Thank you so much, and thank you completely to the IoT Village and all the volunteers and the staff, because I know we are coming down to the wire and they have got to be exhausted and just, you know, kind of melting in all of this. So thank you all to the team. Let's get started, because I have to get off of this slide before it gets evil and comes out and attacks. Do you know how hard it is to find a refrigerator like this? Anyway, this is who I am. I'm the CEO of BSides Chicago. I was the COO for The Diana Initiative last year. I also am part of BSides Pittsburgh. Why? Because I live in Pittsburgh currently. My first DEF CON was number three. How many people are that old? There were 16 speakers then. I've got a lot of years in security, with an emphasis on blue teams. I used to be purple. I do a lot of DevSecOps. I sort of was based in Pittsburgh the last year and a half, but in 16 more days I will be in beautiful Kirkland, Washington. I can't wait. I'm a natural creature of winter, and you will typically find me, as you will see right here, sipping a Casa Noble Añejo while simultaneously defending my systems using open source magic spells and dancing flamingos. We don't have time for dancing flamingos, but we damn well have time for tequila. Oh great, and now I'm coughing. That never happens. Wow. Honeypots, refrigerators and the Internet of Threats. I like to call it that instead of Internet of Things. But yeah, these are some of my absolute favorite things. We're going to talk about this stuff, and oh, yes, I'm a drummer too, if you haven't quite figured that out. All right, the views here and opinions and everything I show you today are mine. They are no one else's, definitely not any of my employers', past or present. Please take anything I show you with a grain of salt.
Don't try this at home, as they say on, oh God, I just forgot the TV show. Oh well, it's one of those days. And those of you with an overwhelming fear of the unknown will be happy to know that if you read this disclaimer backwards, there is no hidden message that will be revealed, although some people want me to put one in there. I think I may do that the next time. All right, why are we here? A couple of important points. I always like to present this in any of my talks, and I need to update it for 2019. I just have to get the information on it, but let's just look at 2018. In 2018, companies spent over a hundred and fourteen billion dollars on fancy software, fancy hardware, you know, all the blinky boxes, the blinky software, all that crap. Attacks and breaches continue to go up. The security stuff that we buy, whether it's CPP, whether it's firewalls, whether it's who knows whatever it is, it's vulnerable. Another very important point that I always like to make is lateral movement is so often overlooked. I'll talk about that coming up a little bit more. And then think about this: I've actually had people tell me that, oh, our security architecture is incredibly unique. I don't think so. There's not that many ways to make it unique. Also, what is your typical day? Normally I'm in a room presenting this, so I would say, by a show of hands, how many of you spend 50% of your time checking boxes that have to do with compliance? I can't see if you're raising your hands, but pretend you are and put it in Discord, because I'd be really curious to look once I get off the screen. If you don't have this book, I recommend that you get it. It's called Offensive Countermeasures by John Strand, and this quote is directly out of this book. I love it: instead of brilliance,
we've standardized mediocrity. And what I take from that is the fact that, yeah, we just go out and spend a few bucks here and there. We buy some off-the-shelf hardware, software, whatever, we plug it in and we go, whoo, we're protected. I don't think so. If that were the case, there wouldn't be the Equifaxes of the world, the Capital Ones and so on. All right, I love this cartoon, because this kind of says it all. In this corner we have firewalls, encryption, antivirus software, et cetera, et cetera, et cetera, and in this corner we have Dave. And the best part about this is, up until recently my boss's name was Dave, and when I showed him this I just couldn't stop laughing, because it was perfect. But it really is true, right? Because it's all about our users that continue to do things or get compromised or something happens, and we need a way to figure it out, especially in two aspects of it: one, we're all working remotely, and two, we have a lot of IoT shit, excuse me, IoT stuff on our networks. So we have to do something about that. Also, I saw this just the other day: this $12 course can turn you into an ethical hacking pro. I guess I did it wrong, I don't know. I went to school for this, although I was a music major, so what do I know? Now, I just had to put that up for your entertainment, because I do think it's kind of funny. Don't fall for these scams. Most of these courses are crap. Honestly, set up a lab in your environment. I'll give you one little tip: whenever I interview people, one of the first questions I ask engineers, security engineers and so on, is tell me about your home lab. I have actually had security engineers tell me, I don't have time for that. Really? Next. So keep that in mind. You better have a really good home lab. This is something I want to point out, because these are screenshots from a recent security conference, before COVID, before we went to virtual conferences.
I was physically at a conference, so it doesn't matter which one. But the point here is this: here I had a GoPro that allowed me to connect to it, and I actually started taking screenshots from this person's GoPro. I was trying to figure out where they were in the room based on the shots I was able to see. I had another device that was attempting to pair with me. I actually was able to pair with it. I also was running an evil AP and I was kind of capturing all the SSIDs that were running around this particular security conference. The point is, I usually do this every year at DEF CON, so if you see me walking around, I'll usually have a purse, and in that purse will be my evil AP. And the beauty of carrying a purse is it hides very neatly in your purse. But I look at all of this stuff and I kind of analyze it when I get back, and it's fascinating to me that as security professionals ourselves, and hackers and so on, we make the same mistakes that a lot of amateurs and new people make, because they don't clear out their Wi-Fi. They don't do things that they should be doing. There was also one other thing. This morning I was kind of bored. I put up a new spice rack in my kitchen, so I took a picture of it. I wanted to share that with everyone. Yes, you should all be laughing right now. If you're not, oh well, I tried. All right, why are we not here? Well, first of all, it's not a demo of 5,000 different kinds of honeypots. That would be kind of silly. I have 45 minutes. It's not going to work very well. I'm not going to show you all of my honeypots. If you follow me on Twitter, you know I have honeypots all over the world. I have them scattered everywhere. I have them in my apartment. I have them in a lot of different places. Showing you my honeypots would be counterproductive. It's not going to do anything, but I will show you some, without showing you where they're located, and they'll make a point. Oops, I have to fix, come back.
Sorry. The whole point of this is there must be a better way to do security, because if we keep spending all this money, there really has to be a better way, and I think honeypots are the way to do it. Let's quickly talk about what is an incident or breach. Some key points: most breaches are not zero-day. They're not fancy. You don't get breaches from vulnerability scanners. Most breaches come from configuration issues. Oh, this interests me, because it opens up the door to how I can modify my honeypots. A close second is compromised credentials. I worked at a company many years ago where, well, most companies are smart enough that they will change the administrator account in their domain. They don't want it to be Administrator. But why don't you put back an Administrator account and make it a honey credential? Think about that. We'll talk about that a little bit more. Also, trailing in third are over-privileged users. That's not going to fit well into our honeypots as much as everything else. Let's look at a couple of quick examples of IoT issues. This was a funny one: a university was attacked by its own light bulbs, vending machines and lamp posts. Answer a question for me. I know you can't, but you could in Discord. What in God's name were the light bulbs, the vending machines and the lamp posts doing on the same network as the rest of the university? It should not have been there. Also, there are industrial issues that we deal with all the time. An oil rig was shut down a couple of years ago. Why? Because there was an IoT sensor on the oil rig that actually detected whether the oil rig was tipping. It was an ocean oil rig. Somebody got in, they made the sensor read, I want to say it was like a 12 degree tilt, and the sensor was set so that if it went to 10 degrees or over, then it would shut down the oil rig. Nobody bothered to check that damn sensor to see if it was misreading or something was wrong with it. Also, there was a blast furnace.
It happened to have been owned by the government. It malfunctioned, so to speak. Well, what happened was somebody got into it. They raised the temperature, shut off the shut-off valves. The way this kind of solved itself was very simple: it melted. It melted down. No one was hurt, although if you were a blast furnace, I guess you might have been hurt in that particular case. This one I will never understand: why are toilets connected to networks? Seriously. I mean, are we monitoring water? I don't know. But this happens all over Europe and Asia and so on. It does bring new meaning to the word system dump. But anyway, yes, I would never put a toilet on the network. All right, now we're going to talk about one of my favorite things: honeypots. I love them. I think they are much more valuable than people give credit. Honeypots, or deception technology, people have changed the name lately. They love to call them deception technology. Why, I don't know. They wanted something that sounded more professional, so I guess deception technology. And yet I have found many commercial honeypots are nothing more than open source versions that have been repackaged with a fancy front end and a distribution model that allows it to be deployed to your environment much easier, but it's still the open source solution. So why can't I do that myself with an open source honeypot? Maybe Ansible, Puppet, Chef, whatever is your tool of choice, use that to deploy your honeypots and manage them. Maybe we can. But think of a honeypot as nothing more than a resource with no value. The value of that honeypot is someone using the resource. My honeypots are attacked all the time. I typically will not set my honeypots up to hack back. Who knows, maybe someday I will, but I haven't done it yet. Also, these are incredibly important points. Probably the most important aspect of honeypots is deployment. Where are you going to put them? I made a comment a few minutes ago.
I have honeypots all over the world. I don't just put them out randomly for the hell of it. There might be a couple that I might just place in a country on a VPS somewhere just to see if it gets attacked, but most of them are very strategically placed, especially within my own environment, my own networks, etc. So think about it. We're going to talk about that in detail coming up: architecture, customization, in other words, planning. You know, there are hundreds, thousands, I don't know, I've lost track. There are hundreds of types of honeypots out there. We're going to talk about that. In fact, let's talk about it right now. Here's a good list of some of my favorite honeypots. ADHD, great tool, comes from Active Countermeasures. It is free. Excuse me. And, you know, go download it, start playing with it. It has numerous honeypots built into it, a couple of which are my favorites as well: HoneyBadger and HoneyBadger Red. I love HoneyBadger and I'll talk about that coming up. There's another place to generate canary tokens. There is also OpenCanary, which is a great honeypot. If you want to build your own custom honeypots out of hardware and software, take a look at the Mozilla project called WebThings. There's a whole framework there that you can actually build your own honeypots with, with Raspberry Pis and so on. T-Pot is still a good one to get started with, to start playing. There's a new one that replaced the Modern Honey Network a couple of years ago. It's called Community Honey Network. Take a look at that one. Twisted honeypots, another. But I think you're getting the idea. But also, what about the real thing? What if I have a server that I could install Windows Server on, whatever year you want to pick? Why couldn't that be an actual honeypot? Why does it have to have special software on it to be a honeypot? I'll tell you this right now.
I have a mail server in my own personal network that is a fake mail server. If you look at my MX record, you will see that I have a couple of mail servers in there. But then there's this other mail server that sits on the exact same network, but it's not part of the MX record. It's a honeypot, and I catch people trying to spam it and get in and do things all the time, because the bots find it. The whole point here is there are lots and lots of honeypots. This is a great website, or a GitHub link, where the person maintains a great list of all of the honeypots. So keep that in mind. Also, I will be making my slides available after this talk up on my GitHub repo. My GitHub repo is the same as my Twitter handle, rainbow cat. So this will be up later tonight. Also, remember I said lateral movement. Lateral movement is critical, and honeypots are one of your best tools to detect lateral movement. Just recently I bought a new IoT device. I plugged it into my network, and one of my honeypots, which is made to detect port scanning, and I have it here in my own place, kind of went off. Why? Because the device that I plugged in started port scanning my network. Without going into details, because I have a bug bounty in place for this, it turns out that the vendor had actually installed somehow some beta or their testing software, not beta, their testing software got put on a piece of equipment that got shipped to production, that got shipped and purchased. I'm wondering whether that's a true story, but we can talk about that offline. The whole point is we have to find a way to detect lateral movement. Honeypots are the way to do it. We're going to see that. All right. Everyone should know what OODA is. If you don't know what OODA is, you're about to. OODA stands for observe, orient, decide and act, and this came from the military. It came from the military on how you do warfare, on how you do all of this, and it also was adopted by a lot of security professionals. Well, in the honeypot
world, I think we need our own little mnemonic, if you will, and it's called CCAD. CCAD stands for confuse, confound, my favorite, annoy, and of course delay. Why? Because if I can delay an attacker because they're stuck in a honeypot, then I'm going to have more time to find them and keep them from getting into my actual valuable resources. So yeah, I love this. We'll see it a little more later. Don't forget about monitoring. You can deploy all the honeypots you want, but people keep forgetting to monitor them. I use a great tool. I just put it up here. I don't represent them. It's open source, called Wazuh, or some people say "waza". Go take a look at it. It's an agent's configuration and also a SIEM built in. You put the agents on your honeypot. It does a lot of analysis of all the honey data, or of all the attack data, that's coming into your honeypots, sends it up to your SIEM, and it's tremendous. I just like to mention that, because you should pick something to be able to monitor your honeypots. All right, let's talk about deployment. This is the big part. I can't say it enough: plan, plan, plan. This should be 90 percent of your time when it comes to deploying honeypots, especially when it comes to IoT. You can't just build a little IoT honeypot and go, oh, I'll just put it on my network. No, you have to design your network such that it looks like this is a valid honeypot. I'm going to show you, coming up, a honeypot. Let me, I'll stop right there. I'll show you something and we'll talk about it. Also, two types of honeypots I recommend: low interaction, medium interaction. We don't need high interaction honeypots. We want them to get delayed and get stuck, but we don't need them mucking around with things that are very complex and difficult. Most of my honeypots, if I am deploying them within an environment, run on Raspberry Pis. If I could turn my camera, I would show you.
I have a table down here that has about 25 Raspberry Pis on it in various forms of destruction and rebuilding and everything. Raspberry Pis are great for it. Also think about honeyports, honeypots, honeytokens, honey credentials. It's easy to build a honeypot, but it's also going to be a little more difficult, because we have to customize it, and this is where the hard part comes in. This is why I say ding ding ding, this is important. I'm going to show you a test coming up here in just a second, and we're going to see how many of you pass. Also, if you're going to put a honeypot out there, real versus self-signed certificates: a self-signed certificate is the most dead awful giveaway that this is a honeypot versus a real resource, and these days, with Let's Encrypt, there's no reason you can't put a real certificate on a honeypot. Also, how difficult would it be if you took an actual application, a production application that you have, but put it on a honeypot server, and you might take maybe some of the data out of it, maybe, you know, ask your application team to modify it a little bit? But the point is you put the actual application on a honeypot server, so that way, when they're trying to attack it or trying to get into it, it looks like they're getting into something real. I'm going to show you an example of that coming up in just a second. I already mentioned, put a host intrusion detection on it, my favorite being Wazuh, which is a fork of OSSEC from several years ago. There are some rules, and you do have to do some tuning work, but it's very, very important. Now, where do you put your honeypots? Well, I put them everywhere: in server farms and cloud storage, IoT, the IoT one's coming up in a second. Put them out in my DMZ, out for mail servers, all over the place. Remember, stop and think about it. You know, you want WordPress, you want Raspberry Pis, spin up some VMs or some VPSes out there. Also, what about a point of sale system?
I'll tell you one about that coming up here in just a second. All right. Normally this is interactive. It's not very interactive right now, but if you were looking at this, and I'm hoping you can see my mouse, you should be able to, so we see this is, I got into this device. It looks like it says Linux RT-AC5300. Normally I'm asking everybody in the room, what do you think this is? And most people will yell out, oh, it looks like it's an ASUS router, and in fact it's an AC5300. No, it's not. It's actually Cowrie. Cowrie is an SSH/Telnet honeypot tool that can be configured to look like just about anything. In my case, what I did is I went to an actual AC5300. I gathered all of the screenshots and, not screenshots, all of the data files. I did df's, I did ls's. I captured all of the data I could off an actual AC5300. I then went to my Cowrie configuration and I started modifying all of the files here, because that's all you have to do. If you can modify the files, then suddenly this looks like an actual ASUS 5300. Now, if we were in my live version of this, where people could yell out things, you might yell out, but what about the HTTP interface of the router? Well, that is in here too. I just didn't get a screenshot of it. I should have, but I captured everything from the interface. I logged in, I got all of the HTML files after doing some screen dumps and so on. I then went to my Cowrie device. I modified it a little bit, because Cowrie normally doesn't have a web server on it. Well, because you're installing Cowrie on a base version of Linux, there's nothing to stop you from putting Apache on there. I put Apache on there. I put all of my configurations, so when you hit the web interface, it looked exactly like the ASUS 5300. Now here's the hard part. I had to go, well, wait a minute, I can't just drop it on a network somewhere, because why would someone have a wireless router sitting just randomly on a network? No, what I had to do was create a DMZ in my environment, set it up
so it looked like this was my, you know, Xfinity connection. So anyone coming to my Xfinity system would see an ASUS 5300 exposed and think they found the keys to the kingdom, and they would sit there forever trying to break into it, leaving my real firewall, which of course may be pfSense, who knows where it might be, OPNsense, because I like that better. The point is, don't forget about the configurations. That's in the customization. But that's how easy it is to take a simple firewall tool, in this case Cowrie, and modify it to look like something else. Now my other question: if you were looking at this, what would you say this is? And of course, actually, let me, oops, wrong one. Let me see if I can see where my Discord window went. Is anybody asking any questions? No, okay. What I was going to say is, in Discord, tell me, what do you think this is? I'm looking at the Discord channel right now, the top questions text. So does this look like what, OpenVPN? And I know there's a delay, so I'm kind of waiting and waiting to see what anybody says. But it looks like an OpenVPN server. I assume you would all say that, and I'm pausing a little bit to see what Discord says. People are typing. Yes. Yes. Okay, but it's not. It's actually a honeypot. What did I do? I installed the OpenVPN server on it, but here's the change. When you click this to download the software, it downloads HoneyBadger. HoneyBadger runs on the attacker's machine. It sends back a configure, or it sends back a trace, and it says guess where I am. The whole point here is, yes, I used OpenVPN, the actual application, but I modified it so it does things that I want it to do and not just what it was written to do.
I have a real OpenVPN server, but this one is fake. Some more examples. Okay, I mentioned point of sale. I did this in a previous company many, many years ago, where we had point of sale servers. They kept getting hacked, and they kept getting hacked with skimmers being put on them. So anytime, you know, they were credit card, typical credit card skimmer software. Well, we couldn't find who was doing it. It was happening, and happening at multiple locations. So what did we do? We built Raspberry Pis, in this case it was RPi 3s. We took RPi 3s, configured them to look exactly like Oracle's MICROS POS system, so the interface was there and everything was there. We then drop-shipped them to the various locations that we had, and within a week of being installed in our locations, one of them was attacked and the skimmer software was attempted to be installed, and we finally found out where it was coming from, and it was contractors and blah blah blah. Does it matter? The point was the honeypots caught the bad actors, all because we stopped and thought about where to put these things, because that's what's important: where to put them. Now, also think about compromised credentials. How many people have AWS keys that are stored out in GitHub? And they better be fake AWS keys, because the minute they're compromised, you're going to find out who is really trying to attack you, and not just some fake threat report that comes from some company that says, oh, you're being attacked by this country and these people and blah blah blah. Most of the time they're telling you about attacks you already know about. So think about credentials that you can use. And if you ever have a user that comes to you and says, oh, my account was compromised because I clicked on a phishing account, well, here's what you do: change their account name right away. Create a honey credential of the one that was compromised.
It works every time. This one I don't have time to talk about. Yeah, never mind. Had another one where we had a hardware, we had a server room, a data center, and we knew that we had people that seemed to be getting into systems physically. They were connecting up a crash cart and they were logging into servers. We couldn't catch them, because the entire place wasn't covered by cameras. This was like maybe about 10 years ago, so we had an issue. But a simple, I guess it wasn't 10 years ago, it was more like eight. What we did was we created QR codes. We stuck them on the bottom of these servers, and if you scanned it, because we told people about it, if you scanned it, it would give you emergency credentials to log in to fix the server. Well, no, what it really did was email us saying that somebody just scanned the QR code, and that's how we found who was doing it. Again, honeypots. I already told you about my mail server. This is an easy one to do, and it's not that hard. Also, set up a webcam, a fake one of course. It's very easy to mimic what webcam software looks like on a Raspberry Pi. You can expose it on your internet via, you know, some port routing between, you know, your firewall and everything, and even if it's just on your DMZ. The point here is, I did this years ago. If you all remember Mirai, I had done this. I had fake webcams out on my network. I didn't always get a chance to analyze them, because I didn't have them set up pointing to a SIEM. So this is how I learned I need to get a SIEM set up and have everything being correlated and analyzed, because I found out that I had the Mirai payload on one of my honeypots two months after Mirai hit. The problem was the payload had been dropped two months before Mirai hit. So if I had only been looking at my honeypots more regularly, I might have found Mirai before it actually did what it did. Oh, well. Think of S3 buckets. S3, but when you stop and think about IoT devices, what do they talk to?
They talk to the cloud in many cases. They talk to all sorts of things in the cloud, and they can also talk to S3 buckets and drop data in them. Put a fake S3 bucket out there. Generate some weird data, drop it in there, put some fake credentials out that are available that would access that S3 bucket, and then when the credentials are compromised you get an alert for that. But then when they're used to access the S3 bucket, which has bogus data in it, you also know who's actually actively trying to attack. Think about honeyports. This is going to be important. We might have to speed up, because I have a little less time. Here's an example of a great honeypot tool. This is on the ADHD package that you can look at. It's called Portspoof. So here you see I did an nmap from port 200 to port 300 of a host called gonzo, and it returned all of these funky, what are pretty normal services and so on, that you see running on there. But what really happened is this is running a tool called Portspoof, and Portspoof actually only listens on one port, but it has some redirect via iptables on that server. So anything that hits it, it says, oh, let me go and return all of this bogus data. But here's the best part of it. Because this one returned pretty quickly, but here's another example. Here we see that, okay, the attacker decided, oops, the attacker decided to do an nmap -A of gonzo. So we see we've got four minutes 43 seconds elapsed. It's still running. Its stealth scan doesn't find much. It says it's got 75, you know, we've got nine minutes 58 seconds, a minute 30, it says it's got remaining. It's still running here. It's only at 77 percent, and it's still going. And actually, I'm sorry, I'm looking at the wrong numbers over here. My timing is over here. It went from 4:53 to 7:39, and it only made it three percent. Why? Because Portspoof actually slows it down. It's like a tar pit.
It drags it in. Remember CCAD. That D is delay. If I can delay the attacker while they screw around trying to attack this host in my own network, then the odds are I will have spotted them, because my SIEM will alert me when Portspoof triggers. Simple. So now I know where they're coming from. I know what they're trying to do. Yeah, you know, think about this. Also, I will mention this one. I have a screenshot of it. Someday I may add it in here. I'm sure you all have heard of Have I Been Pwned, and a lot of people go there, they put in their email address, and they get a report back saying whether it's been compromised or not. I was thinking about that one day, and I stood up a funky domain similar to Have I Been Pwned. It was only up for about a week. I took it down very quickly, because I was very surprised. It said Have I Been Pwned, but instead of asking you to enter your email address, it asked you to enter your password, to check to see if that password has been compromised. In one week I had thousands of people typing in their passwords. I was floored, thinking, good lord. What? All I did was stand up a simple website. That's in here: enter your password, and people started doing it. It's crazy what people do. This is why honeypots have so much power in gathering information. So please, this is a dated quote. It's from 2014, but I think you all would agree: 84% of organizations that were breached had evidence of the breach in their log files. The problem is logging of all their actual applications is terabytes and petabytes and so on. It's huge. But honeypots are not going to be false positives. Honeypots, when they are triggered, they are real attacks. Why? Because you don't just drop them all over the place. I did have one place that we put a bunch of honeypots, and we had all the department, or the main department had actually told all the other managers where we put the honeypots, and I was like, seriously, why did you do that?
The whole point of having internal honeypots is to catch insider threats, not for you to tell everybody. So I had to pull them all back, wait about a month and then redeploy them so nobody knew where they are. The point here is planning about where you're going to put honeypots. So here are your key takeaways from today. Remember CCAD: confuse, confound, annoy, delay. Also, honeypots have low false positives. Feed them to a separate SIEM. Don't feed them to the same SIEM that you have collecting all your other data. They are great tools for detecting lateral movement. Why? Because what are people looking for when they get inside your environment? You know, I could only imagine if Equifax had real honeypots inside their network, they might have actually caught them before they got away with things. They're cost effective as hell if you're not going out and spending money on commercial versions. And remember, honeypots are there to defend, but mostly to detect, your environment. And what I really want to say is, honestly, well, I'll get to it in a sec. Let's talk about this. If you want to only work with IoT honeypots, I recommend home home; you know, it's a kit for testing and looking at IoT devices. But what I use it for is for gathering all of the screenshots, the data and everything of light bulbs and thermostats and all these things, so I can mimic them and make my honeypots look exactly like those devices. That's one of the things I do with it. Also, honeypots are great for forensics. Keep that in mind. Hell, I had Mirai. I just didn't know I had it. But what I really think is important here is honeypots are real threat intel. They are not fake threat intel. They are giving you information that is valid on who's attacking you. It's about thinking differently. I can't watch hundreds of thousands of servers in my environment every day unless I start to think about it slightly differently, and that's what we do with honeypots. So I can't say it enough: plan, plan, plan.
That is the key thing. Honeypots are easy to deploy, but planning the deployment is what's important. Thank you all very much. I hope you enjoyed this talk. I will be posting my slides. I am working on an actual honeypot customization workshop. I'm almost there. I've done a couple of walkthroughs. The problem has been I need to work on the labs, but once I get this done, I'm going to give it for free, virtually. So yeah, I'll be doing that. Watch my Twitter feed. You'll see information about that coming up within the couple of months. I have to get through my move from where I am now out to Washington. So thank you all very much. Hope you had a good time. Hope you liked my spice rack joke. If not, oh well. And here's to Casa Noble Añejo Tequila.
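The honeyport idea the talk describes (a listener on a port no real service uses, reporting every hit as a line for a separate SIEM and, like Portspoof, delaying whoever connects), as an added example that is not the speaker's code or any tool named in the talk. It assumes Python 3 on a Unix host; the banner, the loopback demo, the port numbers and the three-port scan threshold are constructed for illustration.

```python
import json
import socket
import threading
import time
from collections import defaultdict
from datetime import datetime, timezone

# Constructed banner; a real deployment copies the banner of the device it mimics.
FAKE_BANNER = b"SSH-2.0-dropbear_2019.78\r\n"
SCAN_THRESHOLD = 3  # distinct honey ports hit from one source => flag as a scan


class HoneyPortMonitor:
    """Tracks which source addresses touched which honey ports."""
    def __init__(self, threshold=SCAN_THRESHOLD):
        self.threshold = threshold
        self.ports_by_src = defaultdict(set)
        self.alerts = []

    def record(self, src_ip, honey_port):
        """Build one alert dict; mark it a scan once enough distinct ports are hit."""
        self.ports_by_src[src_ip].add(honey_port)
        touched = sorted(self.ports_by_src[src_ip])
        scan = len(touched) >= self.threshold
        alert = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "dst_port": honey_port,
            "ports_touched": touched,
            "scan": scan,
            "severity": "high" if scan else "medium",
        }
        self.alerts.append(alert)
        return alert

    @staticmethod
    def to_siem_line(alert):
        """One JSON object per line, ready to ship to a dedicated SIEM index."""
        return json.dumps(alert, sort_keys=True)


def drip_banner(conn, banner=FAKE_BANNER, per_byte_delay=0.5):
    """Send the banner one byte at a time; the pauses are the 'delay' in CCAD."""
    try:
        for b in banner:
            conn.sendall(bytes([b]))
            time.sleep(per_byte_delay)
    except OSError:
        pass  # peer gave up early; the alert was already recorded


def handle_connection(conn, addr, honey_port, monitor, per_byte_delay):
    """Record the hit first, then keep the peer busy with the slow banner."""
    alert = monitor.record(addr[0], honey_port)
    print(monitor.to_siem_line(alert))  # stand-in for shipping to the SIEM
    with conn:
        drip_banner(conn, per_byte_delay=per_byte_delay)
        conn.settimeout(1.0)
        try:
            alert["first_bytes"] = conn.recv(64).hex()  # whatever the peer sent
        except (socket.timeout, OSError):
            alert["first_bytes"] = ""
    return alert


def open_listener(bind_ip="0.0.0.0", port=2222):
    """Bind a honey port; port 0 lets the OS choose (used by the local demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)
    return srv


def accept_loop(srv, monitor, per_byte_delay=0.5, max_conns=None):
    """One worker thread per connection, so a tarpitted peer never blocks others."""
    honey_port = srv.getsockname()[1]
    workers = []
    while max_conns is None or len(workers) < max_conns:
        conn, addr = srv.accept()
        t = threading.Thread(target=handle_connection, daemon=True,
                             args=(conn, addr, honey_port, monitor, per_byte_delay))
        t.start()
        workers.append(t)
    return workers


def demo_local(per_byte_delay=0.0):
    """Loopback round trip: listen on a random port, connect once, read the banner."""
    monitor = HoneyPortMonitor()
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    acceptor = threading.Thread(
        target=lambda: [w.join() for w in accept_loop(srv, monitor, per_byte_delay, 1)])
    acceptor.start()
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(b"SSH-2.0-scanner\r\n")  # constructed client banner
    got = b"".join(iter(lambda: client.recv(64), b""))  # read until the tarpit closes
    client.close()
    acceptor.join()
    srv.close()
    return monitor.alerts[0], got


if __name__ == "__main__":
    print(demo_local())
```

Run directly it performs the loopback demo; for a real honeyport, pass an unused port to open_listener() and hand the socket to accept_loop(), which blocks until interrupted.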