WEBVTT 1 00:00:00.120 --> 00:00:03.160 Welcome to the deep dive. Today. We're looking at things 2 00:00:03.200 --> 00:00:07.759 a bit differently cybersecurity wise, moving beyond the usual stuff 3 00:00:07.799 --> 00:00:08.960 like patching in firewalls. 4 00:00:09.080 --> 00:00:12.759 Yeah, we're diving into something called offensive countermeasures exactly. 5 00:00:13.160 --> 00:00:17.160 The author of our source material uses this analogy shepherds 6 00:00:17.239 --> 00:00:21.000 versus sheep and wolves, suggesting we should maybe be more 7 00:00:21.039 --> 00:00:22.760 active like Shepherd's right. 8 00:00:22.879 --> 00:00:27.000 We've got this pdf from John Strand, offensive Countermeasures the 9 00:00:27.199 --> 00:00:31.039 Art of Active Defense, and the plan is to pull 10 00:00:31.039 --> 00:00:35.320 out the really interesting, maybe surprising ideas about actively defending yourself. 11 00:00:35.359 --> 00:00:38.520 We want those aha moments, I guess, without getting totally 12 00:00:38.560 --> 00:00:39.479 bogged down in the weeds. 13 00:00:39.560 --> 00:00:41.679 That's the goal. Find the insights that make you look 14 00:00:41.679 --> 00:00:43.079 at security in a new way. 15 00:00:43.200 --> 00:00:44.679 And right off the bat you get a feel for 16 00:00:44.719 --> 00:00:48.079 the author. There's a dedication to family and someone called 17 00:00:48.159 --> 00:00:52.479 DC from the miss R. It feels well personal, it does. 18 00:00:52.439 --> 00:00:55.200 And it's worth remembering who John Strand is Black Hill's 19 00:00:55.200 --> 00:00:58.799 Information Security Sans Institute. This isn't just theory, it's grounded 20 00:00:58.840 --> 00:01:00.000 in like actual expers. 21 00:01:00.359 --> 00:01:02.000 He even gives a shout out to his team at 22 00:01:02.000 --> 00:01:03.840 bhis for doing the heavy lifting. 23 00:01:04.079 --> 00:01:06.480 Yeah, it's a team effort, practical stuff. 24 00:01:06.599 --> 00:01:09.799 Okay, so the big idea is shifting gears right from 25 00:01:09.959 --> 00:01:14.040 just reacting to well considering more active steps. But there's 26 00:01:14.079 --> 00:01:15.680 a huge caveat, isn't there? 27 00:01:15.799 --> 00:01:19.359 Oh? Absolutely, He hammers this home. Do not be evil. 28 00:01:20.159 --> 00:01:23.920 This is definitely not about becoming some kind of digital vigilante. 29 00:01:23.959 --> 00:01:26.280 So it's not just hack the hackers back. 30 00:01:26.280 --> 00:01:28.480 No, not at all. Strand wants to open up the 31 00:01:28.480 --> 00:01:31.799 conversation about what responsible active defense could look like. He 32 00:01:31.920 --> 00:01:34.599 lays out options, a whole range, really. 33 00:01:34.439 --> 00:01:36.719 And he mentions that you know, even the basic security 34 00:01:36.719 --> 00:01:39.560 advice often doesn't get fully implemented. 35 00:01:39.079 --> 00:01:41.439 Right, So jumping straight to active measures is a big step. 36 00:01:41.480 --> 00:01:44.040 And there's that asymmetry thing. He talks about how hacking 37 00:01:44.079 --> 00:01:46.560 back is generally seen as well wrong. 38 00:01:46.879 --> 00:01:50.359 But he wants to explore the legal ways this might 39 00:01:50.400 --> 00:01:55.400 actually improve security. So okay, where does he start navigating 40 00:01:55.439 --> 00:01:56.200 this minefield? 41 00:01:56.400 --> 00:01:59.319 Logically, he starts with the law you absolutely have to 42 00:01:59.519 --> 00:02:03.239 this is foundational, and he warns straight away don't just 43 00:02:03.319 --> 00:02:06.040 jump to hacking the attackers. He uses a few court 44 00:02:06.079 --> 00:02:09.759 cases to show where the lines are currently drawn and crucially, 45 00:02:09.879 --> 00:02:11.879 where defenders can easily step over them. 46 00:02:11.960 --> 00:02:15.479 Okay, first case us versus heck and camp. What's the 47 00:02:15.560 --> 00:02:16.240 key point there? 48 00:02:16.599 --> 00:02:19.080 Well, the interesting thing is what the court decided was 49 00:02:19.159 --> 00:02:22.439 okay versus what wasn't In that case, just logging a 50 00:02:22.639 --> 00:02:25.840 MS address that unique hardware ID wasn't seen as a 51 00:02:25.879 --> 00:02:26.759 privacy violation. 