In this lesson, we're going to start talking about honeypots and active defense. Honeypots are probably the most well-known form of active defense, although there are several other types. Now, when we talk about defense, you probably have heard the old saying, "the best defense is a good offense." Now, what does that mean? Well, this was actually a saying from a boxer back in the 1930s named Jack Dempsey. And his idea was if you have a really good offense and you're hitting the other guy over, and over, and over again, you're going to bloody him up to the point where he gets tired and gives up on you. That's the idea of the best defense being a good offense. Now, when we talk about active defense, we're talking about the practice of responding to a threat by destroying or deceiving the threat actor's capabilities. Now, what this really means is that we have an engagement with the adversary. That's what active defense is all about. You're going to hit me? Well, I'm going to hit you back. Or you're going to try breaking into my network? I'm going to let you in, but I'm going to put you in this other area that's a decoy.

That's the idea of active defense. For instance, I might want to set up something that is essentially bait for an attacker. I set up an area of my network that is exposed to the internet, and I don't patch my servers, and I put false information on that stuff. That all looks like a very attractive target to an attacker. And so, they may go and grab that, and I'm luring them in. Well, that concept is actually called a honeypot. A honeypot is essentially a host or a server that is set up with the purpose of luring attackers away from your actual network components that you care about and instead allowing them to start attacking this other area. When they do this, it allows you to discover attack strategies and weaknesses in different security configurations, and learn from their attack methods, because as you watch them doing things, you're going to see: oh, when they first break in, then they try to pivot, or then they try to escalate privileges, or then they try to do X, Y, Z. And by being able to gather that information, you can learn about your adversary.

Now, in addition to a honeypot, which is a single host or server, you might have a honeynet. And this is an entire network that's set up to entice an attacker, and it looks really juicy, like it's a real company's network. Now, often these honeynets are set up by internet security companies because they want to use that to allow their security teams to analyze an attacker's behavior. Now, what's a good example of this? Let's say I went ahead and said, I have this wonderful database, so I'm going to set up a database server. I'm going to put some fake information in the database server and I'm going to expose it to the internet. Now, inside of that database, I have a lot of meaningless or unhelpful information, but the attacker doesn't know that. They just see there's a database with a lot of important financial records, because that's what I made it look like.

And so as they go in there and they start attacking that database, and they start getting into there, I can start seeing what they're doing, and figure out what their techniques are, and then use that to better harden the rest of my network against that type of an attack. That's the idea of using a honeypot or a honeynet. Now, one of the reasons why security researchers set up these big honeynets is to learn about new techniques, because when they learn about techniques, they can try to attribute them back to the actor. When we talk about attribution, we're talking about the ability to do identification and publication of an attacker's methods, techniques and tactics as useful threat intelligence. For instance, if you look at FireEye, they do this all the time. You can go look at a report on APT28, for instance, and they'll tell you they believe this is attributed to APT28, these types of malware, and these are the common techniques they use, and these are the common tactics they use, and this is who we think they are.

We think they are part of the Russian Federation, or we think they are part of China, or we think they are part of the US, or whoever it is they think they are. That is what attribution does. Now, in addition to dealing with things like honeynets, and honeypots, and attribution, we also can do other strategies like annoyance strategies. Now, annoyance strategies often will rely on obfuscation techniques. These are things where we're basically trying to annoy our attacker and waste their time. So for instance, we might put in bogus DNS entries. So when they look at our DNS records, they see that we have a mail server, and a SharePoint server, and a file server, and a web server, and we may not have any of those servers up, but we can give bogus DNS entries so they think there's something else there, and so they'll waste their time trying to find it. Then we can also have things like web servers with decoy directories. So I have a web server up and I have all my juicy information in a file called Confidential.

No, I don't, because I don't want somebody to see that, 'cause if they see "confidential," they're going to try to get into it, right? But I might put decoy directories like confidential, important, financial, and that way attackers might try to go for those and waste their time, 'cause if they're wasting their time on stuff I don't care about, hopefully they're not using their time against stuff I actually do care about. And then the other thing we can do is we can use port triggering and spoofing. There's a lot of techniques out there where when you see traffic come in on port X, have this action occur. And so you might have something like they connect on port 25 to try to get into your SMTP server, and you're not really running an SMTP server. Instead, you're going to send that over to port 80 and give them some other kind of message back. So again, you're wasting their time. Now, another thing you can do is what's known as hack back, and this is something I don't really encourage you to do.

Most organizations are not going to allow you to do hack back unless you work for maybe a three-letter agency, or a military component, or some other nation state, because when you're hacking back, you are conducting offensive attacks. Hack back is essentially using offensive or counter-attacking techniques to identify the attacker and degrade their capabilities. The idea here with hack back is maybe you have somebody who is attacking your network and you identify that their command and control is at this particular IP. Well, you can start doing a denial of service against their IP to get them to stop doing the attack against you. That's the idea of a hack back. Now, can you do this legally? Mm, maybe. It depends where you live, because these things all are in different laws based on the city, the state, the country, or the region of the world that you live in.

And so, you have to look into that, because there are many legal and reputational implications that you have to consider and mitigate before you can use some of these active defense strategies, especially hack back. For instance, hack back is considered an offensive maneuver. As I said, you are attacking somebody. So in the United States, you could actually go to jail for that because you are breaking the law. It is illegal to do hacking. And so if you are hacking back against somebody who is hacking you, that doesn't make two wrongs make a right here; you could still go to jail for that. So keep that in mind, remember where you are, and the laws in your area and the laws of the server that you're actually attacking, because just 'cause you're in the United States, that server may be someplace else, and then it's affected by those laws and regulations. So again, the best practice is really not to do a hack back, but again, it is one of those things that's covered, so I wanted to bring it up here.