This was a 4-hour training.
https://blackhillsinfosec.com/training/active-defense-cyber-deception-training/
- Active Defense - limited offensive action and counterattacks to deny a contested area to the enemy
- Passive Defense - measures taken to reduce the probability of, and to minimize the effects of, damage caused by hostile action, without the intention of taking the initiative. Aka "hope for the best"
- Prevent => Detect => Respond - "Prevention is ideal, but detection is a must"
- Use offensive techniques as the aggressor attacks, but from a defensive posture
- Think poison, not venom
- Make sure you have a solid legal footing
- A deliberate and calculated process of deceiving attackers in an effort to wage a better defense: make them work harder
Deception_time + Reaction_time < Attack_time - the deception only pays off if the time it costs the attacker plus your time to react is less than the time the attack needs to reach its objective
- Javelin networks - bought by Symantec
- Cymmetria
- Illusive networks
- Attivo networks
- TrapX
- Acalvio
- illegal to set up lethal traps for trespassers
- Telnet banner court case (Reddit)
- Class joke on what "next-gen" security actually is (shell pseudocode):
    curr=(patching, strong passwords, AV, firewalls and proxies, ...)
    next_gen="Next-Gen ${curr[@]}"
- Susan v. Absolute - violating wiretapping laws
- Collecting the IP address and geolocation of a device is okay, even if the device is stolen.
- However, capturing pictures from the computer, going through its internet history, etc. is NOT okay.
- "Even bad people that steal computers have rights"
- So don't do this (see the DEF CON video)
- Court Case Src
- Callbacks
- Not illegal: software update checks, license-key checks, phone tracking
-
Hacking back is illegal (legislation that would allow it has been proposed but has NOT passed)
-
So instead: annoy, attribute, and attack only with a warrant.
-
"Hallmarks of Legality" (Ben something, SANS instructor)
- Discuss, document, plan, consult others
- Do not hide - hiding might be interpreted as evidence that you knew or thought what you were doing was wrong/illegal
- Don't be evil
-
Poison vs Venom
- Poison is the baddies getting hurt by touching your stuff
- Venom is your stuff touching the baddies
-
Log on Windows
-
HoneyPots should be monitored
-
HoneyPorts (Go to Lab) - as soon as an attacker connects to the port, the attacker's IP is blocked from the whole host, not just that port.
- More info from Legal But Frowned Upon
- Blackhills video on this topic
- nmap's SYN scan (-sS) won't trip it: the honeyport only fires on a completed TCP handshake, and a half-open scan never sends the final ACK
- The SYN's initial sequence number is a 32-bit field
- The host responds with SYN-ACK - thanks, networking class
- Don't set it up on a port already in use, and make exceptions (allowlist) for the vulnerability scanner / red team's software
- Many vendor products actually have this (E.g. Palo Alto)
-
Use CanaryTokens
-
Go through labs later
-
tcp wrappers // port spoofing
-
(Word/Excel) Web Bugs and CanaryTokens
-
I2P (like Tor) - https://geti2p.net/en/
- base64
- sysmon bypass
- LOLBins (living off the land binaries)
- https://github.com/iagox86/dnscat2
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/trustedsec/unicorn
- https://github.com/CBHue/PyFuscation
- https://github.com/outflanknl/EvilClippy
- https://github.com/backlion/Offensive-Security-OSCP-Cheatsheets/blob/master/offensive-security/t1027-obfuscated-powershell-invocations.md
- gzip compression
- gcat
- CLMBypass
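The base64 and gzip layering in the list above is what the obfuscation loaders linked there typically emit; as an added detection example for these notes (not code from any of those tools), this script peels an -EncodedCommand command line back to its plain-text stages: outer base64 of UTF-16LE, then any FromBase64String(...) literal that turns out to be gzip data. The sample command line is constructed inside the block and its inner payload is harmless.

```python
"""Peel the base64 / UTF-16LE / gzip layers off an obfuscated PowerShell
command line: the -EncodedCommand wrapper plus the compress-then-base64
inner stage that unicorn- and Invoke-Obfuscation-style loaders produce.

Added example for these notes (not code from any of the linked tools). The
sample command line is constructed here and its payload is harmless.
"""
import base64
import gzip
import re

# FromBase64String('....') literals inside a decoded script
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc,
    ...), so match by prefix rather than one fixed spelling."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        a = arg.lower()
        if a.startswith("-") and len(a) > 1 and "-encodedcommand".startswith(a):
            try:
                return base64.b64decode(args[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def decode_gzip_layers(script):
    """Expand each base64 literal in `script` that is really gzip data."""
    layers = []
    for b64 in B64_LITERAL.findall(script):
        blob = base64.b64decode(b64)
        if blob[:2] == b"\x1f\x8b":  # gzip magic
            layers.append(gzip.decompress(blob).decode("utf-8"))
    return layers


def unwrap(cmdline):
    """All stages, outermost first; [] if the line is not an encoded command."""
    outer = decode_encoded_command(cmdline)
    if outer is None:
        return []
    return [outer] + decode_gzip_layers(outer)


# --- constructed sample, built the way a loader builds it ---
def build_sample_cmdline(inner_script):
    blob = base64.b64encode(gzip.compress(inner_script.encode())).decode()
    stage1 = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + blob +
              "'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    enc = base64.b64encode(stage1.encode("utf-16-le")).decode()
    return f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {enc}"


SAMPLE_INNER = "Write-Host 'hello from the inner stage'"
SAMPLE_CMDLINE = build_sample_cmdline(SAMPLE_INNER)

if __name__ == "__main__":
    for depth, stage in enumerate(unwrap(SAMPLE_CMDLINE)):
        print(f"--- stage {depth} ---\n{stage}")
```

Feed it the CommandLine field from Sysmon event 1 / Security 4688 records; anything that unwraps to an IEX of a decompressed stream deserves a look even before you read the inner script.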

