PACKET HACKING VILLAGE - Turning Deception Outside-In: Tricking Attackers with OSINT

Formal Metadata

Title
PACKET HACKING VILLAGE - Turning Deception Outside-In: Tricking Attackers with OSINT
Alternative Title
Tricking Hackers with OSINT
Title of Series
Number of Parts
322
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Deceptions use attackers' own tactics to force them to reveal themselves. Deception techniques are typically used inside the network once attackers have broken in. Once inside, attackers use credentials to move laterally. But before penetrating their target, attackers often study publicly available data to plan their attack. Can we assume that attackers continue to use public information once they've broken in? Could externally-planted deceptions expand our range of visibility on the adversary's activity? In this session, we will present research we conducted to answer these questions, and introduce a tool you can use to "try it at home." We first took a deeper look at various OSINT resources (social media, paste sites, public code repositories, etc.) to refine our picture of the types of publicly available data attackers might use to further an attack. Then we planted various deceptive information. For example, on PasteBin we created a fake "paste" page containing a dump of fake credentials. On GitHub we created a fake repository of code containing "accidental" commits (git commit -am 'removed password'). Next, we paired these deceptions with relevant data and user objects within a simulated network environment. We then started monitoring and waited for an attacker to bite.