
Catching More Flies - Spotting the Adversary with Honey Techniques

BSidesROC · 2023 · 40:25 · 25 views · Published 2024-09 · Watch on YouTube
Speaker: Matt Gracie (Security Onion Solutions)
Category: Technical
Style: Talk
About this talk
Talk description: Detection Engineering traditionally centers around defining and alerting on known malicious adversary actions in your environment. Deception Engineering, on the other hand, uses techniques like honeypots and honeycreds to trick an intruder into seemingly harmless actions that will generate immediate, high fidelity alerts. This talk will outline some free tools and techniques that you can deploy in your environment to spot attacker reconnaissance and lateral movement early in the attack chain.
Transcript (en)

All right, is this on? Can you guys hear me? Yeah? All right, let me restart my timer here and we'll get started. So thank you for sticking it out toward the end of the day, I appreciate it. Thanks to the organizers for having me; it's always good to come back. I actually grew up right around here, I grew up in Henrietta, just a couple miles away. This hotel, I think I mentioned this last year, but this was the site of my high school senior prom in 1995, so real weird vibes right now. I'll try to fight through it. It's good to see they haven't updated the carpet, that's nice.

So my talk today is called Catching More Flies: Spotting the Adversary with Honey Techniques, and this is not going to be a deeply technical presentation, but it's going to be more about some free and open tools that you can use in your environment as part of a larger strategy to catch malicious activity and potential adversaries. So first things first, who am I and what am I talking about? My name is Matt Gracie, I'm a senior engineer with Security Onion Solutions. Has anyone heard of Security Onion? It's an open source project. All right, awesome. So I mostly work in professional services and support; I do some training stuff as well. Before I started working for Security Onion I was a blue teamer for about 15 years. I did defensive security in a whole lot of different places and a whole lot of different industries. I started off in higher ed, which is probably why I like free and open source products so much, because when you're in higher ed you don't have any money. I also organized the BSides conference down in Buffalo, so if anybody wants to talk about that, feel free to pull my cat after the talk.

What I'm going to be talking about today is using deception engineering, or honey techniques, as a high-fidelity early warning indicator that there is something malicious going on on your network. So what do I mean by deception engineering? Traditional detection engineering is writing alerts, or writing detections, around known malicious activities, right, around indicators of potential compromise: things like an IP address that has been linked to a C2, or things like a Suricata rule that catches malicious traffic. If you see a Cobalt Strike beacon, you know that there's probably something bad going on, right? So it's written around these sort of universally recognized malicious activities that you want to raise an alert on, because you know that's a sign that something nefarious is going on. Deception engineering, on the other hand, and this is kind of a fine distinction, but deception engineering is something specific to your environment. So instead of a generic rule that recognizes malicious traffic, that says hey, you know, here's something beaconing out to a C2, you should probably investigate this, deception engineering is building traps into your network, into your environment, that are particular to your environment, that will appear to be innocuous traffic or innocuous activities to an attacker, but that you will recognize as being signs of something that's amiss. Right? So you're kind of like, who's the kid in Home Alone, anyone remember? What's that? Yeah, who's the character? Kevin, right. You are Kevin from Home Alone, right, Joe Pesci as always is the bad guy. So you're building these tripwires and traps all through your environment so that when he trips over them, it makes a lot of noise and you recognize that he's there.

One of the guys who wrote the book on honey techniques and honeypots, and I mean that literally, his last book was called Intrusion Detection Honeypots, is Chris Sanders. Right? If you've been doing this for a while you've probably run across Chris by now, and I really like this summary of how honey techniques and how deception engineering works. If you know where someone will look, so if you know where the attacker is going to look and how they're going to try to take advantage of your environment, you can control what they're going to see, and that's what we're going to talk about: how do we put tempting targets into the path of an attacker so that when they grab them we get an alert? If you put something valuable there, you can control what they think. If they're doing reconnaissance internal to your network and you can control what they're going to see, you can probably control the path that they're going to take, or the credentials that they're going to take advantage of when they get there. And if you can provide an opportunity, if you can make something look vulnerable when it's not, if you can make something look tempting so that an attacker will grab it, then you can dictate what they're going to do.

