Re: disruption strategies against intelligence community
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

next in our series, observation and detection continued:

here's a beautiful fact less discussed - exploits are fragile! perhaps more so than software in general. we can use this to our advantage :P

the broad themes of our approach are thus:

- change the landscape, subtly... you want to appear vulnerable while not actually being so. this is "VM camouflage", "OS Masking", "User Agent Switching", "Browser Fingerprint Forgery", etc., etc.

- rebuild sanitized and minimized. sanitized builds will produce lots of context and abort when stack, heap, or concurrency vulnerabilities are encountered. eliminating support for <bloated thing> in <your software> prunes the attack surface, perhaps mitigating an exploit chain at any link.

- anticipatory read-ahead: pre-fix vulnerable fruit. this is a thread for another discussion, but red-teaming your own setup is the best way to become familiar with the usual and unusual behavior of your systems, and to become aware of their limitations and weaknesses before they're exploited.

- deploy the honey! this includes honey services, honey tokens, honey pots (classic), honey hardware, and whatever else you can set up to attract attention while you see whose attention you attracted :)

one of my favorite techniques is disabling mlocate/updatedb and placing some large source trees on disk. i know that they should never be recursed over, so if all of a sudden i see a strange process doing a dirtree on that forbidden zone i know it's malicious, or at least severely malfunctioning! (this is where you use previous techniques to analyze state and determine one possibility from the other...)

relevant resources:

https://en.wikipedia.org/wiki/AddressSanitizer
https://docs.microsoft.com/en-us/cpp/linux/linux-asan-configuration
https://blog.quarkslab.com/clang-hardening-cheat-sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/C-Based_Toolchain_Hardening_C...
https://github.com/ray-lothian/UserAgent-Switcher
https://github.com/maximbaz/browser-fingerprint-protector
https://en.wikipedia.org/wiki/Deception_technology
http://s3.eurecom.fr/docs/csur18_deception.pdf

best regards, until next time - build your kit! :)

-----BEGIN PGP SIGNATURE-----

iNUEAREKAH0WIQRBwSuMMH1+IZiqV4FlqEfnwrk4DAUCYWXyC18UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0NDFD
MTJCOEMzMDdEN0UyMTk4QUE1NzgxNjVBODQ3RTdDMkI5MzgwQwAKCRBlqEfnwrk4
DIdDAQClN+iMK6vETD+gfkMBCXeusW8JD8OHKg3AkvtjhFq/1gD/W3b92Df31Zk7
oTp0vZBJOTsGiEuqvGq5ECchByNvrWU=
=tdrW
-----END PGP SIGNATURE-----
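The honey-directory trick in the post above, as an added example that is not part of the original message: a small detector that reads Linux audit records (as produced by auditd with a watch such as `auditctl -w /srv/honey -p r -k honeydir`) and flags any process that has opened more than a handful of distinct files under the planted source tree. The honey path `/srv/honey`, the threshold, the allow list, and the sample records are all assumptions made up for this example; real auditd output carries more fields, but the `type=`, `msg=audit(ts:serial)`, `comm=`, `exe=` and PATH `name=` fields used here are the standard ones.

```python
"""Flag processes walking a honey directory, from Linux audit records (added example)."""
import re
from collections import defaultdict

HONEY_ROOT = "/srv/honey"       # assumed: where the planted source trees live
THRESHOLD = 5                   # distinct honey files a process may touch before it is flagged
ALLOWED_COMM = {"rsync"}        # assumed: jobs that are expected to read the tree (e.g. your backup)

# audit rule assumed to produce these records:  auditctl -w /srv/honey -p r -k honeydir

_MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (record type, event serial, fields) for one audit line, or None if it is not one."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return fields.get("type"), int(m.group("serial")), fields


def find_honey_walkers(lines, honey_root=HONEY_ROOT, threshold=THRESHOLD, allowed=ALLOWED_COMM):
    """Join SYSCALL and PATH records by serial, then count distinct honey files per process."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))

    touched = defaultdict(set)                      # (pid, comm, exe) -> set of honey paths
    for ev in events.values():
        sc = ev["syscall"]
        if sc is None:                              # PATH without its SYSCALL: incomplete event
            continue
        key = (sc.get("pid"), sc.get("comm"), sc.get("exe"))
        for name in ev["paths"]:
            if name.startswith(honey_root + "/"):
                touched[key].add(name)

    alerts = []
    for (pid, comm, exe), names in sorted(touched.items()):
        if comm in allowed or len(names) < threshold:
            continue
        alerts.append({"pid": pid, "comm": comm, "exe": exe, "files": len(names)})
    return alerts


def sample_lines():
    """Constructed audit records: an allowed rsync, a one-file vim, and an unknown scanner."""
    def event(serial, pid, comm, exe, path):
        return [
            'type=SYSCALL msg=audit(1634567890.%03d:%d): arch=c000003e syscall=257 success=yes '
            'exit=3 ppid=1 pid=%s auid=1000 uid=1000 comm="%s" exe="%s" key="honeydir"'
            % (serial % 1000, serial, pid, comm, exe),
            'type=CWD msg=audit(1634567890.%03d:%d): cwd="/"' % (serial % 1000, serial),
            'type=PATH msg=audit(1634567890.%03d:%d): item=0 name="%s" inode=%d mode=0100644'
            % (serial % 1000, serial, path, serial),
        ]
    lines = []
    for i in range(6):                              # expected backup job, on the allow list
        lines += event(1000 + i, "4242", "rsync", "/usr/bin/rsync",
                       "/srv/honey/linux/fs/ext4/f%d.c" % i)
    lines += event(2000, "3131", "vim", "/usr/bin/vim", "/srv/honey/linux/README")
    lines += event(2001, "3131", "vim", "/usr/bin/vim", "/home/user/notes.txt")
    for i in range(6):                              # something from /tmp recursing the tree
        lines += event(3000 + i, "7777", "sh", "/tmp/.x/scan",
                       "/srv/honey/linux/drivers/net/d%d.c" % i)
    return lines


if __name__ == "__main__":
    for a in find_honey_walkers(sample_lines()):
        print("ALERT pid=%(pid)s comm=%(comm)s exe=%(exe)s honey_files=%(files)d" % a)
```

Run it against live data with something like `ausearch -k honeydir --raw | python3 honeydir.py` after replacing `sample_lines()` with `sys.stdin`; the allow list is where the "determine one possibility from the other" step from the post happens, since a backup job and a scanner look identical to the audit subsystem and differ only in which binary is doing the walking.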
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

the next session of instruction gets into some nitty gritty: sometimes you need a ground truth; low level, via external system. this is of course reading flash and disassembling differences. this is observing RF spectrum and deciphering accordingly. this is measuring power consumption to the milli-ampere.

---

pre-boot attacks on the management plane of a system (think about https://github.com/Cr4sh/ThinkPwn :) will leave your OS & app level view oblivious to malfeasance. sure, you could coreboot an x220, but we're trying to fish...

the themes of this approach are as follows:

- use an external flash reader to regularly extract and compare the persisted information. note that some types of systems will append to memory, while others will update values in place. for UEFI BIOS there are more options, and in particular you'll want to dissect suspect code that may appear on your system.

- flexible binary diff and disassembly tools. when you observe differences, you must verify them as usual operation, or flag malicious modifications for further analysis.

- low level monitoring can see the invisible! i mentioned two laptops at the beginning of this excursion. it follows for other devices employed as targets. power usage : temperature : responsiveness - these values should be identical for identical hardware running identical workloads. malware recursing a very large codebase running pattern matching (for intelligence/espionage subjects) will consume a visible and non-trivial amount of computing resources. you'll be able to see this, even if running in ring-3 SMM and otherwise completely invisible to the operating system itself.

- EMSEC: emission security is about your RF environment. devices used for exfiltration may show an RF footprint while the device driver shows the hardware idle or in power save mode.

Stingray detection (IMSI Catcher Detector) is also worth running, as you should never see your phones re-routed off a standard roaming list. there was recently a DF capable crowdsupply campaign... :P

in short: you should have the following capabilities:

1.) be able to observe changes to flash memory controlling BIOS, HDD state, embedded device firmware, and other controller storage.
2.) be able to contrast with baseline activity - power consumption, heat dissipation, RF emissions. this is where identical hardware can be crucial to discovering malicious activity.
3.) be able to observe malicious RF activity.

once upon a time they even shined a high watt retro reflector source at my farm. so high power my wife felt the hairs on her neck rise. pro tip: metal pole barns are great faraday cages :P and DF with an SDR pointed out their location up the hill... the hunter becomes the hunted!

until next time, and best regards,

-----BEGIN PGP SIGNATURE-----

iNUEAREKAH0WIQRBwSuMMH1+IZiqV4FlqEfnwrk4DAUCYa+eAF8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0NDFD
MTJCOEMzMDdEN0UyMTk4QUE1NzgxNjVBODQ3RTdDMkI5MzgwQwAKCRBlqEfnwrk4
DMRRAQCSHkmfhGbcDMGSrk8UV2fRIXniUD+8CdAKV2ZQBKEZVAD+NmYj15JSTWou
A0Xo/z+d0hFlKrm1jvXPhorANicOKoc=
=SAy8
-----END PGP SIGNATURE-----
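The "extract and compare the persisted information" step from the message above, as an added example that is not part of the original post: a sector-wise comparison of two flash dumps (such as two reads of the same SPI chip taken with an external programmer, e.g. `flashrom -p <programmer> -r dump.bin`) that reports every changed erase block, distinguishes the two update patterns the post mentions (data appended into erased 0xFF space versus values rewritten in place), and gives the offset of the first differing byte so the region can be handed to a disassembler. The 4 KiB sector size and the two constructed 64 KiB images are assumptions for this example; a real baseline must come from a dump you trust.

```python
"""Sector-wise diff of two flash dumps with append/in-place classification (added example)."""
import hashlib
import sys

SECTOR = 4096                          # assumed: 4 KiB erase block, common for SPI NOR
ERASED = b"\xff" * SECTOR              # NOR flash reads as all-ones after erase


def classify_sector(old, new):
    """None if unchanged; 'append' if an erased sector gained data; 'erase' if data went
    back to 0xFF; otherwise 'in-place' (which on NOR needs an erase+rewrite of the block)."""
    if old == new:
        return None
    if old == ERASED:
        return "append"
    if new == ERASED:
        return "erase"
    return "in-place"


def diff_dumps(baseline, current, sector=SECTOR):
    """Return one record per changed sector, in offset order."""
    if len(baseline) != len(current):
        raise ValueError("dump sizes differ: %d vs %d" % (len(baseline), len(current)))
    if len(baseline) % sector:
        raise ValueError("dump is not a whole number of sectors")
    changes = []
    for off in range(0, len(baseline), sector):
        old, new = baseline[off:off + sector], current[off:off + sector]
        kind = classify_sector(old, new)
        if kind is None:
            continue
        first = next(i for i in range(sector) if old[i] != new[i])
        changed = sum(1 for a, b in zip(old, new) if a != b)
        changes.append({
            "offset": off, "kind": kind, "first_diff": off + first, "bytes_changed": changed,
            "old_sha256": hashlib.sha256(old).hexdigest()[:16],
            "new_sha256": hashlib.sha256(new).hexdigest()[:16],
        })
    return changes


def coalesce(changes, sector=SECTOR):
    """Merge adjacent changed sectors of the same kind into [start, end) ranges."""
    ranges = []
    for c in changes:
        last = ranges[-1] if ranges else None
        if last and last["kind"] == c["kind"] and last["end"] == c["offset"]:
            last["end"] = c["offset"] + sector
            last["bytes_changed"] += c["bytes_changed"]
        else:
            ranges.append({"start": c["offset"], "end": c["offset"] + sector,
                           "kind": c["kind"], "bytes_changed": c["bytes_changed"]})
    return ranges


def make_sample(sector=SECTOR, sectors=16):
    """Constructed 64 KiB image pair standing in for two reads of the same chip."""
    base = bytearray((i * 31 + 7) & 0xFF for i in range(sector * sectors))   # deterministic filler
    base[12 * sector:] = b"\xff" * (4 * sector)                               # sectors 12..15 unused
    cur = bytearray(base)
    cur[12 * sector:12 * sector + 64] = b"LOG:" + b"\x01" * 60                # firmware event log grows
    cur[2 * sector + 0x100:2 * sector + 0x103] = b"\xe9\x00\x00"              # 3-byte patch in code
    return bytes(base), bytes(cur)


def report(baseline, current):
    """Human-readable summary; 'in-place' changes in code regions are the ones to disassemble."""
    lines = []
    for r in coalesce(diff_dumps(baseline, current)):
        lines.append("%-8s 0x%06x-0x%06x  %d byte(s) changed"
                     % (r["kind"], r["start"], r["end"], r["bytes_changed"]))
    return "\n".join(lines) if lines else "no differences"


if __name__ == "__main__":
    if len(sys.argv) == 3:                          # python3 flashdiff.py baseline.bin current.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(report(f1.read(), f2.read()))
    else:
        print(report(*make_sample()))
```

Appends into erased space (logs, NVRAM variable stores growing) are routine and mostly noise; an in-place change inside a region that should be immutable (boot block, PEI/DXE volumes) is the case the post is after, and `first_diff` is the address you feed to the disassembler. Read the chip twice before trusting a diff, since a flaky clip produces bit errors that look like in-place changes.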
participants (1): coderman