Once this triggers you either have an aggressive marketeer or someone who is looking for an easy target for social engineering.
  16. Honeyfiles
    loki Desktop # stat license.txt
    […]
    Access: 2017-03-25 15:45:50.328670000 +0100
    Modify: 2017-03-25 15:45:50.328670000 +0100
    Change: 2017-03-25 15:45:50.328670000 +0100
    loki Desktop # cat license.txt
    9EW2Z-U76AH-LKJI3-P197B
    loki Desktop # stat license.txt
    […]
    Access: 2017-03-25 15:49:35.968670000 +0100
    Check the access time periodically. When it changes, send an alert. This works on Windows and other OS as well.
  17. Honey Bitcoins?
    Put honey Bitcoin wallets with very small amounts on a vulnerable machine. When the wallet gets stolen / the Bitcoins get transferred, you know that there has been a breach of your network. It's safer to use regular files as triggers. Just give them fancy names like "admin-ips.txt" and watch the access time.
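The periodic access-time check from the Honeyfiles and Honey Bitcoins slides, as an added Python example that is not part of the talk. It baselines the atime of a set of decoy files, reports every file whose atime has moved, and carries a self-check for the caveat that bites most deployments: Linux mounts default to relatime, which only updates atime when it is older than mtime/ctime or more than 24 hours old, and noatime never updates it, so polling stat output can miss a read entirely (Windows has its own switch, NtfsDisableLastAccessUpdate). Backup agents, indexers and anti-virus scanners read files too and are the classic false-positive source for this trick; for production use the slide's idea is better wired to auditd or inotify on Linux and to file-access auditing on Windows. File names, decoy contents and the poll interval here are assumptions.

```python
"""Honeyfile monitor: alert when a decoy file's access time changes.

Added example for the Honeyfiles / Honey Bitcoins slides; not code from the
talk. File names, decoy contents and the poll interval are assumptions.
"""
import os
import tempfile
import time
from typing import Callable, Dict, Iterable, List, Optional

NS_PER_S = 10**9


def create_honeyfile(directory: str, name: str, contents: str) -> str:
    """Write a decoy with an enticing name (admin-ips.txt, license.txt ...)."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(contents)
    return path


def snapshot(paths: Iterable[str]) -> Dict[str, int]:
    """Current atime (nanoseconds) of every honeyfile that still exists."""
    out: Dict[str, int] = {}
    for p in paths:
        try:
            out[p] = os.stat(p).st_atime_ns
        except FileNotFoundError:
            continue  # a vanished decoy deserves its own alert; skipped here
    return out


def changed(baseline: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Paths whose atime moved since the baseline: something read the file."""
    return sorted(p for p, t in current.items() if p in baseline and t != baseline[p])


def bump_atime(path: str, seconds: int) -> None:
    """Shift atime by `seconds`, leaving mtime alone (ctime becomes now)."""
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns + seconds * NS_PER_S, st.st_mtime_ns))


def atime_tracked(path: str) -> bool:
    """Self-check: does this mount update atime on read at all?

    Linux defaults to relatime, which only bumps atime when it is older than
    mtime/ctime or more than 24 h old; noatime never bumps it. Age the atime
    by a day, read one byte, and see whether it moved. False means polling
    atime will miss reads on this filesystem.
    """
    bump_atime(path, -25 * 3600)
    aged = os.stat(path).st_atime_ns
    with open(path, "rb") as f:
        f.read(1)
    return os.stat(path).st_atime_ns != aged


def watch(paths: Iterable[str], interval: float = 60.0,
          rounds: Optional[int] = None,
          on_alert: Callable[[str], None] = print) -> None:
    """Poll forever (or `rounds` times) and report every atime change."""
    paths = list(paths)
    baseline = snapshot(paths)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = snapshot(paths)
        for p in changed(baseline, current):
            on_alert(f"ALERT honeyfile read: {p} atime {baseline[p]} -> {current[p]}")
        baseline = current
        done += 1


def make_demo_dir() -> str:
    """Scratch directory for the stand-alone demo and test."""
    return tempfile.mkdtemp(prefix="honey-")


if __name__ == "__main__":
    d = make_demo_dir()
    decoy = create_honeyfile(d, "admin-ips.txt", "10.0.0.1 admin\n")  # constructed
    print("atime updated on read here:", atime_tracked(decoy))
    bump_atime(decoy, -25 * 3600)       # age it so relatime records the next read
    base = snapshot([decoy])
    with open(decoy) as f:              # the "attacker" reads the decoy
        f.read()
    print("changed after read:", changed(base, snapshot([decoy])))  # [] on noatime
```

Run it once on the host where the decoys will live: if atime_tracked() prints False, the slide's stat-based check will stay silent no matter how many times the file is read, and you need an audit hook instead of a poll.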
  18. Honey Products
    If this works, you will feel like you've won the lottery. Set up a (non-linked) site with a new (fake) product you plan to announce soon-ish and create a web form asking for the attacker's contact data. Be bold and ask for their address (worked for Cliff Stoll, didn't it?).
  19. Honey QR Codes
    If you're especially paranoid or have good reasons to think that someone does old-fashioned trash digging, put some printouts in your bin. Make sure the QR code points to one of your honeysites. Of course you can also do that without QR codes, but where is the fun in that?
  20. Honeydoor
    Feel like you've got someone within your company who snoops around? Well… Honeystuff doesn't have to be virtual. Have an electronic lock of sorts that sends an alarm whenever someone is trying to enter a code.
  21. Attackers need guidance, too
    Do you know the weakest link in your network? Good attackers do.
  22. Honeystuff is also about binding resources
    Most attackers have a boss and a budget. If you can decrease their estimated ROI, you make yourself a less attractive target.
  23. Should you put honey on everything?
    • Be lazy (read: efficient)
    • Avoid false positives
    Find out what works for you and stick to that.
  24. Dilemma
    If this is my CEO…
      … and I transfer the money: I did not follow procedure and ignored my direct boss.
      … and I do not transfer the money: I am going to lose my job. I ignored a direct order from the CEO.
    If it isn't my CEO…
      … and I transfer the money: I made a huge mistake. My company just lost a lot of money.
      … and I do not transfer the money: I did the right thing!
  25. Honey to the rescue, but first…
    First, talk to the people. Even better: let the CEO talk to your people. Ask them to forward anything suspicious. Now heighten your chances to catch the attackers by deploying honeystuff.
  26. Things to consider
    • Terms & Conditions: Many websites love new users. Some of them do not like fake profiles.
    • Your HR department: They might want to have a say if you hire and fire people, even if they are harmless, useless and virtual (the honeypeople, not HR).
    • Your honeypeople: Keep them interesting and update their status every now and then.
  27. So this is happening…
    (Diagram: Fake CEOs, Employees, SOC.)
    Sidenote: If you're interested in sharing fraudulent IBANs, please contact me.
  28. Leave a few documents lying around (canarytokens.org)
    The client needs to be able to connect to the internet in order for this to work…
  29. Maybe a custom .exe? (canarytokens.org)
    … and, of course, a network folder which resides on one of your honeypots.
  30. Some selected links
    In German:
    Honey Waterworks: https://www.golem.de/news/honeynet-des-tuev-sued-simuliertes-wasserwerk-wurde-sofort-angegriffen-1507-115470.html
    In English:
    Honeynet Project: https://www.honeynet.org/
    Thinkst Canary Tokens: https://canarytokens.org/generate
    Awesome list of honeystuff: https://github.com/paralax/awesome-honeypots
    The Register on Honeypots: https://www.theregister.co.uk/2017/02/08/honeypots_feature_and_how_to_guide/
    Honeytrain: https://www.sophos-events.com/honeytrain/
    Bitcoin Wallets: https://www.theregister.co.uk/2014/06/05/deploy_a_fake_bitcoin_wallet_to_save_your_own/
    Honeydrive: http://bruteforcelab.com/honeydrive