What's the old security aphorism, right? It's easier to be an attacker than a defender, because defenders have to get lucky every time and attackers, they have to get lucky once. Right? That's sort of the old saw, you've heard that before. Okay, I'm sorry, I'm having a lot of trouble reading people's expressions today for some reason, it's weird. But what this does is it kind of turns that on its head. Sure, the attacker has to get lucky once, they have to get their initial access, they have to get into your network, but after that they're basically stumbling around in your house with the lights turned off, right? You can set all the traps you want. That's what deception engineering is all about: figuring out a way to instrument your environment so that when they're stumbling around in the dark, you can trip them up.

I'm sure you've seen this before. This is the sort of list of MITRE ATT&CK tactics, the phases of MITRE's version of the kill chain, right? So where does deception engineering help us out? Well, it can help us in a lot of the early phases. Wow, that is almost unreadable, I apologize. If somebody is doing reconnaissance, we can instrument things on our border so that even if they're not valid targets, they might be something that an attacker would enumerate, and then we're able to raise an alert and say hey, somebody is scanning our border, somebody is trying to find their way in, you know, get some intelligence on that. If they're looking at things like lateral movement, right, we can put traps around accounts, around credentials, so that if they're poking around and they compromise some credentials somewhere, when they try to use them we get alerted to it. We can do the same thing with the privilege escalation phase, right? If they're trying to move up to an administrative account or a superuser account of some kind, we can build fake ones and then raise alerts when somebody tries to use them. If they try to move around the network using various escalation techniques, we can build tripwires here, there and everywhere, right? Our whole goal here is to make them waste their time, make them double guess themselves, make them very hesitant to do things that appear to be harmless. Right? We're not talking about those Cobalt Strike beacons going out, we're just talking about using some stolen credentials to log into a DC, but we want to make all of these very high-risk, high-alert actions so that they're never quite sure whether their footing is secure. So it sounds like fun, and it is. There are some prerequisites in your security program that you really need to have in place before you start trying to

deploy this stuff, though. So I just kind of want to step through these and talk about, you know, where you need to be. For one thing, you're going to need an asset inventory. I know it's the number one control in the Top 20, I know it's something that we're all terrible at, but you need at least a rudimentary asset inventory, because you need to know how to make things that look real but are actually booby traps in your environment, and you need to know how to put them somewhere where your actual users won't stumble over them, right? You need to be able to make these things plausible, but unless they are in a spot where your users won't get to them but an attacker will, they're not going to be very good high-fidelity alerts. If Barb from payroll keeps tripping your honeypots, it's not going to work out for you; you're just going to waste a lot of time with false positives.

You need to have some centralized logging in place, and the reason for this is, when a honey alert goes off, you need to be able to figure out where it is and why. A lot of these are alerts that may go out to a website or some other clearing house, right, so you may not have the actual IP address of the workstation where something was tripped, you may only have your border IP address. You need to have this logging in place so that you can say okay, this fired at this time, I'm going to go back through my workstation logs and figure out what exactly happened and where. Right? You need to have that context so that when you get these alerts you can investigate them; otherwise, no matter how high fidelity they are, they're not going to do you any good. Right? You're just going to say, well, something went wrong in my network somewhere, so that's not going to be great.

