11 18-2015 - iasa cyber security e summit - deception in depth

Attackers don’t play fair. Neither should you. @MatthewPascucci www.frontlinesentinel.com


Sun Tzu’s famous book “The Art of War” makes numerous references to the advantage of using deception.

“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”

Confederate “Quaker Guns” were logs painted and mounted to resemble cannons during the Civil War.

Strategic trickery: The U.S. Army’s use of tactical deception
http://soldiers.dodlive.mil/2014/09/strategic-trickery-the-u-s-armys-use-of-tactical-deception/

Hackers use numerous deceitful tactics:

Phishing

Spoofing (of pretty much anything)

Botnets

Malvertising

Abuse of stolen accounts

Rootkits (the classic example)

Stolen certificates

Malware (Cryptolocker, etc.)

Brute-forcing authentication

Legal issues (review country/state laws)

Entrapment shouldn’t be a concern

Upper management might not understand

Not considered a valid form of defense

Limited “out of the box” toolset

Fixated on preventing, not detecting, attacks

Confusion with handling “live” intruders

Particular endpoints can’t run enterprise security services

Extremely useful in detecting east-west attacks within the network

Enhance detection of attacks by causing confusion with attackers

Dissuade attackers from moving forward with attacks

Added layer in your threat intel program to enhance your security posture

Using deception is defensive, not offensive. We aren’t performing a “hack-back”

Three steps to play mind games with attackers:

1. Attackers base their responses on trust. Exploit this trust by misdirection and deceit. Turn the tables on them.

2. Confuse and misdirect. Slow down and guide attackers for your benefit.

3. Propaganda. Seed data and accounts as canary alerts.

“Has merit and can be an attractive new capability for larger organizations desiring advanced threat detection and defense solutions.”

Gartner analysts believe deception should be integrated into a “Deception Stack” which includes the below styles of deception. These styles are all correlated against particular areas of the kill chain to stop attacks.

1. Network Deception

2. Endpoint Deception

3. Application Deception

4. Data Deception

Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities
http://www.gartner.com/technology/reprints.do?id=1-2LSQOX3&ct=150824&st=sb&aliId=89489

Preparation: learn the target (network reconnaissance, information gathering)

Exploitation: steal accounts and exploit systems, using tools and techniques to acquire data

Exfiltration: mission accomplished; data acquired and moved off premises

Network deception is all the rage:

Tarpits

Honeypots (classic example)

QoS/rate limiting based on threat intel

Darknet alerting

Sinkholes

Honeynets

▪ Virtual honeynets

Using endpoints for your advantage:

Virtualization mimicry

Sandboxing technology

Honeypots

Files malware assumed it dropped

Spread the propaganda for your benefit:

Honeytokens (executables, unused email addresses, fake accounts, database, etc.)

Canary files hidden along legitimate files

Hidden words found with DLP/IPS

Beaconing honeyfiles (JavaScript, hidden pixel, etc.)

Early warning signs of attack with applications:

WAF to strip out HTML entries

Slow responses back to attackers

Invisible HTML Links

Inconsistent Business logic to dissuade attackers

False robots.txt file entries

DNS Honeytokens

Detection alerts need to be tuned to limit false positives in the network

E.g. remove or whitelist vulnerability scanners

Set up alerts via SIEM/WAF:

File system auditing/web alerts

Monitor for beaconing honeyfiles

Logins of honeytoken accounts

Create as a part of your IR plan

Create runbook on internal vs external notifications
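One way to express the honeytoken-login and canary-file alerts above as a SIEM-style rule, with the scanner whitelist applied to suppress false positives. This is an added example and not code from the talk; the log format, account names, file paths and scanner address are all constructed for illustration.

```python
"""Honeytoken alerting over constructed auth/file-audit log lines (added example, not from the talk)."""
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed "<ts> <kind> key=value ..." format.
SAMPLE_LOGS = """\
2015-11-18T09:00:01Z auth user=jsmith src=10.0.1.15 result=success
2015-11-18T09:02:10Z auth user=svc_backup_old src=10.0.7.44 result=failure
2015-11-18T09:02:11Z auth user=svc_backup_old src=10.0.7.44 result=success
2015-11-18T09:05:00Z auth user=svc_backup_old src=10.0.2.9 result=failure
2015-11-18T09:10:30Z file path=/finance/payroll_2015.xlsx user=jsmith src=10.0.1.15
2015-11-18T09:11:00Z file path=/finance/board_minutes_DRAFT.docx user=jsmith src=10.0.1.15
2015-11-18T09:12:00Z file path=/finance/board_minutes_DRAFT.docx user=scanner src=10.0.2.9
""".splitlines()

HONEY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}   # seeded accounts nobody should ever use
HONEY_FILES = {"/finance/board_minutes_DRAFT.docx"}   # canary file placed beside real documents
SCANNER_ALLOWLIST = {"10.0.2.9"}                      # authorised vulnerability scanner (assumed)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|file) (?P<kv>.*)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    rule: str      # "honeytoken-login" or "canary-file-access"
    subject: str   # the honey account or honey file that was touched
    actor: str     # source IP of the activity
    severity: str


def parse(line):
    """Return (timestamp, kind, fields) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return m["ts"], m["kind"], fields


def detect(lines, honey_accounts=HONEY_ACCOUNTS, honey_files=HONEY_FILES, allow=SCANNER_ALLOWLIST):
    """Raise an alert for any touch of a honeytoken, unless it comes from a whitelisted scanner."""
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        src = f.get("src", "")
        if src in allow:
            continue  # known scanner noise; tune this list, never the honeytokens
        if kind == "auth" and f.get("user") in honey_accounts:
            # Even a failed login is a signal: the account name should not be known to anyone.
            sev = "critical" if f.get("result") == "success" else "high"
            alerts.append(Alert(ts, "honeytoken-login", f["user"], src, sev))
        elif kind == "file" and f.get("path") in honey_files:
            alerts.append(Alert(ts, "canary-file-access", f["path"], src, "high"))
    return alerts
```

Feed the alerts into the internal vs external notification runbook; the severity field distinguishes a probe from a live intruder who already holds the seeded credential.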

Your current technology can be used

Some vendors are attempting deception

Sea-change with management’s thinking

Incident response procedures will change

If the deception isn’t believable, you’re not fooling anyone. This includes attackers.

Q & A