
Michael Banks - You TOO can defend against MILLIONS of cyber attacks

BSides Augusta · 28:34 · Published 2016-09

About this talk
Video from BSidesAugusta 2016.

Transcript [en]

Welcome to BSides Augusta, welcome to the Living in America track. Good to see that a lot of you have turned up for our next speaker. Before we get to Michael, let me read a couple of numbers off. These are the first round of raffle drawings, so if you have your tickets you want to go ahead and pull those out. You do not have to claim it now, you can claim it after this, but all the raffle prizes have to be claimed... oh gosh, we went back and forth on the time so many times I don't remember where it ended up, but it was something like 3:00 something. 3:45? Okay, at 3:45. You've got to claim by then. All right, everybody got their tickets ready to go?

285 3842 is the first, 285 3842, and that was first pick of the various pile. Again, 285 3842. Next was one of the Tactical Tailor backpacks, and that was 965 596, 965 596. The next is, I think, a pretty cool one: one of the Hak5 field kits with a WiFi Pineapple Nano, which actually, if you were in the last talk, it has one of those Hak5 LAN Turtles and a Rubber Ducky as well, the ones that West talked about briefly. 028 222, that's 028 222. Next is a Klein bottle, which Mark explained a little bit this morning, delivered with the personal touch of Cliff Stoll, who's actually one of the pioneers of our industry. 591 061, 591 061. Okay, and the next thing was an Ace Hackware gift card of, I think, over $200, so it's a good one. 028 777, 028 777. No winners in here? I didn't hear anybody win. You know, a bunch of losers. It's all good.

Okay, so on to our next speaker. Michael does some pretty cool stuff with Rendition Infosec; they're actually one of our sponsors today. If you follow them on Twitter you probably also follow one of their founding guides, one of the co-owners, Jake Williams, who is actually here in the room too. We appreciate your support, Jake, and we appreciate Rendition's support of BSides Augusta. Michael here is a security consultant; he gets to go out and do cool stuff that a lot of you, I'm sure, wish you could do: he gets to go do penetration testing, social engineering and vulnerability assessments. He's going to talk to us today about a topic somewhat like that, so I give you Michael.

Thanks. Morning. So basically the title of the talk is You Too Can Defend Against Millions of Cyber Attacks. I was looking for a theme for the presentation and I thought Dr. Evil worked well with the word "millions," so I threw him in there. My name is Michael Banks and, again, I'm a security consultant at Rendition Infosec. Also, throughout the presentation, anyone that takes a picture of the presentation and tweets it at @RenditionSec, they're giving away three iTunes gift cards, so if you do that throughout the talk, just tweet that to @RenditionSec. I'm also a SIGO in the Reserve; I've been in the Reserve for a while, so I do that as well. And I'm a recent graduate of Augusta University, right here. Standard disclaimers: opinions are my own and not of any of my employers. I'm not a lawyer and this is definitely not legal advice.

The overview is basically: I'm going to go over background, how I got to do this talk and some of the things that motivated me to do this talk, go over some numbers and some projects that I started doing, and some takeaways.

So I was sitting in Baltimore. I don't watch the news too much; I keep up to date on the current stuff that's going on, but at the time there was this thing that happened in the news and they mentioned something known as an SF-86, a Standard Form 86, and I was like, that sounds familiar, I think I did something like that, or I had one, something like that. Basically it's a big stack of papers with a lot of information on it, and if you don't know about it just Google it, you'll find plenty of information on it. An organization was hacked and they seemed to house a bunch of SF-86s, so it caught my attention. It was just playing on TV and I looked into it, and one thing that I found is there's a lot of hearings when it's government entities that get hacked; there's a lot of hearings that Congress has. Luckily the hearing was happening in a couple of days, so I caught the hearing, and actually the director, Ms. Archuleta, who's no longer the director, was going through the hearing, and one of the quotes that she mentioned is up there: they thwart 10 million attacks constantly that they protected against. So I said to myself, what does that even mean, really? It was something they threw out there; I didn't want it to be an excuse.

So I started watching that, and that happened at the Committee on Oversight and Government Reform. I was watching that one and I started to watch more congressional hearings when they were about cyber and technology, and I noticed a pattern, a theme that kept going repeatedly no matter what hearing it was. One of them was "we need more talent," which is echoed by many different organizations. Insert your organization here, whoever it is that's in the media, that they face millions of cyber attacks, whether it's per day, per month, per year. And then the last theme I keep hearing on the Hill is something referring to a "cyber Pearl Harbor." I don't know what that looks like; maybe it's OPM, I have no clue, but that term is used by the congressmen and senators constantly.

So I stepped back and I was like, what is a cyber attack, really? I have some thoughts about it, but it really depends who you're asking. In the public sector, or the government, they basically refer to the CFAA, and it has many interpretations. I looked at it, I read it; it's very, I don't want to say too vague, but it covers a wide gamut. So that's what they consider the statute that a cyber attack really falls under. I kept searching and kept searching and I found another definition that the DoD uses, and that one is a little more descriptive and a little more in depth about what they consider a cyber attack, but it really didn't drive home or provide a framework for what a cyber attack really is or what it might look like. I'm sure they have their own definition, but I'm sure some public entities like Target, Sony and Wendy's might have a different definition of what a cyber attack is based on their experience.

So one thing, a good trend that this entire talk is based on, is the numbers. A lot of people, a lot of times, say numbers don't lie, and sure, numbers don't lie, but they can be presented in a way that might be misleading or might paint a

different picture than what's actually happening. So one of the things I see in the news constantly, all the time, is different attacks: millions of this, millions of that. I'm still saying to myself, it's not really telling me what's really happened, what kind of attack this is, what's happening behind the scenes. But if they get this information they paint a bigger picture of what's actually happened. Because, for example, if there's an attack happening on a network and I've got to talk to my boss and say we need more funding, if I'm just going to tell them we got scanned and there was a breach, if I give a bigger number it's more likely for me to get funding, so I'm going to tell them the bigger number than what actually happened. But the biggest one of all that I saw was 300 million cyber attacks each day. I don't know, again, what they mean by it or how they're calculating it, but it's out there in the news constantly.

To give a good example of how it's reported, let's take an SSH brute force. If I have a word list of 10,000 words and I attack an IP, let's say it takes 3 minutes to do, it's reported as 10,000 rapid, sophisticated cyber attacks that were thwarted, because I didn't get logged in. Sure. But it could also be reported in other venues as one failed intrusion event. So if I've got to tell that to my boss and I want funding, which one would I probably use? Yeah, that's how it's reported in the media as well. Another example: I need bigger numbers, I need bigger numbers, so let's try an Nmap scan. I want to scan all the ports, 65,000, when in actuality there's no report, because you get scanned all the time.

So I wanted to get real numbers, get real data on how you can calculate this and get some information, so I came up with something called Project SLAM. Project SLAM basically is a project designed to research the adversary's behavior. One buzz term I hear a lot is user behavior analytics and analysis, so I created Project SLAM to do that. What the project is on the back end is basically, I plan on doing this every year, and V1, that's already in place now, is a deployment on DigitalOcean. It's basically a Linux server, I'm running Kippo, and I put a nice little website on the web and let it sit there, let it accumulate some stats, some logs. One of the things I'm interested in grabbing with Project SLAM is a username/password word list. I'm grabbing the session of what a person logs in if they get the correct password. I didn't want to set the password too hard, so as not to keep an attacker from getting all the way into the honeypot, so I set it reasonably easy for them to get in, because once they get in the full session is being logged: what they actually type, where they go, what they try to run, and things they try to pull in. I also wanted all the different tools and downloads that they wanted inside the environment to run, so it also captures that as well. That's what's in place now and I'm going to go over some stats.

Next year I'm planning on doing something a little bit more robust. Instead of just getting a lot of data, I actually want to see what they do, where they go. Right now they're given an environment that they can go in and try to run different commands, and if I don't have the command on the approved list or haven't created a response for that command, it doesn't happen. I do allow them to bring things into the environment if they want to download something, but they don't have access to it; they think they downloaded it and they don't actually have it. That's what's currently in place. Next year I'm planning on doing something, still in development on how I'm actually going to implement it, but I'm thinking about using something like Docker, creating an entire OS that's its own standalone machine, not networked to anything else, and they can actually just play with it. Create some data on there that's fake data, fake usernames and passwords, different things like that, to see where they go, see where they go first, what they download, what they bring in, and then once they're done with it I just blow that away, archive it, image it and do analysis, while I'm still capturing the same information I'm currently capturing about username and password attempts.

So staying on V1, it's been deployed now for 27 weeks

and that's my big number that I was able to capture: 599,000 attempts. I could go even further and just capture IPs on connections, but I'm actually capturing the amount of times a person actually puts in a username and password and presses enter. If they just come to the site and leave, or come to the port and leave, I'm not counting that. I want the confirmed number of what a person actually attempted, something that would violate the CFAA if they actually logged in. So those are my current stats. Some of the things I'm saving are the unique IPs, passwords, accumulating all of that and bringing it into the environment to get numbers and stats to see what's used. There's some interesting things you can also take from the data, as far as the IPs and the geolocation, to see what countries are even attacking the box. So what country do you think is number one? China. China, that's a good guess, that's a good guess, it's pretty accurate. What about number two, though? Russia?

US. So here are the top countries that are attacking, and the US is number two, India was number three. Some of them are shocking to see, some of them are not, but yeah, China of course, China. Question: are the IPs valid? So it's only whatever IP actually makes the connection. Since it's going over SSH, it's a TCP connection, so it's making a full connection. Maybe it's going through a VPN, sure, but I'm only taking it, again, the first approach.

So some of the other unique things I'm capturing: getting usernames and passwords. Again, some of these are no-brainers that they would be the highest numbers, but there's different things that are also telling, like "pi." Some of the usernames they're trying, of course, are root and administrator, so changing to something that's not up here would be, I would say, preferable to configure to log in on something like SSH. Some of the passwords, again, some no-brainers, some a little surprising, and some are more telling of other countries as well. Some of these, like support, admin, sure, but wub or wbao, some of these you can sort of tell that it's international, it's not the US probably trying to log in. So yeah, currently 27 weeks. I'm letting this run to the end of the year. It won't be a full year because I deployed it in like March, so it wouldn't be a full year. One of the different things I'm calculating is, right now on the current path I get about 4,000 a day, so that would make 1.4 million in an entire year, so next year I'll have a full year of actual data.

But what's next? I'm actually going to dump all the information that I've got and put it on GitHub at the end of the year, along with a report of everything I found, different patterns that I saw, different usernames, different IPs, and even the word list, so that can be downloaded and used. I would recommend, even if you don't use word lists to try to crack passwords or whatnot, download the text file and check whether your password is on there. If your password's on there you probably want to change it. So those are different things I plan on doing. I plan on doing this every year; a lot of it runs automatically by itself and it doesn't require a lot of maintenance. A couple things I would recommend if you do something like a honeypot: take your data from the cloud, if you post it somewhere like DigitalOcean, and analyze it somewhere else, because right now, if you saw the dashboards or the graphs and charts earlier, I'm using Kibana, ELK (Elasticsearch, Logstash, Kibana), and I'm doing that in the same VM currently that the instance is running on. On DigitalOcean you can get a base install for like 10 bucks a month. When I was just aggregating the data that was fine; once I wanted to actually analyze it and get numbers back, yeah, 1 gig of RAM wasn't doing it, so that $10 a month instance went to 20, and when that grew it went to 40. So take your data somewhere local and analyze it somewhere else where you can actually have more RAM and it doesn't cost you per month. That's definitely something I recommend. I plan on doing this every year.

So some of the takeaways. Again, the word list; this is basically a log, the word list. There's more information on the back end, but this is one of the things I dumped already, and if you want to get that information it is on GitHub. One of the things on there is the dump; you have the IPs and the dates that the honeypot captured them, so you can actually go in there. Some other things: there's two branches, there's a development branch where I'm writing some tools, basically a tool that'll take the IPs, no matter what OS you're on, and automatically block the IP, and all you would do is either feed it this list or any word list that you have; it'll pull the IPs out of it and block each IP. So those are different things that are on the GitHub. A couple conclusions: basically, don't use simple passwords. One thing, as you saw before, root is the highest guess that they're going to take, so I would disable root, not the full account but its ability to log in through SSH. I'd choose a username not on that list as well, log in, and then you can elevate your privilege to root if you really need root, but having it disabled from public login saves you a bunch of times and it throws off your attacker for a good while.

Some of the other data that is on the honeypot, it's not on GitHub, but it adds a lot of value and I can show you now. Again, it shows you what they actually do on the server, and this is another neat reason why I like Kippo: you can actually see exactly what the attacker types.

All righty. So one of the things you can see is what the attacker types, and it's definitely telling, and there's an entire directory full of logs just like this. I can actually go see exactly what they type, where they go, things might work, things might not, so it's definitely useful. One of the other things I mentioned before is it has the capability to allow them to bring different things in, so if they wget a file it'll actually download the file, but they won't have access to it. Sometimes they download some tools, and it's definitely useful. As you see here, he downloaded a file, he downloaded the website; it actually tells you sort of the level of your attacker as well, because he downloaded his website instead of the actual tool he wanted. And now he downloaded his tool and he tries to find it, and he might have access to it, but again he doesn't have access to it, so that's what Kippo actually does. Now I have that tool as well. I was curious what this was, so looking at it... sheesh, I can't talk. So what was this attacker trying to do? Turns out that tool was a DDoS tool. I don't know if he wrote it himself or if he downloaded it somewhere else, but there was this Perl program; he was trying to run this Perl program to basically DoS the website. So now I have this Perl program that I could use somewhere else, or I know I need to disable Perl. Different things like that; it's definitely very useful to get this information.

But I will say one of the other unique things that I did see, and disclaimer, this one is not done in my honeypot and I didn't actually do this one, but this is the funniest one I saw. This person's another one of the interesting attackers that actually tried to log in on one, and actually watching what he's doing and where he's going, maybe this is Andrew Morris, I don't know, but you can actually get a lot of information based on watching what someone tries to do, so it's definitely useful in that aspect, because I now see what domain the attacker uses, if it's his zone, where he tries to go and what things he tries to get. Now a lot of it works and you can write the response for it. The way this one works is anything he pings, he'll get a response on what he pings; it'll grab the IP and [Laughter] reply. Some attackers are more persistent than others. Some log in, do a few commands and leave; some are more persistent, where they'll keep trying different things. Some will figure out pretty quickly it's a honeypot; some take a while to figure out it's a honeypot. A neat thing about this as well is you can write the responses you want to happen, so if he runs a command and I want a certain response, I can make him angry, and that's one of the unique things that I do like about Kippo: you can actually customize a lot of it. And he is pretty persistent; I don't know if he's even figured it out yet, honestly. So he goes back to pinging... life... broadcast... catching on, he's catching on, maybe he's catching on... they should try [unclear], and then they figure it out eventually.

So yeah, again, this is a lot of information you can get from a person on what they try, and it's definitely useful to have a honeypot, because I literally have a directory of about 100, 200 of these. Taking the time and looking through it to see what's actually out there, to see what they do and what they download and different things; I've got a directory full of downloads of different files that they try to download as well. So, are there any questions?

I have a few things to go in. We have a six-month part-time membership to the Clubhouse. This is a local one, so if you're not local I probably wouldn't recommend it for this one, but I guess a question: what was the name of the Harry Potter museum? ... on the back? Yeah, and another prize, you can go get it. Another prize is The Hacker Playbook 2, a good read, a lot of useful information. This one: what was the third country with the most attempts? India. That's all for our talk. Any questions, I'll be around afterwards, and don't forget to tweet. [Music] Any questions? No? Are you ready?

Yeah, thank you.
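As an added defender-side example (not code from the talk or from the Project SLAM repository), the script below does in code what the talk describes doing with Kippo data: it counts only confirmed username/password submissions and ignores bare connections, reports unique IPs, top usernames and passwords and any successful logins, checks whether a password is already in the captured word list, and pulls attacker IPs out of any text dump to emit firewall block rules. The Kippo log line format and the sample lines are constructed assumptions, not data from the honeypot.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Kippo's log (assumed format, not data from the
# talk). Session 13 connects and leaves without sending a password, so it is not an attempt.
SAMPLE_LOG = """\
2016-03-15 10:23:40+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:51234 (10.0.0.5:2222) [session: 12]
2016-03-15 10:23:41+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/123456] failed
2016-03-15 10:23:42+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/password] failed
2016-03-15 10:23:43+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [admin/admin] failed
2016-03-15 10:30:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:40022 (10.0.0.5:2222) [session: 13]
2016-03-15 10:31:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.99:40100 (10.0.0.5:2222) [session: 14]
2016-03-15 10:31:02+0000 [SSHService ssh-userauth on HoneyPotTransport,14,192.0.2.99] login attempt [root/123456] succeeded
"""

ATTEMPT_RE = re.compile(
    r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Never emit a block rule for loopback or your own RFC 1918 LAN (the honeypot's 10.0.0.5 above).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_attempts(log_text):
    """One record per username/password submission; bare connections are not counted."""
    return [m.groupdict() for m in map(ATTEMPT_RE.search, log_text.splitlines()) if m]


def summarize(attempts, top_n=3):
    """The numbers the talk reports: confirmed attempts, unique IPs, top names, successes."""
    return {
        "attempts": len(attempts),
        "unique_ips": len({a["ip"] for a in attempts}),
        "top_users": Counter(a["user"] for a in attempts).most_common(top_n),
        "top_passwords": Counter(a["pw"] for a in attempts).most_common(top_n),
        "successes": [(a["ip"], a["user"], a["pw"]) for a in attempts if a["result"] == "succeeded"],
    }


def password_seen(password, attempts):
    """True if the password is already in the captured word list, i.e. time to change it."""
    return password in {a["pw"] for a in attempts}


def extract_ips(text):
    """Pull every valid, non-local IPv4 address out of any text dump, deduplicated in order."""
    seen, out = set(), []
    for cand in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip not in seen and not any(ip in net for net in LOCAL_NETS):
            seen.add(ip)
            out.append(str(ip))
    return out


def iptables_rules(ips):
    """One DROP rule per attacker address, ready to review and then pipe into a shell."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

Run `summarize(parse_attempts(open("kippo.log").read()))` against a real Kippo log to get the same counts the talk's dashboards show, and review the generated rules before applying them.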