Honey Users for Cybersecurity | John Strand | BHIS Nuggets
HTML-код
- Опубликовано: 5 окт 2023
- Join us in the Black Hills InfoSec Discord server here: / discord to keep the security conversation going!
Reach out to Black Hills Infosec if you need pentesting, threat hunting, ACTIVE SOC, incident response, or blue team services -- www.blackhillsinfosec.com/
🔗 Download John's Free Training VM Lab here:
www.antisyphontraining.com/jo...
Description: An effective way to shut down Password Spraying. This technique is part of the MITRE ATT&CK technique matrix.
Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord
Black Hills Infosec Shirts & Hoodies
spearphish-general-store.mysh...
Black Hills Infosec Services
Active SOC: www.blackhillsinfosec.com/ser...
Penetration Testing: www.blackhillsinfosec.com/ser...
Incident Response: www.blackhillsinfosec.com/ser...
Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: www.backdoorsandbreaches.com/
Play B&B Online: play.backdoorsandbreaches.com/
Antisyphon Training
Pay What You Can: www.antisyphontraining.com/pa...
Live Training: www.antisyphontraining.com/co...
On Demand Training: www.antisyphontraining.com/on...
Educational Infosec Content
Black Hills Infosec Blogs: www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest RUclips: / wildwesthackinfest
Active Countermeasures RUclips: / activecountermeasures
Antisyphon Training RUclips: / antisyphontraining
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) - Wild West Hackin' Fest: wildwesthackinfest.com/
Excellent approach to detecting password sprays!!!
Literally chose to do this for a project in one of my grad school class. I'm gonna be purple teaming this with a SIEM, pair it up with time series analysis for comparison, and various evasion methods you mentioned. I'm always trying to think about other novel places to apply trapping, tripping, and tracing like this because it's cost effective
Awesome sauce 👍
Great insight!
Would an attacker that has already compromised a computer and can see the GAL, notice the honey user not there and might seem it to be a fake account? Would you recommend syncing those honey users so they show up in the GAL?
I would say it is a 50/50 situation. Adversaries might perform further reconnaissance on users objects e.g. listing group membership and proceeding with password spraying or other techniques just on a subset of identified users, where’s others would run through all users regardless. IMHO it depends on the threat actor. The more sophisticated, the more careful and diligent the recon. So I agree good point with GAL, another trace would be lack of group membership, so this certainly isn’t a solution that will resolve all problems.