DEF CON 25 Packet Hacking Village - Tom Sela - Fooling the Hound Deceiving Doman Admin Hunters

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound, shift the balance even more dramatically towards attackers. Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deceptions has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected. To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge.