disruption strategies against intelligence community

coderman coderman at protonmail.com
Tue Oct 12 13:39:59 PDT 2021




next in our series,
 observation and detection continued:

here's a beautiful fact less discussed -
 exploits are fragile!

perhaps more so than software in general.
we can use this to our advantage :P


the broad themes of our approach are thus:

- change the landscape, subtly...
  you want to appear vulnerable while not actually.
  this is "VM camouflage", "OS Masking", "User Agent Switching",
  "Browser Fingerprint Forgery", etc., etc.

- rebuild sanitized and minimized.
  sanitized builds will produce lots of context and abort when
  stack, heap, concurrency vulnerabilities are encountered.
  eliminating support for <bloated thing> in <your software> prunes
  the attack surface, perhaps mitigating an exploit chain at any link.

- anticipatory read-ahead : pre-fix vulnerable fruit.
  this is a thread for another discussion, but red-teaming your own
  setup is the best way to become familiar with the usual and unusual
  behavior of your systems, and become aware of their limitations and
  weaknesses before they're exploited.

- deploy the honey!
  this includes honey services, honey tokens, honey pots (classic),
  honey hardware, and whatever else you can set up to attract attention
  while you see whose attention you attracted :)
  one of my favorite techniques is disabling mlocate/updatedb and placing
  some large source trees on disk. i know that they should never be
  recursed over, so if all of a sudden i see a strange process doing a
  dirtree on that forbidden zone i know it's malicious, or at least severely
  malfunctioning! (this is where you use previous techniques to analyze state
  and determine one possibility from the other...)


relevant resources:

  https://en.wikipedia.org/wiki/AddressSanitizer
  https://docs.microsoft.com/en-us/cpp/linux/linux-asan-configuration
  https://blog.quarkslab.com/clang-hardening-cheat-sheet.html
  https://cheatsheetseries.owasp.org/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.html

  https://github.com/ray-lothian/UserAgent-Switcher
  https://github.com/maximbaz/browser-fingerprint-protector

  https://en.wikipedia.org/wiki/Deception_technology
  http://s3.eurecom.fr/docs/csur18_deception.pdf


best regards, until next time - build your kit! :)
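As an added example (not from the original post), the honey-directory trick above written as a small Python checker over constructed Linux audit records: it assumes a watch rule such as `auditctl -w /srv/decoy -p r -k honeydir` (the path, the key and the process names are assumptions) and flags any process that reads the decoy tree repeatedly unless it is on an allowlist of expected readers.

```python
import re
from collections import Counter

# Constructed sample: SYSCALL records in the shape the Linux audit daemon
# writes for a watch rule keyed "honeydir". Not real data; pids, process
# names and paths are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1634064000.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=4242 auid=1000 uid=1000 comm="weird-scan" exe="/tmp/.x/weird-scan" key="honeydir"
type=SYSCALL msg=audit(1634064000.102:502): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=4242 auid=1000 uid=1000 comm="weird-scan" exe="/tmp/.x/weird-scan" key="honeydir"
type=SYSCALL msg=audit(1634064000.103:503): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=4242 auid=1000 uid=1000 comm="weird-scan" exe="/tmp/.x/weird-scan" key="honeydir"
type=SYSCALL msg=audit(1634064000.104:504): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=4300 auid=1000 uid=1000 comm="rsync" exe="/usr/bin/rsync" key="honeydir"
type=SYSCALL msg=audit(1634064000.105:505): arch=c000003e syscall=257 success=yes exit=3 ppid=77 pid=4400 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="honeydir"
type=SYSCALL msg=audit(1634064000.106:506): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=4500 auid=0 uid=0 comm="cron" exe="/usr/sbin/cron" key="other"
"""

# audit fields are key=value pairs; values may be double-quoted strings
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Turn one audit record into a dict of field -> value (quotes stripped).
    Only SYSCALL records carry comm/exe/key, so everything else is ignored."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "SYSCALL" else None


def honeydir_alerts(log_text, key="honeydir", allowed_exes=frozenset(), threshold=3):
    """Return one alert per process that touched the decoy tree at least
    `threshold` times and is not an expected reader (e.g. your backup job).
    A single stray open() is noise; repeated reads look like a dirtree walk."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("key") != key:
            continue
        if rec.get("exe") in allowed_exes:
            continue
        hits[(rec.get("pid"), rec.get("comm"), rec.get("exe"))] += 1
    return [{"pid": pid, "comm": comm, "exe": exe, "hits": n}
            for (pid, comm, exe), n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    for a in honeydir_alerts(SAMPLE_AUDIT_LOG, allowed_exes={"/usr/bin/rsync"}):
        print(f"ALERT pid={a['pid']} comm={a['comm']} exe={a['exe']} hits={a['hits']}")
```

Feed it `ausearch -k honeydir --raw` output (or tail the audit log) and anything that survives the allowlist is the "strange process doing a dirtree" the post describes, ready for the state-analysis step.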