You need to have some sort of alerting function, right? When these things fire you need to have some sort of console, or some sort of SOC, or some sort of board or Slack channel or email list or something, so that people know that it fired; otherwise, you know, no one's going to see it happen, no one's going to investigate. And then finally you also need to have an incident response or an investigation plan, right, and ideally you want to drill on this, you want to practice, you want to make sure that you know how to hunt this stuff down. If somebody uses a particular account, right, to talk about one potential hunting technique, if somebody logs in with a particular account, you need to have the facilities in place to say okay,

I know where they logged in from, I got the alert that they logged in, I know how to investigate it, and I know how to figure out where that login came from. Right? You need all of these components in order to receive and take advantage of the alert. If you just try to jump right into, you know, scattering Canarytokens or whatever across your environment, and you don't have any of this stuff in place to provide larger context, it's going to be frustrating for you. Right? So you need to get the fundamentals in place first.

So the first variety of honey technique that I'm going to talk about is Canarytokens. Canarytokens are an open-source product; the project is at canarytokens.org, it's run by Thinkst Canary. Canarytokens are really nice because they're simple, they're easy to deploy, it's all set up as a hosted service if you like. If you're not comfortable with putting all this stuff into the hands of a free hosted service, all of the backend stuff is up on GitHub; you can download it and run your own service layer that receives the alerts from these Canarytokens. The setup is very simple. This is just a screenshot of my browser; I was getting an AWS key token, right? So all I do is I put in some information about the token, you know, a reminder of where it's going to go, or where I'm going to deploy it, or what it means if I get an alert about this, and I put in an email address or a webhook. Then I log in, and if you're familiar with AWS you know what a credentials file is: I get a credentials file with a set of valid AWS credentials in it. Then I can take that credentials file and I can put it somewhere in my environment where an attacker might see it but where a developer is not going to, right? I could put it on somebody's workstation in accounting or marketing or something like that, somewhere that it will look like a tempting target but my developers aren't accidentally going to try to submit anything to AWS with it. And then you wait. If that AWS account is accessed, then the email address or the webhook that you put in during instantiation time will receive an alert.

The alert looks like this. See, it says Canarytoken triggered, the channel by which it was triggered, the time, the name of the Canarytoken, that long sort of Unicode string there, the reminder, that is the note that I put in there when I created the token, the token type, in this case AWS keys, the IP, and, because it's an HTTP token, the user agent. So to trigger this token, I created it, I downloaded it to a Linux machine, and I tried to use it with the AWS CLI tool to enumerate S3 buckets, right? I did like the most simple possible recon task with these credentials and I immediately got an email. The AWS ones can take a couple minutes because it has to kind of filter through the AWS pipeline, but, you know, again, very swift, very high fidelity alert. I put this somewhere and someone is trying to use it. No one legitimately should be trying to use this, so that means that there's probably someone in my network doing something that they oughtn't to be, either a very curious employee or, more likely, a pentester or an adversary of some sort.

So that's AWS keys, right? That is a pretty simple, straightforward use case, but there's a lot of different Canarytoken varieties available. You can use AWS keys; you can do the same thing with Azure, so there's an Azure analog to that where anybody trying to access Azure services with the credentials that you've provided will raise an alert. There are a couple of different varieties of Office documents that this is available for. They use a tracking pixel technology, so when somebody opens up a Word document or an Excel document, it tries to pull down an image from the Canarytokens web server, which recognizes it as, hey, somebody just opened this document, and sends you an email or sends you a webhook, a Slack. Canarytokens can be set to trigger on DNS lookups, so if you have unused IP space in your network, for example, and you want it to trigger if somebody starts trying to do reverse lookups against it, you can do that. You can instrument specific Windows exes, so if you want to put something on your system that will trigger every time somebody runs PowerShell or runs whoami or runs net user, right, stuff that you would not expect your normal users to do but you want visibility into if some adversary is doing it as a means of lateral movement, you can set that up as well. The web redirects, I think, is one of my favorite ones. You can set up a Canarytoken for a non-existent service on your border, like say you want to stand up, you know, vpn.com, and then it will capture information about the browser, the originating IP, the source geography, etc., and then redirect it to wherever you want. So it can act as sort of a harvesting agent while somebody is trying to do reconnaissance against your network, and you'll get all that information in the alert from the Canarytokens. They just added the ability to do credit card numbers, which I thought was pretty cool. You can set up a perfectly valid, passes all the algorithmic checks, credit card number, interleave it in with actual production data or leave it in a spreadsheet on somebody's laptop, and if anybody tries to use that credit card number and actually charge against it, you'll get a Canarytoken alert, right, that will tell you that that data source has been compromised, that number is being used. And the last one here, which I think is really cool, WireGuard profiles. So you guys are familiar with WireGuard, sort of a VPN platform, right? So you can create a WireGuard profile that's a Canarytoken, so when somebody attempts to connect to it using those profile settings, it'll raise an alert. The neat thing about this, which I didn't really appreciate when they rolled it out, is you can put a WireGuard profile on a computer, yes, but you can also put it on a phone. So if you can generate these for people and push them out via your MDM solution, or have people manually install them on portable devices, this can be a really good high-fidelity indicator that somebody's phone has been compromised. Now, I don't know about you, but over the course of my career that's been a really hard thing to ascertain, right? We don't have nearly the level of visibility and telemetry into people's mobile devices that we do into their laptops and desktops and VMs. So, you know, this is a really good indicator, if somebody has compromised their phone and they're trying to use it as a pivot point, or they're trying to use that WireGuard profile to access your corporate data, that something is amiss and somebody's phone just got popped. Right?

