Deception for the Win in 2023 and Beyond

and our last Talk of the day Mr Tim CRS is going to be talking to us about deception for the win in 2023 and Beyond let's welcome Tim hello hello everybody thanks for uh sticking it out and uh you brave souls who are missing the oent talk that I really wanted to be in but they they put us at the same time so I guess I'll have to catch it on YouTube so it's all good so if if any of you have heard me talk before you have probably heard me talk about deception uh it's becoming more and more and more important in my opinion and my goal today is to convince you of that um

and to to hopefully make it a lot easier for you to leverage in your environment to protect so what is deception deception is a broad broad set of TOS in in my references at the end hopefully all of you have already read Chris Sanders great book on on honey pots and all of the other sorts of deception that is one form but that's actually not my preferred form um probably relevant to the conversation uh for those of you are not aware my day job uh my team defends mandiant you may have heard of mandant uh and you know know there's some folks that just don't like us uh for some reason uh matter of fact the group

that's uh fortunately recently hit MGM they uh they in particular have been on uh on a hunt for some of our folks and so when you've got uh an environment and I would argue any environment not just uh a kind of higher Stakes ones uh like ours there's uh what we have found a different way of kind of conceptualizing our defense and and we've taken to calling this layer defense so what is layer defense you're probably immediately going to oh defense in depth and Etc no it's it's not that it's it's a different kind of a a way to think about how do we defend our organizations so step one I want to make sure everybody's on the same page I

ultimately believe that prevention will fail right if you're up against a sophisticated enough adversary they're going to bring tooling that is going to get past your defensive layers however I also don't believe that means you have failed yet now I would argue if if you know they've got initial access on my laptop we're now in a race Condition it's now a race between us as Defenders and the attackers can we eject them contain them stop them before they complete their objective right before they deploy that ransomware before they steal our intellectual property or whatever the heck they're intending to do right and so this is where the concept of a layer defense comes into play so think of it this way or this is

how we think of it I should say maybe layer one is all of our standard controls right all of our firewalls and our intrusion detection all of that great stuff that we use day in day out as Defenders to defend our organizations that's our layer one defense now if like me you believe that a sufficiently skilled adversary is going to penetrate layer one that's where Layer Two comes into play and the whole concept here is simply that layer two is all about your controls to know when layer one has failed so that you can eject that adversary from your environment does that make sense right so simple concept here this is nothing to you know against the the one way or

the other right in that layer defense right layer one all of your you know your zero trust architecture all of these other things that we all know and love uh at least if you're a Defender and then the layer two things like behavioral detection uh anomalistic activity detection these are all great ways you know to figure out all right how do I know layer one has failed so that our Defenders can find that adversary and get rid of them before they beat us that's the whole idea and one of the best ways to do that consistently and getting better and better and better is deception and so with deception in my case the whole idea here is really

simple here's my environment I seed out a whole bunch of what we mostly call Honey tokens and I've created a hostile environment for the attacker right we as Defenders have one advantage over those attackers and it's our space we should know that space right that home field advantage so to speak we can leverage that against those attackers because all we need them to do right is bump into one of these and We're Off to the Races and of course the bage here for us as Defenders is the attackers have needs right they need access credentials if you were in Fernando's talk earlier right he showed a video of a ransomware actor on privileges looking for files

with pass in it right and just looking for passwords so they can move laterally they need to figure out the infrastructure they need to figure out where our domain controllers or whatever our Central root you know authentication uh mechanism is in our environment they're going to need things like or want typically things like documentation right we see a ton of threat actors go for things like our internal Wiki documentation our our cuz CU what do we do we pass post passwords up there and all sorts of other things that help them to figure out how to get to uh Fernando really described it well right that they're trying to find the data that is interesting to them uh Ergo

are crown jewels o PowerPoint crashed let's see if we can restart pardon the technical difficulties this is what happens when you run a Microsoft product on a Mac Oh wait did I say that out loud I got I got to all right so attackers needs all right so this is what then we use against them so part two I mentioned I have two two objectives for today one I'm hoping to convince you that if you are not leveraging deception in defending your environment then you've got a gaping hole you've got layer one but you don't have Layer Two you don't have a way of knowing that your layer one has failed right um so honey tokens