52 00:02:27.039 --> 00:02:29.639 Okay, so log into hardware ID. Fine. But then there's 53 00:02:29.639 --> 00:02:33.319 the other case Susan Clemens Jeffrey versus Absolute. 54 00:02:32.800 --> 00:02:35.080 Software exactly, and that one went the other way. It 55 00:02:35.120 --> 00:02:38.960 involved tracking a stolen laptop, sure, but also recording keystrokes, 56 00:02:39.039 --> 00:02:42.719 chat messages, even webcam photos, very personal stuff. 57 00:02:42.759 --> 00:02:44.719 Ah, so that crossed the line a big one. 58 00:02:44.800 --> 00:02:47.879 The lesson is clear, tracking hardware location might be okay, 59 00:02:47.960 --> 00:02:52.280 but intercepting communications that hits federal wiretapping laws. Like the 60 00:02:52.360 --> 00:02:56.479 judge said, finding hardware versus eavesdropping fundamentally different. It really 61 00:02:56.560 --> 00:02:59.439 drives home that do not be evil point, good intentions, 62 00:02:59.479 --> 00:03:01.319 don't exp use illegal interception. 63 00:03:01.479 --> 00:03:03.800 Got it? Then he brings up E Hippie versus the 64 00:03:03.919 --> 00:03:05.439 WTO That sounds specific. 65 00:03:05.680 --> 00:03:09.280 It was an odd one. An ISP basically reflected denial 66 00:03:09.319 --> 00:03:12.639 of service attack back at the source, the e Hippie site. 67 00:03:12.800 --> 00:03:15.120 What was really strange was that people had actually signed 68 00:03:15.199 --> 00:03:18.240 up to DDOSS. The wto Wow. 69 00:03:18.120 --> 00:03:19.879 So volunteers for a cyber attack. 70 00:03:20.039 --> 00:03:23.199 Yeah, it just highlights how messy it gets with distributed 71 00:03:23.240 --> 00:03:26.319 attacks and what responsibility intermediaries have. 72 00:03:26.520 --> 00:03:31.479 And then the Microsoft boughtnet takedowns waladac Russ doc Keilly 73 00:03:31.560 --> 00:03:35.199 hose those are huge. What's the legal takeaway for the 74 00:03:35.280 --> 00:03:36.080 average company? 75 00:03:36.199 --> 00:03:39.199 That's the critical point. Microsoft went through legal channels, got 76 00:03:39.240 --> 00:03:42.919 restraining orders, used art CEO statutes, powerful stuff, but in 77 00:03:42.960 --> 00:03:46.360 doing so, they essentially took control of systems belonging to 78 00:03:46.520 --> 00:03:50.120 thousands of individuals. The owners of those infected bought computers 79 00:03:50.360 --> 00:03:52.080 without their direct consent. 80 00:03:51.919 --> 00:03:54.680 So even with court orders, it's controversial, very. 81 00:03:54.680 --> 00:03:58.280 And Strand's point is Microsoft has resources and legal clout 82 00:03:58.319 --> 00:04:01.280 most organizations can only dream of trying to replicate. That 83 00:04:01.439 --> 00:04:05.280 is legally perilous and probably impractical for almost everyone else. 84 00:04:05.680 --> 00:04:07.439 It's not a playbook for the rest of us. 85 00:04:07.960 --> 00:04:11.240 He also looks ahead, mentioning potential laws that might allow 86 00:04:11.319 --> 00:04:13.360 him attacking back, but he's worried. 87 00:04:13.639 --> 00:04:17.439 Yeah, his big concern is protecting the innocent bystanders, those 88 00:04:17.480 --> 00:04:23.160 intermediary victim machines, the bots. If laws allow broad hackback authority, 89 00:04:23.399 --> 00:04:26.319 how do you ensure those systems aren't just collateral damage. 90 00:04:26.360 --> 00:04:28.000 So it all comes back to restraint. 91 00:04:28.120 --> 00:04:31.560 Absolutely, do not be evil, tread very very carefully. 92 00:04:31.639 --> 00:04:34.800 Okay, so the legal side is definitely complex. Let's move 93 00:04:34.800 --> 00:04:38.319 on to some of the actual countermeasures he discusses. First up, 94 00:04:38.360 --> 00:04:42.800 protecting IP and security through obscurity. Isn't that usually frowned upon? 95 00:04:43.000 --> 00:04:46.079 It often is. Yeah, people tend to dismiss it, saying 96 00:04:46.319 --> 00:04:49.480 changing a port or server banner doesn't really stop anyone serious. 97 00:04:49.959 --> 00:04:52.959 But Strand offers a different perspective, framing it using the 98 00:04:53.000 --> 00:04:57.360 Odie loop observe, orient, decide act. That's kind of the 99 00:04:57.399 --> 00:04:58.600 attacker's decision cycle. 