
Honeytrapper: The Attacker Strikes Back - Dónnan Mallon

BSides Newcastle, 22:57, 38 views, published 2025-02.

Transcript [en]

Hey guys, this is Honeytrapper: The Attacker Strikes Back, and yes, if it wasn't obvious, it is a Star Wars reference. A quick "who am I": I'm Dónnan, by the way. I'm a CTI analyst at Italian, and I have an interest in all things forensics and TI, ironically. I like getting involved in the cyber community, doing talks and competitions and stuff, but I'm a movie buff as well. The agenda for today is a few things: a recap of what honeypots are, for those who aren't familiar with them or need a refresher; the attacker strikes back, so when honeypots maybe get abused for various purposes; when the good guys win, because it's not all negative, there are some benefits to having honeypots; and then Mario. Hopefully some people read this and thought, what's Mario got to do with this? Well, you're going to find out. And finally the rules of deception, which goes into how deception is pretty much the foundation of a honeypot.

So, a quick recap: what's a honeypot? Firstly, it's not honey, it's a honeypot. Realistically a honeypot is a bait or a lure to draw attackers in, so it's a deception tool used for detection purposes. It's meant to mimic something that you would think looks real; it's not, but the attacker doesn't know that. It's designed to be compromised, on purpose, depending of course on the type, which I'll go into in later slides. We've separated it into three primary types. You've got your honeytoken, which is your typical piece of data, like a Word document or an Excel sheet with passwords (not real passwords); a honey service, mimicking a service like SSH or FTP, you name it; and then a honey system, mimicking an operating system like Linux or Windows.

Then there are different levels of interactivity: low and high. Low is typically for detection purposes, whereas high is a bit more of a risk, because it draws a lot more of the attacker's attention; it mimics all the internals of an operating system from the ground up, whereas low interactivity isn't really mimicking too much of what an operating system is and is more just your tokens and so on. This is just a wee diagram to show you how a honeypot works. You can see there are two different types. One is external facing, kind of research-based, and these are the ones that are a bit risky if you want to have them inside your network, because these are the ones that have all the ports open. The attacker notices them because everything gets scanned every second of every day, so when they see something exposed they start probing it and attacking it. Particularly from an intelligence perspective like mine, this is valuable because you can start to see exactly what your attacker is doing, what exploits they're trying to throw at you, and build a profile of what they're trying to gain, and especially geolocations, because you get dozens of IPs firing at it.

Then this is low interactivity: an endpoint, a machine with a honeypot on it, containing files that mimic certain pieces of information. This is more for detection purposes, so if an attacker's going around probing things after some breach or initial access to your network and they come across a honeypot, by the time they realise it's a honeypot it's too late; you've detected them and you're like, cool, there they are, you can boot them out. With high interactivity, again, it is a bit of a risk, because you are basically letting them compromise things left, right and centre, but I'll go into a bit more detail on why that's a big risk.

OK, so the attacker strikes back. This is really where honeypots are a bit of a downfall and the attacker gains the upper hand. I've separated this into a few pieces: placement, honeypots not working, and the consequences. Again, we've seen in the last diagram where it's being placed, and placement-wise it might be poor; you don't want to sit it right beside the domain controller, for obvious reasons, because otherwise you're letting the attacker get closer to the keys to the kingdom. When the deception fails, it will be hard to track the attacker's movement. If you fail to deceive the attacker, or they know it's a honeypot, then they won't bother and will just go off elsewhere, and it's going to prove difficult for you when you're trying to actually detect them. Then when honeypots aren't configured right, they can be leveraged by the attacker. This goes more for higher interactivity honeypots, mainly because the attack surface is quite large, and particularly you need to make sure it's an isolated environment. For those that have dealt with malware, you know that if you're running things in a sandbox you need to make sure it's isolated so things don't escape through memory or the network. Same thing with honeypots: you need to make sure it's isolated enough. If it's not, the attacker can realise, well, cool, I can use this and actually climb up the chain, and then you're basically screwed. As a result, sensitive files may be exposed, depending on whether you've actually put real files in your honeypot when instead you're meant to mimic it and put in fake data; that kind of thing can happen, and as a result it just gives them better ways to get further in.

So the rest of it, for honeypots: not identifying the honeypot. Again, the attacker will just realise, oh, it's a honeypot, because it's poorly configured, or if not poorly configured, the deception of it is just, this is clearly a honeypot. It's like if you set a trap up for someone in a jungle and you clearly put a big neon sign on the spike trap; they're not going to really fall for that, right? It's pointless. They don't always work; it's true. Again, I wouldn't say honeypots are the only line of defence you should have; they should always be paired up with an EDR or something. There have been times, and this draws on the third point, where scanners, vulnerability scanners or penetration tests, can kick off honeypots, which is why you need to add the IP of the machine and so on to the known addresses, that way things don't get picked up. From a SOC perspective, I guess they are working: you start seeing honeypots get flagged all the time because scanners keep kicking them off, but they're dormant machines anyway, so they are working as they should be, but for the wrong reasons.

That leads to the last point: the attacker can create fake exploits. Once a honeypot's been fingerprinted, the attacker can literally just create fake exploits to divert you from where the actual exploit has taken place, and then you're even more screwed, because you're trying to focus your attention on something that's actually not a threat while something that actually is a threat is in the back door. Same way with a DDoS attack: sometimes attackers will use it as a smokescreen, because everything's dying and then they'll do things in the background while you're not paying attention. Same concept there.

So, when the good guys win: there are positives to honeypots as well, it's not entirely negative. The number one thing is wasting time and resources. Going back to the high interactivity honeypot that we've seen in the diagram, that's actually a good way of using resource exhaustion. Attackers have limited resources, depending on who you're dealing with; compared to an APT, yeah, you're kind of grasping there, but honeypots can just drain their resources left, right and centre, and at that point they don't have a lot to throw back afterwards. It also reduces the dwell time, so how long they're actually there within the network; if they're picked up really fast, they've kind of lost that game a wee bit. Then an extra line of defence and detection: again, it adds that extra line of detection for you when you need a bit more visibility within your network, because organisations hire MSPs when there's too much to handle on their own, they need extra help, and honeypots are kind of like that too. And again, providing intelligence, like I went over earlier: it's a good way for an intelligence analyst like myself to understand what your threat landscape is, who your audience is, is it coming from Iran or China or Russia or the USA, for example, what's the general geolocation, and so on.

Moving on from that, you might be wondering what this has got to do with Chris Pratt. He did play Mario, but yeah, it's all about Mario. What's this got to do with Mario? Well, when I started thinking about this talk, since it was a bit plant-themed, I was like, oh, Mario's actually got something to do with this, and funny enough it's actually on your badges there.

So a quick disclaimer: I know Nintendo probably won't care, but there's such a thing as the Nintendo ninjas, who like to copyright strike things that mention their products, so just in case this gets flagged, that's a quick disclaimer. Cool. So we've all played Mario, or the majority have, or know who he is. We're all familiar with warp pipes, the thing you can traverse different worlds back and forth with and sometimes jump over, right? And we're all familiar with the Piranha Plant, or this guy called Petey. When you get those two together you get the piranha in the warp pipe. This is the funny thing where I thought, that's a honeypot, because it's a game of deception: you don't know if the warp pipe you're about to jump over is real or not. Honeypots are the same thing: they try to mimic something that you think looks like a password file; it's not, and you've pretty much been screwed. Same way with honeypots, the plants are a good way of saying, yeah, you're screwed.

Then, to add further to the plant theme, I thought, well, a Venus flytrap is also a honeypot, because it pretends to be something that it's not. Insects and stuff don't know that; we all know it's clearly a carnivorous plant, but by the time they land on it, it's too late, they've been trapped. You've also got further carnivorous plants, like this one here, where it acts as a water or food source as well and traps insects there too. So you've got two other real-life honeypots right there.

Adding further on to that, we've got the rules of deception. We're all familiar with this horse here (oh God, it looked a lot better on my slides). We're all familiar with the Trojan horse from Homer: the Greek soldiers snuck into a wooden horse given as a gift offering to the city of Troy, then the Greek soldiers came out, ransacked it and pretty much turned the city upside down. The Trojans didn't know that, and that's where deception really plays; funny enough, this is a really good example of how deception really works.

You might be thinking to yourselves, why does deception really work? This was something I found while I've been researching honeypots, and it's from the book by Chris Sanders, which I highly recommend reading. It gives a framework from Barton Whaley from 1980. He developed this idea of deception from hiding the real and then showing the false. The idea is you want to make them think that they have something they don't, and hide what actually is. That's the core fundamentals of what a honeypot is, because at the end of the day, even with what attackers do and how they leverage it, deception at its core is literally what the honeypot needs to do in order to actually work. If deception fails, then the honeypot is useless. The whole idea of it is either to distract the attacker, use their resources up, detect them, or work out intelligence, and it needs to work in order for you to make sure you're not being compromised as a company. At the end of the day, the idea of deception is that the target has to believe that they have the advantage, when in fact you're two steps ahead. It's like playing a game where you know your moves before the opponent does.

Further breaking this down: hiding. Hiding is when specific features are hidden, particularly within a honeypot, and this mainly serves a detection purpose. It's further broken down into three parts. Masking involves reality being hidden by blending with the background, so the overall goal is invisibility: the deceived doesn't know something is there. Repackaging occurs when reality is hidden by new wrapping; this differs from masking, as the goal isn't to keep the deceived from knowing something is there, but from knowing its true nature. So again, you can clearly see something there, but you don't know the actual intention of it. Finally, dazzling. This is like encryption or obfuscation: dazzling is when the qualities of a known object are changed to confuse what it actually is. We're all familiar with obfuscation; attackers use it as a good way of trying to hide what they're doing, a hindrance for researchers, so that they cover their tracks, more for evasive purposes. This is usually more of a last resort, used when the other two options fail, or more as a backup.

Showing is the opposite of hiding: the goal for honeypots is to show something for the attacker to interact with. Interaction is a big thing; again, with low and high interactivity, interaction needs to work in order for detection to work, so you'll be able to properly lure them in. Firstly, mimicking involves selecting the characteristics of another reality and creating a carbon copy of it; it mimics what it actually is. Inventing is the creation of an alternate reality rather than mimicking an existing one. A good example of that was the Trojan horse: they believed it was a gift when we all know it was not, and it was a good way of sucking them in; it worked to the Greeks' advantage. Finally, decoying: the method of distraction, enticement or deterrent to misdirect someone away from something else.

Another good deception framework was see, think, do. This is a military strategy they typically use, but here it's further built on honeypots themselves for deception. See: the attacker needs to see the system, services, whatever, on the honeypot, so that way they know that it's actually real. Previously, when I was talking about honeypots, I developed one with Cowrie; it's an open source honeypot where you can mimic the likes of a file system on Linux. It was very basic, but it showed what you can log: everything that attackers do, if they're trying to create files or run exploits, you name it. At the end of the day the deception works when you look at something and it's clearly a real file structure; otherwise, if you put in fake data that's clearly fake, it's not going to work. Think: the attacker must think that the honey system, service or token is worth something, so you need to present it in a way that makes sure it actually has value. That goes for placement and so on: where is it actually placed, what's nearby that might indicate, from an outside perspective, this looks kind of valuable. To add to that, you've also got insider threats; they're a threat as much as external attackers, so when you're putting these things in, you need to make sure only a select few people know where they actually are instead of everybody, because that might end up triggering false positives, like we went over earlier. Do: the attacker must do something that creates an interaction with the honeypot. Interaction is everything; you need to make sure they're interacting with it.

In the wise words of Admiral Ackbar, once your target is tricked... oh, it didn't play. Well, he says, "It's a trap!" So yeah, that kind of wraps it up.

Thanks. Those are a few resources there. That's the book that I was largely inspired by, right there. The Cuckoo's Egg by Cliff Stoll: he was one of the first pioneers of honeypots, and it's a well-known story about how he saw unusual activity one day when he was working on the school network and developed what we now know as a honeypot. This QR code here is just a list of open source honeypots; I swear it's not trying to phish you or anything, just in case you're paranoid. Any questions?

I couldn't tell you. I'm not really clued up on every single honeypot there is, but I believe that GitHub list does actually detail all the different types of honeypots, for research purposes and stuff, if you want to have a look at it. I couldn't really recommend one, because there are just so many variations of them, to be honest.

[From the audience:] There's a good one to start with, to play with a lot of them; they come preconfigured. It's ADHD, by Black Hills Information Security. You don't want to deploy it; you want to put it on a VM, and then it's got a lot of the honeypots that you can find on the list, but they're all already set up with testing and sample scripts you can do right there as well. And Shodan does actually list pretty much every publicly exposed honeypot out there, because they're all exposed. There are usually heat maps showing where there's a lot of honeypot activity; I believe America has the largest amount of honeypots exposed to the web.

Yeah, I think it's more for the purpose of trying to make sure that when you see something there, you know it's a honeypot. Any other questions? Yes, how would you...

[Music] It's making sure that they, let's say, aren't trained in it, because then it defeats the purpose of the honeypot, and it comes down to insider threats. If you're teaching everyone, oh, don't touch this, it's a honeypot, and someone decides to become disgruntled or whatever, you've ruined the deception tool. So it's more about, when you're setting these up, making sure it's in a place where users shouldn't typically interact with it, or the permissions go that way, and making sure it's isolated well enough as well. But then again, it sometimes might be inevitable, because there is the false positive side of it, like I went over with vulnerability scanners and stuff; some users may end up accidentally going into one without realising, or there might be... if somebody triggers a corporate honeypot, it's because that's...

Yes... of these have... [Music]

I believe it's a mock API. I know you can actually... I think Canary is a good one, not to sales pitch them, but I've used them in my career as well. They actually have a site that's open source where you can mess around with APIs and stuff for tokens, for purposes like that. So yeah, you can mimic it to look like a real-life one, I believe; I'm hopefully not wrong on that, but I believe you can mimic it. Any other questions?
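As an added example (my own code, not from the talk or from the Cowrie project), the following Python triages constructed honey-service log lines the way the talk describes: sources on a scanner allow-list are dropped so they do not raise the false positives mentioned above, every other source is profiled by what it tried, and a source that ran commands after logging in ranks above one that only tried credentials. The Cowrie-style field names, the addresses and the log lines are all assumptions constructed for this example.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Allow-listed scanner/pentest sources (constructed values), never alerted on.
KNOWN_SCANNERS = [ip_network("10.0.5.0/24"), ip_network("192.0.2.10/32")]

# Constructed Cowrie-style JSON events; field names are assumed, not from a real run.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"10.0.5.23","username":"root","password":"root","session":"s1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"admin","password":"admin","session":"s2"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","username":"root","password":"123456","session":"s3"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"cat /etc/passwd","session":"s3"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"uname -a","session":"s3"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.4","username":"pi","password":"raspberry","session":"s4"}
this line is deliberately malformed and must be skipped
"""


def is_known_scanner(ip: str) -> bool:
    """True when the source sits in an allow-listed scanner range."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_SCANNERS)


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; a malformed line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def profile_sources(events: list[dict]) -> dict[str, dict]:
    """Per-source profile of what was tried, minus allow-listed scanners."""
    profiles: dict[str, dict] = defaultdict(
        lambda: {"logins": 0, "successes": 0, "creds": [], "commands": []})
    for ev in events:
        src = ev.get("src_ip")
        if not src or is_known_scanner(src):
            continue  # scanner noise: the false positive the talk warns about
        p = profiles[src]
        eid = ev.get("eventid", "")
        if eid.startswith("cowrie.login."):
            p["logins"] += 1
            p["creds"].append((ev.get("username"), ev.get("password")))
            if eid == "cowrie.login.success":
                p["successes"] += 1
        elif eid == "cowrie.command.input":
            p["commands"].append(ev.get("input", ""))
    return dict(profiles)


def alerts(profiles: dict[str, dict]) -> list[dict]:
    """Every interaction is an alert; running commands after login ranks highest."""
    out = []
    for src, p in profiles.items():
        severity = "high" if p["commands"] else "medium"
        out.append({"src_ip": src, "severity": severity,
                    "logins": p["logins"], "commands": len(p["commands"])})
    return sorted(out, key=lambda a: (a["severity"] != "high", a["src_ip"]))
```

Any hit on a honeypot is worth looking at, so the "medium" tier is still an alert; the ranking only decides which source an analyst opens first.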