And again, all these Canarytokens can be freely generated at canarytokens.org. If you would prefer to run your own infrastructure you can totally do that; there's a link at canarytokens.org to their GitHub that has all of the backend services available. You can run it in your own cloud or in your own data center. But if you generate a bunch of these Canarytokens, especially if you're thorough and methodical in the tags that you put on them, so you know exactly where they are when one fires, and if you've got the logging infrastructure in place in order to investigate the stuff properly, this can be a really great way to just kind of scatter traps around your network where your users will never notice it, but somebody enumerating your data or trying to pivot or laterally move through your network is bound to trip over one or another. Right? So super, super handy set of tools. Does anyone have questions at this point? No? All right, there'll be a link at the end, I'll post the slides too, so don't feel like you have to take

pictures of them all. All right. Another helpful technique that we can use is honeydocs, or honey documents, right? You build a file, you put it on a file share, you name it something like "payroll data" or "employee evaluations" or "Q4 fiscal plan", right? You can even do this with a Canarytoken spreadsheet: you can take one of those Excel spreadsheets that was generated by the Canarytokens site, put some data in it, stick it up on a file share somewhere, get the hash of the file. If you're running Zeek in your environment, or you're running some other network monitoring platform with Zeek-like functionality, preferably Zeek, you can just take that hash and put an intel rule in place that will alert you if that file is moved or accessed. Right? So you've basically just set up a big fat target, and like the tweet from Chris Sanders said, if somebody sees that, they're probably going to try to open it, they're probably going to try to retrieve it, they're probably going to try to do something to it. So you make it look as innocuous as possible and then you build a bunch of controls around it, so if anybody touches it, you know, you get alerted. They don't necessarily get zapped, they just get some fake information, but you are now alerted that somebody is accessing that network, is accessing that file share, and is trying to pull down data that they should not be looking at. Right? If you want to, you can even layer these techniques: so not only do you create it as a Canarytoken, you write a Zeek intel rule so when it moves across the network you know about it, you can also use your EDR platform or Sysmon or whatever you're using in your endpoint logs and write an alert for it there too. So if they see this file hash being written to disk anywhere, you'll capture where it came from, you'll capture where it was written to, you'll capture all the user information around this data being pilfered, right, and you'll know right where they are and right what they're doing with your data. Really handy technique.