100 00:04:58.680 --> 00:05:01.199 Okay, Odie loop. How does obscurity fit in? 101 00:05:01.439 --> 00:05:04.439 Well? The idea is that even simple obscurity tricks can 102 00:05:04.480 --> 00:05:07.800 mess with the attackers observe and orient phases. If your 103 00:05:07.839 --> 00:05:10.000 system doesn't look like what they expect, they have to 104 00:05:10.000 --> 00:05:11.560 spend more time figuring it out. 105 00:05:11.439 --> 00:05:13.319 So it slows them down buys. 106 00:05:13.079 --> 00:05:16.800 You time exactly that extra effort, that delay could be 107 00:05:16.879 --> 00:05:19.800 enough time for your detection systems to catch something. He 108 00:05:19.920 --> 00:05:22.959 uses that great example of iBuyer changing their server banner 109 00:05:23.000 --> 00:05:24.680 to look like a Commodore sixty four. 110 00:05:24.720 --> 00:05:25.920 A Commodore sixty four. 111 00:05:26.199 --> 00:05:26.600 Serious. 112 00:05:26.759 --> 00:05:29.800 Yeah, it sounds silly, but it could easily trip up 113 00:05:29.800 --> 00:05:34.480 an automated scanner looking for say Apache or ICEE. The 114 00:05:34.480 --> 00:05:36.439 scanner might just give up and move on. It's not 115 00:05:36.480 --> 00:05:40.040 about being unhackable, it's about increasing their work. 116 00:05:39.800 --> 00:05:42.959 Factor, making it harder for them to get oriented. I see. 117 00:05:43.000 --> 00:05:46.120 He also mentions user agent strings. That seems pretty basic. 118 00:05:46.240 --> 00:05:48.040 It is, but it's another layer. You look at the 119 00:05:48.079 --> 00:05:52.480 user agent strings in your weblogs. That's how browsers identify themselves. 120 00:05:52.800 --> 00:05:56.000 You can spot known bad tools or you know, less 121 00:05:56.040 --> 00:05:58.279 sophisticated attackers who don't bother changing. 122 00:05:58.000 --> 00:06:00.680 The defaults so you can fil ter osso noise that way. 123 00:06:00.319 --> 00:06:03.319 Right, A skilled attacker can spoof it easily. Short, but 124 00:06:03.399 --> 00:06:06.000 it catches the low hanging fruit, and it's something you 125 00:06:06.000 --> 00:06:08.639 can easily show management, which is sometimes helpful. 126 00:06:08.759 --> 00:06:13.600 Okay, Moving into more active stuff, deception and misdirection setting traps. 127 00:06:13.639 --> 00:06:17.120 Basically pretty much, he talks about annoyance techniques, things like 128 00:06:17.160 --> 00:06:20.920 c Symmetria Maze Runner. These tools help you deploy Honeypot's 129 00:06:20.959 --> 00:06:25.879 decoy systems, but also create fake breadcrumbs to lure attackers 130 00:06:25.920 --> 00:06:26.399 towards them. 131 00:06:26.480 --> 00:06:29.160 Because just setting up a honeypot doesn't mean anyone will find. 132 00:06:28.959 --> 00:06:31.199 It, right exactly. You need to make it discoverable, but 133 00:06:31.319 --> 00:06:33.160 only by the people you want to discover it. 134 00:06:33.800 --> 00:06:36.360 And then there's the uh, mister Clippy, show us the 135 00:06:36.399 --> 00:06:39.399 way tactic that sounds amusing it is. 136 00:06:39.519 --> 00:06:43.680 It uses php IDs, an intrusion detection system for web apps, 137 00:06:44.279 --> 00:06:46.879 but instead of just blocking an attack, it responds with 138 00:06:46.959 --> 00:06:51.079 the old Microsoft paper clip character Clippy offering a helpful 139 00:06:51.120 --> 00:06:53.360 link to o WASP security resources. 140 00:06:53.600 --> 00:06:55.600 Huh so it mocked the attacker a bit. 141 00:06:55.759 --> 00:06:58.120 Yeah, it's a bit of psychological disruption. Maybe makes them 142 00:06:58.199 --> 00:07:01.120 question if they're dealing with something unexpected. Did messes with 143 00:07:01.160 --> 00:07:02.319 their ODA loop again? 144 00:07:02.519 --> 00:07:06.079 He also suggests a random URL generator. How does that help? 145 00:07:06.399 --> 00:07:09.920 That's aimed at automated website scanners. If your site starts 146 00:07:10.000 --> 00:07:14.079 generating tons of plausible looking but non existent URLs, the 147 00:07:14.120 --> 00:07:15.959 scanner can get completely bogged down. 148 00:07:16.040 --> 00:07:18.360 He just keeps chasing fake pages. Right. 