home.. presentations..

Active Defense and Cyber Deception: Dirty Blue Team Tricks

purple blue red


Transcript:

Active Defense and Cyber Deception Dirty Blue Team Tricks

What is Active Defense? Passive Defense Defending by creating barriers Waiting for the attacks and then blocking them Active Defense Taking the initiative to find attackers Dynamically respond to attacks

*Note that you need to do passive defense before you do active defense

Why do Active Defense? Current Strategies are not working Every time the defenders get better, attackers will find a way around it We need to do everything we can to get ahead of the attackers

How many Security Vendors do you know?

None of them are infallible…

Everyone can be hacked

In the news…

Bill Text 2.2 As a result of the unique nature of cybercrime, it is very difficult for law enforcement to respond to and prosecute cybercrime in a timely manner, leading to the existing low level of deterrence and a rapidly growing threat…

2.6 Congress determines that the use of active cyber defense techniques, when properly applied, can also assist in improving defenses and deterring cybercrimes.

Bill Text 2.9 Computer defenders should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside.␋ 2.10 Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.

AAA Annoyance Make it hard for the attackers to hack you This will get rid of “opportunistic attackers” Attribution For more targeted attacks Slow them down so you have more chances to detect them Attack Hacking Back Not really legal. Still fun to think about␋ “Poison, not venom” Lay traps inside your system, but don’t attack theirs

Current Detections - What should could I be alerting on? Commands being executed Network connections being established Programs being executed New users New groups TGT or TGS being requested Files being written Files being accessed SMB shares being accessed …

Leads to a LOT of false positives!

What can we do about this?

Option 1 - More specific rules

Option 2 - Trick the attacker In the real world, we can probably kick out an attacker when we discover them Probably by quarantining machines

If we can trick the attacker into doing suspicious things, we can detect them more easily… and then kick them out

Dirty Red Team Tricks

If the red team can play dirty, why can’t we?

Enter… Dirty Blue Team Tricks

But first - Honeypots

Let’s go through the steps of an attack

Our Modified Cyber Kill Chain

Portspoof

OsChameleon

OS no longer found!

Dropping Traffic From the adversarial cyber tradecraft book:

Tarpitting Traffic From the adversarial cyber tradecraft book:

Adversarial Cyber Tradecraft Class! Targeted towards freshman & sophomores Open to all undergrads Perfect way to prepare for Cyber Defense competitions Learn to defend by thinking like an attacker Lots of practical exercises

WebLabyrinth Trap a web crawler

Mr. Clippy IDS (IPS?) “Hello, according to PHPIDS it looks like you are trying to pwn my site. Would you like some help with that?”

What would an attacker do if they saw this? Is it bad to get them mad?

Canaries Canaries used to be used in coal mines to detect dangerous gasses

Adopted by security professionals How can we detect something early? Image from: https://share.america.gov/english-idiom-canary-coal-mine/␋State Department / Doug Thompson

User Honeypot How can I detect password spraying? Statistical analysis of logon requests OR Check if someone logs in to a fake user Image from: https://danielchronlund.com/2023/08/01/microsoft-entra-id-honeypot-accounts-with-microsoft-sentinel/

Detecting Kerberoasting

Kerberoasting Background All services on windows (File service, Kerberos Service, Database Service, Backup Service) have to have a service account These accounts by default all can have their ST requested An attack called “kerberoasting” takes advantage of this Image from here: https://tryhackme.com/room/attackingkerberos

Kerberoasting Honeypots Example taken from @rastamouse

Detecting LLMNR Poisoning

LLMNR Background When your windows computer can’t find a resource (machine, network share, etc…) it goes “does anyone know where this resource is” And it will believe any response it gets!!!

This means you can just respond to all LLMNR requests with your own IP address to get machines to connect to you.

LLMNR Honeypot Send requests to a DNS resource that you know doesn’t exist If you get a response, someone is poisoning LLMNR

IppSec video: https://www.youtube.com/watch?v=h_cWWL-yyb0

Detecting SMB Relays

SMB Background If an SMB share is writable, an attacker can write an “SCF” file to it

Once a user browses to the file, their computer will try to load the IconFile from the attacker machine

Writable SMB share Honeypot Make a fake legit-looking SMB share that all users can write to Important: Other users should not use this!! Wait for an attacker to write to this Once they do, you know that the user they are using is compromised Bad attackers might try to write to all shares:

Every attack has potential for a honeypot This doesn’t mean put honeypots everywhere Be strategic

See my slides for more info on Windows/AD hacking: https://hackback.zip/2023/10/02/Windows-AD.html

Honeytokens

A practical example - It’s not Malachowsky Hotel What if we sent unique emails to every person?

A - Attack

“Poison, not Venom”

How to detect phishing sites? What do attackers do when they want to pretend to be your company They clone your website and capture credentials from visitors

What if we put code in our own website to detect when it is deployed?

Red v Blue The blue team has… ???

The red team has… Onion Routing Anonymous Proxies SSH Tunneling User-Agent Masking Taken from Hide and Seek, Post-Exploitation Style (Shmoocon 2013)␋https://www.youtube.com/watch?v=VJTrRMqHU5U

Works with: HTML Java Applets Javascript PDFs & Emails through iframes … https://github.com/lanmaster53/honeybadger

42.zip

Resources https://www.antisyphontraining.com/live-courses-catalog/active-defense-cyber-deception-w-john-strand/ https://adhdproject.github./ Offensive Countermeasures - The art of Active Defense by John Strand Adversarial Tradecraft in Cybersecurity by Dan Borges https://hackback.zip/2023/11/09/Purple-Teaming.html

© 2024 Adam Hassan