Profile picture
, 12 tweets, 3 min read
My Authors
Read all threads
I mentioned that the idea for Intrusion Detection Honeypots #idhbook was floating around in my head for a long time. Something I didn't mention in the book, is that it was my time as a pen tester many years back that crystaized some key parts of the concept for me. 🍯 1/
As the attacker, it's all about iterative discovery. You access something, look around, and leverage your access to move on to the next thing. You do this until you reach a goal, whatever it may be. 2/
Good attackers exhibit some common traits -- seeking to decrease ambiguity, adaptability, and curiosity are big ones. You have to take what the network gives you and manipulate it. I really learned the value of these things in the offensive context at @inguardians. 3/
The idea for Intrusion Detection Honeypots is that if you (the defender) can control what the attacker sees and thinks during their iterative discovery, you can control what they do. You are taking advantage of the things that make attackers good and successful. 4/
That's why attackers are so vulnerable to being manipulated by savvy defenders. We can easily place honey services/docs/tokens in front of attackers by knowing where they are likely to come from (common footholds) or where they are likely to go (valuable assets). 5/
Once they see the honeypot we place, we can easily make it appear valuable by blending in with other valuable things or standing out from less valuable things. 6/
There are so many ways to exhibit value because attackers WANT to believe things they've found have value. They yearn for it, thirst for it even. An interestingly named document, a system advertising a service they've never heard of, a custom-looking web app -- irresistible. 7/
At this point, the attacker MUST explore and interact. It's at the core of what they do. It's the bedrock of their entire mindset. It doesn't matter if they find out it's a honeypot later, by the time they figure it out you already know they're on your network. 8/
Intrusion detection honeypots take advantage of the thing that makes attackers good at what the do. It preys on their very sense of identity. Their adaptability and their curiosity can be their downfall when defenders take advantage of it. 9/
You have to be an experienced red teamer to be a great blue teamer. But, my red team experience was essential for conceptualizing some of the IDH concept. It's why the book isn't just a list of ways to implement IDH, but an entire framework for a deception mindset. 10/
I show you how to create a bunch of IDHs in the book. But the underlying goal is to teach you to think deceptively so that you can go well beyond the techniques I provide.

See-Think-Do.

Control the first two and you control the third. 11/11
You *dont have to be
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Chris Sanders 🍯

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#idhbook

More from @chrissanders88 see all

Profile picture
Chris Sanders
@chrissanders88
Let's talk about the differences between novices and experts. But, instead of cyber security, we'll use airport baggage screeners as an example. These are the folks who use the scanner screens to find forbidden items in luggage 1/
We all expect that experts are faster than novices. That's often correct, but WHY? 2/
Experts go through a few steps when looking at a bag image. First, they perceive the whole image quickly, looking for something to draw their attention. Maybe a dark spot or an unknown pattern. This holistic analysis is nearly automatic. 3/
Read 16 tweets
Profile picture
Chris Sanders
@chrissanders88
The most frequent mistake inexperienced analysts make when asking investigative questions is not being specific enough. For example, "Is this external IP bad?". That's a fine question, but it's not answerable without asking more questions. 1/
A deeper question might be, "Does this IP appear on any reputation lists?" or "Is it found in malware sandbox executions in public repos?" or "Have we encountered this IP in any other investigations?" . 2/
Another example, "Is this system infected?". We definitely want to know that, but it's more specific questions that get us there. 3/
Read 9 tweets
Profile picture
Chris Sanders
@chrissanders88
A lot of how adults learn relates to motivation, and for good reason! Adults have agency to choose what they learn. One interesting facet here is the role goal setting plays in learning and what it reveals about your motivation. 1/
First, let's consider expectancy-value theory. If you expect you might not do well in something, you're likely to devalue it, thereby avoiding it. If you expect to do well, you may value something and set goals related to it. 2/
There are several types of goals, but two common types are mastery-driven and performance-driven goals. The different between the two can help you recognize where your motivation lies and what barriers might be limiting you. 3/
Read 11 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!