149 00:07:18.839 --> 00:07:22.079 It takes forever to crawl, generates masses of useless data 150 00:07:22.399 --> 00:07:25.439 and might just exhaust the scanner's resources or time limits. 151 00:07:25.720 --> 00:07:27.839 It obscures your real site structure. 152 00:07:28.279 --> 00:07:31.560 Okay, now we get to honeypots and honeypots these sound 153 00:07:31.600 --> 00:07:33.959 like core concepts. Let's start with honeypots, right. 154 00:07:34.079 --> 00:07:38.639 Honeypots are decoy systems or services. They look real, maybe 155 00:07:38.680 --> 00:07:43.160 even valuable. The key is no legitimate user should ever 156 00:07:43.199 --> 00:07:45.000 interact with a honeypot. 157 00:07:44.920 --> 00:07:48.199 So any traffic hitting it is automatically suspicious. 158 00:07:47.800 --> 00:07:51.839 Highly suspicious. Yes, it's great for detection, especially for attackers 159 00:07:51.839 --> 00:07:54.199 already inside your network, and you can learn a lot 160 00:07:54.240 --> 00:07:56.480 by watching what they do in the honeypot, what tools 161 00:07:56.519 --> 00:07:58.879 they use, what data they're after. Are they just looking 162 00:07:58.920 --> 00:08:01.720 for storage or are they after your critical data? 163 00:08:01.879 --> 00:08:05.199 That makes sense? He mentions the Modern Honeypot Network MHN. 164 00:08:05.360 --> 00:08:08.800 Yeah. MHN is a framework that makes deploying different kinds 165 00:08:08.800 --> 00:08:12.600 of honeypots like SSAH honeypots, Web honeypots much much easier. 166 00:08:12.600 --> 00:08:14.279 It automates a lot of the setup. 167 00:08:13.959 --> 00:08:16.279 So it lowers the barrier to entry for using. 168 00:08:16.079 --> 00:08:18.199 Honeypots, definitely makes it more accessible. 169 00:08:18.319 --> 00:08:21.240 Then there's libre Atarpit sounds sticky. 170 00:08:21.560 --> 00:08:25.720 It is. It's designed to slow down automated scanning, especially 171 00:08:25.800 --> 00:08:29.120 things like malware spreading. Internally, if something tries to connect 172 00:08:29.120 --> 00:08:32.240 to an IP address or port that Librea is watching. 173 00:08:31.959 --> 00:08:33.840 It responds really slowly. 174 00:08:34.039 --> 00:08:37.440 Exactly, it just drags out the connection process. Tying up 175 00:08:37.440 --> 00:08:41.399 the scanner's resources makes a scanning incredibly inefficient and might 176 00:08:41.440 --> 00:08:44.279 trigger alerts because the connections stay open for so long. 177 00:08:44.639 --> 00:08:47.360 Okay, now, honeyports, how are they different? 178 00:08:47.519 --> 00:08:51.000 Honeyports are more targeted than full honeypots. Instead of a 179 00:08:51.039 --> 00:08:55.480 whole fake system, it's just a single specific unused network 180 00:08:55.519 --> 00:08:57.639 port on a real system like port. 181 00:08:57.399 --> 00:08:59.600 One twentive if nothing normally uses it. 182 00:08:59.720 --> 00:09:02.480 Right, And the really clever part Strand talks about is 183 00:09:02.559 --> 00:09:04.519 using them for dynamic blacklisting. 184 00:09:04.639 --> 00:09:09.080 Dynamic blacklisting so blocking attackers automatically based on them hitting 185 00:09:09.120 --> 00:09:10.320 the honeypot, Yes. 186 00:09:10.200 --> 00:09:13.440 But with a specific trigger. Typically it only blocks the 187 00:09:13.440 --> 00:09:17.039 IP address if the attacker completes a full TCP connection 188 00:09:17.080 --> 00:09:17.840 to the honeypot. 189 00:09:17.879 --> 00:09:20.639 Why the full connection? Why not just any packet? 190 00:09:20.919 --> 00:09:23.559 Because just sending a single packet like in a basic 191 00:09:23.679 --> 00:09:27.519 syn scan is really easy to spoof. An attacker could 192 00:09:27.519 --> 00:09:30.639 send packets pretending to be from a legitimate IP address 193 00:09:30.879 --> 00:09:34.480 and trick your system into blocking someone innocent requiring a 194 00:09:34.519 --> 00:09:36.519 full connection. The whole three way hunt take makes that 195 00:09:36.600 --> 00:09:39.120 much harder. It shows more deliberate intent. 196 00:09:39.360 --> 00:09:42.639 Ah Okay, that makes it more reliable. He mentions, IP 197 00:09:42.759 --> 00:09:44.360 kung Fu and deny hosts here right. 