Deception technology and honeystuff in the modern enterprise - this talk has been held in several variations at various hacker cons. These are the slides from SteelCon 2017
services up to OSI Layer 4; do not require a lot of maintenance; any kind of connection triggers an alert
Medium interaction: simulate exploitable services like ftp, telnet etc.; used to identify the credentials an attacker uses
High interaction: offer real services with an optional backend in production and are closely monitored; require lots of maintenance
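The lowest rung of that ladder, as an added example that is not from the talk: a listener that speaks no protocol at all and treats every accepted TCP connection as an alert, because nothing legitimate should ever talk to the port. The class and helper names, the in-memory alert store and the 64-byte peek at whatever the peer sends are all choices made here for illustration; forwarding to a SIEM or ticket system is left out.

```python
# Added example (not from the talk): a minimal low-interaction honeypot
# listener. It never speaks a protocol; it accepts any TCP connection,
# records who connected and the first bytes they sent, and closes. Any
# connection at all is an alert, because nothing legitimate should ever
# talk to this port. Alerts are kept in memory; forwarding them to the
# SOC (syslog, SIEM, ticket) is out of scope here.
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float           # unix time the connection was accepted
    src_ip: str
    src_port: int
    dst_port: int       # the honeypot port that was hit
    first_bytes: bytes  # up to 64 bytes the peer sent, if any


class LowInteractionListener:
    """Listen on one TCP port and turn every accepted connection into an Alert."""

    def __init__(self, host="127.0.0.1", port=0, read_timeout=0.5):
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._read_timeout = read_timeout
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port=0 lets the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # so the serve loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._sock.close()
        if self._thread.is_alive():
            self._thread.join(timeout=2)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:             # listening socket closed by stop()
                break
            with conn:
                conn.settimeout(self._read_timeout)
                try:
                    data = conn.recv(64)  # peek at a banner/request, if any was sent
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.alerts.append(Alert(time.time(), ip, port, self.port, data))

    def snapshot(self):
        with self._lock:
            return list(self.alerts)


def probe(port, payload=b"", host="127.0.0.1"):
    """Stand-in for the connecting party: open a connection, send payload, close."""
    with socket.create_connection((host, port), timeout=2) as c:
        if payload:
            c.sendall(payload)


def wait_for_alerts(listener, count, timeout=3.0):
    """Poll until the listener has recorded `count` alerts or the timeout expires."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        alerts = listener.snapshot()
        if len(alerts) >= count:
            return alerts
        time.sleep(0.05)
    return listener.snapshot()


if __name__ == "__main__":
    hp = LowInteractionListener().start()
    probe(hp.port, b"GET / HTTP/1.0\r\n\r\n")   # constructed connection for the demo
    for a in wait_for_alerts(hp, 1):
        print(f"ALERT {a.src_ip}:{a.src_port} -> :{a.dst_port} sent {a.first_bytes!r}")
    hp.stop()
```

Because the listener completes the TCP handshake, even a scanner that only connects and disconnects shows up; the captured first bytes are what lets the SOC tell a port scan from a targeted HTTP or SSH probe, which is about all a layer-4 honeypot can distinguish.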
what attackers would be doing, then setting up a highly monitored, high maintenance environment with tons of logging might be a solution. Honeynets can deliver lots of useful data – if the right kind of attacker finds you.
linked to by any of your regular pages. For example, name your "About" page "about_v2.html" and use this name. Next, create an "about_v1.html" page you never use and send an alarm when someone requests this page.
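The alarm side of that honeypage, as an added example that is not from the talk: a scan over the web server's combined-format access log that flags every request for a bait path, whatever status code it got. The log lines, IP addresses and user agents below are constructed; the bait path is the slide's about_v1.html.

```python
# Added example (not from the talk): scan a web server access log for
# requests to honeypages, i.e. paths that exist only as bait and are never
# linked from anywhere. Sample log lines and addresses below are constructed.
import re
from datetime import datetime
from urllib.parse import urlsplit

# The trap page from the slide; add as many as you like. The real page is
# about_v2.html; nothing legitimate ever asks for about_v1.html.
HONEY_PATHS = {"/about_v1.html"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = urlsplit(d["target"]).path  # drop ?query so /about_v1.html?x=1 still matches
    return d


def honeypage_hits(lines, honey_paths=HONEY_PATHS):
    """Return one alert dict per request for a honeypage, regardless of status code."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].lower() in honey_paths:
            hits.append({
                "ts": rec["ts"].isoformat(),
                "src_ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "referer": rec["referer"],
                "user_agent": rec["ua"],
            })
    return hits


# Constructed sample: two ordinary requests, one client hitting the bait page
# twice (once with a query string), and an unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2017:15:40:01 +0100] "GET /about_v2.html HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2017:15:40:02 +0100] "GET /style.css HTTP/1.1" 200 812 "https://www.example.com/about_v2.html" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2017:15:49:35 +0100] "GET /about_v1.html HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.23 - - [25/Mar/2017:15:49:36 +0100] "GET /about_v1.html?id=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; scanner)"
garbage line that does not parse
"""

if __name__ == "__main__":
    for h in honeypage_hits(SAMPLE_LOG.splitlines()):
        print(f"ALERT honeypage {h['path']} requested by {h['src_ip']} at {h['ts']} ({h['user_agent']})")
```

The query string is stripped before matching so that a scanner appending parameters still trips the alarm, and the status code is kept in the alert rather than filtered on: the bait page may be a real 200 or a deliberate 404, and either request is equally interesting.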
a free provider – Gmail or any of the others. Forward incoming emails to this account to your SOC team. Put the email together with other relevant data in table USERS (or anywhere you can think of, really). When this email is triggered, you know someone has read your database.
fake profile on XING / LinkedIn
• Use an email address of your company
• Give them a phone number, too – and forward both to your SOC / security team
Once this triggers you have either an aggressive marketeer or someone who is looking for an easy target for social engineering.
+0100 Modify: 2017-03-25 15:45:50.328670000 +0100 Change: 2017-03-25 15:45:50.328670000 +0100
loki Desktop # cat license.txt
9EW2Z-U76AH-LKJI3-P197B
loki Desktop # stat license.txt
[…]
Access: 2017-03-25 15:49:35.968670000 +0100
Check the access time periodically. When it changes, send an alert. This works on Windows and other OS as well.
amounts on a vulnerable machine. When the wallet gets stolen / the Bitcoins get transferred, you know that there has been a breach of your network. It's safer to use regular files as triggers. Just give them fancy names like "admin-ips.txt" and watch the access time.
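The periodic access-time check from the license.txt slide and the admin-ips.txt suggestion above, as one added example that is not from the talk: bait files are created, their atime is snapshotted, and a later snapshot is compared against the baseline; a file whose atime advanced, or that vanished, becomes an alert. File names, contents and the function names are constructed for this example.

```python
# Added example (not from the talk): watch the access time of honey files
# such as license.txt or admin-ips.txt and raise an alert when it moves.
# File names and contents are constructed; the compare step is pure and can
# be fed by any stat source (a scheduled task on Windows, cron elsewhere).
import os
import tempfile
import time
from pathlib import Path


def make_canary(name, content="# nothing to see here\n", directory=None):
    """Create a bait file. Keep it boring inside; only the name needs to be tempting."""
    directory = directory or tempfile.mkdtemp(prefix="canary-")
    p = Path(directory) / name
    p.write_text(content)
    return p


def snapshot(paths):
    """Map each path to its last-access time in ns (None if the file is gone)."""
    result = {}
    for p in paths:
        try:
            result[str(p)] = os.stat(p).st_atime_ns
        except FileNotFoundError:
            result[str(p)] = None
    return result


def accessed_since(baseline, current):
    """Alerts: files whose atime advanced, or that disappeared, since baseline."""
    alerts = []
    for path, old in baseline.items():
        new = current.get(path)
        if old is not None and new is None:
            alerts.append((path, "missing"))    # deleted or moved: just as interesting
        elif old is not None and new is not None and new > old:
            alerts.append((path, "accessed"))
    return alerts


def watch(paths, interval=60, on_alert=print, rounds=None):
    """Poll every `interval` seconds; rounds=None runs forever."""
    baseline = snapshot(paths)
    n = 0
    while rounds is None or n < rounds:
        time.sleep(interval)
        current = snapshot(paths)
        for path, what in accessed_since(baseline, current):
            on_alert(f"ALERT canary {path} {what} (atime {baseline[path]} -> {current[path]})")
        baseline = current   # re-arm after each round
        n += 1


if __name__ == "__main__":
    d = tempfile.mkdtemp(prefix="canary-")
    canaries = [
        make_canary("admin-ips.txt", directory=d),
        make_canary("license.txt", "9EW2Z-U76AH-LKJI3-P197B\n", directory=d),
    ]
    print("watching", [str(c) for c in canaries])
    watch(canaries, interval=5, rounds=2)   # read one of the files meanwhile to see an alert
```

One caveat a practitioner wants here: whether atime moves at all depends on the mount and OS settings. Linux mounts with relatime only update atime when it is older than mtime/ctime or more than a day old, noatime never updates it, and NTFS may have last-access updates disabled; in those environments the same trigger is better implemented with file-access auditing (auditd watches, Windows SACL object-access auditing), and the compare step above can consume those events instead of stat.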
won the lottery. Set up a (non-linked) site with a new (fake) product you plan to announce soon-ish and create a web form asking for the attacker's contact data. Be bold and ask for their address (worked for Cliff Stoll, didn't it?).
reasons to think that someone does old-fashioned trash digging, put some printouts in your bin. Make sure the QR-Code points to one of your honeysites. Of course you can also do that without QR-Codes, but where is the fun in that?
snoops around? Well... Honeystuff doesn't have to be virtual. Have an electronic lock of sorts that sends an alarm whenever someone is trying to enter a code.
[Decision diagram from the slide (CEO fraud scenario); recoverable text only:]
Branches: "… and I transfer the money…" / "… and I do not transfer the money…"
Condition: "If it isn't my CEO …"
Outcomes shown: "I did not follow procedure and ignored my direct boss." / "I am going to lose my job. I ignored a direct order from the CEO." / "I made a huge mistake. My company just lost a lot of money" / "I did the right thing!"
people. Even better: let the CEO talk to your people. Ask them to forward anything suspicious. Now heighten your chances to catch the attackers by deploying honeystuff.
new users. Some of them do not like fake profiles.
• Your HR department: they might want to have a say if you hire and fire people, even if they are harmless, useless and virtual (the honeypeople, not HR).
• Your honeypeople: keep them interesting and update their status every now and then.