Another one is using honeycreds, or honey credentials. You create a domain account, you name it something like "webadmin", right, something that sounds very highly privileged. You can even create an Active Directory group to put it in, right, something that's not quite built in, but you want to name it something like "Apache Administrators" or something like that. Give it no valid login hours, so the account can't actually be used for anything; it just sits there looking tempting, so tempting. Then you put the credentials into a honeydoc somewhere, right, somewhere that an attacker is likely to see it but a user is not. So you put a spreadsheet on a developer's desktop, you put it on a file server, you put it in your LastPass vault, sorry, you know, somewhere that's going to be very visible. And then you can just build an alert around that, so if you see anybody trying to log in with this account, if you see anybody trying to authenticate with it, raise an alert. Again, if you've got your centralized logging in place, if you've got your investigative capacity in place, once somebody does this you should see the Windows event fire that someone's trying to log in with this account, and you'll know exactly where from. If you want to get really fancy, there's a technique I found where you can actually just seed the credentials into memory using runas, right? Then if somebody comes along later and they run Mimikatz or something else to try to dump out the process memory and get that password, they will be able to retrieve the information and use it to log in, not suspecting that this is just a fake account that you set up to trap them, but rather thinking, oh, this is great, I logged into the web server, there's this webadmin account that was logged in, I could steal the password for it and just go nuts. Right? Again, our point here is to build traps. We're trying to build

things that will tempt an attacker, that will look like innocuous activity, but will actually alert us in the background that something terrible is going on that we need to investigate.

Two more that I found when I was doing some research for this talk. These both came from NCC Group, which I thought was interesting. So these were honey techniques that were built off of threat intelligence that was being used in the wild. One was the Windows process killed canary, which watched the service and process table in a Windows server and alerted when a certain number of services were killed. Why is that useful? Because a lot of ransomware starts with killing off services, right? It kills things like the Volume Shadow Copy, it kills things like the EDR service, etc. So they said, if you monitor those particular services that get killed by this variety of ransomware, then you will have an early warning system before the ransomware even executes: you'll see those services getting killed and you'll know that something nasty is going on. Right? Again, you're not looking specifically for anything malicious, you're not building something that your regular users are going to run afoul of, but you're taking the threat intelligence and you're saying, doing this thing that normally would not raise an alert will, because we know that it's something bad.

The other one was the Windows uninstaller canary, which I thought was really clever. So there was another variety of ransomware, I think it might have been Ryuk, but I'm not positive, the link's at the end of the presentation, and the first thing it did was it ran a script that said okay, uninstall CrowdStrike, uninstall SentinelOne, uninstall, you know, what's that one BlackBerry makes now, Cylance, uninstall Cylance, uninstall Defender, right, run all of these uninstalls. So they said, well, what if we just create a dummy process and we call it CrowdStrike and we put it out across our fleet? It's not actually going to do anything, it's not going to hurt anything having it out there, it's basically just an idle process spinning its wheels, but if this ransomware comes along, what's the first thing it's going to do? Kill the CrowdStrike process. What's that going to do? It's going to alert us, right, because we jumped in front of its process. It's trying to kill all this stuff off, and then we can raise an alert and know, okay, there's no legitimate reason why anybody should be doing anything to our fake CrowdStrike process, we run Defender anyway, but if we see an intruder out there who's killing these things off, that's an excellent early warning system for us that something nefarious is going on. Right? So those are the kind of, you know,

mix and match honey techniques that you can use in your existing environment. One last possibility that I want to talk about is, instead of using a file or using an account or using an AWS credentials file, what if we make the whole server into a trap? Right? So this is what Chris wrote the book on last year, Intrusion Detection Honeypots. So the idea is we stand up an entire fake server to act as a target. Again, there's no legitimate reason why any of our users, any of the people who have a reason to be on our network, should find this, but we can just spin up a VM, stick it in a corner of the network, make it available to an attacker who's running nmap or running, you know, some reconnaissance tool to figure out what other services are available, and then if anybody messes with it we raise an alert. If someone tries to log into it, we record what credentials they tried to use. Right? So we're setting this whole thing up as sort of a Potemkin server, if you will, and just record what they do to it, not return anything good, and use it to gather information about the attacker.

