Tom, you were here last year, and you're back again. So welcome back. But this time you're my friend. So: Tom, Tom and Hadar, everyone.

Hello everyone. First of all, thank you for coming. We really appreciate it. Today we're going to talk about turning deception outside in and how to trick attackers with open source intelligence. My name is Hadar, and with me today you have Tom and Tom. We are security researchers at Illusive Networks. This is what we're going to talk about today. We will begin by covering what open source intelligence is and how attackers and defenders look at it. Then we'll briefly explain what deceptions are. Then we'll move on to combining the two concepts and explain our research, where we planted deceptions in open source intelligence. We will wrap up with a summary and some takeaways.

So what is open source intelligence? It has a cool and formal definition; you can all read it. But in general it's the concept of collecting information about your target, your objective, from publicly available resources. And we all know that attackers really love open source intelligence. They use it all the time, mainly to compromise networks. They want to infiltrate the network, so they begin by collecting information from OSINT. And there are a lot of things they're collecting. They're collecting credentials like usernames, passwords, email addresses. They're looking at private information. And they're looking everywhere. They're trying to find these pieces of information in public paste sites, search engines, social media, and so on. And there are a lot of resources that attackers use. It's being used so widely and so intensively that people already automate the process of collecting information from OSINT. So you have awesome tools like theHarvester and Recon-ng on the open source side.
And you also have commercial tools like Maltego and Shodan, and they are being heavily used by attackers, red teamers and so on. And defenders, OSINT really works in real life, okay? We spent two minutes on Googling and we found two awesome examples that demonstrate how attackers are using OSINT all the time. The first example is this guy. He posted a comment on a blog and mentions that he lost $50,000 in AWS charges. He accidentally pushed his credentials to his public GitHub account, and that led attackers to find them, and that cost him a lot of money. The second example is the guys at UpGuard: they did research and found that another company, called Viacom, had a lot of confidential data in S3 buckets. So OSINT works, attackers use it all the time, and it's easy for them to leverage it.

Defenders have a different take on open source intelligence. First of all, not all defenders even know that there is information about their organization in online resources. But the ones that do know, the first thing they do when they find out that there is information about their organization online is they panic and try to remove the information from the internet, where we all know that removing stuff from the internet is not an easy thing, because the internet just never forgets. That's me from 2006. The second thing that defenders try to do when they find out about information is to make it obsolete. So if you have a username or credentials that leaked, you go and modify that user's information in your network, and that's okay. But that's not always an easy task, because if your network diagram leaked, then changing your entire architecture is not an easy thing to do. So it's not always the case. We suggest doing something else about it, not just removing the data or making it obsolete. We suggest using deceptions in OSINT to make your detection better, and we'll explain how we do it. So I'll hand over to Tom to explain what deceptions are.

Thanks, Hadar.
We like to pitch, by the way. Okay. So let's put a pause for a second on OSINT and cover deceptions. So what are deceptions? Deceptions are basically pieces of information planted by defenders in order to make attackers make mistakes. One example from real life, or real wars, was in the Second World War: the allied forces used dummy tanks and other means to fool the German forces. What you see in the picture is an inflatable tank that six people can lift. The idea was that they wanted the Germans to believe that they were going to attack from a certain location, so they deployed it. If you go to the digital world, deceptions are also referred to as honeytokens, breadcrumbs or lures. One example of how deceptions can be used digitally is fake credentials. An attacker, when he compromises an endpoint, will try to leverage whichever credentials are already on the endpoint. So from the defending perspective, you can plant deceptive credentials. They look very attractive, very real. An attacker who tries to leverage them will not be successful and will get detected by defenders. So this is an example of defenders making an attacker make a mistake.

In this talk, we'll add a new twist to the concept of digital deceptions, because we plant the information on the internet. Usually deceptions are planted inside the organization by the IT or the security team. In this talk, we plant deceptions where they're available to everybody and see how it influences attackers. So going back to the same slide that Hadar just showed you about the resources where attackers are going to look for information on organizations: the same places can and should be used by defenders to place the deceptive information, the deceptive username, deceptive IP, deceptive OS name, in the same exact location. So now that we understand what OSINT is and what deceptions are, I'll let Hadar combine the two and explain what we've done.
So like Tom said, hopefully we now have a better understanding of what OSINT is and what deceptions are. And we want to share with you what we tried to answer. You probably ask yourself what we did. So we wanted to find out if attackers will use deception to move laterally in a network and not only use it to infiltrate a network. That was our main question. And in order to answer that question, or these questions, we had the following steps. Please note that we had to take two extra steps because we didn't want to do our experiment on a real organization. We wanted to make the initial experiment on a fake company, or on a fake environment that we control. So the first step was to create a front organization, a fake company, and then we created a corresponding computer network for that company. Then we had the planting of the deceptions in OSINT resources, and we monitored the attackers' activity, or their attempts to use those credentials.

So the first step was, in my opinion, one of the most fun parts, because we could create our own company. We decided to call it Aviado Mining, because everyone's doing crypto mining and cryptocurrency, right? It's the hottest thing right now. And we had some employees on LinkedIn that even got job requests from recruiters. We had a coming-soon website, of course. We had a Twitter account and a GitHub account with pieces of code that relate to crypto mining and cryptocurrency. And we had a good presence online, okay? The next step was to create a computer network for Aviado Mining. So we chose a random cloud provider. We created servers, computers. They were all joined to an Active Directory domain. We had computers and user accounts that were part of the domain. And we added a jump server, theoretically for users to use from home. But actually we wanted attackers to compromise that server and then move on to lateral movement in our network. That was our goal. The entire operation was monitored using a pretty simple architecture.
We had Sysmon deployed on the servers and endpoints. We had NetFlow logs from the cloud provider and a Splunk server to correlate the entire thing. And now Tom will talk about the actual cool thing, planting deceptions, and the results.

Thank you. So as I said before, we planted different deceptions in different hosting resources. Actually we planted tons of deceptions with various complexity levels. We planted internal resources like IPs and hostnames of the jump server and other internal servers of the network. We also planted credentials to those servers, like username and password or API keys. And also, since we know that attackers upload credentials to the internet, we planted some credential dumps too, for example an NTDS.dit dump or a Mimikatz dump. We planted them in various hosting resources, for example paste sites, public mailboxes, code repositories and file uploads. We wanted to show you what it really means to plant deceptions on hosting resources. So let's take a classic example of Pastebin, which is a public paste site. As you can see, we uploaded like 20 emails of our Aviado Mining company with their passwords. And we also planted an external IP of the jump server, which contains a username and password, which we'll monitor later. Another example of a resource to plant deceptions on is public mailboxes, for example Mailinator, which exposes an API that attackers can use in order to find interesting data in the public mailboxes. Credentials can be found online not only due to attackers' activities, like uploading credential dumps to the internet, but also because of user mistakes. For example, here the user by mistake uploaded a script to GitHub which contains a clear-text password. A more complex resource is file uploads. For example, we uploaded an NTDS.dit file to VirusTotal, which is the database of Active Directory that contains the hashes of the passwords of the users in the domain. For example, the correct password of J. Hoffman is password2.
And as you can see, there are open source YARA rules which attackers and defenders can use in order to find these NTDS.dit files on VirusTotal. And actually, we had many more ideas, for example RDP shops, GitHub gists, cloud storage, IRC channels. And we also failed on some resources. For example, while uploading credential dumps to hacking forums and Reddit, we just got banned. So our goal was that the company would be visible on the internet. Before the research started, if an attacker searched for our company name on Google, they would not find anything. Not on Google and not in automatic tools like theHarvester, which is a public website where you can enter your email address and it searches it across all the databases on the internet. After we planted all the deceptions we talked about, this is how it looks. Google finds all our deceptions, and the automatic tools also found our credential dumps. So actually our goal was achieved now: our company is visible on the internet.

We ran the experiment for two months, where we used a unique username for each resource in order to easily distinguish the resource. Our monitoring focused on usage of deceptions, on successful logons of the deceptive users and attempts to move laterally. And we didn't care so much about scanners and brute force attacks, although we saw some of them, which we'll talk about later. So let's talk about the findings. What did we find? We found close to 8,000 successful logins with our deceptive usernames, over 700 distinct processes which were executed on our jump servers, and close to 20,000 failed login attempts of non-existing users, which are probably scanners. Let's focus now on the most attractive resource, which was Pastebin by far, and let's try to explain why it was the most monitored site. First of all, the average time between deception planting and attacker attempts to use them was four hours, which is the fastest of all the OSINT resources.
The exposure was amazing. We got a paste with over 7,000 views in one month. And we also noticed that every time we post a paste, the paste gets 40 views after several minutes, probably by automatic tools which scrape these public sites, like Dump Monitor, Have I Been Pwned, PasteHunter. And actually our research shows that as time went by, attempts to use the deceptive user decreased drastically. So if you want to remain relevant, you should constantly be posting. GitHub is a great example too. But in contrast to Pastebin, here the average time between deception planting and attacker attempts to use them was days and not hours. The exposure was much less, only tens of views and not thousands of views. And in contrast to Pastebin, here the automatic tools scan only specific repositories and don't scan all the GitHub content, for example Repo Scanner and GitHub.

Let's talk about the activities that were done on the jump server. We saw different activities. Some of them were expected and some of them were less expected. We used a cool forensics tool that took a screenshot for every successful logon and every one minute. We saw lateral movement attempts, like trying to add a local admin user or scanning the network in order to reach our internal servers. We also saw some privilege escalations, since the deceptive user was only a domain user and not a local admin user. And we also saw some generic malicious tools, like some Bitcoin miners and Sentry MBA, and also some weird stuff, like an attacker who entered YouTube and searched for Rihanna's song Diamonds. And now I will let Tom talk about the summary and the conclusions.

Thank you. So let's review everything we covered. We talked about the definitions of OSINT and deceptions. We shared with you our research questions: will attackers use OSINT information not only to infiltrate the network but also to move laterally?
And we shared with you the experiment that we ran and shared some of the findings. We will release on Monday a more detailed report with all the findings; you can find the website down there. So we have multiple conclusions from our experiment. The first thing we found, and we were surprised, was how many human operators tried to compromise our servers. We had human operators connecting via RDP to our server, either installing Bitcoin miners or, as Tom said, doing weird stuff like opening YouTube and searching for Rihanna. So we expected many more automatic scans, but we found human operators. The second thing: we were surprised by how fast the attackers operate. It took only up to four hours from the point in time that we uploaded the credentials to the point in time that somebody knocked on our door. It was really, really fast. And all that was achieved while we had to revise our deceptions again and again. We discovered it's kind of an art form. In order to make deceptions look realistic, you have to invest the time and think about what will look realistic in the eyes of an attacker. So it also took us a while to get this.

If we go up a level, we understand that our results were influenced by the fact that we had a honeypot organization. And if you use a real organization versus a honeypot organization, we expect quite different results. We saw a lot of attempts to compromise the initial server and fewer attempts to move laterally. And we believe that using a real organization, we'll see a shift and many more attempts to move laterally in the network, because attackers will have a higher motivation to move around. And this is something we expect to do in future research. And one question that also came to our mind, regarding a real organization: will planting this type of information online increase the motivation of attackers to try to compromise the network? That's something that we had to think about.
And what we saw during the experiment is that so much open source information is already available online. So if you have a fake organization that nobody knew about, it may increase the motivation of attackers. But because your organization probably already has information available online, you can only gain from adding additional deceptive information.

If you take from this talk only three things, we really advise them to be the following. The first thing: when you go back home to your company, use one of the open source tools that we shared with you and see what kind of information is available online. We promise you will be surprised by the amount and the type of information that's already out there. The second thing: turn the problem into an advantage. Because once something is online, you cannot remove it, we urge you to monitor that information. If there are usernames or emails, see how they're used inside your organization. You may be surprised and maybe find attackers that have already compromised your network. And the last and most important one: add deceptive information to the open source resources. First, it will confuse attackers; they will not be able to distinguish between the real information and the deceptive one. And most importantly, it will increase your detection capabilities and enable you to detect attackers that have already compromised your network. Thank you very much.
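The monitoring approach the talk describes, one unique deceptive username per OSINT resource and then correlating logon events back to the resource to get time-to-first-use and usage counts, as an added example that is not part of the talk or of Illusive's tooling. The usernames, planting times, IPs and logon records are constructed; they stand in for the Windows logon events (4624 success / 4625 failure) the speakers forwarded to Splunk.

```python
from datetime import datetime

# Constructed mapping (hypothetical values): one deceptive username per
# OSINT resource, with the time the deception was planted there.
PLANTED = {
    "j.hoffman": ("pastebin", "2018-05-01T10:00:00"),
    "r.adams": ("github", "2018-05-01T10:00:00"),
    "l.kim": ("mailinator", "2018-05-01T10:00:00"),
}

# Constructed logon records as (timestamp, username, source_ip, success).
EVENTS = [
    ("2018-05-01T14:00:00", "j.hoffman", "198.51.100.7", True),
    ("2018-05-01T14:06:00", "j.hoffman", "198.51.100.7", True),
    ("2018-05-02T09:30:00", "j.hoffman", "203.0.113.9", True),
    ("2018-05-04T11:00:00", "r.adams", "203.0.113.9", True),
    ("2018-05-01T12:00:00", "administrator", "192.0.2.44", False),
    ("2018-05-01T12:00:01", "test", "192.0.2.44", False),
    ("2018-05-03T08:00:00", "l.kim", "198.51.100.7", False),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def analyze(planted=PLANTED, events=EVENTS):
    """Per-resource usage of the deceptive users, plus a count of failed
    logons for unknown users (the scanner noise the talk set aside)."""
    stats = {res: {"logons": 0, "attempts": 0, "sources": set(), "first_use_hours": None}
             for res, _ in planted.values()}
    unknown_failures = 0
    for ts, user, src, ok in sorted(events):  # chronological, ISO strings sort correctly
        if user not in planted:
            unknown_failures += 0 if ok else 1
            continue
        res, planted_at = planted[user]
        s = stats[res]
        s["attempts"] += 1          # any attempt, successful or not, is a signal
        s["sources"].add(src)
        s["logons"] += 1 if ok else 0
        if s["first_use_hours"] is None:
            s["first_use_hours"] = (parse(ts) - parse(planted_at)).total_seconds() / 3600
    return stats, unknown_failures


def rank_resources(stats):
    """Resources ordered by how quickly their deception was first used; untouched last."""
    touched = [r for r, s in stats.items() if s["first_use_hours"] is not None]
    untouched = [r for r, s in stats.items() if s["first_use_hours"] is None]
    return sorted(touched, key=lambda r: stats[r]["first_use_hours"]) + untouched
```

Any attempt against a deceptive username is an alert on its own, since no legitimate user holds that account; the per-resource ranking is what tells you where your planted data is actually being picked up.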