
DeceptionOps: Automating Deception Tech - Andrew Waite

BSides Newcastle, 46:02, published 2023-12

Andrew, that's right. One second, is the laser pointer going to work? That's the next question. Okay, there we go. I walk around far too much, and I don't like getting stuck by a keyboard, and those lights are really bright, so that's going to get confusing. Why are we here? As already mentioned, we're here for deception technology, and it's a 101 conversation. The purpose of this talk: not everybody's come across deception technology in a way we can implement it in a business case. I'll discuss some of that, some of the reasons why I think you might want to, and some of the reasons why typically

you don't get to do it in business, because we don't always get to play with the fun stuff, even if it is one of our favourite technologies. I'll touch slightly on a bit of infrastructure as code, in the hope that it might provide one way we can do more of this stuff to help defend against our adversaries, and I'll try and combine the two. Warning: despite the pun, there might not actually be any profit at the end of it, unless you like listening to me talk, in which case I'll keep going forever. Lord Dave likes pulling people off stage, so I'll try my very best to do it. Another disclaimer:

both of these topics are 101. I'm not going to be dropping any elite-level knowledge; we're not going to change your life too much with this, unless you find you really, really like it, but hopefully we'll just spark some ideas that you can take away, play with, and just get hands-on with some of this technology some more. So that's the content of the talk. Who am I? I'm not just the idiot that's stood on stage. My name is Andrew. Currently, in my day job, I work as a cloud security engineer, and if you want to hear more about this, I spend far too much of my life on Twitter talking about all of this stuff as well, to the

point where somebody in the audience has already decided whether or not they can turn it into a drinking game to see if they can get drunk by the number of times I say the word honeypot in a presentation. I think possibly that's a good way to end up catatonic in the back of an ambulance, so I definitely would not recommend that one, so I'll do my best. But before I do any of that, I want to take advantage of standing on a stage at BSides Newcastle to address an apology, and a point to G of H. Does anybody remember this? Was anybody here for our first one? There's some hands up. I've got to say, as a

northern gent stood in a pair of shorts, I would kill for a freezing cold skate park right now, because I'm boiling in this facility. The point is, if we zoom in slightly, this was the end of the keynote. You might have noticed this wrinkle on the keynote primary stage. This is the reason why this is the only conference I've offered to help out at: you should not give me power tools. So, for everybody that was speaking at that event, I apologise for the dreadful setup of the stage. That's got nothing to do with this talk; I just wanted to take advantage of a couple of seconds to get that guilt out and finally unburden

myself. So apologies to anybody that had to present with that absolute abomination. Sorry. So, with that out of the way: deception technology. For me, it's not going to change the world. Everybody in security loves a silver bullet: we can put in this one new shiny toy, go home, everything's secure, the bad guys can't do anything. We know it doesn't work, so we always talk a good game of defence in depth, but often what does that mean? You've seen this. Jumping ahead of myself, so this was the part that wasn't planned: I've noticed from talks both yesterday and today lots of people have mentioned MITRE, and the ATT&CK framework itself has been mentioned

quite a bit. It's been around for years. A bit that's less commonly known, and I've given the game away slightly: there is a MITRE D3FEND framework which does exactly the same thing as the ATT&CK framework and maps defensive technologies that the blue team can use to try to defend against those techniques. For the purpose of this talk, if you zoom in slightly, there's a full column given over to sorts of deception technologies where we can put some of these techniques in place as part of that defence-in-depth model to help improve our overall defences. I've mentioned it: this is the MITRE framework which, as previous speakers mentioned, is American deep state, if you don't want to

go there. Other models are available. Does anybody recognise this table at all? Can't see a thing with these lights. No? Possibly not. Rather obscure paper: this is from a paper about ten years ago released by Lockheed Martin, which was potentially responsible for starting what turned into complete marketing buzzword bingo of the term "kill chain". Trying not to get too put off by the marketing side, the paper itself is actually quite good, and in the same way gives some time over to deception technologies alongside the rest of your defensive stack. So that's deception technologies. When I was starting my career, too many years ago than I care to admit when I'm stood on stage, especially

if it's being recorded, I came across deception technologies for the first time in the case of honeypots (please don't take a shot), and I thought this was the coolest thing in the world. For some reason it just made sense to me. I thought this could really be a game changer; I thought this was brand new, cutting edge, we could really do something about it. I talked to a couple of people, and somebody said: if you like honeypots, what you need to do is read this book. Has anybody read The Cuckoo's Egg before? Plenty of hands up. It's brilliant. I'm not entirely sure how I managed to miss it. For those of you

that haven't read it, I honestly fully recommend it, but a very short overview of the story: Cliff, our hero of the story, who was working on his university systems like a lot of us do in the day job, went off to investigate some weird activity on his systems. As part of that he deployed some fake user accounts, some fake data that he thought his adversary... sort of threat hunting: took a hypothesis, put some data out there that he thought his adversary might be interested in, so he could get a better idea of what they were up to, and in the end, I'll try to be quick, found a foreign adversary that was trying to sell the data that was stolen

to the KGB. Again, cutting edge, bleeding edge; if you've been watching the news this might seem fairly familiar. This was back in 1986. The technology that I thought was cutting edge, this guy was doing at a time I was still crawling around in diapers. So unfortunately, yeah, it wasn't that cutting edge. I said I love this book, give it a read. I love everything Cliff Stoll; there's a few more if you're interested, take a look. The one thing you might want to take some credit away from him for: as part of this work, when he put these triggers in place, this was before a lot of network defensive technology was in place. One of

his traps he had connected up to a pager, if anybody's old enough to remember those things, so that when his adversary was on the network he would get a notification in real time. The guy might have invented honeypot technologies, but it seems he also invented the on-call pager, so try not to hate him too much, because I think we've all done that before. So I'll skip really quickly over that so I don't get them too much. Plan: so what are our options for defensive technologies? The frameworks I've shown before had lots of different boxes. I'll try to add some value to some of those now. This is the point in the talk where I'm

at serious risk of overrunning my time slot, because I could talk about this forever and keep coming up with more ideas, so I'll try to keep these brief. I'm going to try and start off with some of the less technical ones, the easiest ways to get involved with deceiving our adversaries, which ultimately is what we're trying to do. I'd imagine everybody in this room is going to be aware that somewhere out there we're responsible for systems, there's bad people out there trying to do bad things, and we want to stop them from doing bad things. So we'll start off with an easy one, and I can't see a thing with these lights: who can tell me what a

robots.txt file is?

Exactly that, with the emphasis on where they can't go. Deception technologies: if you looked at a robots.txt file and you were a pentester, you saw... we've already seen some of the talks from yesterday of using some of this information to play with financial markets and make some nice profit. If I'm a pentester seeing that, I might just want to go and see what the Q4 releases are going to be that they don't want Google to know about. The defensive side: if I've got a monitor looking for any bad people looking for those directories, they're probably having a look around my robots.txt file looking for things I don't want them to know about. That helps

flesh out some of the activity they're doing, and might point me to other bad things that they were doing but that had already slipped under the radar. Similarly, if you're on a system that might be compromised: surely nobody would be stupid enough to leave an Excel spreadsheet full of domain admin passwords lying around on the desktop? Oh yes, they would, mentioning no names. Similarly, you could populate that file with some usernames that are active on the system that don't actually get used, and again you can look for activity on some of those; it gives you some indication of what people are doing around on your network. I said this is the point where I'm at serious risk of

overloading, because I'm going to add in another example which wasn't on the slide deck but came to mind watching the previous chap's talk: one of the discovery phases, really quickly, you've all just seen it, was abusing the ARP protocol to look for other systems on the network. One of the oldest honeypots that I'm aware of did something similar: it sat on the network and looked for ARP requests. If a genuine system claimed that IP address, what the tarpit does is it just lets it go. If there's not a system on the network that claims that IP address, it says "yep, over here, that's me", and then starts responding to the people looking for

those systems really, really slowly. So absolutely every system on a network, if you do an nmap scan, responds and says there's something there, starts going really slowly and slows your adversary down. It's not the end of the world; any competent pentester is probably going to see this quite quickly, work out what's going on and work around it, but it's another hurdle they've got to get through, and it's another opportunity for the blue team to identify something's going on and start looking further. So with that I'll get back on script. Conversation from yesterday again, and I do like a bit of audience participation: can anybody tell me what this little bit of HTML is liable to

provide? It is: it's a form, specifically it's an admin form. You can see we have a username, a password, and it's a fairly basic form, primarily because I'm not a developer by any stretch; I stole it from W3Schools as an example. But if you edit it, you might see a little addition of a hidden field next to the form with an admin that equals false. Now I know very few pentesters that are going to see this and aren't going to go "ooh, that looks interesting, what happens if that turns true?" Perfect example from yesterday; I forget, I'm dreadful with names, I forget the chap who did the talk, gave an example of an authentication bypass

very, very similar to this: changed a success of false to a success of true and bypassed the authentication. So most pentesters that see this, or automated tooling like OWASP ZAP, Burp Suite, are going to look at that, give it a chance, see what happens. Again, anything that came through on the form that had admin of anything other than false probably means someone's doing something they shouldn't, because it's a hidden form field; a normal user should never see that field, should never interact with it. So it gives us another trigger that we can see what's going on. You can get more invested; this is where things take a bit more time to set up. Cowrie, and I'll get to Cowrie in a bit

more detail, but it is essentially... you've just seen from the previous talk, which set me up perfectly: as I keep saying, SSH can be used for all manner of things, any Linux sysadmin is going to know how to use it, any competent pentester who attacks it is going to know how to abuse it. Cowrie, well, we'll get to that, it's an SSH honeypot for taking advantage of people interacting with it. And we all like the serverless world, cloud, micro containers, micro workloads, all the serverless stuff, so I've got an example of a honeytoken for an AWS key which you can use to look at attacks against the cloud rather than

traditional things. So, moving on. What is Cowrie in detail? It's that SSH daemon of a Linux server: SSH gives you command-level access into the box, and Cowrie essentially fakes that system. So what can you do with that? It does an awful lot of things. One of the most basic ones, especially if you sit one of these out on the internet (I've got one running now): if you put SSH open to the world without a firewall, it's going to get attacked. For my purposes, it gets attacked very, very rapidly, very, very frequently, and gives me lots of things to get me distracted when I should be making tea

for the kids, and instead I'm playing with honeypots. Basic example: you can see what usernames and passwords are being used by real attacks in the world. You can see... come on, wrong button. You can see from the file name this was just last week, this was just one day's worth of data, it's running off the end of my screen. These aren't username and password combinations that I'm pulling out of things like the RockYou database or all the usual tools; this is things that have been used in the wild against my system, and I suspect all of your systems as well. So if you want to do a password check against the passwords

you've got in your system, it probably makes sense to make sure that these combinations definitely aren't in use. From a researcher side, like myself, it's interesting to take some of the more interesting ones, like for example looking at the top ten, that gibberish one: I'll be honest, when I get home I'm going to be putting that in Google to see what default password that is for some system, and to see why it's suddenly so interesting to my adversaries. And from a business perspective, if it then becomes apparent that it's a default for a particular application or particular network, I'm then going to see if that particular service, that particular device, is on my network, and more importantly if the admins have changed

it from whatever the default password is. One of the things I like about Cowrie, and originally Kippo before it was rebuilt, is if you guess the right password it will give you a shell. Restricted, you can't do everything, but from a user's perspective you get on, at which point we can then start seeing what our adversaries are doing. When I started doing this, far too long ago as I've said, the one thing I found really interesting is that human attackers on a system really can't type; they make more typos than me when there's somebody watching me, which is impressive. But you also see things like this: you can see the dark

area of sort of this block here. This is lots of Linux bash commands chained together all in one go, a really good indication that the attacker in this instance was a bot; there's not a human at the keyboard, nobody's sitting typing that out by hand all the way, there's a bit of automation. And to a limited extent the Cowrie SSH process will let it do what it wants. In this case it's gone away: this attacker has gone "okay, I want to get some more attack". Previous talk on fileless malware, using that dropper to get the second payload: in this case Cowrie will let that connection go, it will take the file, and it'll do

absolutely everything with it with the exception of executing it. But then I've got a copy of that fileless payload, and in this case this was the payload which went off to get more attacks. Very, very brief analysis, I'm not going to go through any of the reverse engineering for any of this; I spent about 30 seconds on my sofa last night to make sure I knew what this was: it looks like this is a copy of the Mirai botnet that's still bouncing around trying to attack things. And if you want to play with all that in Cowrie, I get fascinated every time I install the system, I find they've added a new feature. By default it fakes

SSH; it can do FTP, SMTP, all manner and number of services as well, but it provides a system on your network which you want your adversaries to engage with. One, it distracts them, but anything interacting with this system you want to take a look at, because it's probably someone doing something nefarious. And from my side, I'm a strange geek, it's fun. I spend far too much time watching bad guys attack systems that I don't care about. So that's Cowrie. This one, as I said, very briefly: I've got some AWS key honeytokens. I'm going to do this really quickly. If anybody was at DC44191 a few months ago, you've already got a

full 30 minutes of me explaining this, so really quickly, what it is: a key, in AWS terminology, if you've not used AWS, is essentially a username and password. You generate one, you leak it somewhere on the internet, see if anybody wants to abuse it. We're not entirely crazy: you give it a policy that gives it no permissions, so it can't actually do anything. All it does is it means that when someone tries to talk to AWS's platform with this key, AWS associates that key back to me, so I get the visibility of what's going on instead of just their SOC. Leaving out the guts: using various services, it monitors all the logs and ultimately, and we try not to give Cliff

too much grief at this point, it fires off a message to the phone to tell us that somebody's abusing that key. As you can see, in this instance there's a fair few moving parts. The first time around, when I was working this all by hand, it was a good few hours poking boxes randomly, making sure I got it in place, and it took a bit of time to build, but the end results are quite good. So hopefully, with that very brief overview of some of the options that you can get in deception technology, I'm hoping I've generated a bit of interest and potentially a few ideas for where you could take some of this

mindset to help defend some of your networks and get some better visibility. To me, I think a lot of this is a no-brainer; I hope everybody else does as well. I seem to get people excited when I start talking about this, they do quite like the idea. So what's stopping us? One: it's time. Old world, the first Cowrie honeypot I built took me several days: build a new Linux system... yeah, my boss isn't going to be too happy if I'm playing with that if it's not on a sprint. So there's some time involved. There is some expense: you're running a system, old world, if it was old-fashioned

tin, these things get expensive. And fundamentally, we've got higher priorities. You look at that big table of all the defensive controls we should be putting in place: you've got patching, antivirus, firewalls, all the system hardening stuff that we should be doing, and as much as I love this technology, in all honesty, if you've not done any of that, if your antivirus isn't up to date, if your patches are missing (although apparently 20% patching is good, from a previous talk, which was a stat that somewhat scared me), if you're missing the basics, deception technology... you're probably not quite at that maturity yet. And that's one of the problems we'll get: it's that return on investment,

what's going on, and the biggest problem I've seen: management buy-in. I'm speaking at this technical security conference here trying to explain what this technology is, and hopefully I've not lost anybody yet, but equally it's not a technology everyone comes across. This audience isn't too bad, but you go to management, you go to the C-suite, and you tell them that you want to pay money to deploy a system that you purposely want the bad guys to attack, hack and crack, they're going to look at you like you've got three heads. It's not the easiest of sales pitches, especially if you tell them that you want to take time out from doing other things and

spend their money to do it. It's an interesting sales pitch, and the ROI is just not there. And one of the biggest ones I've seen: whilst as an industry we always talk about defence in depth, defence in depth is good, there's no silver bullets, everything I feel we need extra, I've never once come across a regulatory or compliance framework that says "hey, you need a honeypot, you need some deception". Antivirus, patching, all the stuff that everybody does do, the auditors are going to be really hot to go "yep, you need to do this". I've never once had an auditor come to me with "where's your honeypot?" Now I say that slightly tongue in cheek; I'm sure if

there's any ISO 27001 people in the audience, my own compliance guys say the same thing: well, it's absolutely in the framework, you have it as a compensating control. And that's fine, but you've got to define that as a control; it's not something that's mandated, which means management have to let you do it. So that's a lot of things that are stopping us, but I don't want to be too negative, because I like playing with fun toys, and I hope everybody else does as well. So what if we can change all of that? And disclaimer: yeah, I'm not going to do all that management buy-in for this. It doesn't matter what we do technically, it's going to be more interesting, and I'm

probably not changing the compliance guys' view of the world either. But one of the bits I've found to deal with, especially the concept, the blockers of not having enough time to do some of this (we've all got busy day jobs) and the expense of running these things, getting them up and running, getting some value out and getting them down: my answer to that, which you might have got to guess, is leveraging infrastructure as code. It's nothing new; the ops guys have been doing this for many years, lots of you are possibly doing this as well, but equally, especially from security people, I've seen a lot of

security people that know their operations team use infrastructure as code, but there's some security people who don't actually know how to use it for security tooling. So hopefully I'll try to explain a bit of that. So really, what is infrastructure as code? It kind of names itself: it is code that defines your infrastructure, and the key advantage is it's repeatable. From the Cowrie perspective, I said the first one I built took me three days playing with a Linux box to get it up and running, getting all the patches in place, getting all the requirements in place, recompiling it; it was a mess. But eventually, going down the infrastructure as code route, once

you do that work once, the deployment of that thing becomes repeatable, and at the click of a button, as we'll show a bit later on, you can do that thing again and again and again, which makes it automatable. And as much as I like playing with shiny toys, I am also inherently lazy. I don't like doing the same thing over and over; that's Sisyphus pushing the rock up the hill, that's not what I want to do. I want to do one thing once and then play with the goodies. And now that I've got this in place, and I can share the links later for my Cowrie honeypots, if I want a new

one I tell Terraform to go and give me one and it just does it. I love infrastructure as code, I love automation; ultimately I love sitting in a hammock reading a book instead of building the same system I've spun up three times. The other advantage of it is, because it's repeatable, it's the same thing, it should be less error-prone: once you get it right once, you've got no chance of making a mistake. The example I showed earlier with the AWS key: the first time I did it by hand, made a few changes, it was quite a manual process, a simple enough process but lots of manual steps, plenty of places, especially when you're distracted, phone

call, odd tweet, I need some coffee, the dog wants letting out, forget where you are, miss a bit. Just let the automation take care of it and do it all in one go. One of the blockers was cost, and this reduces costs. One of the things, especially from my side as an individual researcher, for myself a lot of the stuff I do, especially in the honeypot world, that's not tied directly with work, is all attached to my credit card. I'm sure everyone's aware of various horror stories, there's one I believe sitting in this room (yep, there is) of potentially really, really nasty AWS bills. I don't want to call you out, but if you stick your hand up, absolutely

fine. These things terrify me: running something in one of the clouds, forgetting to turn it off, and at the end of the month getting a horrendous bill because I forgot. That's the kind of thing that keeps me up at night, that's the sort of thing I really don't want to have to explain to the missus, that I can't pay the childcare for the kids because I forgot to turn the server off. With infrastructure as code that all goes away. You finish your project, you finish your testing at the end of the night, you run that destroy command, everything that's been deployed via infrastructure as code gets destroyed via the same system; it tracks it all for you. My memory is atrocious; I

don't have to remember that, I just need to remember to kill the project I was working on. It helps keep my credit card bills down, and if you're doing it as an employer it helps you keep your costs down as well. As a brief show of hands, not necessarily infrastructure as code but in your network: how many people at some point in their career have had a random box that's sat in the data centre that nobody quite knows what it does, nobody remembers who put it there, but nobody's quite got the steel balls to turn it off because nobody quite knows what it does? I've got at least a couple of hands; I've got a lot

of very nervous faces that aren't willing to put their hands up. But same sort of thing: you build everything as infrastructure as code, at the very least you've got that documentation history of what's there. It means that you can turn it off if you need to; it means, if you've got the infrastructure as code, if it turns out you really shouldn't have turned it off, you can deploy it back; but it also keeps a record of exactly what that configuration was. I said, using the example of the Cowrie installation for myself, it took me three days to get that working. By the time I got it working, I'd tried that many different things to get it working I had no idea what I'd done

to get it working, and it was almost as long to do it the second time round. So keeping everything documented makes life easy. Infrastructure as code: there are almost as many options for infrastructure as code as there are languages for writing any piece of software, and for any devs in the room there's lots of arguments, lots of options; of course there's lots of arguments, everyone's got their favourite. If you've come across these things: Ansible is one option, Pulumi, Chef; there's native tools if you want to stick with a particular platform, like AWS's CloudFormation. The Cloud Development Kit is actually one of my personal favourites at the minute; I love the

concept of it just because it lives inside of other programming languages. You don't need to learn another syntax for the infrastructure code: in my case I can write infrastructure code as Python, you might prefer TypeScript, and it leaves it that close to you without learning something else. For my infrastructure code I use Terraform. I'll debate the pros and cons separately as to which is better than others. I'll be perfectly honest, I used Terraform because when I started looking at infrastructure as code that's what my operational team were using; that's the people I could go and tap on the shoulder to get some help from when it all went horribly wrong. So I'd love to tell

you there's a wonderful technical reason for that; it was just where I was getting the most help to get it up and running, but for the purposes of this it serves as an example. Infrastructure as code: this is some Terraform. I believe this is part of the deployment of that AWS key; in this case it's creating the policy that says "go away". If anyone looks at this, if you don't know Terraform, hopefully it's fairly readable. If you've got any experience of any sort of object-oriented type language, it looks a bit like a class: we define a thing, in this case it's a user policy, we give it a name, we set some variables. One of the

powerful bits of this: you know when you looked at that, there were lots of moving parts for setting up something even just as simple as a user key, lots of different components interacting. They can all be self-referencing, so if you don't know what a particular thing is going to be at the time, give a reference in the code, let Terraform work it all out, and it just does it for you. For the purpose of time I'm not going to go into too much detail, but that's an example of what it looks like, and trust me, if I can work this out fairly quickly, you don't have to be too much of a genius to work

this out, so go and have a play. Especially, the one big bit I will say for Terraform: HashiCorp are doing an absolutely fantastic job with the documentation manual, and I never thought I'd stand on a stage and say some documentation was good. I hate documentation generally: I hate reading it, I most definitely hate writing it, and I most definitely hate watching documentation as a video (people that do that can get yeeted into the sun). But Terraform's documentation is brilliant. Usually I look for the thing that's erroring, quick look in there, scroll up and down a few lines, get the answer, get it fixed. That's one of the few

places where, without being too insulting, I will just say RTFM. So if you play with it, it's relatively straightforward. There's a core workflow which, if you use other infrastructure as code platforms as well, is fairly similar, but I'll stick with the Terraform one for the example. First thing you do: initialise your directory. If you play with source repositories, Git, Subversion, things like that, it's very similar; it just sets it up, says "yep, this directory, I'm going to deploy some Terraform to it". Then we write the code; that might be writing something like you've just seen, or just cloning somebody else's code and reusing what they've got. The bit that for me

makes infrastructure as code, because I'm a tinkerer, I play with new things, I don't always know what I'm doing when I've started: it's got the concept of a plan. You can write some code, you can run a plan, it'll look at your code, it looks at where you're trying to deploy (in this example I'm using AWS, but you can talk to other cloud providers, other cloud providers are available: GCP, Azure, DigitalOcean, wherever your kit is; if you're on-prem you can get providers for VMware, for example, or Docker repositories if you're containerised), so you can work with whatever you've got, and it will map the thing you've just defined as code against the real environment, and it will

give you an idea of: "okay, I'm looking at this; to make the environment look like what you've described, I, being the tool, Terraform, the infrastructure as code, I think this is what I'm going to do", and it will tell you what it's going to build, what it's going to create, what it's going to look like, and it does all of that without actually making any changes. So you can verify that it's doing what you want it to do without touching anything. When I'm playing in my own environment that's not the biggest end of the world; if you're playing in a corporate environment, knowing what it's going to do before you

go and break production is slightly important and I find that rather useful once you're happy you apply it and it goes off and does all the hard work for you um in this deployment example it took a few seconds as opposed to several hours of manually pushing the buttons even when we knew exactly what we wanted to do thus saving us time and as I've already alluded to when you when you're all done hit the destroy button everything goes away no more big credit card bills for Andrew everybody's happy um there's a couple of other steps you might have guessed from the gap there's automatic formatting in there which is just nice makes my Corde look like

everybody else's cord makes it look like I'm somewhat confident cuz it looks like a decent developer order um and there's a validation step in there the checks that the syntax right silly type those things before you get it's not 100% foolproof it's quite uh it's quite possible to write some infrastructure code that passes validation passes the formatting the plan says Yep this is what I'm going to do and you still end up with a problem once it starts making those API calls but believe that's a problem um for later not for this use case if you're interested in some of this you can get ridiculously complex I've purposely tried to keep it the examples I'm using quite straightforward the

Carri uh installation is just using terraformers code to deploy one box to get exactly what I want uh the AWS example is just deploying one AWS key to watch those but the world as youer terraformers Cod operations teams use this to deploy all manner of services all over the world and you can get quite complex and for our purpose is some of this quite easy if you hopefully have generated some enthusiasm that you want to go and play with this yourself which is great go off right complex use cases brilliant if you just want to see what it can do and just use the power of deployment via infrastructures code without having to write any of yourself

there some good projects talk yesterday which I loved um talking about war gaming and using real world examples to get Hands-On training across teams new starts different things perfect example there was a question came out at the end of how do I do it how do I get the lab do I need to pay money to hack the box for example not necessarily um there's great project quite like called the Cyber range which is a terraform project which will deploy all of these things which you can't quite see these are all target systems lots of different windows boxes um couple of the standard box things like met exploitable if you've come across that platform loads of

attacking systems so there's a c box you can play with again all automated some logging stuff if you want to practice defending and it will actually deploy a load of Honey pots to um let you play with as well and if you get the project in literally one command it just runs if you want to play with it it's completely open source uh go to get get it running and with a couple of commands that you've got to sign up first to get access of some of these images but we'll we'll leave that as side but once you once you get that in place you're going to run one command which will deploy all that for you when you're done with your

testing you can destroy it all it all goes away uh one word of warning even if you do just run it and destroy it inside a couple of hours was that still has an impact on your credit card uh cuz it's deploying all that much you can get targeted and just deploy one or two systems at a time rather than everything but it gives you an idea of some of the more complex use cases that you can get out of infrastructure is cord um so with that I said I'll try to be quick hopefully the point of this talk I said I'm I'm not dropping any Elite knowledge I'm trying to introduce some of the areas that I find fascinating

that I'm try to spend some more time with and hopefully I'll manage to encourage everybody else to try and do the same thing so if you would like to know more V alluded to if you do want to play with infastructure code honestly if you've not used it before go speak to your operations team find out what they use they can help you in exchange for making a coup of tea more than likely uh that's much better than pick a minor choice if not terraform is not bad I've said the documentation is really useful it's not a bad place to start even their learning site which I'm normally quite critical of is also really good if the

honey pots and deception technology is more your thing definitely go and speak speak to the honey net project uh they've got some great resources on there some great platforms themselves and just ultimately it's a team of great people um if you want to know more speak to uh hosting there if reading's your thing honeypots I both love and hate uh the this this book that Chris put together I love it cuz it's brilliant gives me loads of information it's also if I was ever going to write a book this was the book that I would have written with everything I read but nowhere KNE was good as Chris did um so if you interested go and read it if nothing

else Chris is a thoroughly nice guy H go help you SS numbers I'm sure will'll appreciate it uh another book um primarily from John strand if you know uh Black Hills information other Security Consultants out there with this book's brilliant covers off Honeypot Technologies as well as the tooling which John's created over the years to do this sorts of thing uh things like artillery reader uh some really good things word of not has been discussed a few talks the concept of offensive Technologies hatting back the book goes into that which makes it absolutely fascinating I am not a lawyer um if you decide to hack back against a van um don't come looking for me to help um but

the the book the book itself is fascinating and I've already mentioned the cook egg definitely give that to read if reading is not your thing and tying the two together if you look at Chris's cookoo's egg decompiled course it's freely available it's absolutely brilliant essentially Chris uses the storyline of the cooko egg to explain and introduce technology where you could move the events that happened in the 1980s into modern day technology that you can use today to take those principles take those ideas and Implement them in modern technology i' definitely recommend that given a go and on the off chance you've still got any interest in learning what the ID on S just talking about uh all the projects

I've discussed live on my GitHub uh you can go find it on inanity or find me on Twitter uh under the same username and you can get everything from there um so I do have one call of action um if by any chance I've done my job and you think this might be of interest please go away and try to play things but the beauty of infrastructur code is once you get something running via that platform it's just a code template from there I say for me I can redeploy my things all the time it also means that if you were to write something and give that code to somebody else they can do the same thing

if we share all of these deployment templates together it means that we as an industry have access to a huge range of different tooling um that we can deploy without without those time constraints without necessarily those expense complaints and increase the defenses collectively of all of us without needing to do everything out of ourselves um good good old standard of standing on the shoulders of giants if you create any share I can guarantee from experience doesn't matter how bespoke unique something you've released is somebody on the internet will be trying to solve the same Challenge and they'll come and thank you because you've just saved them two days worth of development so if you can if it's not if it's not propriety

technology and you can share from uh your employer please do I love playing with everybody else's code I say I'm lazy i' much rather be sitting in a hammock if I can deploy your code rather than spending a couple of days rewriting the thing you've already worked out um that makes everybody's life easier all around um so with that as shall pause are there any

questions got you guys well trained I don't even have to tell you to applaud anymore this is awesome hello dear how are you not too bad little bit grossed out fam earlier um so I I get that you're talking about like infrastructure as code in terms of Honey pots but honey pots in general make me nervous and I'll tell you why y so um I've got two examples from the past say 10 years which I think that's too too many of when this has been done re like really badly so um I didn't work at this company myself but um this really excitable guy in a blue team got Authority I can't imagine why but he got

authority to stand up um this server and like we can learn loads from it it's going to be amazing blah blahy [ __ ] blah he puts it on the internet um it works they get loads of attacks but he didn't properly segregate it cuz he didn't have the support so the company actually got got infected with various different threat actors nothing in serious no APS um they weren't a massive Target but that person you know like yourself really excitable like you know advocated for it but he he got authority to do it and yeah so anyway there's that um and then an experience I had at a company I was at they had um a Honeypot database

that had fake information in it now okay great a threat actor got it or a group got it and the group didn't know that it was um fake information which is great but neither did the Press so when journalists got a hold of it they were like oh this is so and so's data and they were like oh no it's fake and they were like we don't care it's going in the [ __ ] newspaper mate so it just makes me incredibly nervous so how can um how can we get senior leaders on board with stories like that floating around yeah uh brilliant points all around um I think you just perfectly explained why it's ridiculously

difficult to get management buy in for this sort of thing um your first example I'm going to be slightly slopy shouldered and suggest that's a pepac problem rather a honey honey pot problem uh where previous already said sorry no arous pepac problem exists between keyboard and chair um that's probably not how you deploy one of these things but there's some very important points to that I'm speaking you'll notice my employer wasn't mention any of this the stuff I've described here this is stuff I do as a personal capacity uh all of the honey pots that I expose to the internet for these sorts of attacks I do as me completely unrelated to an employer if I was doing this from an

employer's side I absolutely would not put a honey poot live on the internet I'd treat it as any other resource and that gets fire all the way it doesn't get a public IP address left internally which makes it really boring because there's hopefully no attackers on the inside of your network and nothing happens from the honey poot from a return investment side it also makes the uh the value the noise ratio on that honey pot immensely valuable cuz if there's something on the inside of your network that is porking that honey pot you probably want to know about a pretty Dam quick um one of which it might be a compromise and as just been shown with

looking around looking for all those systems in the previous talk of just to see what was on the network it's going to pull up a Honeypot as well from my experience and obviously deploying honey Poots in professional settings I've not got really any any interesting War Stories I don't have any wonderful marai scripts from doing those scenarios I do have example of some new really enthusiastic members of staff that have come in and within 24 hours started abusing their network access just to Parke around and see what they can get it's quite from a blue team perspective it's really handy SC came and worked for you as well all right okay it's good to know who these people are really quickly

um not necessarily give them a slap on the wrist but just yep we're watching and yes we are most definitely going to pay a lot of attention to you um so there is some value there and in terms of yeah the press release that doesn't surprise me um the journalist that's got the story isn't going to care whether the theater is public or not um yeah I I wouldn't be doing that uh from the corporate side but from a individual researchers Ides I love that kind of thing there's a there was a spin angle there to turn around and say no no we caught that guy trying to break into our Network that's why he's got dummy data

but I mean so I mean that's it he look at it worked reputational perspective it's quite challenging is it to say yes it is our dat no it's fake promise yeah well but that's the spin the spin is the yes we caught them because they fell into our trap if somebody isn't able to stand up and say that then yeah it's going to be awful yeah but yeah and very few companies need to put a box out on the internet to see what's getting hit normally that's security companies doing research they to ex and as a perfect example if you do want to play with any of this without all the risks you've just done a perfect

job of explaining what they are uh keynote from yesterday uh I think it was R from Rapid 7 was talking about uh the projects which he said he's about to put live I I may or may not have seen some of that data had access before it goes completely public a lot of the data that I'm talking about yeah if you can get big name professional companies just giving you all that data um you can do it that way projects like that sorry been mentioned things like um Showdown sensus a lot of the time they'll have information that they glean threat intelligence companies a lot of the time they throw this out there sh it in

report charge you 100 grand for uh so there's ways to get getting the data without running the systems yourself um I'm a technical geek I like playing with toys myself I'll probably get my fingers burned at some point but there's a reason why I do this as me absolutely nothing to do with any of the employees I've done before cuz I like getting paid at the end of the day and I don't want to explain why the Seesaw is in front of BBC News next [Music] question uh con question and a comment um firstly uh last time I played with honey pots about four or five years ago go and at the time nmap was very good

about fingerprinting the services as honeypots has that changed do the honey honeypots now um better emulate the original service yeah the there there still that that's all there's always a bit of a sort of race you know there's the usual race that we have as an industry where we're chasing between attackers and Defenders there always changing exactly the same thing to some extent I'm not too bothered if my honey poot for the ones I deployed get finger that much cuz that's usually a confident human behind the keyboard that sees it most of the attacks RC the automated Bots which aren't looking for these things or very incompetent script kitties so it's not that much of an

issue if I was wanting to uh for cry I get quite lazy as I said I like my hammock by default it'll spin up air system default file system that comes as part of the project you can tell very quickly it is a c system but equally if you spend a bit of time there's ways of building a fresh file system completely unique takes away all of those indicators to make it harder to fingerprint um so it depends how much effort you want to put in depending on what you want to get out of it who your adversaries are you know if it's general research it's good enough if you're trying to trick in certain nation state

here I'll try not to name names uh then yeah you're going to have to put a bit bit more effort into it and take a bit more risk as you go ultimately if you're deploying a honey pot things like even the medium to high interaction honey pots like cry which have some controls if you want to run a honey pot that's completely undetectable you need to run a completely native system take all the risk with it whatsoever take all the training wheels off and I've been doing this for years now yeah I'm I'm not willing to go down and take that level of risk myself but it depends what you're trying to get out of the

engagement really thanks um and just the comment I'm also a massive fan of the Cuckoo's egg I have literally lost count of the number of copies I've bought of that in the last 25 years and given away as Christmas present to colleagues um if you really can't bring yourself to read the book If you look on YouTube PBS made the movie of the book in 1989 with Cliff stall himself starring in it and it's an interesting video yeah it's it's absolutely brilliant if for nothing else if you jump to I'm slightly concerned I think I actually know the time reference in this if you jump to about minute 41 there's a brilliant scene where the film

Chris explaining what he's doing to his then girlfriend as to what's going on this is the reference around sort of inventing the PED if this happens need to run away and the look of sheer confusion from the non-technical spouse I've seen a 100 times before trying to explain what I do to my Ms um it's worth it just for that section in my mind okay one last question if anyone's got

one one's uh slightly uh silly but can you enumerate Honeypot 10 times just for whoever is on the live feed doing the drinking honey pot honey pot honey pot honey pot um that's probably enough if you if you can manage to tolerate your alcohol like I can these days add that to everything else you're probably in a comoss so yeah please do not turn that in into a drinking game otherwise people will end up in hospital I think you underestimate the liver of some of the people that attend this that is quite possibly if we go for where the weird things go that is possibly the weirdest we have ever finished a presentation so I think

that's probably a good time to awesome thank you very much thank you
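The talk walks through the Terraform workflow (init, fmt, validate, plan, apply, destroy) and, in the Q&A, the speaker's rule for corporate deployments: the honeypot gets no public IP and is firewalled so that only internal traffic can reach it. The following is an added example written for this page, not code from the talk or from the speaker's GitHub projects, showing that shape for a single Cowrie box on AWS. The variable names, the VPC/subnet layout, the instance size and the Cowrie install steps in the user data are assumptions; the Ubuntu AMI lookup and the security group rules are standard AWS provider usage.

```hcl
# Added example, not code from the talk or the speaker's projects.
# One Cowrie SSH honeypot on AWS, reachable only from an internal range,
# with no public IP. Resource layout, variables and install steps are
# assumptions; adapt them to your environment.
#
# Workflow described in the talk, run from this directory:
#   terraform init      # set up the directory, fetch the AWS provider
#   terraform fmt       # normalise formatting
#   terraform validate  # catch syntax errors and typos
#   terraform plan      # show what would change, without touching anything
#   terraform apply     # build it
#   terraform destroy   # tear it all down when done (stops the bill)

terraform {
  required_version = ">= 1.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.region
}

variable "region" {
  type    = string
  default = "eu-west-2"
}

variable "vpc_id" {
  description = "Assumed: existing VPC the honeypot lives in"
  type        = string
}

variable "subnet_id" {
  description = "Assumed: private subnet with no route to an internet gateway"
  type        = string
}

variable "internal_cidr" {
  description = "Assumed: internal range allowed to reach the honeypot"
  type        = string
  default     = "10.0.0.0/8"
}

# Latest Canonical Ubuntu 22.04 image in the chosen region.
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }
}

# Only the honeypot port, only from inside. Nothing from 0.0.0.0/0: that is
# the difference between a useful internal alert and the "company got
# infected" story from the Q&A.
resource "aws_security_group" "honeypot" {
  name        = "cowrie-honeypot"
  description = "Internal-only access to Cowrie"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 2222
    to_port     = 2222
    protocol    = "tcp"
    cidr_blocks = [var.internal_cidr]
  }

  # Outbound is needed once, to fetch Cowrie and its dependencies.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "honeypot" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t3.micro"
  subnet_id                   = var.subnet_id
  vpc_security_group_ids      = [aws_security_group.honeypot.id]
  associate_public_ip_address = false

  # Assumed install steps following the Cowrie README pattern
  # (https://github.com/cowrie/cowrie); check the current docs before use.
  # The stock fake file system listens on 2222 and is easy to fingerprint,
  # as the Q&A notes; replace it if that matters for your adversary.
  user_data = <<-EOT
    #!/bin/bash
    apt-get update -y
    apt-get install -y git python3-venv python3-dev libssl-dev libffi-dev build-essential
    useradd -m cowrie
    su - cowrie -c '
      git clone https://github.com/cowrie/cowrie && cd cowrie
      python3 -m venv cowrie-env && . cowrie-env/bin/activate
      pip install --upgrade pip && pip install -r requirements.txt
      bin/cowrie start
    '
  EOT

  tags = { Name = "cowrie-honeypot" }
}

output "honeypot_private_ip" {
  value = aws_instance.honeypot.private_ip
}
```

Run `terraform plan` before `apply` and read the output: the plan should show exactly one instance, one security group and no public IP. If the plan lists an ingress rule from `0.0.0.0/0` or a public address, the configuration has drifted from the internal-only intent and should be fixed before anything is created. Anything that connects to port 2222 on the private IP afterwards is, by construction, inside your network and worth an alert.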