198 00:09:44.679 --> 00:09:49.039 Ipkung Fu has scripts for hardening Linux firewalls, ipptables, and 199 00:09:49.120 --> 00:09:53.159 deny hosts. Specifically, watches for repeated failed logins like SSH, 200 00:09:53.200 --> 00:09:57.399 brute force attempts and blocks those ips their related concepts. 201 00:09:57.039 --> 00:09:59.919 And he actually gives examples of setting up a basic honeyport. 202 00:10:00.559 --> 00:10:02.879 Let's walk through the Linux one briefly. How does that work? 203 00:10:02.919 --> 00:10:05.879 It's surprisingly simple. You use a tool called netcat and 204 00:10:06.039 --> 00:10:09.240 entry to listen on an unused port, say twenty twenty five. Okay, 205 00:10:09.919 --> 00:10:13.240 Then you'd tell netcat that when someone successfully connects makes 206 00:10:13.279 --> 00:10:15.519 that full TCP connection, it should run. 207 00:10:15.399 --> 00:10:16.919 A little script and the script does what. 208 00:10:17.279 --> 00:10:21.279 The example script basically grabs the connecting IP address and 209 00:10:21.320 --> 00:10:25.279 then uses the iptable's command the Linux firewall to instantly 210 00:10:25.320 --> 00:10:28.679 add a rule that blocks all further TCP traffic from 211 00:10:28.759 --> 00:10:30.840 that attacker's IP to your system. 212 00:10:31.240 --> 00:10:33.960 So one connection to the honeyport and they're blocked from 213 00:10:34.000 --> 00:10:34.519 everything else. 214 00:10:34.639 --> 00:10:35.120 Pretty much. 215 00:10:35.200 --> 00:10:35.480 Yeah. 216 00:10:35.799 --> 00:10:38.519 He shows how a simple syn scam won't trigger it, 217 00:10:38.919 --> 00:10:41.320 but a tool trying to make a full connection gets 218 00:10:41.360 --> 00:10:42.919 immediately firewalled off. 219 00:10:43.200 --> 00:10:46.240 And there's a similar method for Windows using PowerShell. In 220 00:10:46.279 --> 00:10:46.919 his firewall. 221 00:10:47.000 --> 00:10:49.840 Yep, same principle. Listen on a port and if a 222 00:10:49.840 --> 00:10:52.480 full connection happens, run a PowerShell command to add a 223 00:10:52.480 --> 00:10:55.519 block rule to the Windows firewall. It's very practical. 224 00:10:55.679 --> 00:10:59.240 He does mention a limitation, though, about spoofed connections. 225 00:11:00.480 --> 00:11:03.320 If an attacker is sophisticated enough to fully spoof the 226 00:11:03.399 --> 00:11:07.440 TCP handshake, potentially predicting sequence numbers and so on, they 227 00:11:07.480 --> 00:11:09.600 might be able to trigger the block while hiding their 228 00:11:09.639 --> 00:11:13.159 real IP, but he notes this is generally much harder 229 00:11:13.200 --> 00:11:16.120 to do effectively, especially against a live system. 230 00:11:16.159 --> 00:11:19.039 Well, it's not foolproof against really advanced attackers, but good 231 00:11:19.039 --> 00:11:20.399 for most exactly. 232 00:11:20.519 --> 00:11:22.960 And you could add to other layers, like monitoring those 233 00:11:23.000 --> 00:11:25.200 firewall rules for weird patterns. 234 00:11:25.279 --> 00:11:28.440 Okay, let's shift to web traps like fake websites to 235 00:11:28.440 --> 00:11:29.200 catch scanners. 236 00:11:29.440 --> 00:11:32.679 That's the idea. Tools like spider trap or web Labyrinth. 237 00:11:32.919 --> 00:11:36.120 Spider Trap can generate a maze of random fake links, 238 00:11:36.159 --> 00:11:38.360 making a website look infinitely. 239 00:11:37.840 --> 00:11:39.519 Deep, so a scanner just goes on forever. 240 00:11:39.759 --> 00:11:42.159 Or it can use a word list, maybe one commonly 241 00:11:42.240 --> 00:11:45.600 used by attackers to create fake directories that look interesting 242 00:11:45.639 --> 00:11:49.159 but are just traps. It swamps the scanner with junk data. 243 00:11:49.360 --> 00:11:51.600 You can even point to it in your robots dot txt. 244 00:11:51.879 --> 00:11:55.080 Yeah, legitimate search engines will ignore it, but an attacker 245 00:11:55.159 --> 00:11:58.000 might see admin backup trap in robots dot txt and 246 00:11:58.000 --> 00:12:01.080 think ooh interesting and walk right in web labyrinth. 