how does this work well part of what I'm releasing today is a simple little open source tool because honey tokens can be really difficult to manage right let me let me back up slightly so if this is the situation we're trying to do each one of those little skulls I represented on my diagram is potentially an individual honey token so that can be if you want to roll your own now there are some really great commercial products out there if you if you got bigger budgets I'd highly recommend maybe go look at a Calo or some of these sorts of things because they simplify a lot of this but obviously not all of us have these budgets and in my case

they're just great research projects right I just love you know Di in building them and figuring out so the the way the honey token process works is pretty straightforward so here I've got a document okay and you notice I've got a little a little uh uh let's see if I hit the right button here come on maybe I'll do it at my laptop see if it does better there there it goes so notice the little nope then it show it there we go I'm clearly not functioning well on technology today uh the simplest little honey token uh and they're used today on you a lot for Email tracking purposes are little one pixel by one pixel transparent

images trivial to Bild you know throw that in any document today right and that makes a call back to my little back end that that I'm open sourcing today what that does is writes out a really easy to parse so you can integrate it into your sim so hopefully all of us here are security onion users we can easily pull that in uh to set off the alert right the goal of the of my my thing it is super simple I I'm really hoping some of you who are way better at python than I am will pick it up and and take it a lot further than I have taken it but there's two things we want to do

all of those honey tokens we want to be able to know where that honey token is placed so that let's say that that document is open because it's sitting on you know I don't know I'll pick on somebody in the audience like Jason here Jason's got this clear text you know uh password document sitting on his desktop adversary is you know gotten onto his laptop because blood level in his caffeine system was a little too high you know and he clicked on that malicious link and so they open that document so that they can get the passwords out of that because you know uh Jason conveniently call it passwords doxt or whatever right well what that does is that hits over to

the the web file we want to know that's from Jason's laptop because as Defenders we want to go know where the adversary is to go step on them right to go eject them out of our environment so that's what uh what I'm releasing today so it's honey honey H honey token HTTP it's been a long day uh obviously out there on my GI Hub and it it's does this by really accomplishing two things and I'll I'll do a demo here of it in just a second so it creates a simple little catalog file okay so what happens is it's a web interface that just runs as Local Host you don't need to run it as admin because running

things as admin on critical servers is not really a good security practice so you point all of these various honey tokens and I'm going to go through a whole bunch more approaches to accomplishing this in just a minute but you point these to that right and then it looks up the honey token based upon the incoming URL and then that's how we know oh this was Tim's laptop or you know Blakes laptop or you know critical domain server whatever it is that we've placed place this on right so let me do just that I'm going to little video here to walk through I can find my so what I've got going here are a couple different windows so up in the

top I'm going to do a get download of the of the uh honey token HTTP I've got the get page up here uh on the side here standard you know do a get clone bring it down

you'd think all these years I could type faster than that but what do you do I could speed up the video but then it that's cheating I feel like all right so I I'm just doing a quick cat out on the file right standard practice right it's showing you all of the command lines and we crashed again goodness all right well well let me I got the file

locally um some key here's thing I wanted of course this completely customizable because all of our environments are a little different right you've got the output filed and what I'm showing here is it's simply just standard HTTP receipt what I wanted to do is just make it really robust it looks up in the catalog file and uses that to figure out which token uh it is and so now I'm going to show the the token files right the the idea here being is this is our token catalog we just give it an ID you can use whatever you want where it's at and what the alert message you want to fire uh in your sim when you integrated it into

your sim okay and so I'm just going to tail the log file there created the quick log file the log file is what you'll ingest with your sim right locally on your host and then we'll fire up some of them so there's the different command line parameters you can obviously run it on whatever host name and Port you want specify which catalog file you want and of course what output file you wanted to log to collect into your sim really simple python project here nothing fancy but what this does is lets you easily create a simple naming convention that works for your environment so that you can do it so I'm hitting the the running honey token HTTP and you can see

