
How to Defend Against Penetration Testers And Win - Paul Asadoorian

BSides Boston, 49:34, published 2017-05
About this talk
Do you believe you have what it takes to secure a network against a penetration test? Attend this talk to find out how you can be successful against penetration tests and real-world attackers. Most penetration tests are too EASILY successful; let's work together to change this! Many believe that breaking into a company's network requires custom exploits, nation-state level backdoors, and super powers. In fact, most of the time it's about guessing passwords and exploiting very well-known (and fixable) conditions in your network. This talk will guide you through securing your network the smart way, focused on closing those tried-and-true holes commonly exploited but often left open by defenders. These include: addressing authentication and authorization across all systems and applications; setting very carefully placed traps and alarms for the attackers; and looking at specific behavior on your network to uncover unauthorized access. Don't think this will be easy. It's not. Attackers have a clear advantage, and the defensive measures proposed require work more so than products. It may require you to change things that impact culture and challenge notions such as "but that's the way we've always done it." It's okay, we'll coach you on some communications as well! In the end, you'll learn it's not about winning; it's about getting better. If you can learn from penetration testers, that knowledge is extremely valuable. However, this talk is going to tell you what most penetration testers have in common and how to fix your architecture, culture, and behavior, resulting in so much win.
Transcript [en]

school so I don't really know how this talk kind of start actually I do it was a I was looking at open source tools that you can use in the enterprise and it somehow morphed into how to defend against penetration testers so lately I like to start my talks off with a story they kind of influenced me to give this particular talk who here has a hero or spends any time thinking about who their hero is just a couple of us it's kind of a fun exercise to do and I think what sparked this question was someone asked Tom Brady who's his hero and he said his mom and stuff like that which is really

cool my hero is my grandfather passed away actually when I was writing wrt54g ultimate hacking and my grandfather one of the reasons why I called him my papa was he's my hero is because he told me the story one time when he was going on a boat to go to war and when they were on this boat there was just a transport wasn't my my papa's job to be on this boat it was just a transport everyone's getting sick with dysentery if you don't know what that is like do yourself a favor don't look it up like just take my word for it it's not something that you want and not something that you want any

more details other than like bad food makes you sick okay I was like up last night I'm like I should probably look like the exact oh my god not a good exercise to go through so the captain pulls everyone aside he says look we're used to new people to run the kitchen because obviously whoever's running the kitchen beforehand had no idea what they were doing and now my papa being of Italian descent although my last name doesn't say it I am mostly Italian my grandfather was a hundred percent Italian and he was like I gotta eat like eating is important when you're Italian anyone here Italian like can vouch for how important is eating in your world

like it consumes much of your day right so he was like I'm not letting this stuff happen so but being the leader that my grandfather was he told the captain look he's like so the captain's like you need a volunteer no one is volunteer I probably get I'll do it but there's one condition now I can't imagine that Papa knew the captain very well and the captain probably didn't know how much of a pain in the ass my papa was sometimes love them to death most inspirational person in my life pain in the ass um so these two are like meeting for the first time and the captain's like really okay you like you have demands for me that's

interesting because I'm the captain and you're just volunteering to run the kitchen and pop was like alright I'll do it you got to give me three guys and I get to pick the men on the ship that help me oh and he was like well okay then you can do it so my grandfather grabbed three people he said the first thing I had them do was scrub that kitchen from top to bottom with bleach he's like and then I started cooking he's like I learned to cook for my mom it was awesome they had this big steamer thing we made pasta in it I was like what you thinking we use a dishwasher we made like big vats of

pasta it was awesome he's like at like 11 o'clock at night everyone's just chilling out he's like I had a ham and cheese spread out because eating is important right and by the end of the trip the captain's like he won't you stay on and like help me how and my thumb's like no I got to do this interpreter thing he spoke four or five different languages so his job was to be an interpreter he's like I'm doing this interpreter thing but he proved that he was such a leader that the captain of a ship whose job was to get men into battle wanted to have him on there as a permanent staff that's the kind of leader and the reason

it influences is talk that you have to be in order to build your network defenses to defend against penetration testers because let's face it they have the advantage the advantage you have is if you can be a leader in your organization and lead people to do the things that I'm about to teach you in this talk you're going to make some Penn trusters really really frustrated and I know because I didn't necessarily tell them the whole theme of this talk but I called up all my pentester friends and I was like hey so like tell me about how you break in like this way it's from a talk I'm doing like they're totally thinking I'm giving a talk about like

how to be awesome at Penn testing and then they're going to watch this video and probably be really mad at me for a while but that's okay um so this is me the most important thing recently is I have serious hacking days those that saw Dave Kennedy this was something that he did and this was my serious hacking day maybe though there will be more this is my disclaimer I made talk about things that might offend some people it happens sometimes so if I do the get over it and then so I will talk about how I did actually come up with this talk and then we're going to talk about the practical stuff Active

Directory defenses Network and data segmentation default credentials canary accounts dark space and analyzing app on that bomb trap network traffic okay so I tend to ask a lot of questions so I got to ask my pen tester friends that like why or penetration test so successful Jason why yeah because you're the most awesome pen tester in the world right and so obviously the answers I got to that question were well people don't patch stuff they use dumb passwords and I'm the best pen tester in the world like Jason Street but not quite that good and you should bow to my exploits and expert coding skills right like awesome I'm like all right I'm asking the question wrong maybe I need to ask a

different question so a better question turns out get you slightly better answers so I started asking the question and this was totally based on Jabra from Praetorian so I quit the seed in my head to start talking about these things and so he asked the question of his own organization and said hey what in all of our hundred pen tests across 75 customers what led to complete Network compromise and he got a specific set of answers I extended genres researched like unscientifically and I started asking all my friends and I'm like I asked one I'm like and he was like you know windows authentication is really a hot mess once I'm in I can pretty much

roam free in the internal network and people used on passwords okay we got to seeing people use dumb passwords they get it so then I started asking more of my friends to do penetration testing I asked Joel McCrea and John strand and I went back and I asked Jabra again when I saw him and I asked my good friend Larry Pesch used on the podcast for me for going on 12 years who leads a pentest team today not only was the experience based on the Penta that they do but their teams as well and they all pretty much said like boiled down to pretty much two things like authentication sucks and no one does segmentation properly I'm like well

those are kind of interesting themes I should really dig into like why people don't do these things and make penetration testing harder because lo and behold when I started digging into Windows authentication other than making we want to drink a lot made me think like these things should be easy to fix but they're not so I started asking like customers aren't really fixing the critical issues and this is something when I was doing penetration testing that I would notice I'd say you know here mister customer here is your report you know see you next year for your next pen test and then I give them a new report and I'm like wow there's like not

a lot of differences like what were you doing the Holi were you on vacation for the whole year what happened there like you know like stuff and things and this IT project and you know we have to like make money and stuff so we had to do projects that help us make money and did nothing for security so I think so why did you pay for a pen test in the first place if you weren't going to fix the things that are in the pen test like you totally could have put that money to the six things that were on a previous slide that you could do to protect yourself and I can tell you those things for free

don't tell my 10,000 friends I said that but I can tell you those things for free so why don't people continually get better over time and some of the themes that I get when I'm working with customers I'm a nine faculty member and I talk to all of you and we're at various conferences and venues and I interview people from the field is you know that a lot of people will buy stuff like hey we have this problem we got hacked or the pen tester came in and said you suck at this so we'll buy something and not necessarily the right way to go also what I notice this is a theme I'm going to come back to ineffective

communications in leadership yes you will security people understand the problem however we have to communicate that problem to someone else in the organization to get them to do something that today may not be part of their job because they think security and Security's problem kind of interesting so this is the wrong answer and this is the endpoint security space as defined by that analyst firm that starts with a G and nothing anyone knows what I'm talking about well but this is a lot of times people say I have a problem my endpoints people are doing phishing attacks they're putting malware on my endpoints and then it's spreading to the rest of my organization and then they have how do

they have domain admin already this is really bad and a lot of people think that products specifically endpoint products are the answer they're really this is the wrong until you've done the six things that I'm going to talk about today this is the wrong answer fine if you have endpoint protection and you're making it work that's great you still need to do those six things before you go out and seek out an endpoint protection vendor they are not going to solve these problems for you they are just really like it's a needle in a haystack problem for these endpoints attackers are morphing all the time more and more morphing these attacks and you're not going to spot all

of them unless you do some fundamental things to improve the security of your network okay so commercial tools can help but it's good to have goals in a plan like I said this is some of the building blocks for making your network secure is to do these six things and like I said commercial tools can help that's fine but let's have a plan and let's do these six tips okay number one this is by far the number one thing that everyone talks about this could be its own to our talk in and of itself in fact when I started bringing in some of my pen tester friends one of them is John strand he's like you know we should do a

webcast I'm like this isn't going to fit in one webcast I'm like this is two webcast and I started rounding off the list of issues he's like yeah you're right then he's like to understand everything you really should take a six day class with Jason Boston at cents I'm like dude you're probably right that is probably the only source you can go to today that I know of where you can get all this information so if you're a defender today if you're a penetration tester today or want to be a penetration tester you're going to want to learn Active Directory like a lot so these there are five things based in Active Directory I mean one is a password policy which is

somewhat active directory the other four things are really deep heavy meat-and-potatoes Active Directory issues and what I found is that talking to all of my pens because I call them all back up and I asked them about this specific thing and I'm like when we talk about those specific issues I was like so you can just like disable the past the hash and the answer I get on all of them when I'm like well you can just like disable those NB NS protocol is like well then there's like this thing and then it depends on if you have this in your environment and it like my brain wanted to explode and I wanted to go

back to drinking again because it was just so confusing to work through all those issues I think I've distilled it down for all of you so let's try and go through it this dude is so excited about Windows 95 I've never seen anyone more excited about Windows 95 in my entire life you must be a pen tester because it plays into discontinuing the use of LM right stores your passwords super weak format now you can do a group policy setting to make this go away in your environment but and well the users have to change their passwords and it depends on this that and the other thing so yeah you can do that now if you do that you

will have combated compatibility problems in your network with things like Windows 95 and Windows 98 who here has Windows 95 or when no one wants to admit Amazon I'm not raising my hand no way no way you know you know who you are all right we'll find you later you have it in your network but the Macintosh clients those are kind of interesting too so it can break a lot of stuff which is why people don't do it but you need to be able to do this your environment you don't want LM hashes floating around your environment it's really really bad oh and there is a Microsoft help thing on how to like prevent that kind of Microsoft is

actually pretty helpful in having articles that will help you do this so use this slide take a picture of it go to your Windows admins if you're not already the Windows admin and say hey can we do this because this is important also this was important so we should do it right also it makes their job better because it means you'll get rid of Windows 95 and windows 98 and Macs yeah I'm beautiful everyone is Linux and the latest version of Windows great all right configure Active Directory to prevent pass the hash attacks so in this case obviously I don't have to crack the password hash I can just replay it on the network now I read is it on the next

next slot in there I've read harm joins articles I talked to all my friend about path the hash and every time I talk with the most scenario I'm like simple like if you do this like you're good and they're like well there's like this one case if you've got this that and the other thing and I'm like oh my god so you can disable LM and ntlm altogether right which essentially means all your Windows Active Directory authentication is using Kerberos is anyone doing this today and it would know of anyone doing this today I know some of my pen tester friends they they've encountered networks like this ok so that's kind of interesting I mean I've probably breaks more things

than just disabling LM but the other recommendation from Microsoft to prevent against passed the hash is to implement this thing called laps it's the local something privilege and privilege thing which basically you're giving the thumbs up so you read the 40 page document that accompanies laps and did the two or three we how long it take you to implement it a couple of weeks so that but that's significant I mean that's not just a group policy setting you're pushing out and you're done it's a to two to four week process from what I'm told to implement this in your network this is I mean props to you thumbs up for doing that this is you're going to

your windows admins and you're like I need you to like put some other stuff aside that's like making the business work like that you don't need that and we're going to implement this thing called laps and they're like what why do I need a unique administrator password and every single one of my workstations and you can just tell because Paul said so now obviously because of past the hash right it's a common method used by pen testers and the attackers are like to get into all of your systems but it's pretty complicated I'm more of a Linux guy but a two to four week project is not insignificant and it's you have to read and plan and implement it so that's

pretty much the recommendation to get rid of pass the hash not insignificant in your environment so then you're like okay well if I do laps and I'm Kerberos only like I'm good right I'm awesome and then John strands like wall no there was like this one time at Derby con when Tim Medina gives presentation about capturing Kerberos authentication and cracking the hashes now what Johnson was the hashes are not as easy to crack but the defenses for this really suck so Tim actually did the research and said that you can capture Kerberos and you can crack it and the defense is like basically he just should have put two words on the side like you're screwed

like that's basically the defense for this from what I surmised the defensive is there but it's not very good what's interesting is like no one really knew what to was talking about and John picked up on it and Tim was getting rejected when he was submitting his talks to various places and finally John had to call up people that ran conferences and was like no Lee can you just listen to what Tim has to say so and the example he gave was it was he called Dave Kenny he's like Dave you got it and I don't know if dad had even seen Tim's talk at this point Jones I gave you got it you got to hear Tim's talk

we'll set up a call come we'll go through it and Tim gets about halfway through and John says Dave goes hold on stop stop stop stop stop you mean to tell me that that is possible in terms like yeah here's a guard you're in and it in Tim saw cave was given a derbycon and it's like a thing now which is really depressing because it's kind of like we're screwed when it comes to defending Active Directory so these are the two articles by harm Joy extremely brilliant yes question yes you are correct really long service account passwords yes it because it does is the only service accounts that it is attacking or is it regular user accounts

as well yeah yeah yeah it is that's the other well there's this other use case yeah and that's what we get into right so hangzhou has some awesome posts i mean like everything you ever wanted to know about past the hashing and all the nuances are there if you want to go read it and whenever i talk to someone about past the hash they'd be like so did you read harm joyce are i'm like yes yes i painstakingly tried to read all the details in both of his articles in my brain hurts now which is why I'm calling you to get like the 30,000 foot view and they're like what you really need to read harm to us I'm like I get that I

get that okay so I'm telling all of you go read the articles now at the end of arms your second article pasta hash is dead long live local account token filter policy he says it's also worth noting that lapse effectively renders everything here a moot point that's good to hear right we know we have a path it's not the easiest thing to do there is a project some communication involved but we can do that yes oh here we go the well is that your but you're absolutely right I did read that yes so again thank you for backing up my point that we're all screwed when it comes to Active Directory security which is really the

point of these types okay now implement a password pop-ups

I tried to put something funnier up there other than implement a password policy which in and of itself is funny and that certainly seemed to trump it so we can you can give a whole presentation about password policies right but what a lot of people will say is actually a lot of what I used to think was well if I have multi-factor authentication the password doesn't become as critical right because I need something I have in something I know so there's something I know is only part of the equation so it's not you don't have to have an a 40 character password except as we move into modern technology with apps and web applications and api's and all this

wonderful technology I run to the situation where I happen to lose my phone long story it's painful it hurts I got a new phone it's really expensive anyway I lose my phone so I'm putting LastPass back on my phone I have two-factor authentication enabled for LastPass and when I put it on my phone it just is all just give me your password ah yeah you're good you don't need the second fact you're on a phone like what could go wrong I'm like I just lost my phone I want that's where I want the two factor authentication and what I've seen in the industry and what I've talked with people about is that two-factor authentication is great

except for when they just leave it out for convenience such as on a mobile application so you can have a really great multi-factor authentication scheme going except when they put the mobile app for whatever service it is it doesn't ask them it doesn't ask them at all question

ya know there and that's why I didn't spend a lot of time because you're absolutely right the question was what's the minimum length I would say over like 15 characters or more to get around some of the issues with the previous hashing depending on what you're using because of all the backwards compatibility you know outside of that you're right it's I mean 2 bit yeah are you in Active Directory admin ok ok you're doing good you have another question alright I'm ok

gotcha gotcha so 14 is a mess the highest minimum see we're all screwed because I like to go one past the highest minimum good lord yes but the minimum yes thank you so those are some of the gaps with two-factor authentication and we just had a great discussion about minimum password length so thank you for that the other problem is so basically this can be surmised as software trying to be really helpful right so if I can't find the proxy server to be able to browse the internet so I can go to youtube and watch videos adjacent street and stuff like that my network in Active Directory likes to be helpful and give me some

kind of automatic proxy discovery right if let's say I connect to a website and it takes authentication or a file server that takes authentication the protocol likes to be really helpful so that I like sends my credentials to places so that I can authenticate and it's trying to be helpful it turns out trying to be helpful in these situations goes into all the technical details and all these protocols that essentially means that my password hash is going across the network in some kind of hashed format depending on the configuration in a number of different things it can be LM it can be ntlm v1 or I think even v2 over the network in this case

right and using the tool called responder and a bunch of other things this article from Praetorian is probably the best one that I've seen that walks you through both the attack and the defense for this I thought Jabbar did a nice job with that he does really good this one is also good on this topic it's like the number like pen testers and how like you used to think they get on the network and they do pore scanning of vulnerability scanning now they just come in on the network they run responder they grab a bunch of hashes and then they're breaking into all of your stuff that's like the dirty secret now in pen testing is that really

they're just exploiting this particular vulnerability not necessarily the W pad vulnerability where if you create a DMS entry someone can't step on it but using these other legacy and newer protocols that are essentially exploiting the fact that software is trying to be helpful so that you can log into stuff so that is these two articles talk about the defense to that group policy again to turn that off in your environment that's something you're going to want to test that's also another project that you're going to want to tackle with your Active Directory environment it does especially NetBIOS naming service right have the potential to break some backwards compatibility with other Microsoft operating systems so ok so this is the

protection against mini caps many of you probably familiar with the in-memory attacks this is a well again this is the well but so you can do the to a 7 1 1997 and put this group policy slash registry change in place or use group policy to make the registry change in all of your systems but the problem with that is the well thought is that if I gain admin rights to one of your workstations I can revert that change in oh by the way reverting that change doesn't require a reboot so if I'm an attacker I get a man on one of your systems I revert the change then I have to wait I don't need

to it doesn't need to be an administrator that's machine an administrator just needs to log into that machine then their credentials will throw to memory then I can use mini caps to extract them so while there is a fix for there are limitations to the fix good good good good interesting so it apparently this fix doesn't work on Windows 7 in certain circles in both are like the critical 5 things that I think everyone needs to do in Active Directory we've already heard from people in the community that are like yeah but there's like a different thing these things are not easy it requires planning it requires working together as a team with your Windows administrators I can tell

you that I could probably stop the presentation right here and you would stop most pentest I mean not Jason because Jason is like hiding under your desk like but I did all those things Paul said but Jason still under my desk look most pen testers would like stop and just want to cry like right here at this point okay so let's go on to network segmentation which it's kind of interesting so this comes from the analyst firm the source of the G and I just want to point out their advice or someone's advice not the analyst from the source of the G on network segmentation are you ready okay don't over segment okay that's good good

advice don't you shouldn't over sit and don't understand either because that's that's bad that's bad okay thank you thank you for that that's fantastic I'm like I want to try and do better than that now I'm sure this article in all fairness like goes into more details I hope it goes into more details than that but I wanted to go in a little more details about network network segmentation so this is what ID in the wrong way and this is oftentimes how I see network segmentation is we take these blocks of systems and we put them in their own networks right like you're not done yet that's just networking that's about segmentation and we've got like wireless

networks and remote offices and conference rooms and Printers in one segment we got like our Windows stuff in here like the important stuff like Active Directory and DNS and DHCP and then like we had this vulnerable stuff there was a bunch of stuff that was just so vulnerable we had to put it all by itself like put it in the corner shove it over there like no one will see this it's fine and then IT administrator workstations and then I got like all this Linux stuff I don't know what to do that so I just put that in a segment that's good and then I got like all my user stuff it desktops and printers right so then I

connect this all the network and I put it in through a firewall and that firewall just allows a bunch of stuff in a bunch of different directions which means as a pen tester when I was testing a security company and gotten into one of their AI networks I was able to exploit a pathway into their IT administrator workstations because they needed that to exist so this is where people fall down with network segments because this can get really complicated right so my suggestion is to simplify okay and start with something simple I should have made this box red or some different color pretend this is a different color all your user stuff depth stops and Printers enable the

local firewall on the systems. There's really no need for desktops to be able to talk to each other. We're good, we're good there. Okay, there's no need for desktops to be able to talk to each other, and killing that lateral movement right in your user desktop segment: awesome. You're on the way to network... I mean, it's not really network segmentation, it is micro-segmentation in that area. By all means do that. Okay, um, don't let anything connect to IT administrator workstations. I mean, your incoming policy for those workstations should be scrutinized very, very heavily. Okay, so start there. Just as your user accounts in your domain, or in, you know, Linux, that have administrator access to your entire domain and all of your systems, those accounts should be protected as well, and their workstations should be protected as well.

Your vulnerable stuff: don't just hang it in a different subnet. That's like... we just point at that and laugh at the "security subnet." You have to actually put some filtering rules in there so they stop connecting to it. A printer is a great example: there's like eight million protocols enabled by default on a printer. I don't know why people need to SCP to the printer. Has anyone had a legitimate reason to FTP to a printer? Okay, that's what I thought, so why is it open on the firewall? Although there has been some research along those lines recently, where people completely broke printer security, which is interesting. But so, yeah, filter that very, very heavily, and then all your other stuff: wireless networks and remote offices and conference rooms and more, because there's always more printers. Don't let that connect. Give them their own DNS and DHCP, treat that as a separate network. Why? Because Jason's probably done it a hundred times. I did it when I was pen testing: you walk into the space, the receptionist is always very nice, you're very pleasant, you put on your Jason smile, and she's like, "you can go wherever you want, it's fine." I don't quite have that, I have to work a little harder. And then I go into the conference room, and then I actually... it was actually a Pwn Plug, Pwnie Express, you plug it into the conference room and you're like, "okay, see you later," and then you compromise the entire network. Segmentation can help with that a lot, provided you do it appropriately.

So okay, so this is a better... not saying it's the right way, but there are some tips to do some network segmentation. Your firewall rules should restrict more than allow between these, and if you draw these much simpler delineations your life will be a lot easier. Now if you want to go like full NAC, props to you. I mean, there's probably... Black Hills Information Security, I like to pepper John with questions. He gets really tired of me asking for statistics, like, "so how many of your pen tests have a NAC solution built in that really slowed you down?" He's like, "1%, less than 1%," which is kind of interesting. It just goes to show you how hard it is to do that in the environment, but that is another solution as well that can help with this network segmentation thing, and it's something that slows penetration testers. 7. Okay, default credentials, and I really think, and I kind of have proof, that I might be one of the only people really truly

thinking about this problem, because when I Google search I find my own articles. I'm like, no, I want to find other people's articles, not my own. So I am thinking about default credentials, and when people think about defaults, right, they're like, "ah, it's a Linksys WRT54G router and it's got admin / no password, or admin / admin," and yes, we all know it has a default credential. However, default credentials trickle down into your entire enterprise. In fact, we were just interviewing Alex Horan from Onapsis and he said, well, in SAP systems pretty much the number one attack vector is default credentials. I'm like, that's interesting. They exist on your printers, they exist in other applications, they exist in audio-video gear, because we have some of that in our studio, quite a bit in fact. And I got this really awesome HDMI router. I mean, it's a router, right, so I can take 8 inputs, 8 outputs. I was excited about it, I'm a nerd: 8 inputs, 8 outputs, HDMI comes in, I can say that can go to any number of outputs, you can go to one output or more than one output. That's awesome. I plug it into the net... it's got a network port, we should plug it in, let's see. Okay, it's got telnet open. All right, I'm going to telnet to it, and while I'm doing that, look up the default... oh wait, there is no... there is no password. Well, surely there's got to be a way to set it. No, there's no way to set a password. I'm like, how, why would you do that? Now someone can just telnet to it... So that goes to show you how much security they put in place and how much thought they put into this particular device. So it's kind of interesting. I wrote a script that is a web interface to let you, you know, change the images on all the screens and all that stuff, and I'm like, it's going to be... a Raspberry Pi is going to have multiple interfaces, and one's going to go to this device and the other side is going to connect to the network. I'm not putting this on the network, and it's sad that we had to make those...

So not only can systems have no password, but I mean default passwords: they can have no password, and these exist in web applications, all different types of web applications that attackers attack all the time, and that have very well-documented default passwords that people just leave in place. And the more complex the project, the more likely the contractor comes in to set up, like SAP for example, and it's like, okay, you know, here it is, I've been here for a year, you're all good, I'm leaving now. As the person being left with that project you're like, you know, we should go change all the default passwords and stuff, because now you get to send the person back to fix what you're going to break by changing all those passwords. So the default password I think is a problem on multiple levels for every single enterprise that exists today, so much so that once, when I was on a pen test, that was awesome, when I was looking for iLO and remote management systems, which still exist today, I'm not that old, you would connect to the device and it would either have a default password or no password. This is the management system,

and you'd connect to the console, and someone accidentally left themselves logged in as root on the console. So a default or non-existent password on your management system just instantly led to a root prompt. That was pretty awesome, I wish we could do that all the time, it's a great party trick. So the point is that stuff matters in your environment, and pen testers are going to find this stuff, and I'm like, why aren't we finding this stuff? Why aren't we looking in our network for all these exposures? And then I searched high and low for solutions that would detect default passwords, and I really didn't... I found some of my own articles, I didn't really find any. Anyone have suggestions? Where do you... is there a tool? There were a lot of ads from a product company that I saw, that was interesting. I really didn't find a good solution to discover default credentials, because here's the problem: you can't just take... if you have a database of 5,000 default credentials and you scan a network, if I am NOT fingerprinting the devices, I have to send all 5,000 of my passwords to that device, and likely it's going to fall over and die, or trip some kind of password threshold and lock people out of their accounts. So I think that the real problem is not testing for the credentials; the real problem is who's got the best technology to identify all of the devices in my network on an ongoing basis, and then have the hook to know which of those default passwords to send to: Oracle, SAP gets these default passwords, Linksys routers get these default passwords, Paul's crappy HDMI router gets these too. Oh, no way, I don't need it for Paul's crappy HDMI router. Have a question? Yeah, yeah, and that's a manual process, and also that's just web servers. Yeah, and web applications are a huge culprit of default passwords, but it extends beyond that. So yeah, so you can use Nessus to do this, and I was like, great, there's like two blog articles out there on using Nessus to find default credentials, and I go over the first one and I'm like, I wrote that, and then I go to the other one and I'm like, no, I wrote that one too. So I'm the only one thinking about this problem. Actually, while I was at Tenable, I felt we should make this better, we should give people the ability to not just look for default passwords, but my whole thing was, I think everyone has this list of passwords that you used on everything, right? Like, one of the companies I worked at, it was, let's just say it was "football," okay, and you know, the other company I worked at had this... this was always the default password until I said we should change that. But then you get to a router or switch and you believe the new password is not working... oh, that's the old password. So I think in addition to no authentication and default credentials, we run into this problem where we have our own list of default passwords that we have to check for on our network all the time, because if you have 10,000 networking devices you might miss something. So having this technology is important. I don't find that the commercial products today for vulnerability scanning... and is this being recorded? Okay, so never mind, we're moving right along. Products today aren't set up to handle this particular problem, which is kind of... it makes me cry a little on the inside, because no one wants to tickle me, I guess.

Okay, so now let's move into a little more deception, right? That's what was before us: more fundamentals. Now it's deception and canary accounts, and these are just really... this is like free. I talk to the commercial vendors all the time and they're like, "hey, if you buy our product we can make all your other products better." Actually, there are products on the market that can do that, but you're going to buy a bunch of products and then you're going to buy another product that makes all your other products better. This is a free thing that you can do that'll make your products better, and essentially it means creating a fake account, and you know this account. And this isn't a new thing, right, but this is going to detect when someone's trying to send you a phishing campaign, and let's be honest, the number one way pen testers are getting in is with the phishing campaign, unless Jason Street's onto your desk... that sounds really bad, never mind. Okay, so then you monitor this email for spam or other activity. You monitor the domain account for any activity, right? Like, if it hasn't gotten an email, is someone using it to log in? Is it in the logs anywhere? There shouldn't be any activity with this account, because it's not associated with a real person at all.
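The canary-account monitoring just described, as an added example that is not from the talk: any activity naming a fake account is an alert, whether it is mail landing in the bait mailbox (someone harvested the address for a phishing campaign) or a logon attempt against the domain account (someone harvested the credential). The log format, the account names `svc_backup_admin` and `jsmith-hr`, and the event names are all constructed for this example and are not any product's real format.

```python
"""Added example (not from the talk): alert on any activity touching canary accounts,
i.e. fake accounts that belong to no real person and so should never appear in logs."""
import re
from collections import defaultdict

# Constructed sample log lines in a simplified, hypothetical syslog-like layout:
# "<timestamp> <source> <event> user=<name> src=<address> [extra fields]".
SAMPLE_LOG = """\
2017-05-06T08:01:12Z dc01 LOGON_OK user=alice src=10.1.4.22
2017-05-06T08:03:40Z dc01 LOGON_FAIL user=bob src=10.1.4.23 reason=bad_password
2017-05-06T09:15:02Z mx01 MAIL_IN user=svc_backup_admin src=203.0.113.9 subject="Invoice attached"
2017-05-06T09:16:55Z dc01 LOGON_FAIL user=svc_backup_admin src=10.1.4.77 reason=outside_logon_hours
2017-05-06T09:17:01Z dc01 LOGON_OK user=carol src=10.1.4.30
2017-05-06T11:42:19Z vpn01 LOGON_FAIL user=jsmith-hr src=198.51.100.40 reason=bad_password
"""

# Hypothetical canary accounts: a fake admin-looking service account and a fake
# HR user whose mailbox address is only ever published as bait.
CANARY_ACCOUNTS = {"svc_backup_admin", "jsmith-hr"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: (?P<extra>.*))?$"
)


def parse_auth_log(text):
    """Parse the constructed format; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def canary_alerts(events, canaries=CANARY_ACCOUNTS):
    """Every event naming a canary is an alert: there is no legitimate use of these accounts.
    Mail arriving for the bait address points at a phishing campaign; a logon attempt,
    successful or not, means someone obtained the account name or credential."""
    alerts = []
    for ev in events:
        if ev["user"] not in canaries:
            continue
        kind = "phish_delivery" if ev["event"] == "MAIL_IN" else "auth_attempt"
        alerts.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "kind": kind,
            "source": ev["src"],
            "detail": ev["extra"] or "",
        })
    return alerts


def summarize(alerts):
    """Roll alerts up per canary account: how many touches and from which sources."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for a in alerts:
        summary[a["user"]]["count"] += 1
        summary[a["user"]]["sources"].add(a["source"])
    return {user: {"count": v["count"], "sources": sorted(v["sources"])}
            for user, v in summary.items()}


if __name__ == "__main__":
    for a in canary_alerts(parse_auth_log(SAMPLE_LOG)):
        print(f'{a["ts"]} {a["kind"]:<14} {a["user"]:<17} from {a["source"]} {a["detail"]}')
```

The design point is that no threshold is needed: a real account needs baselining to tell normal from abnormal, but a canary's baseline is zero, so the first event is already the signal, and the source address on it tells you where to look next.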

Yeah, go ahead, Jason. Yeah.

Gotcha. Did everyone hear that? Okay, yeah: create a domain admin account, and set login hours... yeah, make sure you set login hours to zero on a fake domain admin account that has the password in the description, and then monitor for when someone tries to log in. So okay, that's good, I'm glad my tactic is validated, because I don't find a lot written about this today. Five minutes, okay, so we're moving on to the next topic, which is creating fake LinkedIn accounts. Now you can go crazy with this, right, because phishing is popular and LinkedIn is the most popular one. So what I did was I'd read an article about how to create fake LinkedIn accounts, or spot fake LinkedIn accounts, and then I wrote these tips. So this is how you create a fake LinkedIn account so people don't know that it's fake, so much. Because if you put "fake LinkedIn" in Google, all you get is how to spot fake LinkedIn accounts, and I'm like, no, no, I want to know how to create them. And they're like, well, here's how you create them to spam people. I'm like, no, I want to know how to create them so it looks like a legit user in my organization. So I came up with my own list. Now, be careful with stock photos, because those can be traced. Use your real email address that points to your honeypot account. Have other co-workers or people recommend the profile. I mean, we can really get out of control here, right? Create other social media accounts; you basically want to create a fake presence. Now the danger is, and why I don't think more people do this, is once it's been discovered you have to start over completely, and that stuff can be a lot of work to make it look truly fake. So no, I would definitely talk to you... every time I give a talk on offensive countermeasures, or active defense of some kind, everyone always has that comment. I am NOT a lawyer, you should talk to your lawyer before you do anything I say, because I don't want to be held responsible. Yes? What is your title, Jason? Network Security Ranger or something, InfoSec Ranger, something like that, something fun, or something related to a business function could be fine. I think, you know, title really doesn't matter. I don't think they're really going to discover it's fake because of a title, more so like they Google image search your image and it's a stock image. Yes, exactly, yeah. "I love to open Word attachments" should be somewhere in their social network profile. Okay.

Darknets are also not a new thing: you define a darknet, a subnet not in use, you add some routes to it, you put a sniffer on it, or, I used to actually monitor my darknet

with NetFlow, that works too. And don't, don't put live systems on your darknet, that's bad, people. The whole point is that there are no live systems on your darknet; it's IP space that you're not using. There's a great article in there as well. Okay, now, the darknet is just a foundation to do some of the other deceptive things. You want some HTTP redirects, right? You want something in your robots.txt that magically redirects them into your darknet, so when people are curious and going where they think they shouldn't be going, you're collecting it. You want to put some fake DNS entries, DNS names that don't exist in your environment but point to fake IP addresses in your darknet. Same with file servers. Also Word macros that just ping back to your darknet: so if you put a macro, or some other kind of callback, lots of ways to do that in Microsoft Word, inside of your Word document that just sends a ping request into your darknet, you'll know that someone has opened this document that is fake. You know, maybe you say it's SSN.doc, and put fake social security numbers in there, and you'll know when someone opens it. Okay, so that's the deception technology: kind of drive traffic to your darknet. As always in my strategy, it's a blending of the deception I've talked about before with some of the darknet stuff.

Okay, now, monitoring the darknet, like I said, NetFlow, and darknets should then be integrated into your SIEM so that it's giving you context into your other monitoring tools, whether it's SIEM, security intelligence, big data, learning, artificial... you know what I'm talking about, all those buzzwords, whatever you're using, you should integrate it to make it better. Okay, now, analyze network traffic. I don't know why that image is there, but I thought it was really funny. It has absolutely no meaning to this topic whatsoever, other than I thought it was funny. Bask in the glory of its outstanding humor. Okay, next slide. So math is easy, and math really isn't easy, but when John Strand

explained it to me, this is how we look at outgoing traffic inside of a network in our open source and commercial product that we're doing. This is completely open source, it's called RITA, you can go download it. So here's what we do, very quickly, because I probably have about two minutes left. We look at four different criteria of the outgoing packets, right, these are packets leaving your network. We look at the connection time: how long was a session established between these two hosts? And we start drawing some plot lines, and we're like, hey, you know, this host in your internal network has a cluster here, and it was contacting the same host on the internet with the same time of connections, and it's plotted here, and that's interesting. Then we look at connection interval: how many different... was it once a day, was it every hour, was it every 10 seconds, what was the interval? And we plot the interval using some super fancy smart math machine learning type stuff, and we say, okay, well, the connection interval for this internal host to that external host has a grouping like that. Your groupings are never going to be perfect in a network, there is jitter, you're always going to have some scattering, but you're going to look at groupings. Then we look at the number of packets. Well, in the 24-hour period, this host... the connection time was always roughly the same, the connection interval was roughly the same, and the number of packets it sent in that 24-hour period was also roughly the same, and then the size of all those packets was the same, and if all those factors match up we call the host infected. Okay, now what's interesting is you also see this green is infected as well: if in a 24-hour period I had one connection from an internal host, one connection to an external host, my number of packets was like one, and my connection interval was really short or really long or stood out in some way, you're also compromised. Actually, this is how we found malware in a lot of organizations: it's just looking at the outliers inside of our data. The other ones that are scattered all over the place, that's normal traffic, right? When you go to Google, when you browse the web and do other things, it's pretty random. So we distribute this as a free, open-source tool called RITA. We regularly do webcasts on it and talk about it in more detail at conferences. You need Bro logs in order to do it. Bro is completely free, RITA is completely free, you can go to that URL, you can download it, you can analyze your traffic the exact same way that I just showed you in the previous graph, except it'll look like that. I believe it has column headings now, but that's basically... those are all those numbers that correspond to connection time and interval and all that other stuff, and this right here is a confidence score that we built for you, so we're 99% sure that that IP address right there was compromised. Okay, so that's kind of fun, in a way, to detect attackers.

Bonus tip: communication. Rather than phrasing your question... it's your statement to your Active Directory or other teams: "you must secure, patch, harden all these things, or else." Say, "how can I help you do your job more efficiently?" Phrase it as you're helping, not making them do something. Okay, and that's it. Thank you.

I put that in there because that's really funny, a "defense" kind of graphic. Okay, I think... is there another talk in here?
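The two network-monitoring ideas from the talk, darknet hits (any traffic into IP space you don't use) and the RITA-style beacon criteria (connection timing, connection interval, packet count and packet size all clustering for one internal-to-external pair, with jitter tolerated), as one added example over a constructed NetFlow-style record set. This is not RITA's code and not from the talk; the darknet range 10.9.0.0/16, the flow records, the scoring weights and the 24-connection normalisation are all assumptions of the example.

```python
"""Added example (not RITA's code, not from the talk): flag darknet hits and
beacon-like outbound connection pairs in a constructed NetFlow-style record set.
A flow record is (epoch_seconds, src, dst, packets, bytes)."""
import ipaddress
import statistics
from collections import defaultdict

# Hypothetical darknet: routed IP space with no live systems, watched by a sniffer.
DARKNET = [ipaddress.ip_network("10.9.0.0/16")]


def constructed_flows():
    """Sample flow records; entirely constructed for this example."""
    base = 1494000000
    flows = []
    # 1) A beacon: one internal host calls one external host hourly with a little
    #    jitter, and nearly constant packet counts and sizes.
    jitter = [0, 7, -5, 3, -2, 9, -8, 1]
    for i in range(24):
        ts = base + i * 3600 + jitter[i % len(jitter)]
        flows.append((ts, "10.1.4.22", "198.51.100.77", 4 + i % 2, 512 + (i % 3) * 10))
    # 2) Ordinary browsing: irregular timing, widely varying counts and sizes.
    for off, pk, by in [(0, 12, 1500), (300, 310, 48000), (1500, 9, 900), (1700, 150, 22000),
                        (7000, 30, 3100), (7100, 5, 400), (20000, 77, 9800)]:
        flows.append((base + off, "10.1.4.23", "203.0.113.5", pk, by))
    # 3) A host touching addresses in the darknet, where nothing legitimate lives.
    flows.append((base + 5000, "10.1.4.30", "10.9.3.4", 1, 60))
    flows.append((base + 5002, "10.1.4.30", "10.9.17.200", 1, 60))
    # 4) A single one-off connection: too sparse to measure periodicity at all.
    flows.append((base + 9000, "10.1.4.25", "192.0.2.10", 3, 300))
    return flows


def darknet_hits(flows, darknet=DARKNET):
    """Every flow whose destination lies in unused, monitored IP space."""
    return [f for f in flows if any(ipaddress.ip_address(f[2]) in net for net in darknet)]


def _cv(values):
    """Coefficient of variation clamped to [0, 1]; 0 means perfectly regular."""
    mean = statistics.mean(values)
    if mean == 0:
        return 1.0
    return min(statistics.pstdev(values) / mean, 1.0)


def beacon_score(pair_flows):
    """Score one src->dst pair from 0 (random) to 1 (beacon-like) using the talk's
    criteria: regularity of the interval between connections, of packet counts and
    of sizes, plus how many connections were seen (normalised to 24 per day here)."""
    pair_flows = sorted(pair_flows)
    n = len(pair_flows)
    if n < 3:
        return {"n": n, "score": 0.0, "note": "too few connections to measure periodicity"}
    ts = [f[0] for f in pair_flows]
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    interval_cv = _cv(intervals)
    packet_cv = _cv([f[3] for f in pair_flows])
    size_cv = _cv([f[4] for f in pair_flows])
    score = (0.5 * (1 - interval_cv) + 0.2 * (1 - size_cv)
             + 0.1 * (1 - packet_cv) + 0.2 * min(n / 24, 1.0))
    return {"n": n, "interval_cv": round(interval_cv, 4), "packet_cv": round(packet_cv, 4),
            "size_cv": round(size_cv, 4), "score": round(score, 3)}


def score_all(flows):
    """Group flows by (src, dst) and score each pair."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f[1], f[2])].append(f)
    return {pair: beacon_score(pf) for pair, pf in pairs.items()}


if __name__ == "__main__":
    flows = constructed_flows()
    for f in darknet_hits(flows):
        print(f"DARKNET HIT  {f[1]} -> {f[2]}")
    for (src, dst), r in sorted(score_all(flows).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{src:<12} -> {dst:<16} n={r['n']:<3} score={r['score']}")
```

Sparse pairs are reported separately rather than scored low, which matches the point in the talk that a single odd connection is an outlier worth a look, not evidence of normal traffic; the beacon's jitter of a few seconds barely moves its interval regularity, while browsing traffic saturates the clamp.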