Download as PDF, PPTX
![Thank You!
Questions?
Greg Foss

greg.foss [at] LogRhythm.com

@heinzarelli](https://image.slidesharecdn.com/deception-driven-defenseinfragard-2016-160220162255/75/Deception-Driven-Defense-Infragard-2016-76-2048.jpg)
![Thank You!
Questions?
Greg Foss

greg.foss [at] LogRhythm.com

@heinzarelli](https://crownmelresort.com/image.slidesharecdn.com/deception-driven-defenseinfragard-2016-160220162255/75/Deception-Driven-Defense-Infragard-2016-76-2048.jpg)
Uploaded byGreg Foss
Deception Driven Defense - Infragard 2016
The document discusses the application of deception strategies in cybersecurity, drawing parallels to historical military operations that employed similar tactics to mislead enemies. It emphasizes the importance of baseline security, the use of honeypots, and social engineering techniques to detect and mitigate threats. Key recommendations include real-world training, monitoring user behavior, and leveraging deception for effective defense mechanisms.
Technologyâ—¦
More Related Content
Similar to Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
- 1.
- 2. Greg Foss Head ofSecurity Operations OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT # whoami
- 3. Diversion & Deceptionin Warfare Draw Attention Away From True Attack Point Mislead With False Appearance Gain Advantage Over Enemy “All war is based on deception” -Sun Tzu
- 4. Operation Mincemeat -1943 Operation Zeppelin - 1944 Battle of Megiddo - 1918 Operation Bodyguard - 1942 Operation Anadyr - 1962 ..and many more Diversion & Deception in Warfare
- 5. Operation Mincemeat -1943 Germans find British corpse from sunken enemy warship 1.
- 6. Operation Mincemeat -1943 Corpse holds Plans to upcoming attack in Greece 2.
- 7. Operation Mincemeat -1943 Germans move defenses from Sicily to Greece 3.
- 8. Operation Mincemeat -1943 Allied Nations invade Sicily 4.
- 9.
- 10. Apply this toInfoSec?
- 11.
- 12. First things first… Baselinesecurity controls! Warning banners are critical and assist in the event prosecution is necessary / desired.
- 14. Honeypots Easy to configure,deploy, and maintain Fly traps for anomalous activity You will learn a ton about your adversaries. Information that will help in the future…
- 15. Subtle Traps Catch InternalAttackers Observe Attack Trends Decoy From Real Data Waste Attackers Time Honeypot Use Cases
- 16.
- 17. $any-web-app Custom + Believable,with a Hidden Motive
- 19.
- 20.
- 21.
- 23. Honey Tokens andWeb Bugs
- 24. Issues with DocumentTracking
- 25. Issues with DocumentTracking
- 26. Issues with DocumentTracking
- 27. Zip Bombs AdobeFlash.zip 42 bytes 4.5petabytes www.unforgettable.dk
- 29. Keys to Success RealWorld Awareness Training Use a Blended Approach to Exercises Gather Metrics for Program Improvements Note: Never Punish or Embarrass Users!
- 30. Scope Social Habits PublicInformation Username Correlation Application Usage “Private” Information Examine Network Usage
- 31. “Free” Coupons! QR Destinationas training or phishing site Print > Place on Cars in Lot Rate of Connections Rate Reported to Security Track via internal IP address
- 32. Targeted Spear Phishing OpenAttachment Rate Open Message Rate Martin Bos & Eric Milam SkyDogCon 2012 - Advanced Phishing Tactics Beyond User Awareness Defense Success / Failures Response / Exploitation Rate
- 33. Rogue Wi-Fi Setup Wi-FiAccess Provide Fake Landing Page Get Credentials! Connection Rate Credential Submission Rate Report to Security Rate www.slideshare.net/heinzarelli/wifi-hotspot-attacks https://youtu.be/v36gYY2Pt70
- 34. USB Drop CaseStudy
- 35. Building a BelievableCampaign USB Human Interface Device (HID) attacks are too obvious. A dead giveaway that the target just compromised their system. h"p://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649
- 36. Building a BelievableCampaign Use Realistic Files with somewhat realistic data Staged approach to track file access and exploitation
- 39. Webbug file openedfrom within your company network? Correlate using Network Security Tools to find out who it was Tracking File Access
- 40. Who Opened theFile?
- 44. Compress the PowerShellScript
- 49. You may wantto use a bogus email address, unlike I did here… I know, I know, Bad OpSec… Send email when macro is run
- 52. “Nobody’s going torun an executable from some random USB” - Greg
- 53. At least theydidn’t run it as an Admin But… We now have our foothold…
- 54.
- 55.
- 57. Red Teaming Not PenetrationTesting! No Scope Restrictions
- 59. Offensive Honeypots All ofthese tools have something in common… ● Configuration Management Systems ● Vulnerability Scanners ● System Health Checks They tend to log in to remote hosts!
- 60. Simulate SSH service Standthis up during internal penetration test Catch Credentials...
- 61. #!/bin/bash attempts=$(cat /opt/kippo/log/kippo.log |grep 'login attempt' | wc -l); echo "" echo $attempts" => login attempts" echo "--------------------" cat /opt/kippo/log/kippo.log | grep 'login attempt' | cut -d "," -f 3,4,5 | awk '{print "["$1" "$4}' echo "--------------------" echo ""
- 62.
- 63.
- 64.
- 65. Post-Exploitation Tricks Use Deceptionto: Elevate Privileges Access Protected Resources Pivot and Move Laterally Etc.
- 66. OS X -AppleScript fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
- 67.
- 68.
- 69.
- 70. Attack Security Tools ●Generate False and/or Malformed Logs ● Spoof Port Scanning Origins $ sudo nmap -sS -P0 -D sucker target(s) ● Block UDP Port 514 or disable logging service ● Capture Service Account Credentials ● Wear AV like a hat and backdoor 
 legitimate programs on the shares…
- 71.
- 73. Target IT Staff… It’sbroken. :-( I don’t know what happened… Can you fix it? github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
- 74.
- 75. Recommended Resources Red Team:How to Succeed By Thinking Like the Enemy Micah Zenko Offensive Countermeasures: The Art of Active Defense Paul Asadoorian and John Strand Reverse Deception: Organized Cyber Threat Counter- exploitation. Sean Bodmer Second World War Deception: Lessons Learned from Today’s Joint Planner Major Donald J. Bacon, USAF
- 76. Thank You! Questions? Greg Foss
 greg.foss[at] LogRhythm.com
 @heinzarelli