247 00:12:01.279 --> 00:12:01.960 Similar idea. 248 00:12:02.240 --> 00:12:05.840 Similar but phke based, so easy to deploy. It can 249 00:12:05.879 --> 00:12:08.559 also log crawler activity to a database, which is great 250 00:12:08.600 --> 00:12:12.919 for analysis. Plus, it can return random HTTP status codes, 251 00:12:12.960 --> 00:12:15.559 not just four or fours, making it harder for scanners 252 00:12:15.559 --> 00:12:17.919 to tell what's real and what's fake. It can even 253 00:12:17.960 --> 00:12:20.639 throw in fake email addresses as bait clever. 254 00:12:21.120 --> 00:12:24.000 He also mentions creating infinitely recursive directories. 255 00:12:24.320 --> 00:12:26.919 Yeah, that's a neat trick. You create a symbolic link 256 00:12:26.960 --> 00:12:29.879 inside a directory that points back to the directory itself. 257 00:12:30.600 --> 00:12:33.960 If a tool tries to recursively list files in there, 258 00:12:34.120 --> 00:12:35.559 like metasplit's. 259 00:12:35.000 --> 00:12:37.000 Materpreter might get stuck in a loop. 260 00:12:37.320 --> 00:12:40.840 Exactly. It can freeze the tool, eat up resources, and 261 00:12:40.919 --> 00:12:45.240 make the malicious process really obvious to defenders. Simple but 262 00:12:45.320 --> 00:12:46.919 effective against certain tools. 263 00:12:47.000 --> 00:12:50.720 What about trip wirelike defenses? Sounds like file integrity monitoring 264 00:12:50.840 --> 00:12:51.200 it is. 265 00:12:51.320 --> 00:12:54.360 He talks about crypto locked and crypto locked in. They 266 00:12:54.440 --> 00:12:58.960 work by placing special hidden trip files in critical locations. 267 00:12:58.600 --> 00:13:00.720 Files that should never be touched. 268 00:13:00.960 --> 00:13:04.200 Right. If anything accesses or modifies these trip files, it 269 00:13:04.279 --> 00:13:08.159 triggers an alert logging maybe even shuts down the offending process. 270 00:13:08.240 --> 00:13:10.960 Using the hunter module and crypto locting, it's like a 271 00:13:11.000 --> 00:13:12.919 silent alarm on your crown jewels. 272 00:13:12.960 --> 00:13:14.600 Any access is a red flash. 273 00:13:14.519 --> 00:13:15.440 Very strong indicator. 274 00:13:15.519 --> 00:13:18.440 Yes, okay. Detecting human interaction this seems different. 275 00:13:18.759 --> 00:13:23.159 It's more behavioral deny hosts, which we mentioned blocks ips 276 00:13:23.200 --> 00:13:26.279 after too many failed logins, but you must whiteless trusted 277 00:13:26.279 --> 00:13:28.480 ips first or you'll lock yourself out. 278 00:13:28.679 --> 00:13:29.159 Good point. 279 00:13:29.399 --> 00:13:32.320 Then there's human dot pie. This tries to spot if 280 00:13:32.320 --> 00:13:35.080 a human is using a service account. Service account should 281 00:13:35.080 --> 00:13:37.679 be automated, right usually yeah, So if human dot pie 282 00:13:37.720 --> 00:13:42.679 sees things like typos in commands entered via a bashshell 283 00:13:42.799 --> 00:13:45.879 on that account, it suggests a person might have compromised 284 00:13:45.919 --> 00:13:48.600 it and is using it interactively looking for. 285 00:13:48.559 --> 00:13:52.960 Those human errors on accounts that shouldn't have them. Interesting. Now, 286 00:13:53.720 --> 00:13:55.120 stealthy blocking. 287 00:13:55.080 --> 00:13:58.080 This is in visiport. It's like a honeyport, but instead 288 00:13:58.080 --> 00:14:01.360 of actively rejecting the connection until telling the attacker you're blocked, 289 00:14:01.840 --> 00:14:05.360 it just stops responding silently, adds them to a blacklist. 290 00:14:05.480 --> 00:14:09.080 So the attackers scan just hangs. They don't necessarily know 291 00:14:09.120 --> 00:14:10.440 they've been blocked exactly. 292 00:14:10.440 --> 00:14:12.879 They might think the host is just down or unreliable. 293 00:14:12.960 --> 00:14:15.759 The idea is they're less likely to immediately switch IP 294 00:14:15.840 --> 00:14:18.600 addresses if they don't get that explicit rejection message. 295 00:14:18.639 --> 00:14:20.840 And you can configure it to make some ports still 296 00:14:20.840 --> 00:14:21.600 look open to them. 297 00:14:21.720 --> 00:14:24.399 Yeah, to enhance the deception, make them waste more time 298 00:14:24.440 --> 00:14:27.759 probing ports that will never respond properly. He also quickly 299 00:14:27.840 --> 00:14:30.960 mentions Ausomelian for making your OS fingerprint harder to guess. 300 00:14:31.399 --> 00:14:33.480 What about web server specific. 