Now, the difference between this and a research honeypot is, a research honeypot is generally something that's run exposed to the internet at large, right, and the idea behind a research honeypot is to do research and figure out attacker techniques. I stand up an MSSQL server, I expose it to the internet, I wait the 35 seconds it takes to get pwned, and then I go through the logs and try to figure out what exactly happened. That's a research honeypot. In this case we're talking about an intrusion detection honeypot. We set this up inside our enterprise network, we try to emulate another server or another service that exists on our network, and then we just wait for somebody to interact with it and try to figure out what's going on. Whenever there's any kind of interaction we raise an alert, and then you can investigate, and because, again, your network is instrumented, you've got proper logging in place, you've got a proper investigative capacity, you can go in and figure out all right, who reached out, who touched it, whose account was responsible, and so on.

Security Onion, the platform that I support, has an intrusion detection honeypot node available. This is something that we released, I think, last year, that's built, again, around Thinkst's OpenCanary platform. So when you install one of these intrusion detection honeypots, and the overhead for these is incredibly small, I mean it's like one processor and two gigs of RAM, you could run one of these in a VM on just about every endpoint in your network and not even notice, but when you install it you have a variety of sort of prepackaged servers that you can emulate. You can say I want this to look like a Linux web server, you can say I want this to look like a MySQL server, I want this to look like a Microsoft SQL Server, whatever you pick, it will configure the ports accordingly, expose them to the internal network, things like port 80 for a web server, port 1433 for a MySQL server. To all intents and purposes it will look like one of these appliances serving to your internal network, but really what it's doing is recording any attempt to connect to it and then raising alerts in the central Security Onion alert console.

By default, if you install this Linux web server here, this is what it looks like: it looks like a, you know, a NAS product with a login window in it, right? It does not have to look like this. We actually support reskinning it with any HTML you want to use. I was playing around with that capability when I was prepping this talk, and I just did a wget on some other enterprise product, copied out the login page, stuck it in there, and it looked exactly the same. Right? So if you're using some other web product internally, you know, if you want to make it look like the login window for your Tenable scanner, you want to make it look like the login window for your SAN or for some other internal product, you can totally do that. Give it a hostname that just about matches, stand it up, and just wait to see what happens.

It actually generates two different classes of alert by default. They're very interesting, because they are unreadably small, but they're very good alerts. It will raise one class of alert if anyone connects to the HTTP port at all, so if there's any network traffic that touches port 80, it will raise an alert and say hey, somebody touched this. That can be a good indicator that somebody is doing a port scan, or, if you put a DNS record in, somebody might have done a zone transfer and be going through trying to touch everything, trying to figure out what's going on. There is a second alert that occurs if somebody actually tries to log into it. So if they go into this interface and actually put in a username, or a username and password, and they hit log in, they'll just get a login failed dialog, obviously, but it will record the username and the password that they used. So if somebody is trying to use credentials to move laterally, or to log into other services, or to log into other web applications, it will light up clear as day right here, and you'll say, oh, okay, you know, this person obviously compromised this account over here. So again, really good indicator early in the kill chain that somebody is doing something nasty, that they're trying to do some lateral movement, that they're trying to use stolen credentials to move around inside your environment. But it's easy to set up, it's free, it's super high fidelity, and it does not inconvenience your users. It's really a win-win if you've got the time to stand it all up.

So, in conclusion, just a couple other tweets that I really liked. One is from SwiftOnSecurity, right: to defeat attackers you've got to bring them down to your level and just beat the hell out of them with it. Absolutely true. Again, we always say, well, you know, the attackers only have to get lucky once. No, they have to get lucky every time. We have to make them worry that every time they touch something inside our network, it's probably a trap. Right? And by using techniques like this you can do that, and it's free. Second, David Weston, who's a VP of security at Microsoft, says don't play their game, make them play yours. Right? If they're going to come into our network and they're going to start touching our stuff, we need to make that much more difficult, right, and doing stuff like this, so that we get warned right away that something nefarious is going on, is a really good way to do that.

