
Attack Mining: How to use distributed sensors to identify and take down adversaries by Lars König
Buckle up for a deep dive into the constant battle to protect systems on the internet against adversaries gaining access, and how you can help make the internet a safer place!
A very large variety of passwords is being used. Unlike user names, passwords are not customized to the victim. Because adversaries reuse their own lists of user names and passwords, those lists can be used for adversary fingerprinting. #38c3
By combining several attributes, this data can be visualized in a multi-dimensional space. By reducing the dimensions, a graph can be created that visualizes it more clearly. #38c3
The graph shows a subset that was investigated: 238 unique IPs between February and December. Each IP's scan contains the same 169 username and password combinations. #38c3
When these IPs are looked up in Shodan, they are residential IP addresses, which points to infected home or IoT devices. The speaker dives into a specific example of an adversary trying a set of specific passwords over and over again. #38c3
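The fingerprinting idea described above (grouping source IPs by the credential list they try, since adversaries reuse their own lists) can be shown in a few lines. This is an added illustration, not code from the talk: the honeypot-style log lines, IPs and credentials are constructed, and the key=value log format and the 0.8 overlap threshold are assumptions.

```python
"""Group attacking source IPs by the credential sets they try.

Added illustration, not code from the talk. The log below is a constructed
honeypot-style record (timestamp, source IP, username, password); the IPs
and credentials are made up, and the key=value format is an assumption.
"""
from collections import defaultdict
from itertools import combinations

CONSTRUCTED_LOG = """\
2024-05-01T10:00:01 src=203.0.113.10 user=root pass=123456
2024-05-01T10:00:02 src=203.0.113.10 user=admin pass=admin
2024-05-01T10:00:03 src=203.0.113.10 user=pi pass=raspberry
2024-05-01T10:05:01 src=198.51.100.7 user=root pass=123456
2024-05-01T10:05:02 src=198.51.100.7 user=admin pass=admin
2024-05-01T10:05:03 src=198.51.100.7 user=pi pass=raspberry
2024-05-01T11:00:01 src=192.0.2.44 user=postgres pass=postgres
2024-05-01T11:00:02 src=192.0.2.44 user=ubuntu pass=ubuntu
2024-05-01T11:00:03 src=192.0.2.44 user=root pass=toor
"""


def parse_log(text):
    """Return {src_ip: set of (user, password) pairs} from key=value lines.

    Constructed values contain no spaces, so whitespace splitting is safe here.
    """
    creds = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        creds[fields["src"]].add((fields["user"], fields["pass"]))
    return dict(creds)


def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means identical credential lists."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def fingerprint_clusters(creds, threshold=0.8):
    """Union IPs whose credential sets overlap by at least `threshold`.

    Uses a small union-find so transitive overlap also joins a cluster.
    Returns a sorted list of sorted IP lists, one list per cluster.
    """
    parent = {ip: ip for ip in creds}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(creds, 2):
        if jaccard(creds[a], creds[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for ip in creds:
        groups[find(ip)].append(ip)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    by_ip = parse_log(CONSTRUCTED_LOG)
    for cluster in fingerprint_clusters(by_ip):
        print(cluster)
```

On the constructed log the two IPs sharing the same three-entry list land in one cluster and the third IP stands alone; with real sensor data the same grouping over full credential lists (169 entries in the subset the talk describes) is what makes a tool's signature visible across otherwise unrelated residential IPs. Jaccard overlap is used here as a transparent stand-in for the dimensionality reduction the talk mentions; it does not reproduce the talk's method.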
The speaker investigated these passwords and found devices that were being targeted. One example was a Raspberry Pi in South Korea. The speaker was able to get access to the instance and was able to investigate further by using netstat -apn and pstree -a. #38c3
Adversaries will often brute force well-known user names (root, admin, user, test, etc.). However, they will also create a list that is specific to a domain and site. The next set of targeted users are accounts created by installed applications (e.g. postgres). #38c3
From the data, Lars has created these two diagrams. The first diagram shows where the attacks come from. The second diagram shows the map of IoT devices. #38c3
Lars runs a setup of 250 sensors that log roughly 12.5 million events per day. #38c3