301 00:14:33.159 --> 00:14:39.080 Traps phphttp Tarpit it confuses web scanners using log fuzzing, 302 00:14:39.159 --> 00:14:42.600 filling logs with junk, and spoofing errors. You hide a 303 00:14:42.679 --> 00:14:44.639 reference to it in your site and when a bot 304 00:14:44.720 --> 00:14:45.960 hits it, it gets tangled up. 305 00:14:46.159 --> 00:14:47.360 And artillery that's. 306 00:14:47.240 --> 00:14:50.440 A listener that monitors multiple ports. If someone connects, it 307 00:14:50.480 --> 00:14:52.600 can play a sound and alert for you, and it 308 00:14:52.600 --> 00:14:55.200 can also add a firewall rule to block the IP. 309 00:14:55.600 --> 00:14:59.559 Moving into wireless active defense, that's a whole different playground, definitely. 310 00:15:00.159 --> 00:15:02.799 He tells that funny story about ATVs connecting to his 311 00:15:02.960 --> 00:15:06.360 you get hacked Wi Fi shows how casual wireless probing 312 00:15:06.440 --> 00:15:06.720 can be. 313 00:15:07.039 --> 00:15:07.799 Huh yeah. 314 00:15:07.879 --> 00:15:11.039 For more active stuff, there's Claymore. If someone joins your 315 00:15:11.080 --> 00:15:14.200 fake Wi Fi network, Claymore automatically runs a full end 316 00:15:14.240 --> 00:15:16.919 map scan against their device. Quick recon. 317 00:15:17.000 --> 00:15:19.600 Yeah, they're intel on anyone connecting to the Honeypop. 318 00:15:19.200 --> 00:15:23.159 WiFi right, and he mentions deauthentication tools to kick unauthorized 319 00:15:23.159 --> 00:15:26.320 devices off your real network. The point is you need 320 00:15:26.360 --> 00:15:29.039 to know who's sniffing around your wireless even if many 321 00:15:29.080 --> 00:15:30.600 are just looking for free Internet. 322 00:15:30.720 --> 00:15:34.720 Okay, lots of defensive techniques. Now attribution trying to figure 323 00:15:34.720 --> 00:15:37.159 out who the attackers are. Yeah, but not for revenge, 324 00:15:37.159 --> 00:15:37.879 she says. 325 00:15:38.000 --> 00:15:42.200 No, definitely not. Attribution here means understanding the attacker, What 326 00:15:42.279 --> 00:15:45.000 are their goals, how skilled are they, what tools are 327 00:15:45.000 --> 00:15:49.480 they using. It's about gathering intelligence to improve your defense. 328 00:15:49.159 --> 00:15:53.240 And response because static defenses just get bypassed eventually often. 329 00:15:53.360 --> 00:15:57.720 Yeah, attackers adapt, so attribution needs active real time effort. 330 00:15:57.879 --> 00:15:58.639 During an attack. 331 00:15:58.759 --> 00:16:01.960 He brings up ssh h like Cowori and Kippo. First, 332 00:16:02.519 --> 00:16:03.799 how do they help attribute? 333 00:16:04.080 --> 00:16:06.799 These are great because they don't just log failed logins. 334 00:16:07.279 --> 00:16:10.320 If an attacker does get in to the honeypot. Remember, 335 00:16:10.519 --> 00:16:13.799 these tools record their entire interactive shell session. 336 00:16:13.960 --> 00:16:15.399 You can see every command. 337 00:16:15.080 --> 00:16:18.679 They type, exactly what files they look for, what tools 338 00:16:18.720 --> 00:16:22.039 they download, what they try to run. It's incredibly valuable 339 00:16:22.039 --> 00:16:24.799 insight into their methods and objectives. It's like watching over 340 00:16:24.840 --> 00:16:26.320 their shoulder in a safe environment. 341 00:16:26.600 --> 00:16:30.600 What about attackers using things like tr or proxies to hide? 342 00:16:30.879 --> 00:16:32.240 Can active defense still work? 343 00:16:32.519 --> 00:16:35.919 It's harder, obviously, but Strand points out that using those 344 00:16:35.919 --> 00:16:39.399 tools sometimes forces attackers to disable things like JavaScript for 345 00:16:39.440 --> 00:16:40.799 better anonymity, which. 346 00:16:40.679 --> 00:16:41.840 Might break some exploits. 347 00:16:42.200 --> 00:16:46.120 Right, so, you can create targets requiring things like JavaScript, 348 00:16:46.399 --> 00:16:49.960 Java or maybe word macros. If an attacker enables those 349 00:16:50.000 --> 00:16:52.639 to interact with your trap, you might get more information 350 00:16:52.720 --> 00:16:56.159 about their browser plugins, maybe even leak their real IP. 351 00:16:56.360 --> 00:17:00.159 If the tech is vulnerable, you're exploiting their need to interact. 