
Detecting Ghouls & Ghosts in the Wires

BSides Augusta | 41:12 | Published 2023-10
Category: Technical
About this talk
The rise in ransomware attacks and third-party breach notifications has contributed to reducing the global mean time to detection (MTTD). As a result, actual adversary dwell time is likely much higher than perceived. We must also consider the "unknown unknowns" that allow attackers to lurk casually on our networks like silent ghosts. In this talk, we will look at a blue team tactic for Microsoft Windows environments that will help reduce the dwell time of ghouls feeding on our sensitive data and the ghosts haunting our networks. A demo at the end will showcase one way to operationalize the information presented using a custom tool.
Transcript [en]

Cool. All right, well, my name is Michael Le. Welcome to BSides, and let's just get into it. So this is a little bit about me: currently a US Army veteran, did 24 years like it says up there, and then you can kind of look through the rest of the bullets, but you're not here for that, so let's keep it moving.

So what are we going to talk about today? All right, here's our agenda. We're looking at detecting ghouls and ghosts in the wires, which is just my version of attackers, right? How do we find those attackers that are hiding inside our networks?

Test, test. Yeah, maybe bring it a little closer. Is that better? I don't know, these things have been giving problems all day. Maybe I'll just use this. Test, test, test, test, test. All right, how's that? All right.

Okay, so, agenda, right. So what is attacker dwell time? Some of you probably already know what attacker dwell time is, you've been in security for a while, but there's usually one person here, like a spouse, a friend, or someone that has no idea what that is, so I'd like to explain it in a story. Imagine the laptops that you have in front of you, or maybe you have at home, or a family member; just imagine that device. It could even be a mobile phone or an iPad. And one day it gets hacked, but you have no idea that it got hacked. Two days pass by, a week, a month, and then the FBI kicks down your door and confiscates that device. That's when you find out you've been hacked. Well, the time between the initial intrusion and when you found out, that's the attacker dwell time. All right, so if you want to look at the more formal definition, that's what's on the board.

Now why is that important to us? Why do we care about attacker dwell time? Do you think it's a good thing to have an attacker or hacker inside your equipment for a long period of time or a shorter period of time? Which one makes more sense? Shorter, right? All right, so most of what I'm going to be talking about today is how do we get that dwell time as small as possible.

All right, so we have some companies out there, right, we're talking about breaches and attacker dwell time, that go out and perform incident response engagements. Mandiant is pretty much the company out there that's doing that; there's a bunch of others that do that. And they produce something called the Mandiant M-Trends report every year, and in that report they say that of the thousands of engagements that they perform, right, so they go out and respond to incident response incidents that happen, the average dwell time that we just talked about in that example is two weeks. Right? Think about that: two weeks that the adversary is maneuvering in those networks and getting after whatever it is that they want. Now there's a little bit of a skew in those numbers, because 63% of all of those incidents are third-party notifications. So let me say that again: it's not that the defenders of that network are identifying attackers, right? They don't get breached and the security team finds out about it. It's usually third-party notifications, so the FBI kicking down the door telling you that your laptop's been hacked, it's some other company saying, hey, we see your IP space maneuvering in our networks, right? 63% is third-party notifications. So if you take that out, that dwell time is really a lot higher. And then you have to remember this is the average; this is not like, you know, every single company out there. This is the average. There's some people that are at the far right of that spectrum and there's some people at the far left, right? Think about your organization: where are you in that spectrum? If you're a people manager, your security team, where are they? If you get a breach, what's that rough dwell time?

I threw another one up here just to kind of show you how bad it gets, right? So we have another company that does incident response, and they had one client that had attackers in their network for two and a half years. Right? So it's pretty bad out there. So when you see the 16 days, right, and you're like, oh, we're getting pretty good, because some of you might know about a few years ago the average dwell time was six months. Six months. Imagine your laptop, your phone, your parents' computer at home; imagine a hacker in that device for six months or two and a half years. Right? The famous quote I hear from a lot of people is, "I have nothing to hide," right? But if you give someone access to your device for two and a half years, six months, a month, and they just observe everything that you're doing, even though you have nothing to hide there's probably some stuff that you'll expose that you don't want them to see, right? Things like what you're posting on Facebook, your passwords to your bank account, what your 401k has, what kind of trades you're making, cryptocurrency, secret messages, right? Like, all of that stuff. Even though you say you have nothing to hide, you probably don't want someone observing.

All right, so what can we do? What's out there to help us reduce this attacker dwell time? What's going to get us away from the two and a half years and down to something that's respectable? I mean, what is respectable? What's a reasonable amount of dwell time, right? If someone hacked into your computer right now, what would be reasonable as a dwell time? Zero. But is it realistic? Right, we don't know what that is yet. So I'm going to show you a couple vendors that have solutions out there, right? Some of you may work for some of these organizations, you may have some exposure to them, but, you know, these are the companies that are saying, hey, we have some solutions for you for this dwell time problem, or whatever it is that you have, right? So the problem we're trying to solve is dwell time being too high. And you've probably seen them implemented in EDR, right? So that's some kind of agent that sits on the box and monitors what's going on, so you download malware and that EDR is going to say, hey, you downloaded something bad, and it quarantines it and does whatever else it does with that. You have your SIEM, so those of you with Splunk, Elastic, any one of those platforms, right, it's going to aggregate all of that data. We have some machine learning and all that fancy stuff; you put all your data in there and then your analysts look at that and turn on the data. Then we have IDS, IPS, and you have file integrity monitoring, and one of my favorites is honeypots and honey tokens. So these are the things we use to help us reduce dwell time, but they're not good enough. Why aren't they good enough? Well, I was talking to a friend of mine and I told him, I said, if I log into Veronica's computer, right, let's just pick a random user, I take Veronica's computer, I use her credentials and I log into that computer, is that going to generate any kind of alert? No, right? Because I'm using her credentials. And that's the gap that a lot of these tools have: they're great if an attacker uses some exploit or they bring their own tools, and it goes off because it's not Microsoft-signed generally. But if they're using, you know, Microsoft-signed binaries, or living off the land, if they're using your credentials, guess what, it's not going to trip anything up.

So what then can we do? That's where I have this thing called ghostbusting, and we're going to unpack this. If you're a fan of Ghostbusters, you're familiar with something called a spectre detector. What's on the screen isn't actually the spectre detector, it's a PKE meter, which does the same thing, right? It detects ghosts. And so what is that? That boils down to something called security event ID

4663. Right? So write that down, make note of that. This is something you can go back on Monday, and if you're a security practitioner you can make use of this, and we'll talk some more about that. So for this talk our spectre detector is 4663. All right, that is object access auditing, and what that is, is in Windows, built in, it's free, you don't have to pay any extra money for it. You can turn this thing on that says I want to audit specific files, and it's a two-step process, and we'll talk more about that.

All right, so what can we audit? We can audit the registry; there's a ton of stuff we can audit. I'm not going to list them all, but the registry is a great one. The one we are going to talk about is files and folders, and I'm going to go into a little bit about why we're going to audit files and folders as opposed to something else. And I found a blog post by Trend Micro, and they talk about TrickBot. It has a module that searches for specific files, and you can see on the screen what it searches for, right? So we talked about files and folders, why we need to audit them: we have malware that has the functionality to search for specific files.

All right, here's another example, and I have a story for this one. So I was a part of an engagement a couple years ago, and the adversary was able to get privileged access to the network because they were able to get access to an admin's computer, and on that computer, they were using LastPass in the environment, and he had a LastPass, or sorry, KeePass database on his desktop that was not password protected. Some of you probably use LastPass or Bitwarden, right? So KeePass is something similar to that. So as a part of their password hygiene they used KeePass. This person happened to have it on his desktop, not password protected. The adversaries got into his computer, pulled down that KeePass database, installed KeePass on whatever system they had, and then had all the keys to the kingdom. Right? So this particular campaign, they were looking specifically for KeePass databases, and you can see why, because if they find it and it's not password protected they can get a lot of your credentials. So we're seeing a trend, right? Interaction with files and folders.

Same thing here, another malware campaign. The first portion, they're saying, hey, I don't want to search through files and folders, or any of, there's nothing I need in those directories, but I do want to look for documents, PKI files, I do want to look for images, right? Some people have pictures on their computers. The Center for Internet Security has a top 10 malware that's out there, and for Q1 SessionManager was the number two malware. Now it's not important, like, why it's number one or that it's number one; I just kind of picked this out to show you that that particular malware has a feature and functionality to interact with files and folders. So there's a module called get file that allows you to grab files that are on the system, and we'll see why this is important as we go on further.

All right, so the Uber hack. Some of you probably remember, have heard about the Uber hack, and this one just rang home for me when I saw it, because there was a security researcher that got a hold of these guys and said, hey, can you tell me more about this attack and what you did? And a curious thing that happened is, you know, of course they used the MFA exhaustion, so, you know, social engineering, that's how they got in there, but once they got in, what did they do? They looked around, they were searching, looking for stuff, right, doing the reconnaissance, and they found a file share that had PowerShell scripts, and guess what, one of those PowerShell scripts had hardcoded credentials. Right? So hardcoded credentials inside PowerShell scripts that were accessible to this random user that they were social engineering. Why was that the case? First of all, you shouldn't have hardcoded credentials, but they didn't have, right, a spectre detector in their network.

All right, so those of you that like MITRE, I just threw this up there for you, so File and Directory Discovery, that's the number that they assigned to it. And here we're going to talk about the ghostbusting steps. So the first thing you've got to do, right, to mitigate the file and folder discovery, or help you detect these adversaries that aren't tripping your EDR, is you create the object access GPO, and we're going to talk about what that looks like. I'm not going to deep dive, like, creating GPOs, but I'll give you, like, point you in the right direction. And then we're going to have to create decoys, right? You have to create something, some people call them honey tokens, that's going to get the attacker's attention, something that when they get into your network, like those PowerShell scripts, right, that they're going to look for, and that's going to trigger them that, hey, someone was here. Think about your house. If you leave your house and come back, you're probably not thinking that someone broke in because the doors are intact, windows are intact. But if you come back and the door's kicked down and the window's broken, that kind of tips your hand that someone broke into your house, right? Same if someone hides in your house and they just eat one cookie a day; maybe they take, you know, some bread out of the refrigerator or wherever you store it. You're not going to notice that. But if they take the TV, you'll notice that. So what can you do inside your house that's going to let you know that someone did something in there, right? And that's kind of the idea. So maybe you install a hidden camera, maybe you sprinkle powder all over the ground when you go on vacation, and when you come back you see those footprints on the ground, right? That's going to let you know that someone was there. And if they see that and they try to clean it up, you still know someone was there. So that's kind of the idea we're using with this process.

All right, and then of course you've got to deploy those decoys. It does no good if you create the decoys and you don't put them out, right? Those of you that go duck hunting, you use the decoy ducks; it doesn't do any good if you leave them in the truck, right? You've got to put them out on the water. And then we have to apply the ACL. So there's a unique thing with Windows: when you apply the ACL, you can't then copy the file somewhere else. You have to apply those ACLs after you've deployed them.

All right, so here you go, you can follow the breadcrumbs. So on Monday morning, or whenever you go into work, maybe you work the weekends, follow the breadcrumbs at the bottom, and all you've got to do is turn on Success and Failure for Audit File System. Those of you that are in the government and you have to adhere to STIGs, you end up having to come here anyway, right? You still have got to come into this window, but you don't turn on that particular setting; it's a whole different setting that you turn on. And so that's step one. All right, so step two, you've got to

create your decoys, right, because turning on that global audit policy does nothing. You've got to figure out what decoys you're going to use. You can even audit files that are already in existence, so if you have PowerShell scripts or anything you're trying to protect you can audit those files; you don't have to just create decoys. But it's going to help you detect those adversaries if you're going to create those decoys. So like I talked about the KeePass database, you can just create a KeePass database file and throw that somewhere in your environment and turn auditing on, and if someone interacts with that file then that's an indicator that something's going wrong, right? That's some kind of anomaly. Think about it this way: if you have a laptop or your personal computer and you put a file on the desktop that says "my passwords," and you never touch that file because you know, hey, like, I know it's a trap, it's a trick, and then one day you log into your laptop and it triggered some alarm that you set, then you're going to know for sure that someone messed with your laptop, right? That's kind of the idea here. So you figure out what makes sense for your organization. I'm not saying to create a KeePass database; if you're using LastPass then that doesn't make any sense, right? Figure out what makes sense for your organization and then use that.

Private keys, right? Windows has SSH built into it right now, right? So you can create some of those that are fake and see if the attacker tries to steal the private keys. The reason that's important, for those of you not familiar, is if you have the private key you can SSH into another machine; if it's not password protected you just basically have free access to that machine. If you're using VPN technology, right, there's usually credentials in those files or certificates. So these are just ideas you can use. Another good one that attackers like: let's say you have Brocade or Cisco, you can create a backup file that's called "brocade backup.zip" and password protected, and the attacker will try to pull that down and boom, they just tip their hat. And it doesn't matter that they know that you know whatever they downloaded was a trick or a trap. The whole point is to reduce that dwell time, right? Always go back to reducing dwell time, because now you know, before it gets to two and a half years, that someone touched a file they shouldn't have. And then of course AWS CLI; if you've used it, it generates this .aws file on Linux and on Windows. Fun fact: on Windows, when you put that dot it doesn't necessarily hide it, right? It'll still look like a normal folder.

How many decoys do you need? I don't know. You have to think about your organization, what makes sense. In some organizations they have this thing called key terrain, so maybe you put some decoys on your key terrain; maybe it's your DC and your admin workstations. What I don't recommend is, if you have, you know, 10,000 workstations, that you try to manage 10,000 decoys. If you've got the automation, the manpower, the technical talent to do something like that, sure, but you've got to think about what scales for you.

All right, so how do we get these decoys out there, right? I just mentioned 10,000 systems, maybe 500 systems. How do you get those decoys from whatever system you created them on out into your enterprise environment? Because most of us work for some organization, and, you know, we're looking at how does this scale. Well, you can definitely use GPOs to deploy files, right? But what I'm going to show you is how to use PowerShell, and the simple way to do it: you create a new session just like that, and then you copy it from your system out to the other one. This is just an example; you're going to have to come up with something more robust than this, but I wanted to show you an example.

All right, and then here's the, you know, here's the naive way. You just go to the file, right-click it, hit Advanced and pop into the auditing settings, and make sure it says audit Everyone, Success and Failure. It's not going to say Success and Failure here, but once you toggle those settings it shows up like this. All right, I don't recommend this way, but if you have one system, like your personal computer, you can do it this way if you want, and then call it good. And so here's the programmatic way; this is the way I recommend. You can just get the ACL; it's a built-in cmdlet. Make sure you use the -Audit, and you're going to need to have privileged access or an administrative terminal to use the -Audit switch. And then what you'll get is this Audit flag at the bottom that'll be empty, so that means there's no audit set.

All right, I'm going to show some code; that's kind of why I had this slide in between. Don't worry about trying to read the code; there's a QR code if you want to go to the gist to pull it up. But what happens is you create the audit rule, so Everyone, Success and Failure, because what we want to do is, when that adversary that's been in your network for a month or two, when they touch a file, right, whether they have access to read that file or not, you want it to generate an alert. And so that's why we're doing Everyone, Success and Failure. This includes computer accounts; it includes accounts that aren't actual personas, right? So it doesn't have to be an actual user account; it can be a system account or a service account. Anything that interacts with that file is going to generate a 4663. All right, and then we add that audit rule to the ACL that we got from the file or the object, and then we set it back on the file. Like I said, there's a QR code if you want the gist, because I don't expect you to be able to read the code from this far. Fun fact: Android or iOS, if you take a screenshot, you can then scan the QR code from a picture. So if you didn't know that, now you know.

All right, so what does it look like when we go back? Now you see that we have, let me go back, you can see we have the Everyone, Success and Failure now, where we didn't before. And so that's what we're trying to do. So if you want to validate that you actually have it turned on, when you run that command at the very top, all right, it doesn't work on here, but if you look at the very top, that's the command you want to run to check.

All right, so here's the fun part. Adversary uses RDP. I was told that there was the RDP talk earlier this morning. So bad guy sees you have RDP publicly accessible to the internet, for some reason. By the way, you shouldn't have that, right? RDP should not be publicly accessible, because you increase your attack surface and things like this happen. So adversary sees your RDP is available and connects to it, and maybe he phished Veronica or James, he got some credentials from somewhere, and they're legit credentials for that organization, and he logs in. Well, guess what, EDR isn't going to go off. I don't care which EDR you're using, it's not going to say that, hey, something bad just happened. Yes, there's a few of you saying, well, you know, user behavior analytics and geolocation. Well, guess what, in my experience a lot of people don't have that turned on. That's why we have two and a half years of dwell time and the average is still two weeks, right? So attacker gets in; what does that look like? Logs into your RDP, gets access to your system, and he's looking at this .aws directory. Why are they looking at this directory? Well, if you're not familiar with AWS CLI, the API keys are stored in that credentials file; that's why they care about it. But we created our decoy because we're trying to find out if there's bad guys in our networks, and, you know, whoever's account got compromised, now this attacker is using that account to look at these credentials that we strategically placed, because we use AWS CLI. So in Windows, if you don't have an extension, Windows is going to say, hey, I don't know how to deal with this file, I don't know if it's a PDF, I don't know if it's an image, I don't know what it is, so how can I open that? And most of you have seen, you know, the right-click, open as; so this is kind of what's happening. And when you open it with Notepad, you're going to get an alert in your event log. So this is the Windows Event Log viewer, and it's going to say which user; so I just used some random user I created, it's called Vana. Then it's going to say which file did it interact with. So think about this: we created a decoy file that was an AWS CLI credential, right, the credentials file. The attacker logged in over RDP using an account, doesn't matter which account, and it interacted with this credentials file that they should not be interacting with. All right, so that already, if you're doing your alerting properly, should let you know, hey, something's going on. And then the cool part is it tells you which process interacted with that file, and that part is going to be really important later on. All right, so keep that in the back of your mind. We know which user, we know which file, and then we know which process.

So this is RDP. Let's take a look at Metasploit. What does that look like if they're using Metasploit, or any kind of tool, right, that's going to allow them to inject into processes, or be a little bit more covert than RDP? Maybe you didn't actually have RDP publicly facing. So what does it look like? So if you're not familiar, this is Meterpreter. We're going to skip the whole how they got in; let's just say they've got in, they've got persistence, they've injected into a process, and because of this KeePass thing that we mentioned earlier they're searching your entire C directory for anything that has the KeePass database extension, right? They could be searching for anything else; they could be searching for images, intellectual property. Just kind of imagine in your head what's important to your org, and that's what they're searching for. And they got one result. That typically doesn't generate a 4663. The only way that, you know, for those of you that want to try to implement this later, the only time it generates a 4663 on a directory listing or you just viewing a file is if you create the object audit on the directory, right? So you can create the object access on a file or a directory. When you create it on a directory, then any time you list that directory it generates the alert, so there might be more false positives if you do it that way. But if you do it on a file, then just listing the file doesn't generate that; they have to interact with it some way, so either downloading that file or opening it and viewing it.

Okay, so they found that you've got one in the admin tools directory, and then what? So now they're going to do, like, a directory listing; maybe they're looking at some of the metadata, like how old is this file, what size is it. So that's important, right? Don't make it a zero; you know, don't create a bunch of files that are all zero. Like, throw some garbage data in there, make it look a little believable, because if they look at this and it says zero they're probably not going to touch it, and you wouldn't even know. But then if you look at the bottom of the slide, the next thing they do is they download the actual file. That's where it creates that interaction; that's where that 4663 gets generated. Now what does this look like in the logs? Well, you get the same thing, right? Whatever user account interacted with it, you're still going to see that, and it's usually whatever account they're using. You're going to see the file, so it should be one of your decoy files. And then the great thing about it is the process. Now, I called it demo malware just to kind of call out to it so you see it better, but this could be explorer.exe, this could be, you know, Word, it could be any process that they inject into. If you're familiar with these types of tools, you can basically inject into any process, you know, calc.exe, Firefox, Chrome, any process that's there that they have access to, they can inject into that, and it's going to show up here, and you're going to know, right? So more indications that something is anomalous.

All right, so what about PowerShell, right? We looked at RDP, we looked at Metasploit. What does it look like if they use PowerShell? Because we talked about living off the land and things that fly under the radar, and, you know, Meterpreter is probably going to trigger some EDR, something in your environment, but PowerShell probably isn't going to generate anything. So what does that look like? All right, so before we get into it,

just to kind of set the stage: so we've got a directory listing, right, and we've got the Brocade configs, and it's got some fake, you know, device configurations in there. The attacker PS-remoted into your system; if you're familiar with PowerShell remoting, when you connect to a system, the system name is going to prefix your directory path. Then we're going to use the PowerShell command Expand-Archive. This is kind of like unzipping a zip file in Windows; you typically double-click it, and it's just built in, but from PowerShell you use this to extract stuff from a zip. So let's say the attacker just wanted to extract it to see what's there. Whether they did this or downloaded it, it would be the same thing, right? Any interaction is going to generate a 4663, and you're going to know that something happened. So what does that look like? Same thing again: we've got the user, we've got what they interacted with, so your decoys, but then we've got this other thing down here that's kind of weird. So if you're not familiar, any PowerShell remoting activity is going to use this process; that's the process that hosts your session. So if you see this process interacting with one of your decoys, that means someone has WinRM access, or they used PowerShell, right? So you've seen a lot of different ways of how you can identify interaction with your system.

Okay, so how do we scale this, right? I showed you a bunch of Windows Event Viewers, and you're not going to go around looking at Windows Event Viewer. How do we scale this out to enterprise environments? Well, not talking about the actual scale, right; I'm talking about scaling up. So Splunk; just adapt this to whatever tool you have in your environment. So if you've got ArcSight, if you've got Elastic, you know, adapt that to that. So first thing we're going to do is event ID 4663, right? So Windows Event Log is what's storing all the events from our Windows systems, and then the event ID is 4663, so we're constraining the search to what we're looking at specifically. And then we have all our decoys that we created, so the Brocade config, the KeePass, the AWS CLI, whatever it is in your environment that you've created as decoys; that's what you're going to be looking for. So in Splunk you can create a saved search, and then you can alert on those saved searches. I believe Carbon Black has the same thing; it's called a watchlist, right? So you create this query, you make it a watchlist, and then if this ever comes back, then that's something you need to investigate. And then what it does, we create a bunch of columns, right? We have host, object name, accesses, process name, all information that we want to know about what happened with this alert. And so the reason I highlight this is the columns are too wide and I wanted you to be able to see the data, so I broke this up into two separate slides. So the first one is these first three columns, right? So you've got all the hosts, right, because you're going to have this deployed to maybe your admin machines, your domain controller, so you've got the host names on the left side. Then you've got which specific decoys you were using, right? That's the important part: what files are they interacting with? This should be, there should be intellectual property files, there should be files that you know people across your organization shouldn't be touching, and you should be educating your admins about this, so you don't just deploy these in a vacuum. You can do things like, let's say you've got a five-admin team: hey, we're going to put this Brocade zip file here, or this KeePass database file here, or this password.txt on the desktop, and nobody touch it, because that's what's going to let us know if an adversary is there. Don't make it super obvious that this is a trap, right? I talked to a buddy that said that some admins created a honey token admin account and they called it "honeytoken," which, what's the whole point of that, right? So don't name your decoy "honey token" or "honey file" or anything like that; it just doesn't make sense. So in the middle, the second column is your decoys; the other column is what access, and that's not really that important, but, you know, we just want to see what's going on with that. It's usually going to say one of those. And then kind of the meat and potatoes here is which account is potentially compromised, right? That's what we want to know; that's the second column in this slide. And then the first column is which process. So if you're using RDP and we interacted with a file, a lot of times it's going to say Explorer, or if they injected into it; of course you see the PowerShell for PowerShell remoting and then your normal PowerShell. And then, you know, something that's probably going to be alarming is if you see Administrator in that list and none of your admins touched that file; you know, then you probably have got to ask some questions.

I think one of the challenges you're going to have if you implement this is users being afraid to tell the truth, right? Veronica's account gets compromised, and you go and you say, hey, did you interact with this file in the system? We see in our logs that you touched this particular file. You know, that person may say no when they really did, but they don't want to get in trouble. So you have to deconflict, like, are they saying no because they think they're going to get in trouble, or are they saying no and it's actually a no? Because then you have to kind of, you know, say your account's compromised, and this is why. So you're going to have to educate your users. I don't recommend deploying decoys out into your environment and not making your users aware of what you're doing. Honestly, I think you should really focus on your key terrain, or whatever is key terrain for your environment. Key terrain, if you're not familiar, is just the important systems in your environment, right? So that production database, your production website, whatever important systems, they went down, your business, your company would function; that's probably where you want to put these decoys. And then the last column is going to tell you how many times something interacted with that. All right, so now it's time for the

demo okay so what I what I have is a Parell script that's going to allow you to create all you're going to create all your tokens right or your your decoys you're going to stick them in some folder and you the great thing about this is you don't have to be on a domain joint computer computer so you can have some laptop that's off domain you create all your fun stuff on there um that you collaborated with your other admins or or whomever in your organization that's going to make this decision and you've got your your tokens or your honey whatever you want to call them right you've got these decoys I prefer the term decoys and you want to deploy them

out now so I've got a poell script that that will take those decoys that you've plugged into your configuration file and it's going to deploy them out to where you've said you want them to go so let's say you have 10 systems and you've allocated which one goes where the script is going to deploy them out um and then it's going to set that ACL on them so I pre-recorded this just so I didn't have to worry about the demo Gods um but I'll just kind of narrate as I go right so the um the module is called Spectre detector right um and it's got two commandlets or two functions that are exported and so this

is just going through how you import that some of you that's familiar with poell already know how to do this and then the next command I'm showing you what those uh command lets are that's built into that all right and they're they're basically install token and set file audit ACL so the set file audiate ACL if you just want to set the Audi ACL on one computer and that's it you can use that by itself um and then to deploy everything you use the install

token all right so I've got a demo directory that has a besides. text file just to kind of show you the example of how you use the set file audit

ACL so the built-in commandlet called get ACL that's built into Windows Parell what you're going to notice if you uh saw from the previous slide is that that AUD audit section is empty so every file in your system system doesn't have audit end turned on by default so even if you enable that Global GOP that says audit end turned on it's not going to do anything until you do step two which is actually apply the the audit ACL and make sure you do success and failure right that's very important because if a computer gets compromised it doesn't mean the user they have has access to access those files and you want to make sure that you get an alert

whether were they were successful or not and here you can see um it's enabled all right so next up is deploying I've already got some pre staged decoy files there's about three or four of them if you pay attention to the right hand side of the screen once the credentials are input it'll start deploying all the decoy files out into an environment um and then you'll see one of those files pop up on that remote system which is a VM on the back side right so the windows terminal is my main computer so the desktop that I'm sitting at and then you can see um VMware in the background that's that system in the back so it

should pop up right there there there you go um so it's pretty quick pretty fast um it'll scale you know pretty pretty good if you're trying to do a handful of systems I haven't tested this on like 10,000 systems but don't recommend you doing it that way um and then here you can see if you want to double check that the settings were were uh configured when you go into advanced uh it'll zoom in in a little bit um you'll see that it's set for success and failure all right so what what's what's kind of the the takeaway from all of this right well attack or dual time is going down year over year from 6 months

to two weeks but it's really skewed why well 63% of notifications are third party so we're not figuring it out on on our own we're finding out from someone else FBI or some other company the other thing that's skewing it is ransomware and why is ransomware skewing the numbers because the motivation is to make you find out as soon as possible Right like I'm not going to encrypt all your files on your computer and wait two years for you to find out hopefully it doesn't take two years for you to find out your computer's been encrypted but the motivation is to notify you as soon as possible so your dwell time actually incre actually goes down because you

know faster right so those two things alone are skewing the numbers so it's really higher the other thing is just because the average is 16 days doesn't mean your organization is 16 days and just because someone gets an email attachment that triggers your fancy EDR that you paid millions of dollars for doesn't mean your your dwell time is two days you really have to look at do you have do you have you know purple team and do you have a red team come in and do an assessment how long does it take you to detect that the red team's there right you got to be honest with yourself and so this is a tool you can

use that we talked about right the 4663 turning on object access audit in strategically is going to help you right that's going to be that powder that's on the ground that the attacker doesn't doesn't see in your house so that's the first the first part the second part is uh files and folders right we've seen that malware from a lot of these talks malware attackers they're going to interact with files on your system they have to Data Theft what are they doing they're taking files and extracting them to some some C2 so they have to intera yes you might say well they've got my intellectual property now it's it's over well at least you know you know as Sony right their stuff

was was gone and they didn't know about it for a while but at least you could have stopped the bleeding sooner rather than later right maybe it took a month for you to realize that and a month is better than six months right it's still bad but the whole goal is to minimize the dwell time like they break into my computer I want to find out as quick as possible I don't want to wait for the FBI to kick my door down right and then have to explain like why my computer's doing things that I have no idea about so leverage that idea they have to interact with files and folders on your system and then lastly those decoys

right we call them honey pots honey tokens honey files be strategic about the ones that you're creating look at your environment what makes sense what would an attacker go after right we talk about uh threat modeling this should be part of your threat modeling like if an attacker got into your network what files would they want to go after and so they may not it may not be decoys that you're auditing it may be actual files that you're saying hey there's only three people in our or that should be touching these files and maybe your maybe your security controls doesn't doesn't prevent a normal authenticated user from touching those files so those would be candidates

for auditing and then inside your sim or whatever technology you're using you filter out those three users if you want and say hey anyone that's not these three users users it should generate an alert if you want to alert on the users that you do have then you're going to have to go into okay if they don't connect from this IP address than alert right so there's some more correlation and so that's really the that's the most important part is decoys strategically thinking about what you're going to create if you're going to audit actual files looking at who's actually supposed to touch those files and you got to do some work and it's going to pay

dividends because attackers are getting more sophisticated and it doesn't matter that you have your EDR and fancy stuff that's that's on that machine it's not going to detect someone that has legitimate credentials that logs in during the duty you know the during your work day um and there's nothing going on but them looking around right think about what you do on a day-to-day basis you're not setting off security alarms right so if an attacker comes in and does exactly what you're doing you're not going to know about it this is going to help you figure that out all right and if you want to connect with me here's my contact information but uh thank you that's my talk I've got

uh was it one uh one shark T all right let's see what's the question H uh who's the
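The two mechanics the talk walks through, setting a Success+Failure audit entry on a decoy file and then searching event 4663 for hits on the decoys, can be reproduced with built-in Windows PowerShell. The block below is an added example written for this page; it is not the speaker's Spectre Detector module, and its cmdlet names (`Set-DecoyAuditRule`, `Find-DecoyAccess`), the decoy file names and the paths are placeholders. It assumes an elevated session and that the "Audit File System" subcategory is enabled (the GPO step the talk calls step one). The second function stands in for the Splunk saved search: it pulls the same columns (host, object name, accesses, account, process) and a count per group.

```powershell
# Added example, not the speaker's Spectre Detector module.
# Step 1: put a Success+Failure audit entry (SACL) on a decoy file.
# Step 2: search Security event 4663 for hits on the decoys and group them the way
#         the Splunk saved search does (host, object name, accesses, account, process, count).
# Assumed prerequisites: run elevated, and the audit subcategory is on:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
# Decoy names and paths below are placeholders, not values from the talk.

function Set-DecoyAuditRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone'          # audit anyone, not just unprivileged users
    )
    # -Audit is required: without it Get-Acl returns the DACL only and the SACL is untouched
    $acl = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights] 'ReadData, WriteData, Delete'
    # Success AND Failure: a compromised account may lack access to the decoy, and a
    # failed attempt is just as interesting as a successful read
    $flags = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
    $rule  = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $rights, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting audit entries so the caller can verify both flags are set
    (Get-Acl -Path $Path -Audit).Audit
}

function Find-DecoyAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $DecoyName,   # file names (or path suffixes) of the decoys
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields out of the event XML by name
            $xml = [xml] $_.ToXml()
            $d = @{}
            foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Host       = $_.MachineName
                ObjectName = $d['ObjectName']
                Accesses   = $d['AccessMask']
                Account    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Process    = $d['ProcessName']
            }
        } |
        Where-Object {
            # Keep only events whose object path ends in one of the decoy names
            $obj = $_.ObjectName
            [bool] ($DecoyName | Where-Object { $obj -like "*$_" })
        } |
        Group-Object Host, ObjectName, Account, Process |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Host       = $first.Host
                ObjectName = $first.ObjectName
                Accesses   = ($_.Group.Accesses | Sort-Object -Unique) -join ','
                Account    = $first.Account
                Process    = $first.Process
                Count      = $_.Count          # how many times that account/process touched it
            }
        }
}

# Usage (placeholder paths and names). $ExpectedAdmins is the allow-list of accounts
# that were told about the decoy; anything else in the output warrants a conversation.
# Set-DecoyAuditRule -Path 'C:\Admin\brocade_config.zip'
# Find-DecoyAccess -DecoyName 'brocade_config.zip','passwords.kdbx' -Hours 24 |
#     Where-Object { $_.Account -notin $ExpectedAdmins } | Format-Table -AutoSize
```

Verify the first function the way the demo does: `(Get-Acl -Path <decoy> -Audit).Audit` should list the identity with both `Success` and `Failure` in `AuditFlags`; if the `Audit` property is empty, the SACL was never written and 4663 will stay silent no matter what the GPO says. The second function mirrors the saved-search columns so the same "who touched which decoy from which process, and how often" question can be answered without a SIEM on a handful of hosts; at enterprise scale the talk's advice stands, and the 4663 query belongs in Splunk, Elastic or whatever the environment already ships logs to.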