I've got an alert uh a message that fired and then of course you can see that it logged to the local thing now in this case because I'm using the browser the browser the get fave icon. IO is just a standard thing that's done on as part of the get process when you actually do it from the honey token you won't get some of that extraneous noise but then if we go up and we go over to the catalog file here a second should be coming up momentarily Mo this out of the way so now I'm actually going to put a token or a legitimate token in there notice that it fires the alert token

access from Tim's PC right um again I designed this to be really simple to integrate but what I'll say is if you pick uh you know fairly straightforward naming convention um you can really simply deploy this um and um uh let's just say I've spoiled a whole bunch of red team operations at mandat um which Evan and team didn't appreciate but hey it's our job as Defenders to stop them so it is what it is all right so let's talk about types how do you use these where would you put these out here well as I mentioned the simplest one is a web bug URL token approach right so key there is it's a unique URL okay the

honey token HTTP will accept any URL basically what it's doing is it's using the URL that's called to it it to figure out it just looks that up in the catalog and that's how it knows which token is called in so that makes it really easy to to run most often I would suggest just use a one one by one transparent so uses for these you can throw these into email uh non-l web pages we may have thrown some of these in Kevin mandan's email just in case red team started looking through Kevin's email um hypothetically speaking um what about accounts simple right create an account in AD or whatever Source you're using right I would optionally recommend

scripting a simple little local login right uh that's an easy way to call out the honey token piece of this right then I would suggest disable the account and of course enable alerting on attempted login or you can use a spefic specific honey token with this as well right tempting administrative accounts lateral movement detection um embedded Secrets right I uh I like GitHub code laying around that has embedded secret code in it that refers to these right or our forementioned you know password file sitting on Jason's desktop any and all of these right are just a great way to go what about AWS tokens again super simple to do right so this is the format for the is uh the AWS cred

file right you just set up um you know the uh secret access key Etc and you put it in the AWS credentials uh in home directory scattered around your environment you can again put this in uh you know local code reposit repositories internal code documentation is a great place to put some of this stuff right because these are the things the the places that the adversaries are going to find this stuff uh coup config uh we're seeing a ton of targeting on kubernetes k8's infrastructure right so again we generate a kubernetes account create an access conf config file disable the account alert on attempted access really straightforward to set this up still with me folder tokens this

one's kind of a fun one this is an old call out to good old windows uh and their mechanism so the key here is you've got to create this uh desktop in with this shell class info um and the simp simp EST way to alert on this one is to monitor DNS calls for it uh that's the simplest way I found to use this one you can throw those out all all in all sorts of places so on and on and on the key here is we're trying to create a hostile environment for the adversaries we want there to be enough seated around the environment that the adversary is very likely to bump into it as they're trying

to get to whatever they're trying to get to right um the other beauty of deception is most of this has a very very low false positive ratio right when you're putting this out our our legitimate folks don't need to use this don't need to go looking for this uh if it triggers and it is one of our internal users then they're probably just snooping around learning something like that pretty easy to to sort all of those things out um there's very very few things that can't be turned into a honey token and this is where in particular some of the commercial options nowadays really shine uh I I've seen things like uh fake AV right so

again if you watched Fernando's talk he he talked about them using a tool to disable the uh the antivirus and that was actually the initial clue that went them searching for the the bad guy and so again some of the stuff can can feed that out and immediately uh alert right these are just some other things that we've tried that we've had some fun luck with we didn't really get any good results out of the QR codes but it was it was interesting to play with anyway uh GitHub actions is a fun one you can you know if you've got some Repository that you're using as honey tokens you can easily configure some GitHub actions

for you know downloads and things like that on those uh repositories for instance uh of course custom binaries I love I love to uh set up all sorts of stuff so how do you you you've decided all right Tim you've convinced me how do you go about doing this well if you want to use honey token HTTP it's pretty straightforward step one figure out a naming convention just pick some sort of a naming convention that you want to use for Distributing your honey tokens uh what we typically have done is we'll use uh kind of a prefix that's based upon the type of token right so if it's a web bug that we're going to put in documents

and stuff like that will be wbore to start the the naming right and then we have a system ID that we use which we tend to keep separate from the actual system because you do want to be careful uh especially your more sophisticated adversaries you got to you know the trickiest bit of this is you want this to look realistic right you don't want it to look fake or an obvious lure don't make it so obvious um but think about where they're going to need to go right this is where in particular I would recommend planning out especially your first round of Honey tokens where you go all right here's key data that would be incredibly harmful to

