w8mej/PoorOperationalSecurityPractices

Poor Operational Security

🚂🚋🚋🚋🚋🚋
Poor offensive security techniques in use in the wild

The little script that could and would. Built with creativity, observations, and facepalm-inducing moments by John Menerick


Features

  • Certificate Logs: finding those who are creating public SSL/TLS certificates without understanding the consequences
  • Multiple output formats: STIX, Snort, Suricata, PAN, Syslog, Twitter, etc...
  • very cute: all about the fail train!

TODO

  • Add additional techniques from Red Team playbooks and IR playbooks on the funny ways hackers, crackers, and red teamers have been caught
  • Add Chef files

Usage

python pooropssec.py

Philosophy

Organizations may improve their information security posture by rethinking it from the perspective of an attacker trying to gain access to their most critical assets (data, people, and systems). Typically this is accomplished with experience from the front lines to simulate the tools, tactics, and procedures (TTPs) of real hackers and crackers. However, everyone makes mistakes, or Red Teams are one-trick ponies who only know how to perform two to three different techniques. Then it is VERY easy for a Red Teamer to fall into practicing poor operational security behaviors. We take advantage of these lazy behaviors, TTPs, and related business operating expense saving techniques. In short, anything that moves detection higher up the Kill Chain, reducing the time to respond to events and incidents before they happen, is a plus. We are faced with excessive amounts of data, of various noise-to-signal ratios, where questions and answers are easily hidden, but available to those who know how to ask the right questions and dig deep.

  • Mature beyond the traditional hunting methods - WHOIS and name server monitoring, passive DNS, Malware / Implant tracking, Honeypots, etc...
  • Enhance your security team's ability to prevent, detect, and respond to real-world incidents
  • Identify and mitigate complex security vulnerabilities before an attack exploits them
  • Still able to create diamond models to quickly pivot to patient zero and hero
  • To cause pain and suffering for those who do not follow proper operational security, i.e. https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki

Deceptive tradecraft should be fun and light, not stern and stressful. It is cool to be cute.

Installation

There are multiple installation options. Optional: customize the weights in indicators.py to your risk profile.
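As an added example (not the project's own code), the following sketches the kind of weighted-indicator scoring the Features list and the indicators.py note describe: constructed Certificate Transparency log entries are scored against tunable weights, and anything over a threshold is rendered as a Suricata TLS SNI rule and a syslog line. The brand tokens, owned domains, indicator names, weights, entry layout and sample entries are all assumptions made for illustration.

```python
"""Weighted-indicator triage of Certificate Transparency (CT) log entries.

Added example for the PoorOperationalSecurityPractices README; it is not
the project's own code. Indicator names, weights, the entry layout and the
sample entries are constructed for illustration.
"""
import re
from datetime import date

# Constructed organisation context: brand tokens to watch for and the
# domains the organisation legitimately owns.
BRAND_TOKENS = ("acme",)
OWNED_DOMAINS = ("acme.example",)

# Constructed weights. The README says to tune the weights in indicators.py
# to your risk profile; this dict plays that role here.
DEFAULT_WEIGHTS = {
    "brand_lookalike": 40,  # brand token in a domain the org does not own
    "phish_keyword": 20,    # login/update/secure/... as a host label
    "wildcard": 15,         # *.domain covers any host spun up later
    "short_validity": 10,   # <= 90-day validity, typical of throwaway infra
    "many_sans": 15,        # many names bundled into one certificate
}
KEYWORD_RE = re.compile(r"(?:^|[.-])(?:login|update|secure|vpn|sso|portal)(?=[.-]|$)")

# Constructed CT log entries; the real tool reads these from CT log feeds.
SAMPLE_ENTRIES = [
    {"cn": "acme-login-update.example.net",
     "sans": ["acme-login-update.example.net"],
     "not_before": "2024-01-01", "not_after": "2024-03-31"},
    {"cn": "www.acme.example",
     "sans": ["www.acme.example", "acme.example"],
     "not_before": "2024-01-01", "not_after": "2025-01-01"},
    {"cn": "*.secure-portal.example.org",
     "sans": ["*.secure-portal.example.org", "a.example.org", "b.example.org",
              "c.example.org", "d.example.org"],
     "not_before": "2024-05-01", "not_after": "2024-06-01"},
]


def is_owned(name):
    """True when the name sits under a domain the organisation owns."""
    host = name[2:] if name.startswith("*.") else name
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def score_entry(entry, weights=DEFAULT_WEIGHTS):
    """Return (score, matched indicator names) for one CT log entry."""
    names = {entry["cn"], *entry.get("sans", [])}
    validity = (date.fromisoformat(entry["not_after"])
                - date.fromisoformat(entry["not_before"])).days
    checks = {
        "brand_lookalike": any(t in n and not is_owned(n)
                               for n in names for t in BRAND_TOKENS),
        "phish_keyword": any(KEYWORD_RE.search(n) for n in names),
        "wildcard": any(n.startswith("*.") for n in names),
        "short_validity": validity <= 90,
        "many_sans": len(names) >= 5,
    }
    hits = [k for k, matched in checks.items() if matched]
    return sum(weights[k] for k in hits), hits


def suricata_rule(entry, score, sid):
    """Emit a Suricata TLS SNI rule; a wildcard CN becomes a substring match
    so every subdomain the operator adds later is still caught."""
    host = entry["cn"][2:] if entry["cn"].startswith("*.") else entry["cn"]
    return (f'alert tls any any -> any any (msg:"CT poor-opsec hit {host} '
            f'score={score}"; tls.sni; content:"{host}"; nocase; '
            f'sid:{sid}; rev:1;)')


def syslog_line(entry, score, hits):
    """RFC 5424 line (facility local0, severity info => PRI 134)."""
    return (f"<134>1 - ct-monitor pooropssec - - - score={score} "
            f"cn={entry['cn']} indicators={','.join(hits)}")


def triage(entries, threshold=50, weights=DEFAULT_WEIGHTS, base_sid=1000001):
    """Score every entry and build outputs for those at or above threshold."""
    out = []
    for entry in entries:
        score, hits = score_entry(entry, weights)
        if score < threshold:
            continue
        sid = base_sid + len(out)
        out.append({"cn": entry["cn"], "score": score, "hits": hits,
                    "rule": suricata_rule(entry, score, sid),
                    "syslog": syslog_line(entry, score, hits)})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES):
        print(hit["syslog"])
        print(hit["rule"])
```

Lowering a single weight changes which entries cross the threshold, which is the whole point of tuning to a risk profile: an organisation with a heavily imitated brand keeps brand_lookalike high, one that issues many short-lived certificates itself drops short_validity.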

Source

$ pip install -r requirements.txt
$ python ./pooropssec.py

Vagrant

  • Adjust the private SSH key to one of your liking; otherwise user vagrant / password vagrant will suffice.
$ vagrant init pwn/PoorOperationalSec
$ vagrant up

Docker

  • Adjust the private SSH key to one of your liking; otherwise user vagrant / password vagrant will suffice.
$ docker pull

