How can we waste attackers’ time, attention, and money? Can we inflict psychological damage on them? In essence, can we f*** with them for better resilience outcomes?

Yes we can! Our new paper — led by @dykstra with other fine folks — answers these questions, introducing the concept of “sludge” against attackers for systems resilience: https://arxiv.org/pdf/2211.16626.pdf

@shortridge @dykstra @anildash thank you for sharing! Interesting to note: in at least one high-assurance community I participate in, new users are not admitted unless their (federated verification token array) includes at least one valid “proving I have an account this other place, too” token. The propaganda invaders went from daily annoyances to … all but invisible.
@Cmdrmoto @shortridge @dykstra @anildash huh. I _really_ like this idea, but unfortunately I don't think we have one good, privacy-assuring authentication choice that the majority would agree to at this point.

@orenwolf @shortridge @dykstra @anildash It’s a powerful one.

But, as we GenX Internet nerds know, “one good, privacy-assuring authentication service” *will* ultimately serve as a point of centralized control, if we allow it.

Fortunately, “the authentication problem” is well-recognized. W3C recently ratified their DID 1.0 specification, including provisions for Verified Credentials, as a step in the right direction.

@orenwolf @shortridge @dykstra @anildash Factors preventing DID-based “universal login” from becoming A Thing?

Well … I’m not sure how we’ll get the Commercial Interests onboard. It seems counter to their captive-user-accumulation goals.

Microsoft, of all places, is actually doing really solid DID and Verified Credential implementation, as it dovetails well with their “we want every enterprise in the world using ActiveDirectory” strategy.

@shortridge @dykstra paging @jimstewartson - I suspect this is relevant to your interests
@Cmdrmoto @shortridge @dykstra Indeed thank you. ✍️
@Cmdrmoto @shortridge @dykstra Strong elucidation of something I have sorta kinda done standing up game platforms and websites for decades. Goal is not always perfect security, it’s to make it more of a pain in the ass to break in than the value they would obtain.
Thanks again.

@jimstewartson @shortridge @dykstra Next, consider what this “sludge” strategy would look like from the oppo perspective.

Perhaps you’d endeavor to overrun your Target’s stream of incoming intelligence, deploying conflicting / obscurant information, carefully engineered to maximize negative emotional states?

@jimstewartson @shortridge @dykstra

By making research into their *actual* agenda so confusing and emotionally harmful - they’re winning the Sludge game right now.

We need better IFF.

@jimstewartson @shortridge @dykstra Non-attributed intelligence is every bit as risky to accept into your brain, as that “free virus scanner” advertised via a porno website pop-up.

The opposition *does* know how to hijack your amygdala. Strong emotional states *do* make it difficult to engage cognitive “executive function”.

@shortridge Does me changing my Linux server's default shell to PowerShell count?
@shortridge @dykstra The best defense is a good offense? I love it! Really good read, thanks for sharing!
@shortridge @dykstra my favorite sludge: traffic lights
Q: how much ML model training does it take to change a light bulb?
A: not enough. please select all the traffic lights.
@shortridge @dykstra I guess there is a plausible-deniability angle to this too, where you don’t want to deploy so much sludge as to antagonise an attacker. It’s probably a bad outcome to turn an opportunistic adversary into a grudge-motivated one.
@shortridge @dykstra today I was the attacker of my own iPad since I lost my password.
I can tell you #apple really makes you miserable as a user if you forgot a password.

@shortridge @dykstra love this. I have found myself in IR gigs where we would pretend that phishing attempts were successful, to f**k with the attacker and give them decoys to waste resources on.

"Thank you for your email. I will review the document and let you know"
...6 hours later...
"Uh, I tried to open the attachment but I received an error message. Can you make sure it is a well formed PDF and send it again please?"

@icesurfer @shortridge @dykstra to what end? Was there a bigger plan or strategy for information gathering around this, or just for fun/experimentation?

To me the exemplary example is Stefan at BSides Leeds ( https://www.youtube.com/watch?v=HR5H0YJQCsA ) - with "oh yes Mister CEO on holiday, we can transfer the money, but you've forgotten the new portal for bank details" and then going on to share the account numbers as an IOC and contact the hosting bank...

BSides Leeds 2019: Weaponising Layer 8 - Khae

@SonOfSunTzu @shortridge @dykstra can't share too much detail, but we knew the attacker was time constrained: they needed specific business information no later than a very precise date, for that info to be actionable. We opted to make it look like their phishing attempts had potential, to reduce the risk that they could choose avenues of attack we had less visibility on.

@icesurfer @shortridge @dykstra thank you.

I think in general it's a good idea to waste the attacker's limited time, and to add to their cognitive load... but that's always a vague concept, and you don't know if you're spending your resources making another potential victim's life easier... altruistic, but not efficient.

But in this case, where you have known limits... great 🙂

Also I like the "keep them where we can see them" idea too...

@dykstra @shortridge great contribution to this art. I can see some opportunity for deceptive techniques, such as honeypots, to move beyond alerting on intrusion toward occupying the attacker's time in such a way as to give defenders more time to respond.
@duanegran @dykstra I have a paper for precisely how to move beyond honeypots, too! In this one, we introduce the concept of deception environments (along with a design framework, examples, etc.) that can significantly waste attackers’ time, along with other myriad benefits: https://m-cacm.acm.org/magazines/2022/6/261170-lamboozling-attackers/fulltext
Lamboozling Attackers: A New Generation of Deception

Software engineering teams can exploit attackers' human nature by building deception environments.
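As a toy illustration of the deception-environment idea in this post and the "keep them where we can see them" point above (added here; not code from the paper, the article or any project): a honeytoken credential diverts a login into a decoy where every request is recorded and slowed by a bounded, escalating delay. Credential values and action names are constructed.

```python
import time
from dataclasses import dataclass, field

# Constructed sample credentials; no real system is modelled.
HONEYTOKENS = {("svc_backup", "Winter2022!")}      # exist only to be stolen
REAL_USERS = {("alice", "correct-horse-battery-staple")}
MAX_DELAY_S = 8.0                                  # cap so the intruder stays engaged

@dataclass
class Session:
    user: str
    decoy: bool
    actions: list = field(default_factory=list)    # what the intruder did, for IR
    time_wasted_s: float = 0.0                     # sludge imposed so far

def authenticate(user, password):
    """Honeytoken creds 'succeed' into the decoy; real creds into the real
    environment; anything else is rejected as usual (no hint given)."""
    if (user, password) in HONEYTOKENS:
        return Session(user, decoy=True)
    if (user, password) in REAL_USERS:
        return Session(user, decoy=False)
    return None

def handle(session, action, sleep=time.sleep):
    """Serve one request. Real sessions are untouched. Decoy sessions are
    recorded and slowed with a bounded, escalating delay (0.5s, 1s, 2s, ...,
    capped at MAX_DELAY_S) so the intruder burns time where defenders can
    watch. `sleep` is injectable so tests run instantly."""
    if not session.decoy:
        return f"ok:{action}"
    session.actions.append(action)
    delay = min(0.5 * 2 ** (len(session.actions) - 1), MAX_DELAY_S)
    sleep(delay)
    session.time_wasted_s += delay
    return f"decoy:{action}"   # plausible-looking response, nothing real behind it

def decoy_report(session):
    """Summary for the IR team: decoy or not, what was tried, time consumed."""
    return {"user": session.user, "decoy": session.decoy,
            "actions": list(session.actions),
            "time_wasted_s": session.time_wasted_s}

if __name__ == "__main__":
    s = authenticate("svc_backup", "Winter2022!")
    for act in ("list_shares", "read:finance.xlsx", "dump_users"):
        handle(s, act, sleep=lambda _: None)       # no-op sleep for the demo
    print(decoy_report(s))
```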

@shortridge @dykstra this is marvelous! Thank you for sharing this.
@shortridge @dykstra A great article thanks. I’ve always considered that most criminal gangs need a return from the organisations they target. And just like salespeople, they will focus on leads that look likely to convert to revenue, and ignore those that look to be too hard. That’s not to say that a determined adversary won’t devote more resources to compromising an organisation, but most will move on to easier targets that have less sludge.
@shortridge @dykstra isn't this going to push them across to attack someone weaker? Isn't effort better spent strengthening the community, rather than making your own door more time-consuming to force?
Not sure - what are the arguments each way?
@shortridge @dykstra Interesting read! Reminds me of Christopher Domas' work on psychological warfare via Control-Flow Graphs:
https://youtube.com/watch?v=HlUe0TUHOIc
DEF CON 23 - Chris Domas - Repsych: Psychological Warfare in Reverse Engineering

@shortridge @dykstra Nice! More techniques for f***ing with attackers is what I wanted for Christmas!

@shortridge @dykstra we need more stuff like this to inspire defenders.

Attackers depend on things to look and work like what they expect. Defenders can Home Alone the SHIT out of their environment.

@sawaba @shortridge @dykstra K McCallister Security Associates “keep the change”
@shortridge @dykstra may not be *exactly* the same idea, but reminds me of the Mark Rober porch pirate gag:
https://youtu.be/xoxhDk-hwuo
Glitter Bomb 1.0 vs Porch Pirates