us if this was ransomware all right what's the access paths to get to those data so you can make sure and set up some trip wires on the path to those right um and then uh I would definitely start with web tokens just because they're the simplest uh it's super trivial to to generate one by one transparent pixels and uh throw those into documents you know throw those into uh you can even throw them into the templates you know so that if you've got groups creating they're already uh in there's lots of things uh then step two is I would absolutely go for account tokens right now the trickiest bit with the account token stuff is you you don't

want to just create the account you also need that account to have logged in in in places right because think about how the most common way they're going to get these creds out is they're going to scrape them out of memory right they're going to get on my laptop pull all of the locally cached credentials in my laptop so that means you've got to have some of these credentials locally cached uh but that's fairly straightforward to do with some Modern tooling you know yourm type stuff your you know so on and so forth so account tokas and then third I would suggest what I mentioned earlier right figure out what do you think are your Prime targets you know if

ransomware is a concern I would focus on things like what are our operational Key Systems in the environment again what are those access paths to those um and and take some of those those sorts of things some additional resources I mentioned this earlier as always Mr Sanders does an amazing job always writes great great books this is much more detailed than obviously I have time to cover today he also covers much more of the depth and breadth uh full honey pots and stuff like that also I highly recommend go take a look at Canary tokens. org um they've got free resources to generate these tokens for you um and of course you can then quickly modify them to work with uh HTTP

uh honey token http um and and get that integrated in uh so again if you're if you're learning that's a great way to start and I kind of slammed through that really really quick yes questions so you mentioned

yeah yeah

access so you have [Music] computer

y absolutely yeah no no that's a great question so so his question is I'm going to paraphrase it slightly right can we use some of our layer one stuff like you know say you're using crowd strike or or any of these sorts of things right you can absolutely abolutely use those to monitor the layer two stuff right the the whole idea here is really just when we're planning out our defenses where we've found this so useful as a construct is when we're thinking through completeness right all right because layer one right our standard defenses those are critically important whether you take defense and depth approach or zero you know uh trust or whatever that's a distin thing and then we think

of our Layer Two just from the perspective of how do we build controls to know when layer one is failed now you can use layer one to assist with that for sure right I I would argue your sim is part of your layer one if you're even just doing the alerting through that right um and and some of these other ones like behavioral detection are a really great one too that you can still do with your layer one stuff but you're going to have to build some custom signatures right so like uh let's give a specific example you know part of what really got uh my team thinking about this and focusing on this is we saw a

defense industrial contractor um back uh last fall uh Chinese thread actor group ed three Odes three distinct different Odes and deployed a malware framework that runs uh natively in the hypervisor uh on ESX so of course we're like holy smokes how do we Kevin mandia is taken to calling these the Apex attackers right how do we and and and they're being very intentional we're seeing a lot of intentionality right think about all of the work done great work over the last last few years over around EDR and maturing a lot of our EDR so now we're seeing the threat actors being intentional to avoid EDR how do they avoid EDR well that's a talk all by

itself but one of the key ways is they attack through systems you can't run EDR on so in this case the first oday was against the external internet facing firewall okay I'm not going to name the organization to preserve the maybe blameless I don't know but that got him resident in at at the firewall air then from there they deployed another oday against core switch which allowed him to move to the core switch and then from the core switch they deployed an oday against ESX which allowed them to get into ESX unauthenticated where they could then deploy their malware framework that could inject malware into all of the uh virtual machines running under that hypervisor

so in that instance right there was no EDR anywhere that we could have deployed you know if we as Defenders are trying to defend that but if you've done like we have done and you've gone all right let's look at all of how admins access the firewalls and build custom behavioral detection around that use because while the attackers um you know can access those devices they are going to use them differently than our legitimate people do and it's actually pretty simple to build some behavioral detection around those systems it goes now now those tend to be pretty high false positive but again you're not going to deploy those everywhere you're going to deploy those over some key critical systems that you

might think might be the the main types of pathing that that an adversary would use in these sorts of instances right right and so that's another great way which you can again use a lot of that layer one but the reason why I become a fan of this thinking about it as layer one and Layer Two is just buckets of type right so at the end of the day I want to have a ton of stuff in the layer one and I I you know all of my standard testing to make sure that's working as best as possible but then I also want to as intentionally go through and say well how do I detect all of the key ways that