352 00:17:00.240 --> 00:17:02.120 He mentions dcloaks specifically for this. 353 00:17:02.360 --> 00:17:06.119 Yeah, Deluk tries to uncover the real IP behind anonymizers, 354 00:17:06.440 --> 00:17:09.640 often by exploiting browser plug ins. He suggests putting it 355 00:17:09.680 --> 00:17:13.319 in places normal users won't go, like disallowed areas and 356 00:17:13.440 --> 00:17:15.720 robots dot txt, maybe with a warning. 357 00:17:15.440 --> 00:17:18.599 Banner like a digital trip wire for anonymized attackers. He 358 00:17:18.680 --> 00:17:20.599 mentions the FBI using similar. 359 00:17:20.200 --> 00:17:21.680 Things apparently, so yes. 360 00:17:21.799 --> 00:17:23.960 What about tracking breaches via files? 361 00:17:24.200 --> 00:17:27.759 Two main ideas here. One put fake but realistic looking 362 00:17:27.799 --> 00:17:30.359 bait files on servers if they get access to alarm 363 00:17:30.359 --> 00:17:33.640 bells ring okay to use web bugs. These are tiny, 364 00:17:33.799 --> 00:17:37.480 often invisible images embedded in documents or pages. When the 365 00:17:37.519 --> 00:17:39.799 dock is opened, it requests the image from your server, 366 00:17:40.039 --> 00:17:41.400 logging the opener's. 367 00:17:40.960 --> 00:17:43.519 IP, so you can track when and where a skull 368 00:17:43.599 --> 00:17:44.599 and document is opened. 369 00:17:44.799 --> 00:17:48.799 Potentially Yes. Tools like webbug server or slate bug server 370 00:17:49.000 --> 00:17:53.559 help manage this, and Deposa dot Pi specifically embeds them 371 00:17:53.599 --> 00:17:56.359 in modern dot docks files, which are harder to analyze 372 00:17:56.359 --> 00:17:57.039 for these things. 373 00:17:57.319 --> 00:18:01.799 Then there's honey badger sounds tacous geolocation. 374 00:18:02.240 --> 00:18:05.599 Yeah. It uses Java applets to try and identify nearby 375 00:18:05.640 --> 00:18:08.880 Wi Fi access points from the attacker's machine based on 376 00:18:08.960 --> 00:18:11.720 public Wi Fi location databases. It can sometimes get a 377 00:18:11.720 --> 00:18:13.519 pretty good estimate of their physical location. 378 00:18:13.880 --> 00:18:17.000 Wow. And you feed that location into pushpin exactly. 379 00:18:17.039 --> 00:18:19.960 Pushpin is part of the reconnting framework. You give it 380 00:18:20.000 --> 00:18:23.920 coordinates and it scours public sources social media showdown et cetera. 381 00:18:24.200 --> 00:18:27.119 For information related to that geographic area. 382 00:18:26.680 --> 00:18:29.200 Trying to link the location to accounts. 383 00:18:28.799 --> 00:18:31.799 Or devices, right connecting the dots using open source intelligence, 384 00:18:32.000 --> 00:18:34.079 you'll need apikeys for things like Twitter. 385 00:18:34.119 --> 00:18:38.680 Though lastly for attribution jar combiner. This sounds of a dodgy. 386 00:18:38.759 --> 00:18:40.960 It definitely could be misused. The idea is to take 387 00:18:40.960 --> 00:18:44.799 a legitimate Java applet and embed a malicious information gathering 388 00:18:44.839 --> 00:18:46.319 applet inside it, so. 389 00:18:46.200 --> 00:18:48.680 The user sees the normal applet, but the hidden one 390 00:18:48.680 --> 00:18:49.200 fund's home. 391 00:18:49.519 --> 00:18:52.680 That's the concept. Combine the JR files, sign it to 392 00:18:52.720 --> 00:18:57.319 look legit. It's advanced and ethically Murky needs extreme caution. 393 00:18:57.640 --> 00:19:00.599 Okay, we've seen lots of tools. He then talks about frameworks, 394 00:19:00.839 --> 00:19:04.039 specifically tailos. What's the point of a framework here? 395 00:19:04.279 --> 00:19:07.680 Callos aims to make active defense more accessible and consistent. 396 00:19:08.039 --> 00:19:10.920 Instead of learning dozens of separate tools, you use a 397 00:19:10.960 --> 00:19:14.279 common interface in tailos to load and run different active 398 00:19:14.279 --> 00:19:15.599 defense modules, so. 399 00:19:15.519 --> 00:19:18.680 It standardizes things, makes it easier to train people and 400 00:19:18.680 --> 00:19:20.000 deploy defenses consistently. 401 00:19:20.160 --> 00:19:22.519