
Active Defense and Cyber Deception: Dirty Blue Team Tricks

purple blue red

Transcript:

Active Defense and Cyber Deception Dirty Blue Team Tricks

What is Active Defense?

Passive Defense: defending by creating barriers, waiting for the attacks and then blocking them.
Active Defense: taking the initiative to find attackers and responding dynamically to attacks.

*Note that you need passive defense in place before you do active defense.

Why do Active Defense?

Current strategies are not working. Every time the defenders get better, attackers find a way around it. We need to do everything we can to get ahead of the attackers.

How many Security Vendors do you know?

None of them are infallible…

Everyone can be hacked

In the news…

Bill Text

2.2 As a result of the unique nature of cybercrime, it is very difficult for law enforcement to respond to and prosecute cybercrime in a timely manner, leading to the existing low level of deterrence and a rapidly growing threat…

2.6 Congress determines that the use of active cyber defense techniques, when properly applied, can also assist in improving defenses and deterring cybercrimes.

Bill Text

2.9 Computer defenders should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside.

2.10 Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.

AAA

Annoyance: make it hard for the attackers to hack you. This gets rid of “opportunistic attackers”.
Attribution: for more targeted attacks, slow the attackers down so you have more chances to detect them.
Attack: hacking back. Not really legal. Still fun to think about.

“Poison, not venom”: lay traps inside your system, but don’t attack theirs.

Current Detections - What could I be alerting on?

Commands being executed
Network connections being established
Programs being executed
New users
New groups
TGTs or TGSs being requested
Files being written
Files being accessed
SMB shares being accessed
…

Leads to a LOT of false positives!

What can we do about this?

Option 1 - More specific rules

Option 2 - Trick the attacker

In the real world, we can probably kick out an attacker once we discover them, most likely by quarantining machines.

If we can trick the attacker into doing suspicious things, we can detect them more easily… and then kick them out

Dirty Red Team Tricks

If the red team can play dirty, why can’t we?

Enter… Dirty Blue Team Tricks

But first - Honeypots

Let’s go through the steps of an attack

Our Modified Cyber Kill Chain

Portspoof

OsChameleon

OS no longer found!

Dropping Traffic From the adversarial cyber tradecraft book:

Tarpitting Traffic From the adversarial cyber tradecraft book:

Adversarial Cyber Tradecraft Class!

Targeted towards freshmen & sophomores, open to all undergrads. Perfect way to prepare for cyber defense competitions: learn to defend by thinking like an attacker, with lots of practical exercises.

WebLabyrinth: trap a web crawler
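A minimal labyrinth in the spirit of WebLabyrinth, written here as an added example (it is not WebLabyrinth's own code). The idea: robots.txt disallows /trap/, the only link into /trap/ is invisible to humans, and every page under /trap/ links to more pages under /trap/ that are generated on the fly, so a crawler or scanner that ignores robots.txt walks forever and announces itself on every request. The /trap/ prefix, the per-request delay and the port are choices for this example.

```python
"""Endless self-linking page tree to trap crawlers that ignore robots.txt.

Added example, not WebLabyrinth's own code. /trap/, the delay and the
port are assumptions for this demo.
"""
import hashlib
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

TRAP_PREFIX = "/trap/"
LINKS_PER_PAGE = 8
DELAY_SECONDS = 2.0   # tarpit: make every trap request cost the crawler time

ROBOTS_TXT = "User-agent: *\nDisallow: /trap/\n"   # polite bots stay out


def maze_links(path, n=LINKS_PER_PAGE):
    """Deterministic child paths for `path`: infinite maze, but stable under re-crawl."""
    seed = hashlib.sha256(path.encode()).hexdigest()
    return [TRAP_PREFIX + hashlib.sha256(f"{seed}{i}".encode()).hexdigest()[:12] + "/"
            for i in range(n)]


def maze_page(path):
    """HTML that only contains links deeper into the trap."""
    links = "\n".join(f'<a href="{p}">{p.rsplit("/", 2)[-2]}</a>' for p in maze_links(path))
    return f"<html><body><h1>Index of {path}</h1>\n{links}\n</body></html>"


def is_trap_hit(path):
    """Anything under /trap/ was reached by following the hidden link, not by a person."""
    return path.startswith(TRAP_PREFIX)


class Labyrinth(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/robots.txt":
            body, ctype = ROBOTS_TXT, "text/plain"
        elif is_trap_hit(self.path):
            # This is the detection: log who fell in, then waste their time.
            print(f"TRAP HIT {self.client_address[0]} "
                  f"{self.headers.get('User-Agent')} {self.path}", flush=True)
            time.sleep(DELAY_SECONDS)
            body, ctype = maze_page(self.path), "text/html"
        else:
            # The real site: one hidden entrance that a human never clicks.
            body, ctype = '<a href="/trap/entry/" style="display:none">.</a>', "text/html"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Labyrinth).serve_forever()
```

Run it, fetch / with a browser (nothing visible), then `wget -r -e robots=off http://127.0.0.1:8080/` and watch the TRAP HIT lines: that client is, by construction, something that ignores robots.txt and follows invisible links.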

Mr. Clippy IDS (IPS?) “Hello, according to PHPIDS it looks like you are trying to pwn my site. Would you like some help with that?”

What would an attacker do if they saw this? Is it bad to get them mad?

Canaries

Canaries used to be used in coal mines to detect dangerous gases.

Adopted by security professionals: how can we detect something early?

Image from: https://share.america.gov/english-idiom-canary-coal-mine/ (State Department / Doug Thompson)

User Honeypot

How can I detect password spraying? Statistical analysis of logon requests, OR check whether anyone tries to log on as a fake user. Nobody legitimately uses that account, so any attempt against it, successful or not, is an alert.

Image from: https://danielchronlund.com/2023/08/01/microsoft-entra-id-honeypot-accounts-with-microsoft-sentinel/

Detecting Kerberoasting

Kerberoasting Background

All services on Windows (file service, Kerberos service, database service, backup service) have to run under a service account, identified by an SPN. By default any authenticated domain user can request a service ticket (ST) for any of these accounts, and that ticket is encrypted with the service account's password hash, so it can be cracked offline. An attack called “kerberoasting” takes advantage of this.

Image from here: https://tryhackme.com/room/attackingkerberos

Kerberoasting Honeypots Example taken from @rastamouse
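The two honeypot-account detections above (the fake user for password spraying, and the fake SPN account for kerberoasting) share one mechanism: an account that nothing legitimate touches, plus a rule over Security log events. The block below is an added example, not the talk's or @rastamouse's code, and runs the three checks over constructed events shaped like exported Security log fields. The account names (svc-backup-old, admin-legacy, svc-sql-reporting), the IPs and the timestamps are invented for the example; the event IDs are the real ones (4625 failed logon, 4771 Kerberos pre-auth failure, 4769 TGS request, with encryption type 0x17 meaning RC4, which most roasting tools ask for).

```python
"""Honeypot-account detections over Windows Security events.

Added example, not from the talk. SAMPLE_EVENTS are constructed dicts
shaped like Security log fields; account names and IPs are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_USERS = {"svc-backup-old", "admin-legacy"}   # hypothetical: never used by anyone
HONEY_SPN_ACCOUNTS = {"svc-sql-reporting"}         # hypothetical: has an SPN, runs nothing
RC4_HMAC = "0x17"                                  # TicketEncryptionType for RC4

SAMPLE_EVENTS = [  # constructed, not real logs
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.9", "Time": "2024-03-01T09:00:00"},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9", "Time": "2024-03-01T09:00:02"},
    {"EventID": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.9", "Time": "2024-03-01T09:00:04"},
    {"EventID": 4625, "TargetUserName": "svc-backup-old", "IpAddress": "10.0.0.9", "Time": "2024-03-01T09:00:06"},
    {"EventID": 4625, "TargetUserName": "dave", "IpAddress": "10.0.0.9", "Time": "2024-03-01T09:00:08"},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.42", "Time": "2024-03-01T09:05:00"},  # one typo
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc-sql-reporting",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9", "Time": "2024-03-01T09:10:00"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "fileserver01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.42", "Time": "2024-03-01T09:11:00"},
]


def _t(s):
    return datetime.fromisoformat(s)


def honey_user_hits(events, honey_users=HONEY_USERS):
    """Any logon attempt (4624/4625 NTLM or local, 4768/4771 Kerberos) naming a honey user."""
    honey = {u.lower() for u in honey_users}
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] in (4624, 4625, 4768, 4771) and e["TargetUserName"].lower() in honey]


def spray_sources(events, window=timedelta(minutes=5), min_users=4):
    """Statistical alternative: one source failing against many distinct users inside a window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] in (4625, 4771):
            by_ip[e["IpAddress"]].append((_t(e["Time"]), e["TargetUserName"].lower()))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        best = 0
        for i, (start, _) in enumerate(fails):           # sliding window from each failure
            users = {u for t, u in fails[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            hits[ip] = best
    return hits


def kerberoast_honeypot_hits(events, honey_spns=HONEY_SPN_ACCOUNTS):
    """4769 for a honeypot SPN account: nobody legitimately needs that ticket."""
    honey = {s.lower() for s in honey_spns}
    return [{"requester": e["TargetUserName"], "ip": e["IpAddress"],
             "rc4": e.get("TicketEncryptionType") == RC4_HMAC}
            for e in events
            if e["EventID"] == 4769 and e["ServiceName"].lower().rstrip("$") in honey]


if __name__ == "__main__":
    print("honey user:", honey_user_hits(SAMPLE_EVENTS))
    print("spray:", spray_sources(SAMPLE_EVENTS))
    print("kerberoast:", kerberoast_honeypot_hits(SAMPLE_EVENTS))
```

The honey-user rule fires on the first attempt with no threshold, which is the point of the trick: the statistical rule needs enough failures to be confident, while the honeypot account turns one event into a certain alert. The 4769 rule does not even need the RC4 flag to fire; the flag is kept because a Kerberos-only account being asked for an RC4 ticket is the classic roasting signature.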

Detecting LLMNR Poisoning

LLMNR Background

When your Windows computer can’t find a resource (machine, network share, etc.) it asks the local network “does anyone know where this resource is?” And it will believe any response it gets!!!

This means you can just respond to all LLMNR requests with your own IP address to get machines to connect to you.

LLMNR Honeypot

Send requests for a name that you know doesn’t exist. If you get a response, someone is poisoning LLMNR.

IppSec video: https://www.youtube.com/watch?v=h_cWWL-yyb0
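The LLMNR honeypot above, as an added example that is not from the talk: build a query for a name nobody owns, send it to the LLMNR multicast group, and treat any answer as poisoning. LLMNR uses the DNS message format over UDP to 224.0.0.252 port 5355 (RFC 4795), so the packet is hand-built with struct and no library is needed. The canary name and the transaction id are assumptions for the example; build_response() produces what a poisoner would send back and exists only so the parser can be exercised offline.

```python
"""LLMNR poisoning canary: query a name that must not exist, alert on any answer.

Added example, not from the talk. Only probe() touches the network;
build_query(), build_response() and parse_response() work offline.
"""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
CANARY_NAME = "canary-no-such-host"   # assumption: no real host ever gets this name


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Standard query: ID, flags 0, QDCOUNT 1, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, txid, ip):
    """What a poisoner sends back: same ID, QR=1, echoed question, one A record (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def _skip_name(data, off):
    """Advance past a name, whether written out or a compression pointer."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def parse_response(data, txid):
    """IPv4 addresses claimed for our name; [] unless this is an answer to our own ID."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def probe(name=CANARY_NAME, timeout=2.0):
    """Send one LLMNR query and collect every responder; legitimately there should be none."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.settimeout(timeout)
    responders = []
    try:
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = s.recvfrom(512)
            ips = parse_response(data, txid)
            if ips:
                responders.append((src, ips))
    except socket.timeout:
        pass
    finally:
        s.close()
    return responders


if __name__ == "__main__":
    for src, ips in probe():
        print(f"ALERT: {src} answered LLMNR for {CANARY_NAME!r} with {ips}")
```

Run probe() from a host on each segment on a schedule (random canary names per run so the poisoner cannot learn to ignore one). A responder's source address is the poisoning machine; the address inside the answer is where it wants victims to authenticate, and the two are usually the same.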

Detecting SMB Relays

SMB Background

If an SMB share is writable, an attacker can write an “SCF” file to it.

Once a user browses to the file, their computer will try to load the IconFile from the attacker machine

Writable SMB share Honeypot

Make a fake legit-looking SMB share that all users can write to. Important: other users should not use this!! Wait for an attacker to write to it. Once they do, you know that the user they are using is compromised.

Bad attackers might try to write to all shares:
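An added example (not from the talk) of the file-side half of this honeypot: scan the honeypot share for anything that appeared, and for SCF lures pull out the host in the IconFile UNC, which is the listener the attacker wants victims to authenticate to. The compromised username itself comes from share auditing (event 5145 records the account that wrote the file), not from the file. The share directory, file names and the 10.10.14.5 address are constructed for the example; demo() builds a throwaway directory so the block runs anywhere.

```python
"""Writable honeypot share: alert on dropped files, extract the SCF lure's listener.

Added example, not from the talk. The share, the file names and the
address in the sample SCF are constructed for this demo.
"""
import os
import re
import tempfile

# IconFile=\\host\share\icon.ico  ->  capture "host"
_ICONFILE_UNC = re.compile(r"^\s*IconFile\s*=\s*\\\\([^\\]+)\\", re.IGNORECASE | re.MULTILINE)

SAMPLE_SCF = (   # constructed lure, the same shape attackers drop on writable shares
    "[Shell]\n"
    "Command=2\n"
    "IconFile=\\\\10.10.14.5\\share\\icon.ico\n"
    "[Taskbar]\n"
    "Command=ToggleDesktop\n"
)


def parse_scf(text):
    """Host that Explorer would authenticate to when rendering this SCF, or None."""
    m = _ICONFILE_UNC.search(text)
    return m.group(1) if m else None


def scan_share(share_root, allowed_hosts=()):
    """Every file on a honeypot share is a finding; SCF lures also get their target host."""
    findings = []
    for dirpath, _, files in os.walk(share_root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            finding = {"path": path, "lure": False, "target_host": None, "external": False}
            if fn.lower().endswith(".scf"):
                with open(path, encoding="utf-8", errors="replace") as f:
                    host = parse_scf(f.read())
                finding.update(lure=True, target_host=host,
                               external=host is not None and host not in allowed_hosts)
            findings.append(finding)
    return sorted(findings, key=lambda x: x["path"])


def demo():
    """Create a throwaway 'share', drop the constructed lure plus a stray file, scan it."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "Q4_bonuses.scf"), "w") as f:
            f.write(SAMPLE_SCF)
        with open(os.path.join(share, "readme.txt"), "w") as f:
            f.write("nothing to see here\n")
        return scan_share(share, allowed_hosts={"fileserver01"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the real share, run scan_share() on the file server on a short interval (or react to 5145 writes). Two things are alerts here: that anything was written at all, and, for an SCF, that its IconFile points at a host that is not one of yours; the second is what tells you the relay or capture listener's address.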

Every attack has potential for a honeypot. This doesn’t mean put honeypots everywhere; be strategic.

See my slides for more info on Windows/AD hacking: https://hackback.zip/2023/10/02/Windows-AD.html

Honeytokens

A practical example - It’s not Malachowsky Hotel

What if we sent unique emails to every person?

A - Attack

“Poison, not Venom”

How to detect phishing sites?

What do attackers do when they want to pretend to be your company? They clone your website and capture credentials from visitors.

What if we put code in our own website to detect when it is deployed?

Red v Blue

The blue team has… ???

The red team has… Onion Routing, Anonymous Proxies, SSH Tunneling, User-Agent Masking. Taken from Hide and Seek, Post-Exploitation Style (Shmoocon 2013): https://www.youtube.com/watch?v=VJTrRMqHU5U

Works with: HTML, Java Applets, Javascript, PDFs & Emails through iframes, …

https://github.com/lanmaster53/honeybadger

42.zip

Resources

https://www.antisyphontraining.com/live-courses-catalog/active-defense-cyber-deception-w-john-strand/
https://adhdproject.github./
Offensive Countermeasures - The Art of Active Defense by John Strand
Adversarial Tradecraft in Cybersecurity by Dan Borges
https://hackback.zip/2023/11/09/Purple-Teaming.html

© 2024 Adam Hassan