All right, so that's all the slides that I have. If anyone has any questions, let me know. Again, I'll post these up in my GitHub later on. If you want to follow me on Twitter, there's my handle, there's my email address. I guess that's

it. Oh, when I post the slides there's the links to the stuff that I footnoted as well. All right, any questions before... once I close my laptop it's all over. What's up?

Audience: [partly inaudible] ...like tokens, like one of...

Matt: Not that I have run across. It sounds like using Log4j as a token, which I like; if everything's broken anyway we might as well get some use out of it. No, that's a really cool idea, I like that. I haven't seen it, but it sounds awesome. Anyone else?

Audience: I don't know if it's a question, but I was going to ask: when an attacker identifies [inaudible], he has a choice to leave, say hey, you know, this is [inaudible], or they can become consistent, don't know that this [inaudible], and then at the end of the day they find out that hey, you know, this is a trap, you know, I need to leave or whatever. Do you know of anything that [inaudible]?

Matt: Well, I think the idea is, if you're deploying these liberally, they're probably going to run across them before they really realize it's a honeypot, right? They're going to walk through the tripwire and hear it click, like in every good 1980s action film. As for how they'll react to that, I suppose it would depend on the attacker. I mean, the nice thing here, with stuff like the Windows service canary or the uninstaller canary, is whether they stick around or not, we've gotten an alert about this nefarious behavior before they're able to really complete the compromise, right? We caught them partway through prepping to deploy the ransomware; they didn't actually get to do it. So whether they try to stick around and we kick them out, or whether they realize that something is up and they leave on their own, either way our stuff didn't get ransomed.

Audience: So, yeah, have you ever run into, because all these scenarios require network communication to send the alert out, have you ever run into attackers trying to block that before? Like, before the process command, before they start killing processes, have you seen anything where they'd try to block network traffic out that would be indicative of a [inaudible] trip?

Matt: I have not. That's an interesting thought, but I think it would be hard for an attacker to, A, recognize that that's something that they're walking into, and, B, kill off the network access that granularly, right? It just seems like it'd be really easy for them to lock their keys in the car.

Audience: [partly inaudible] ...think can with their [inaudible] solution...

Matt: Oh, okay, so you're saying just block responses specifically to [inaudible]. Right, well, as the example, that's where... yeah. Yeah, no, I haven't seen that, but it's an interesting thought.

Audience: Hopefully not too off the beaten path: the credit card thing is really interesting to me. Do you have any idea how they would actually alert and trigger that? Like, there has to be some [inaudible]...

Matt: I don't know how it works on the back end. They just announced it, like, a couple weeks ago. I thought it was really cool, so I wanted to put it in there.

um okay so it it Happ is it like the the Clearing House level when they try to process the number c nice I wonder if the uh the bad guys have figured out the range

yet have not just at thisel if they have cred out they give you cred card number and they alert from the that oh interesting and there legitimate uses for these two because I think it's private that allows you to generate virtual credit C virtual credit card numbers that are valid credit card numbers but you can lock them down to certain vendors right or certain certain amounts yeah kind of these new virtual credit cards so it's I'm assuming a virtual credit card number that thinks is doing as well um that is just for them to use mhm yeah credit card numbers seem like they they have the same security limitations as Social Security numbers where it's like this is something you

need to keep secret also we would like you to tell it to everybody um so it's you know it's going to turn to shoot the horse on it's already out the barn right Val after the validation whether or not there's actually account previously there's like test credit numbers that if you're developing software that takes credit card numbers you can have a set of numbers that both generate a fail and set of numbers that generate so you can validate your s process nice yeah like like iar for

MasterCard level onto that to see if beyond the app if somebody is actually trying to valid that makes sense any any other questions all right well if you think of any I will be around thanks [Applause]