2 Proprietary and confidential
Lure. Deceive. Defeat. Benchmarking Offensive Deception Traps and Lures
John Cebulski Director of Sales Engineering, TopSpin Security
Welcome, No Ones.
As you know, GRRM Corp has been withholding the manuscript of the final book of the series from release in order to maximize profits from media outlets!
We believe the public deserves to get the original ending to the series in their lifetime and not be tortured by alternate story lines. Therefore, we have concluded to take action in the name of humanity and set the information free to the public!
After months of preparation, we have successfully infiltrated GRRM Corp and maintained persistence on a low-level employee's machine inside the GRRM corporate network.
It is your job to successfully find and exfiltrate all 5 parts of the manuscript, then assemble and decrypt them so that we can release it to the public! The information needs to be free!!!
Valar Morghulis!
Take your pick
Agenda
Deception in Post Breach Scenario?!
Putting Deception to the test
How to create deception
Research Results
Wrap up
Why are we talking about post breach detection?
Patchy perimeters + Chaotic internal networks = Fertile ground for attackers
There is no 100% Prevention
Diagram labels: Third party tools; Hackers / Hacktivists; Employees; Partners / Customers; Shadow IT
Attackers have the advantage - Or do they?
The defender’s main advantage is the fundamental control of information
Which leads to the ability to apply Deception
How Deception Works – Traps and Decoys
Diagram labels: Assets, Decoys, Traps
Now wait a minute…
Seems like nobody checked: does it really work?
So we did…
Defining the research questions
Do attackers really take the bait?
What is the ideal deployment strategy?
Are decoys and traps effective in real-life scenarios?
Let the Games Begin
1. Build the environment (diagram: Workstation VLAN, Server VLAN, infected machine)
2. Add data
3. Deception overlay
4. Build the challenge
5. Bring 'em on!
CTF – Stats & Scores
• Ran over a month
• Over 50 security professionals from all over the world
• 6-7 hours on average per player
• 34 malware samples
• ~1.9M log lines collected
Decorations
• 1491 documents
• 5532 emails
• 29 users
• 31 applications installed
• 3 full browser profiles (Chrome, IE, FF)
• 2 corporate web applications
• 2 databases
• 1 DC
• 1 DNS server
• 1 private cloud service
Hope I didn't forget anything…
Exploiting the knowledge Gap
Chart: Average # of shell commands to solve CTF, per phase (Phase 1 to Phase 5); bar labels as extracted, in order: 600, 370, 120, 132, 14.
The Knowledge Gap = The difference between attacker's perception and reality
• The knowledge gap quickly decreases over time (but it always exists!)
• A knowledgeable attacker = A sophisticated attack
• Widen the Gap -> Increase Probability of Detection
Trap Construction
Traps
File Based
• IT/Corporate Documents (txt, doc, xls, pdf …)
• Canaries
• Emails (as file or inside PST)
• Logs
• Databases
• Recent files
• hosts and lmhosts files
Applications
• Session Apps (SSH, FTP, RDP clients…)
• Browsers (History, Passwords, Bookmarks)
• App Uninstall information
Network
• Network Table Cache Poisoning (ARP, DNS, NetBIOS)
• Mounted Devices (Network Printers, Cameras)
• (half) Open Connection to decoys
Credentials
• Passwords and Hash injections
• Windows Credential Manager
• Password Managers
File Based traps
• Simplest trap, yet most versatile
• Understanding the organization is crucial
Examples shown: a plaintext configuration file; a guide on how to use the corporate VPN
Who Opened my files?
• Open sourced by the Canarytokens project
Emails
Most triggered Trap! Triggered by 27% of Contestants
Wait… Can our users get in the way?
Permissions and System
• Hidden + System directory
• Locked to Domain Admin user
• Files inside are unique traps
• Access to folder monitored by a canary.
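As an added example (not the talk's own code), here is how such a trap folder can be built on Windows with PowerShell; the path and group name are placeholders, and it assumes an elevated session on a domain-joined host with file-system auditing enabled:

```powershell
# Added example, not TopSpin's code: build the "Permissions and System" trap folder:
# hidden + system, readable only by Domain Admins, every access attempt audited.
# Assumes an elevated PowerShell on a domain-joined Windows host with "Audit File System"
# enabled (auditpol /set /subcategory:"File System" /success:enable /failure:enable);
# the path and group are placeholders.
function New-TrapFolder {
    param(
        [string]$Path         = 'C:\ProgramData\IT\Backup_Keys',   # placeholder location
        [string]$AllowedGroup = 'CORP\Domain Admins'               # placeholder group
    )
    $dir = New-Item -ItemType Directory -Path $Path -Force
    # Hidden + System: invisible to a casual user, but enumerated by `dir /a` and attacker tooling
    $dir.Attributes = [IO.FileAttributes]::Directory -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    # -Audit is required so the SACL section is read and written back by Set-Acl
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule(
        $AllowedGroup, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))

    # SACL: any read/list attempt by anyone, granted or denied, lands in the Security log
    # (4656/4663 carrying this path); that log entry is the "canary" on the slide.
    $acl.AddAuditRule((New-Object Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')))
    Set-Acl -Path $Path -AclObject $acl

    # Files placed inside should each be unique (name or content) so the alert identifies which one was taken.
    return $Path
}
```

Because the ACL denies everyone but the chosen group, a non-admin attacker who lists the folder produces a failure audit that still names the account and the path.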
ARP Cache
• Static entries :-(
• SYN spoofing :-)
Common Applications
• Any application that contains credentials, locations or useful info
• Can be file or registry
• Installed or not…
• How to create?
Common Applications
• Leaked malware sources are your friends
• 200+ potential applications…
Browsers – Chrome Browsing History
Windows Credential Manager
DCEPT
Credential injection puts honeytoken credentials into memory by calling the CreateProcessWithLogonW Windows API to launch a suspended subprocess with the LOGON_NETCREDENTIALS_ONLY flag.
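As an added example (not DCEPT's or TopSpin's code), this PowerShell P/Invoke wrapper performs the injection the slide describes; the domain, account name and password are constructed placeholders, and it assumes a Windows host:

```powershell
# Added example, not DCEPT's or TopSpin's code: plant a honeytoken credential in memory
# via CreateProcessWithLogonW + LOGON_NETCREDENTIALS_ONLY + CREATE_SUSPENDED.
# Assumes a Windows host; domain, user and password are constructed placeholders.
Add-Type -Namespace Deception -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
    string lpUsername, string lpDomain, string lpPassword, uint dwLogonFlags,
    string lpApplicationName, string lpCommandLine, uint dwCreationFlags,
    IntPtr lpEnvironment, string lpCurrentDirectory,
    ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
'@

function Install-HoneytokenCredential {
    param(
        [string]$Domain   = 'CORP',              # placeholder domain
        [string]$User     = 'svc_backup',        # placeholder: create it in AD as a disabled, audited account
        [string]$Password = 'Honey-2017-Token!'  # constructed bait; never a real secret
    )
    $LOGON_NETCREDENTIALS_ONLY = 0x2   # like "runas /netonly": no local validation, creds kept for outbound auth
    $CREATE_SUSPENDED          = 0x4   # the child never executes; only its logon session (the bait) matters

    $si = New-Object Deception.Native+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object Deception.Native+PROCESS_INFORMATION

    $ok = [Deception.Native]::CreateProcessWithLogonW(
        $User, $Domain, $Password, $LOGON_NETCREDENTIALS_ONLY,
        "$env:SystemRoot\System32\notepad.exe", $null, $CREATE_SUSPENDED,
        [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    if (-not $ok) {
        throw ('CreateProcessWithLogonW failed, Win32 error {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    # Keep the suspended process alive: credential-harvesting tools will read the bait from its logon session.
    # Any later Kerberos/NTLM authentication (4768/4776/4625 on the DCs) naming $User is the detection signal.
    return $pi.dwProcessId
}
```

The honeytoken account should exist in the directory as a disabled, monitored principal so that any authentication attempt naming it is an unambiguous alert rather than a lookup failure.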
Guidelines to making a good trap
• Non-intrusive
• Low attack surface
• Blend in
CTF – Stats & Scores
Deception numbers
• 177 traps: 61 files, 12 applications, 10 IoT, 27 emails, 2 network, 26 credentials, 39 canaries
• 11 decoys
• 95 decoy services
Only one clear winner emerged (and has the drone to prove it!)
Who Took My Bait?
• Traps consumed 340 times
• Overall 62% of traps laid were consumed
Chart: Consumed Traps Count and % of Unique Traps Touched, by trap type (App, Email, File, IOT, Credential, Canary, Network); percentage data labels as extracted: 90%, 70%, 64%, 50%, 38%, 18%, 50%.
Chart: Consumed Traps Distribution (average 3.09, max 21, min 1).
Who Took My Bait?
• Malware and human attackers present different behavior patterns
• Each human attacker triggered ~10.5 traps
• No one trap type covers all attackers.
Chart: Percentage of attackers that consumed each trap type (App, Email, File, IOT, Credential, Canary, Network), % of human attackers vs. % of malware.
One Man’s Gap
Decoy IP Service
172.20.40.4 RDP/3389
172.20.40.6 FTP/21
172.20.40.6 RDP/3389
172.20.40.6 SMB/445
172.20.40.6 HTTP/80
172.20.50.4 RDP/3389
172.20.50.4 SMB/445
172.20.50.4 HTTP/80
172.20.50.6 FTP/21
172.20.50.6 SMB/445
One Man’s Gap
Decoy IP Service
172.20.40.4 RDP/3389
172.20.40.6 FTP/21
? 172.20.40.6 RDP/3389
? 172.20.40.6 SMB/445
? 172.20.40.6 HTTP/80
172.20.50.4 RDP/3389
? 172.20.50.4 SMB/445
172.20.50.4 HTTP/80
172.20.50.6 FTP/21
? 172.20.50.6 SMB/445
• Attacker “expands his horizons”
• Information gap gets wider as attacker gets tangled in the decoy
• Total time wasted > 4H
Passwords
• Attackers treat credentials as a holy grail.
• Act as an amplifier
• Attackers found an average of 2 credentials each.
• Every password found got used 2.5 times on average.
• Max used: 11 different places
ARP "Poisoning"
• Interaction with traps built into ARP increased the likelihood of tapping a decoy by 14%.
Chart: Accessed ARP table: 66% tapped decoy, 34% did not. "General population": 52% tapped decoy, 48% did not.
Decoy Access
• Each contestant interacted with 9.7 different decoy services
Chart: Decoy access by popular service group (logarithmic scale).
High Interaction Decoy Services
• 4 high-interactivity decoy accesses per attacker
• Attackers had a hard time differentiating between decoy and real machines.
Chart: Decoy access, only high-interactivity events (logarithmic scale).
Analysis
Diagram: multiple detection engines (Decoys, Data Analysis, Canaries); per-engine figures of 38%, 66% and 25% appear on the slide, combining to 100% detection.
Wrap up
• Deception increases the attacker's knowledge gap; the bigger it is, the easier it is to detect
• Diversity: key to getting coverage on all types of attacks; traps and decoys tailored for the organization
• End goal is detection, not deception! Relying on multiple detection mechanisms will increase detection effectiveness
Thank You…
Questions??