
Social Engineering Honeypots - Raf Tomaszewski

BSides Basingstoke | 22:55 | 44 views | Published 2024-09 | Watch on YouTube
About this talk
Raf Tomaszewski presents social engineering honeypots as a defensive mechanism to detect and slow credential-theft attacks. By deploying fake social profiles and monitored accounts on platforms like WhatsApp, LinkedIn, and Facebook, organizations can gather actionable intelligence on attacker tactics while remaining low-cost and largely automated. The talk emphasizes that effective security requires covering the basics—patching, user awareness, and deception-based detection—rather than solely pursuing sophisticated technical solutions.
Transcript [en]

All right, that works now. Okay, right, so first about me: I was recently working in the defense industry. I moved to that security company with the difficult name, like someone smashed the keyboard, and I worked as a SOC analyst. And I came up with an idea about social engineering honeypots, because social engineering attacks are on the rise. Recent data shows the involvement of attacks is up to 85%, and obviously we are in the cyber security industry, we're supposed to secure systems, protect people. From my perspective it seems like we're kind of missing a huge service. So what is a honeypot? A security mechanism designed to lure attackers by simulating a vulnerable system, or in my concept

social profiles like LinkedIn, Facebook, WhatsApp, etc., right? The benefit of this concept, honeypots, I'm sure you're familiar, but let me just rewind that for you: it's just to detect the fact, use the analysis, the intelligence we get from those observations, to protect better. So deception in security: usually deception is something that hackers use most of the time, and I think we just should adapt and match the techniques. Like, if they're using it, it's easy, it's low-hanging fruit, why shouldn't we? And it will definitely benefit us in the long term. So when I was researching the topic it was interesting to me how we got a decrease in time to compromise over the

last five years. From some, it depends which data you're going to look at, it was going to be something from around 100 minutes down to 5 minutes, which is a huge challenge, right? Because we don't have much time to respond, we need to be quick, and you know, when the breach happens, when there's like an incident, every minute counts. And if we can get more time to respond, if we can slow the attack down, that will benefit us significantly. At the same time you can see the same graph is going the other direction: the rise of social engineering, how many social engineering attacks have been taking place. And again, it depends who you're going to ask

about the data, you're going to get different results, but undeniably it's on the rise, you just can't deny it. And then when you combine those two graphs it's pretty obvious. I mean, I'm not saying that correlation means causation, there's different factors included, like for example I've seen a statistic that apparently there's three, four times more zero-day attacks involved, which is a bit strange, because the problem is people measure zero-days differently. So it is the same there. Obviously there's a rise in cybercrime, crime as a service in general nowadays. And you know, if you're a criminal, you're a criminal, because if you would be a hard-working person you would not choose crime, you

know, you're choosing crime because you want to pick the easy way. And the easy ways, for example, stealing credentials: like, why bother with zero-days, why bother with, I don't know, implementing some backdoor in the open source software, when you can just steal the login from someone, from Facebook, whatever, social engineer that. So I do believe we need a more robust and interdisciplinary approach. So what we used to do, what we do as an industry, we do get this hero complex, like double-O seven, sophisticated, you know, great encryption and so on. Well, at the end of the day, what criminals do, they go for an easy way to compromise a system. If they can just log

in, why would they bother with wasting so much time of their own if they can just compromise the system by logging in, going to the deep web, dark web, or just social engineering the employees of the organization? In the wrong way, we tend to go to extremes when we approach it: either we're going to go like once a year, click-through, done, don't care about it, you know, I got my assessment done; or we're trying to turn them into cyber security experts themselves, which is ridiculous. That's our job, we are the cyber security experts. So where's the middle lane approach? What are we going to do with that? And

that's where I came up with the idea of social engineering honeypots, and it's very simple. It's very simple, and that's why I was really surprised when I was researching for this talk and was interested in this, I was really surprised that no one else kind of really spent time to develop it, and tools to help us protect organizations in this way from this kind of threat. It was, like I said, 85%, it's a really big number. I'm not saying we're going to stop 85% of attacks this way, but if you can just at least slow them down or stop some of them, it's already a win. And it's very easy to do, and what it kind of requires is a

shift from that mentality of cyber security experts, you know, sophisticated algorithms, blinky boxes, etc. That's all important, but the basic measures are the most effective: patching systems, making sure the end users are informed, that they know what they're facing, that we're just covering the basics, basically. That's why Cyber Essentials was such a successful program, in my opinion anyway. When I was building the proof of concept, the WhatsApp honeypot, I apologize, I do not have data on the usage of it, but if you go on Twitter, LinkedIn, you see how much PR is just coming from it, and they come in this way because it's so easy to automate and exploit, etc.

Well, at the same time we should be using the same tools. Like, if it's easy for them, it should be easy for us, obviously, so we should leverage the same techniques that they are using. So what I've used is a WhatsApp Business; altogether it's like 50 a month, depending, it varies, right, but the cost is very, very low. And I'm looking at it and I'm saying it will cost you nothing, basically, as an organization, and at the same time it's so easy to maintain because it's mostly automated. Obviously I'm not saying this is like a golden solution to all social engineering attacks, that's not the point, but if it

has another layer of security, why are we not going to do it? Like, what are we doing? So step by step: obviously I'm going to share the code and how I did it on Twitter, you know, feel free to approach me if you'd like to know how I did it. It was super easy, and I'm going to be completely honest with you, I used ChatGPT with it, and yeah, I could do it myself in a week, but with ChatGPT I just did it in half a day, right? I'm just saying I'm not an engineer, anyone can do it, it's so easy, and I cannot understand why we are not implementing any

kind of measures when it's so easy and it offers another layer of protection, a significant layer. Step by step: do a WhatsApp account, video class, and work and open, very cheap, very efficient. The code is very simple; again, cannot rely on ChatGPT solely, it was making some mistakes, I had to look at the documentation, tell it how to do it where it was going wrong, but you know, it took me half a day. I'm not an engineer, I had some basics in Python, that's it. If you're going to dedicate someone who is an expert or professional at it, they can take it so much further, and you guys, you can take it so much further. So obviously AI is not really

reliable, but still, if you spend some time you can prompt it, especially with ChatGPT 4.0. I know, AI, I know, everything is AI now, and I'm sorry that I'm AI again, but it's so easy, that's the benefit. And the logging features: you can set up scenarios, like for example you prompt it, you're a receptionist, you've got this kind of credentials, you should not want to give them out, but eventually... it's not about teaching AI not to give credentials, we want to see what happens, how the post-exploitation phase looks like, what happens, how they approach people in the organization with the contacts. So you can build a lot of things in there, you can make

it escalate cases to the live agents in real time, or you can just log it for the purpose of it. And use cases: the most basic, obvious one, actionable current intelligence for your organization, right? Your organization. I'm not talking about, oh, there's 60,000 attacks in a month or whatever, no, your organization: are they being scammed using, like, Amazon vouchers or whatever? Then you can go with some actionable intelligence to your employees, to people within your organization, and tell them to look for this particular thing. It's very simple, and that's what actually we should do. Do not make end users cyber security experts, they don't want to be cyber security experts. We want to be those

people, this is our role, to defend the organization, and I think this is one of the ways, this is the direction we should be aiming. So the way I think about it, it should be almost like a weather forecast: like, at this time you're facing this kind of attacks, watch out for this, that's it, right? So obviously we're going to create some fake profiles, some fake engagement, going to, like, pretend there's an employee joining, maybe someone's leaving, maybe someone just likes to share a little bit too much information on social media, and that's going to be leveraged for intelligence. Hopefully some attackers will go this way and use it. But there are a couple of

steps we can take; it depends on the organization and what should go in. Well, at the most basic level we can design the AI, the profile, to dish out the credentials, like credentials or a hash, so at least whenever someone tries to use those credentials they are going to be blocked immediately, forever. Basic, but we can go further: we can spin up a honeypot, and even we can spin up a whole infrastructure and see how the attack goes using the credentials, what they're going to do, how they're going to act. Then we can defend better using this intelligence. Yeah, that's already closing. So in my opinion we do need a polymath

approach in cyber security, quite urgently. And I'm not saying everyone should be a polymath, that's unrealistic, but having everyone involved, everyone on board, people from... we need that interdisciplinary approach, just like on the graph. Like, cyber security is not just catching hackers and drinking coffee, it's so much more: compliance, assessments, remediation, patching, etc. Cyber Essentials, programs like this, have been hugely successful exactly because of that reason: they cover the basics. We have the tendency to having more blinking boxes, military-grade encryption, good words, you know, for snake oil salesmen, saleswomen, it's great leverage, right, but in reality what is most successful is doing the basics, right? You want to,

you can call it, like, zero trust, you can call it secure by design; it's basically doing the right job from the start. Criminals will always go for the easiest route, and it's cool that we're playing Agent 007, super sophisticated algorithms that protect everything, but at the end of the day it all comes down to people. Those who attack will go for the easiest way, the easiest path, the easiest game, right? They're not ambitious people, they just want to get it. We can't patch people, and we need to realize that people are people, people aren't machines, and we need to get off our high horse and talk to them

in a way that they understand, right? Don't educate them, don't make them cyber security experts. We are the cyber security experts, we're supposed to do this job, don't make end users do your job, it's just ridiculous. That was my whole point really, you know: we can use what we have, we can adapt like criminals are adapting, we can adapt in the same way, use low cost tools and change our ways, make everyone involved and make security accessible, that's it. Oh, also, feel free to test the chatbot. It's very basic, but if you text this number with "J driven" you can test the chatbot. It's very

basic, running on GPT-3.5, latest version, but it does have hidden credentials, so if any one of you can leverage this, if anyone gets those credentials, I don't know, I'll take you out for dinner, we're going to figure out something. Consider this as a capture the flag kind of challenge. But that's not the point. Like I say, I'm not an engineer, it just came up in my head just observing the natural landscape of the cyber security industry at the moment and how people, end users, are confused. You know, look at today, CrowdStrike, what's happening, how many people are so confused at the moment, they don't know what is going on,

right? We should explain it to them in a way they understand, right? Not so we look professional, not so we are so amazing, no: how they can actually help us. Help me help you, right? And I said thank you for your patience, like, I can't say

much, thank you, that's it. Oh sorry, any questions? Yeah. Did you identify any new attack TTPs using the sandbox? No, so yeah, I'm going to be honest, I just spun it up for the purpose, so just I don't come empty-handed. But we do, so I joined that security company, check us out, so now honestly, researchers, we're quite innovative and we've got some really cool things in the pipeline, and hopefully next year I'll come with some actual intelligence and data I can provide to you: how that worked, how we're implementing it potentially. I honestly believe it's a good product, costs you nothing, costs you nothing. How expensive are current systems, right? This costs you nothing, and

how much, even if it protects just, like, one in five attacks, it's still worth it. That was my

point. Scale? So it depends. So when I was researching I've seen people implementing this kind of concept, as an idea, into EDR or, like, on wide scale adoption, which for me misses the point, because it's about protecting your organization. It's tailored to your specific situation and your employees: someone is targeting your employees from your organization, and even if it's just, like, you know, one hit every month, it tells you that someone's actually looking at your company, your organization, they're researching it, checking it out, you know, scanning, if you will. Don't

see? No, I do, I do absolutely, but it depends how you define scaling up. Oh yeah, easily, yeah, absolutely, yeah. I mean, I just don't want it to be mass production, in a way, like, you know, because that's what people get caught up in, like, oh, we did a massive research, we got so much data about a variety of attacks. Like, yeah, we know that, we already know that, but what is your organization facing, what do you have to be afraid of today, this month, this week? Thank you. Just one more question. So I think this is, like, really kind of cool, because if you're in a situation where you do a lot of call

center stuff and somebody starts hitting that number with, like, spoofing attempts, like, you know, bank frauds and stuff like that, have you thought about, like, what you're going to do with that type of info that, like, isn't directly related but is, like, a phishing campaign, for instance, or a smishing campaign for one of the banks? Like, how are you going to let that bank know without saying, hey, I'm Raf from security research? That's a good question, I didn't think about it in this way. Obviously, let me be clear, this is a WhatsApp example, but you can apply it to LinkedIn, you know, anything, any emails, why not, you know, anything, and it will be just as

easy, in my opinion, early. But I'm going to be honest, I do see it as, like, a very targeted kind of protection for you, especially for you. Obviously if you're going to come across some valuable intelligence of some new tactics no one has ever seen before, yeah, share it, yeah, absolutely, share it. We tried to research, create identities and this information; how much of this solution relies on getting that number out... I see, so how do they get involved in the honeypot, is that what you mean, put the honey out? So that's why I'm saying, that's why it should be targeted, in my opinion. Obviously you can just put it on Twitter,

you know, get it shared in random places, like, oops, I shared my phone number, and you're going to get scammers with romance scams, that kind of thing. We already know that's happening for everyone, you know. I'm looking for specific protection, specifically for your organization. And also I would like to, actually, sorry, I forgot to mention: you can use AI, because that was the easiest in my proof of concept, but you can at the same time use actual natural language processing. The thing is, it will take more time to find it and, you know, requires more effort, but will be at the same time much cheaper. But yeah, so the concept is, I think, when it's relevant

to you, it's actionable, and actionable is what I'm looking for. Yeah, I don't want data for the sake of it, so I put out a report, I'm like, yay, right? We want something that will actually help end users face day to day pressure and protect your organization. At the end of the day, like, when they get approached, tell them to send this number instead? Oh no, so I see what you mean. So the concept is you create Facebook, LinkedIn, all kinds of social media profiles, and so let's say I joined recently that cyber security company, I had, like, two scam attempts, one I kind of investigated, led me to, it was

trying to make me buy some Apple gift cards. Yeah, thanks very much. We've got, we'll talk in a minute.
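The talk describes two things the honeypot's output is good for: honey credentials the persona "leaks" should never work, so any attempt to use them is a high-confidence alert and the source gets blocked; and the logged conversations should be boiled down into a short "weather forecast" for staff (gift cards, Amazon vouchers, and so on). The following is an added example, written for this page and not the speaker's code; the auth log format, the honey usernames, the chat records and the lure themes are all constructed assumptions.

```python
"""Added example (not the speaker's code): turning a social engineering
honeypot's output into the two defensive signals described in the talk.

1. Honey credentials handed out by the honeypot persona are never valid, so
   any attempt to use them is a true positive and the source is blocked.
2. Conversations logged by the honeypot are grouped by lure theme so the
   organization can issue a short "weather forecast" to its own staff.

All sample data below is constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Honey credentials the persona is prompted to "leak" (constructed). Using a
# distinct username per lure lets a hit tell you which channel was targeted.
HONEY_USERS = {
    "reception.temp": "whatsapp-lure-2024",
    "j.smith.contractor": "linkedin-lure-2024",
}

# Constructed auth lines; the format is an assumption, not any real product's.
AUTH_LOG = """\
2024-09-10T08:01:12Z auth sshd: Failed password for alice from 10.0.0.5
2024-09-10T08:03:40Z auth sshd: Failed password for reception.temp from 203.0.113.7
2024-09-10T08:03:55Z auth vpn: Accepted password for bob from 10.0.0.9
2024-09-10T09:17:02Z auth vpn: Failed password for j.smith.contractor from 198.51.100.23
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<svc>\w+): (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass(frozen=True)
class HoneyHit:
    timestamp: str
    service: str
    user: str
    source_ip: str
    lure: str


def find_honey_hits(log_text: str) -> list[HoneyHit]:
    """Return every auth event that used a honey credential, whatever the result.
    Even a failed attempt is a true positive: no legitimate user knows these names."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of crashing the monitor
        user = m.group("user")
        if user in HONEY_USERS:
            hits.append(HoneyHit(m.group("ts"), m.group("svc"), user,
                                 m.group("ip"), HONEY_USERS[user]))
    return hits


def block_list(hits: list[HoneyHit]) -> list[str]:
    """Source addresses to block immediately: the talk's 'blocked forever' step."""
    return sorted({h.source_ip for h in hits})


# Constructed honeypot chat records: what the persona was asked to do.
CHAT_LOG = [
    {"channel": "whatsapp", "text": "Hi, it's the CEO, I need you to buy Apple gift cards urgently"},
    {"channel": "whatsapp", "text": "Please confirm your login so HR can update payroll"},
    {"channel": "linkedin", "text": "We're hiring, send your company email and password to apply"},
    {"channel": "whatsapp", "text": "Amazon vouchers for the team, can you buy and send codes?"},
]

# Lure themes to report on (constructed keyword patterns; extend per organization).
LURE_THEMES = {
    "gift cards": re.compile(r"gift card|voucher", re.I),
    "credential harvest": re.compile(r"login|password", re.I),
    "payroll": re.compile(r"payroll", re.I),
}


def forecast(chats: list[dict]) -> dict[str, int]:
    """Count lure themes seen this period; one message can match several themes."""
    counts: Counter = Counter()
    for msg in chats:
        for theme, pattern in LURE_THEMES.items():
            if pattern.search(msg["text"]):
                counts[theme] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_honey_hits(AUTH_LOG)
    for hit in hits:
        print(f"ALERT honey credential {hit.user} ({hit.lure}) used from "
              f"{hit.source_ip} on {hit.service} at {hit.timestamp}")
    print("block:", block_list(hits))
    print("this week's forecast:", forecast(CHAT_LOG))
```

Run it directly to see the two alerts, the block list and the theme counts. The honey usernames are the detection key, so they must be unique strings that no real account shares; in production the auth lines would come from the identity provider or SIEM rather than an inline string, and the forecast counts would be what goes into the short "watch out for this" note to staff.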