Deceptions use attackers' own tactics to force them to reveal themselves. Deception techniques are typically deployed inside the network, once attackers have already broken in: once inside, attackers use credentials to move laterally. But before penetrating their target, attackers often study publicly available data to plan their attack. Can we assume that attackers continue to use public information once they've broken in? Could externally planted deceptions expand our range of visibility on the adversary's activity? In this session, we will present research we conducted to answer these questions, and introduce a tool you can use to "try it at home." We first took a deeper look at various OSINT resources (social media, paste sites, public code repositories, etc.) to refine our picture of the types of publicly available data attackers might use to further an attack. Then we planted various pieces of deceptive information. For example, on Pastebin we created a fake "paste" page containing a dump of fake credentials. On GitHub we created a fake code repository containing "accidental" commits (`git commit -am 'removed password'`). Next, we paired these deceptions with matching data and user objects within a simulated network environment. We then started monitoring and waited for an attacker to bite.
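The monitoring step the abstract describes (fake credentials seeded on public sites, paired with honey user objects inside the network, then watched for use) comes down to correlating authentication events against a registry of planted identities. The following is an added illustration of that detection logic, not the speakers' tool or code: the seed registry, the log line format, and every username, host, IP address and date in it are constructed for the example.

```python
"""Honey-credential detection: flag any authentication attempt against a
planted (fake) account and attribute it to the public source it was seeded on.

Added illustration; not the research tool described in the abstract. The
seed registry, log format, usernames, hosts, IPs and dates are all constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Seed:
    username: str    # honey account name (constructed; no real user exists)
    source: str      # where the fake credential was planted (constructed label)
    planted_on: str  # date the bait went public (constructed)


# Registry of planted deception accounts. Each has a matching honey user object
# in the monitored environment, so any attempt to use it is suspicious by design.
SEEDS = {
    "svc_backup_old": Seed("svc_backup_old", "pastebin:fake-credential-dump", "2018-09-01"),
    "deploy_ci":      Seed("deploy_ci", "github:removed-password-commit", "2018-09-03"),
}

# Constructed auth-log line format:
#   <timestamp> host=<hostname> user=<username> src=<ip> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src_ip: str
    result: str
    source: str  # which planted bait was consumed


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honey_logins(lines):
    """Emit an Alert for every auth event naming a planted account.

    Failed attempts count as much as successful ones: nobody legitimate should
    ever try these names, so the attempt itself is the signal.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; skip rather than crash
        seed = SEEDS.get(rec["user"])
        if seed is None:
            continue  # real user, not a honey account
        alerts.append(Alert(
            ts=rec["ts"], host=rec["host"], user=rec["user"],
            src_ip=rec["src"], result=rec["result"], source=seed.source,
        ))
    return alerts


def summarize_by_source(alerts):
    """Count attempts per seeding source: which public bait actually got used."""
    counts = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts


# Constructed sample log: one legitimate login, three honey-account attempts,
# and one malformed line that the parser must tolerate.
SAMPLE_LOG = [
    "2018-10-02T08:15:01Z host=fs01 user=alice src=10.0.0.21 result=success",
    "2018-10-02T08:16:44Z host=fs01 user=svc_backup_old src=203.0.113.5 result=failure",
    "2018-10-02T08:17:02Z host=ci02 user=deploy_ci src=203.0.113.5 result=success",
    "garbage line that does not match the expected format",
    "2018-10-02T09:01:13Z host=dc01 user=svc_backup_old src=198.51.100.7 result=failure",
]

if __name__ == "__main__":
    found = detect_honey_logins(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host}: honey user {a.user} from {a.src_ip} "
              f"({a.result}); bait source: {a.source}")
    print(summarize_by_source(found))
```

Keying the alert on the account name rather than on a successful login is the point of the pairing: a honey user object has no legitimate use, so a single failed attempt already tells the defender that a specific externally planted artifact was read and acted upon, and the `source` field says which one.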
Date: 15.11.2018. Categories: