
Okay, so we'd like to welcome everyone to our next talk at PasswordsCon. Just by way of reminder, thanks to our diamond sponsors Adobe and Aikido and our gold sponsors runZero and Profit. Then, when it comes to the BSides photo policy, a reminder that the speaker has said you can take pictures of him and/or his slides. There's no need to record video; it's being streamed and recorded. But please do not take any photos of attendees or anyone else at the conference without their consent. So, just a reminder on that as well. Our next talk is entitled "Phishback: How to Turn the Problem into a Solution." I'm going to try and pronounce the name without destroying it too badly: it's going to be presented by Gaia Bjon. So we'd like to invite him now, and yeah, enjoy the talk.

>> Thank you very much. I'm extremely happy to be here today, and I will present you something pretty cool called Phishback: how to turn a threat, phishing, into a detection tool. So, let's do this.

First of all, my name is Gutier Bjon, so I don't think you'll hear a more Frenchy name than that today. I'm the CEO of Moken, a cybersecurity software company. Before that I've been the head of cybersecurity operations for big international companies, as well as a pentester for 10 years. I'm here today to present you something that came into my mind after a big cybersecurity crisis I had to handle when I was a SOC manager, due to a stolen credential. The results of this new strategy are so impressive that I felt I had to share it with you guys. So let's dive in.

The stolen credentials problem. Let's take a look at the problem first. I really think that passwords are the gold of the 21st century's pirates. So why are they so valuable today? Because, one, it's very easy to steal them; there are countless ways to steal passwords. And also, this is and still is the best way to get into a network.

So let's see very quickly how companies have tried to stop this leak madness of passwords in the past few years. First they tried to train their employees. Unfortunately, most users aren't exactly interested in cybersecurity trainings. After that we tried phishing simulations, thinking, all right, let's put them in a real situation, they will learn by experience. But surprise: have you ever met someone telling you, "Yeah, we have very, very good results at our exercises"? Me neither. And then the final solution, the savior, arrived with dark web monitoring, the thing that will save us all. The idea was simple: when a credential gets stolen, attackers will share it and we will recover it before it's used. But I've always seen it like this, because the people in front of us are not dumb, and I think it has been a bit over-marketed through the years. My vision of the distribution of leaked credentials is more like this: I really think that some, yes, eventually end up on dark web marketplaces, but it's a very small fraction. A bigger part is traded quietly under the radar between attackers in very private groups, and the largest portion, for me, is never shared anywhere; it's just used in attacks. Those people, again, are not dumb. They steal a credential, they just use it. And even if you add MFA on top of this already impressive stack of tools, stolen credentials have remained the number one initial access vector for years. So I really think we have a problem here.

So I was in this exact situation. I had everything: phishing campaigns, awareness, MFA all around, and I still got breached by a stolen credential. And so, after this big crisis, an idea sparked in my head for a completely new way to handle credential theft. So I'm going to tell you this story.

It's a true story that happened to me two years ago. It all started, of course, with bad guys. They targeted just a tiny fraction of the company I was working for: 12,000 users, and they targeted dozens of users. It was a very carefully crafted phishing email, of course. And out of 12,000 people, four sent back their valid credentials. Just four out of 12,000. With that in hand, they followed a very, very easy playbook, a very classic playbook of red teaming or pentesting: they identified everything exposed on the internet and they tried to just connect everywhere with it. Unfortunately for them, I did my homework and MFA was activated everywhere. But unfortunately for me, this time we opened a new subsidiary in South America a few weeks later, and the network administrator forgot to activate MFA. They discovered it in like 24 hours. They logged in, and here was the biggest crisis of my life.

After the crisis was handled, I sat down and looked at the attackers' playbook, and I was like, okay, it's just like me when I do a pentest. It's very basic; everybody is doing this. What if I had placed a fake VPN gateway among the real ones at the beginning? I would have known weeks earlier, during their enumeration phase, that they had stolen credentials, I would have been able to reset the password, and that major crisis would have just been a minor security incident. And seeing that nobody has documented this approach, I decided to give it a name. I called it Phishback: recovering your credentials the same way they were stolen, through phishing, but phishing the attackers.

And now I think half of this room has this in mind: "Yeah, man. Cool. That's just a honeypot. Nothing new." And yes, exposing honeypots to the internet is nothing new. We've been doing this for years, even decades, but mostly to do some threat intelligence, to know what attackers are doing out there. But we have never done this with very, very carefully crafted defensive phishing pages with the goal of recovering stolen credentials, and that's a completely different game. Let me explain to you why. There are two major challenges to overcome if you want it to work.

First, the illusion has to be perfect. Inside the corporate network, attackers are in a hurry. They don't have much time to see if your server is a real or a fake one, and even if they start poking around to figure out if it's fake or not, it's already suspicious. But on the internet there are a lot of people trying to connect everywhere, all the time, so you cannot be sure whether it's an attacker or not, and they will have weeks, months, even years if they want to figure out if it's fake or not before trying to enter their precious stolen password. Which means your fake asset has to be extremely convincing.

And the second challenge is, and I think you all guessed it, the internet is a very, very, very noisy place. When you put up a login page on the internet, you will have millions of login attempts every single day, and you only need the one that is interesting, and this is very hard.

Okay, so let's see how we do this. First, achieving the perfect fingerprinting. What do I mean by fingerprinting? For those who don't know, it's the process of identifying the technology behind a system just by looking at small things it exposes. For example, if you want to fingerprint a Cisco, you go to the web page, you see "Cisco", but that doesn't mean it is a Cisco. You need to see the response time, the headers and so on. So this is basically fingerprinting. And to do this, of course, you could do it manually, but nobody does this. You could use very well-known tools like the big guy, Nmap; everybody knows him. You also have very famous internet scanners like Shodan and Censys, and even Wappalyzer as a browser extension, etc. And the game here is to fool them all into identifying your fake page as a real one.

Let's take a quick example with Shodan. For those who don't know, Shodan is a mass internet scanner that basically makes a complete database of the internet, not in real time, but I think every week, and it fingerprints every single page it finds to discover the technology. And how does it work for Shodan? It's based on hashes. It will make a hash of the HTTP response, a hash of the rendered page and also a hash of the raw HTML. So you may think, okay, if you do a fake page you just copy-paste the pages to match the hashes and it's done. Unfortunately, it's not working like that. For example, if we take the Fortinet login page, the hash will always be different due to the ETag in the header, which is always random. So you also have to replicate this randomness if you want to fool it into thinking that it's the right technology. And if you just copy-paste another one, you will have a duplicate of this thing that should never be duplicated, so it's obvious that it's a honeypot. And the fun part is that it's different for every technology. If you take Outlook Web Access, for example, the hash will always be different, the HTML hash also, but the DOM hash will always be identical. This is due to Outlook changing things in the header and in the raw HTML for each single platform. So the methodology has to be specific to every single tech. And I've only shown you here a small, tiny piece of one single fingerprinting method on one tool. So imagine the amount of research and fine-tuning you have to do to fool all the tools. It's a lot of work.

Okay. So now we have tools and scanners that believe that our portal is a real one. But unfortunately, we are very far from done. Building a portal that looks real and passes fingerprinting is actually pretty easy. After that, there are dozens of other ways to get caught, and you will need to handle things like mobile format and multi-language support. A very, very quick tip to discover if you are on a honeypot or not is just to change your browser's language, and if the page stays in English, it's basically a honeypot. It's a very easy way to find out if you are on a fake page or not. You will also have to handle every HTTP method, not just the usual GET and POST, replicate exotic endpoints, and, for the most cautious attackers, even replicate the TCP stack. And to do this, of course, you have only one option, which is reverse engineering.

So here is a very quick look at the methodology we use to do this. First, the documentation study, of course; it is basic. Map the existing CVEs, because they often reveal exotic endpoints you wouldn't find otherwise; it's extremely important. Proxy-based analysis, which is the basis of web reverse engineering. Add some directory brute forcing, and the good old click-click method: just click on everything at the end to be sure that you haven't missed anything. And just to give you a glimpse of what needs to be done to mimic one single page, I've taken the Citrix one, which is a very juicy login page, interesting to do as a web-exposed honeypot. Just for this login page, 194 base endpoints can be accessed, and I'm not talking about the application, just the login page. You have to do this in 12 languages, seven user agents at least and 10 HTTP methods, and that leads you to more than 162k variations to replicate, just for one single page. So I hope you see how different it is from a standard web-facing honeypot.

Okay, now we have a trap that is almost impossible to detect. But here's the next question: how do we actually get attackers to go for it? Because that's what we want. Well, here we have a very, very big advantage, because we are playing at home. What is the most painful thing for an attacker when he's doing phishing? He does not have the domain. And we are playing at home, so we can make the perfect phishing because we have the right domain. So the goal here is to create a domain that really stands out to attackers when they do their enumeration. And what's better than the good old test.comp.com? If there are any pentesters out there, I dare you to tell me that you will never check test.comp.com if you find this in your enumeration phase. I would do it also; it's one of the first you try. You can be a bit more subtle if you want: you can use "home office", "remote", things like that. But be sure to study your external perimeter, because the domain needs to blend perfectly into the environment, or it will be too obvious.

And finally, how do we deal with the massive, massive noise you will get? Let's see what we get into our honeypots. First, we will have an industrial amount of login attempts coming from bots. Of course, absolutely zero value, no interest at all. Number two, we have the opportunist. This guy found a combo list on an obscure forum, and he's very happy to do some password spraying all around. Most of these attempts will be bad ones, but I don't know why, they sometimes have valid credentials, so you cannot fully ignore them. And finally, the real attackers: they make very, very, very little noise, but they have the attempts we want.

Sorry, it will not be rocket science or AI or things like this. Just apply, for example, first, the password policy: if someone is trying a 10-character password and your password policy is 12 characters long, yes, it's fake or it's old, but it's not interesting. After that you can apply some regular expressions to catch your firstname.lastname format, for example, or things like that. And even just with those first two you eliminate 95% of false positives. After that you can check for already leaked passwords, if you are doing dark web monitoring, and whether it's part of a brute force or a password spraying with no interest. With all that you get a qualified alert, but that doesn't mean that it's the right password. You came from millions of attempts to dozens, hundreds. And now you have the final step to do, which is the automation: you have to connect to your Active Directory, Okta, Entra ID, whatever you have, to be sure that the password is the right one before resetting it. But if I summarize: if you implement this correctly, you will only have alerts when someone is trying to connect to a fake portal that nobody has ever heard about, with a valid credential. So that is a critical alert.

Okay. And now the question is, do they actually fall for it? Honestly, when I launched this strategy, I knew it had a huge potential. I've been a pentester for 10 years, and I was like, okay, if I ever go in front of this, this would be a nightmare, because how do you know if it's the right domain, if the page is well crafted? You cannot know it's a fake one. But I had no idea if it would work, and this is not something you can test in a lab. If you go in a lab with a domain with no risk at all, no exposure, there is no way you can see if the strategy is working. So we have deployed this strategy over the past year and a half in over 20 large international companies, and I can share some numbers with you. Around 50 portals for 20 companies. We have processed 2.3 billion login attempts, and out of those 2.3 billion attempts we've identified 257 valid credentials without any dark web exposure. That's huge. That's way more than I ever expected. I thought, yeah, maybe we will get one or two, 10 at maximum, but 257 with zero dark web presence on only 20 companies. It's big, big companies with hundreds and hundreds of users, but still, it's huge. And to put this in perspective, those 257 valuable items represent 0.1% of all login attempts, so that proves that without a flawless execution of the automation and the filtering, this strategy is completely useless.

As a conclusion, I would say that Phishback is a strategy that looks extremely simple on paper. It's just a honeypot, but you have to execute it with extreme attention to detail if you want to reveal its full power. And as a tech guy myself, I'm completely amazed with the results, because I knew in my heart that dark web monitoring wasn't exhaustive at all, but seeing the proof is extremely, extremely exciting. Thank you very much.
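As an added illustration of the noise-filtering pipeline the speaker describes (example code, not the speaker's or Moken's own implementation), the Python below runs the same steps in order, password policy, username convention, already-leaked check, spray and brute-force patterns, then confirmation against the identity provider, over constructed sample attempts. The thresholds, usernames, addresses and the `demo_verify` stand-in for AD/Okta/Entra ID are all assumptions for the example.

```python
import re
from collections import defaultdict, namedtuple

Attempt = namedtuple("Attempt", "src_ip username password")

# Hypothetical tuning values; the real ones come from the company's own policy.
MIN_PASSWORD_LEN = 12                          # password policy requires 12+ characters
USERNAME_RE = re.compile(r"^[a-z]+\.[a-z]+$")  # corporate firstname.lastname convention
KNOWN_LEAKED = {"Winter2023!!!"}               # constructed: already seen by dark web monitoring
SPRAY_THRESHOLD = 5                            # one source, one password, many usernames
BRUTE_THRESHOLD = 5                            # one source, one username, many passwords

def triage(attempts, verify):
    """Reduce raw decoy-portal login attempts to qualified alerts. `verify(username, password)`
    stands in for the check against the real IdP (AD, Okta, Entra ID) that precedes any reset."""
    spray_users = defaultdict(set)  # (src_ip, password) -> distinct usernames tried
    brute_pws = defaultdict(set)    # (src_ip, username) -> distinct passwords tried
    for a in attempts:
        spray_users[(a.src_ip, a.password)].add(a.username)
        brute_pws[(a.src_ip, a.username)].add(a.password)

    def is_noise(a):
        return (len(a.password) < MIN_PASSWORD_LEN                                 # 1. policy
                or not USERNAME_RE.match(a.username)                               # 2. name format
                or a.password in KNOWN_LEAKED                                      # 3. already known
                or len(spray_users[(a.src_ip, a.password)]) >= SPRAY_THRESHOLD     # 4a. spraying
                or len(brute_pws[(a.src_ip, a.username)]) >= BRUTE_THRESHOLD)      # 4b. brute force

    # 5. Only the few survivors are confirmed against the identity provider.
    return [a for a in dict.fromkeys(attempts)  # de-duplicate, keep order
            if not is_noise(a) and verify(a.username, a.password)]

# Constructed sample traffic: bots, an opportunist, a brute forcer and one real hit.
SPRAYED = ["john.smith", "mary.jones", "paul.lee", "anna.kim", "tom.brown", "eva.wolf"]
SAMPLE_ATTEMPTS = (
    [Attempt("203.0.113.9", "admin", "admin123")]                                  # bot noise
    + [Attempt("198.51.100.7", u, "Welcome2024!!!") for u in SPRAYED]              # password spraying
    + [Attempt("198.51.100.8", "jane.doe", f"Password{i}!!!!") for i in range(6)]  # brute force
    + [Attempt("192.0.2.5", "bob.martin", "Winter2023!!!")]                        # already leaked
    + [Attempt("192.0.2.45", "carl.weber", "LooksFineButWrong1!")]                 # fails IdP check
    + [Attempt("192.0.2.44", "alice.dupont", "Tr0ub4dor&3-summer")]                # the real one
)

def demo_verify(username, password):
    """Constructed stand-in for the identity provider: exactly one pair is valid."""
    return (username, password) == ("alice.dupont", "Tr0ub4dor&3-summer")

if __name__ == "__main__":
    hits = triage(SAMPLE_ATTEMPTS, demo_verify)
    print(f"{len(SAMPLE_ATTEMPTS)} attempts -> {len(hits)} critical alert(s): {hits}")
```

Of the 16 constructed attempts, only the quiet, policy-conforming, IdP-confirmed pair survives; the spray and brute-force sets are rejected even though each of their passwords passes the length check on its own.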