Detecting a breach from an attackers perspective.

We're gonna regret this

Rik van Duijn and Wesley Neelen

Playlists: 'SHA2017' videos starting here / audio / related events

Detecting a breach is hard, detecting someone who targets your network specifically is even harder. As pentesters, we notice that we often remain undetected and breaching an infrastructure via an external server generally goes unnoticed. However, indications of our breach could definitely have been picked up, we could have been detected. So, why weren’t we? This talk focusses on using simple detection mechanisms that detect specific post exploitation steps. We demonstrate simple tricks that can be used as a final warning mechanism. We choose to focus on the behaviour of an attacker and give them what they want. Is the attacker using Mimikatz? Give them (fake) credentials. Are they using Responder? Broadcast WPAD queries! Port scanning the network? Give them something to port scan! Design small traps from an attackers perspective to detect someone snooping around.

Modern companies have various detection systems and immense amounts of logging. Not every alarm can be followed up, there needs to be a proper justification before starting a full-scale investigation. Indications of an initial breach (exploit-kit/phishing/malspam) do not justify a full-scale investigation. However, indications of post exploitation directs you towards a more focussed investigation. Assuming you don’t have many indications of post exploitation ;).