they might have bypassed those layer One controls so that I can game on right we measure our uh you know one of our kpis is uh containment time and right now we're running about 12 and a half minutes on average right the idea there doesn't give adversary very much time to hurt us meaningfully right well you can only get there if you've got really good process processes really good people and you know right that whole thing is predicated on you know that you've got a prevention failure that you can go chase in the first place I saw a hand over

here um you mean in terms of like the behavioral or the honey tokens um so that's just a matter of how you deploy the honey tokens I mean occasionally you'll get you know people are ious or whatever uh but 99% of the time it's red team that we're catching with the honey tokens uh so you know it's really just you want to be very thoughtful about you know you know this is a super simplified map but I would take the actual infrastructure and you know if you're using segmentation okay how is our coverage within the different segments and stuff right I I've got you know security Architects and people that are with way smarter than me that do all the

real work on this stuff just to be clear but but you want to that's why I really like the layer one layer two approach is because we are as intentional about figuring out where and how to place our Layer Two controls as we are layer One controls does that make sense answer it question in the back yeah so one the tokens just anation that made

not oh yeah that's a good call out note in in the slide that I covered that I specifically said disable account uh but that's a good call out too is uh is make sure that that account cannot be burned cannot be used against you that that was a good one Blake I think you had your hand

up oh that's a good question so uh Blake's question was when the the token is tripped are we in a watch and learn uh unless there's some really accentuating circumstances since this is all operational enironment we are shut them down uh we will LLY and and a lot of other organizations take this approach nowadays too I know you know when you think about the problem of breach prevention from the context of we lose when they complete whatever their outcome that they're trying to achieve right that and you really start thinking that through Blake you realize that look we need to know really two things before we contain do we have it fully scoped I.E do we know everywhere the adversary

is and and what they've done and you know two what are they doing you know so that that we can contain it using appropriate controls right then you have plenty of time to go back and do all of the all of the research Etc right I wouldn't recommend except in rare circumstances you know um I can at one point in my career I was at GE and we may or may not have been you know having some jousting with nation state actors uh this is 2010 2011 and the the CIO gave us permission to observe up to xfill if we saw what looked like xfill we cut it off right um and that was invaluable but that was a really rare

circumstance because one it's super risky right you can easily lose control on that scenario and they can evade you you know depending on your visibility Etc so you got to be super super careful with that so one that's risky and two the other extenuating circumstance there is this is the very early days of the nation state actor stuff and nobody really understood them and so we really had a critical need to figure out how they worked but short of something crazy like that um and I'd make sure that highest level executive you could get in in to sign off on now that's where though you know there's lots of great you know standup uh nonproduction

instance on your cloud provider of choice and build up some stuff there to observe you know actors yes sir so can I go on

that uh we do yeah we we don't currently take automated actions because I'm still a fan of having the human brain in the loop but would I feel comfortable in taking automated actions I actually would yeah yeah like like think about the honey tokens that we're deploying on end user laptops I really wouldn't lose any sleep on taking an automated you know uh action that just dropped you know local IPC policies on that on that laptop and and cut off access for instance right you still want to be careful there right because uh the biggest problem with the automated action versus a human brain analysis is you want to be confident on how they got

to that laptop that they aren't other places because what you might have done is just shunted them and and so I would lean against that but I would certainly consider it depending on on what the environment looked like sir I a question mention the uh have you explor G I am not no that's uh that's a very interesting thought I my only concern with that would be that they find a bunch of the honey tokens then we got to deploy new ones um it is a fair bit of work to you know unless you're using one of the you know the better uh commercial products it's it's a lot of work to deploy these manually but but even that

um to the gamifying point I can speak to that um you know your sock and a lot of these groups this is such a different thing than their normal sock grind that it's also a really fun project your for folks to work on that helps with the you know the sock burnout Stuff Etc right so I I do think there's even beyond the detection additional benefits thought I saw another hands yes sir in your experience with the deception accounts Etc yeah how much effort is build false person

fored yeah all that that's that's a good question so is much yeah yeah yeah so his question is how much effort is it worth it uh in my opinion it's worth a lot of effort um and and I think the trick there is to weave it into your normal processes right I wouldn't like recommend go hog tail into deception to start right go go slow start rolling it out you know Etc that's going to get you some of that age and then just seated over time so you know you've got your sock folks doing an hour a week on it or something like that right and so it becomes something interesting for them to sink their teeth

into you know and work on but but isn't a huge project per se I I would tend to balance it something like that other questions yes sir I

comw yeah

inees yeah well you know that that reminds me of a Technique we used back at GE incredibly successfully we had thread actor who was very very successful at compromising ad creds and so we actually did the reverse right so when if you look at the tools for pulling the creds we seeded a bunch of fake in there uh and then built some custom detection looking for those creds flowing Across The Wire because the only time those creds that we had added would flow across the wire is if we have a threat actor dumping the domain right um so you can go both directions with this just FYI and we had a lot unfortunately a lot of we we had don't one domain

admin got popped 25 times in the course of about 11 months so yeah it was interesting sir

yeah so his question for those who couldn't hear was what are thoughts on saturating them out there versus look I if I was going to use automation for it I would absolutely go for that path right I wouldn't do it manually that that I think would be too much work but if I built some tooling as part of my patch Management systems and some of the other where we could easily deploy some of that right uh I would think about that if I was going to go that way though that's probably where i' I'd seriously look at some of the commercial options right the commercial options um have are doing things like I can again I

can only speak to one particular one but a Calo they have integrated with Windows defense and crowd strike both and actually leverage those platforms to deploy a bunch of these things and so it makes it super easy to deploy these in a saturated fashion um and so if you had automation or something like that I would absolutely go that path uh but at some point there if you're trying to roll your own like I've been showing and you know with my little open source your amount of Labor probably will exceed what you uh could pay a commercial you know uh organization to get you yes

sir yeah yeah yeah well it'd be pretty straight forward to make this part of the bill process we actually haven't done that yet but that's that's kind of been on my road map for a while to hey we issue a new laptop to a user as part of the new laptop build process let's let's deploy token uh as part of that so I do think there's some some things like that that I would consider probably doing to that point yeah sure so I'm a fan of the CIS security controls from a perspective of is an organization do it Asal you can always certain money and yeah was at and then say do I have deception

coverage in those you gone down [Music] that wide but short you know tldr yes yes not specifically to the CIS controls we weren't doing at that but more as an exercise on how broadly how creative can we get on and and again you know my team and I treated this kind of as a research project of sorts right where we really wanted to try and explore where are they high highly valuable where are they not you know things like that um but a lot of that was informed because we do have the advantage of seeing a lot of real intrusions and a lot of real activity and kind of tailoring our our uh choices to some of that observability for

sure other questions this is why I kept the content shorter is because I was hoping it would stir more conversation than me lecturing at all of you that just not might preferred if there are no more questions I oh another question what maybe this is kind what

of yeah that's a great question when I talk about this to peers I find this is an area that a lot of people just aren't familiar with um I started uh playing with deception back in the early 2000s so I'm probably at a decade of using deception and obviously it's morphed extensively over time uh as I've continued to lean into this um but I think it's just a pathway that leads to all sorts of interesting you know kind of and and at the end of the day it's like I say that that's the whole layer one layer two it's a supplement right it's just there as a back stop for when our other stuff goes so so

uh oh yeah yeah yeah I right you could potentially right like again you want to think about this as you know our context we're putting this out essentially as bait on the things that we know attackers go for right um I I've never really put any brain Cycles into using it for Insider I I that's certainly not where I would take this because then you get into the into the very great areas of entrapment you know which is a legal thing and you know that's that's not the kind of work environment or culture I want to live in um and I suspect hopefully none of you do either that's I in sure reward yeah yeah no that's I it's definitely an

interesting thought I will put some more thought I do I do gamification can have a lot of positive uh benefits for sure all right last call for another question then I have a question all right so I have here A bash bunny to hand out uh for the question name one of the top tools for extracting cached credentials on a Windows host I saw your hand first mimik cats it is all right well thank you everybody for your attendance and hey before before we leave could I also get uh uh uh everybody to give a round of applause for we got a ton of volunteers you know um ger or geran um besides Augusta makes

no money right this is all a whole lot of hardworking passionate people put This Together ton of volunteers that have been working for months let alone all the long hours they put in today and uh I just you know couldn't be uh prouder of the work that they do for all of us as a community um you know so I would ask that we all give them a round of applause all right thanks everybody