A Deception Framework for Survivability Against Next Generation Cyber Attacks
11 18-2015 - iasa cyber security e summit - deception in depth
Uploaded by: matthew-pascucci
Transcript of 11 18-2015 - iasa cyber security e summit - deception in depth
Sun Tzu’s famous book “The Art of War” makes numerous references to the advantage of using deception.
“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
Confederate “Quaker Guns” were logs painted and mounted to resemble cannons during the Civil War.
Strategic trickery: The U.S. Army’s use of tactical deception
http://soldiers.dodlive.mil/2014/09/strategic-trickery-the-u-s-armys-use-of-tactical-deception/
Hackers use numerous deceitful tactics:
Phishing
Spoofing (of pretty much anything)
Botnets
Malvertising
Abuse of stolen accounts
Rootkits (the classic example)
Stolen certificates
Malware (Cryptolocker, etc.)
Brute-forcing authentication
Legal issues (review country/state laws)
Entrapment shouldn’t be a concern
Upper management might not understand
Not considered a valid form of defense
Limited “out of the box” toolset
Fixated on preventing, not detecting, attacks
Confusion with handling “live” intruders
Particular endpoints can’t run enterprise security services
Extremely useful in detecting east-west attacks within the network
Enhance detection of attacks by causing confusion with attackers
Dissuade attackers from moving forward with attacks
Added layer in your threat intel program to enhance your security posture
Using deception is defensive, not offensive. We aren’t performing a “hack-back”
Three steps to play mind games with attackers:
1. Attackers base their responses on trust. Exploit this trust by misdirection and deceit. Turn the tables on them.
2. Confuse and misdirect. Slow down and guide attackers for your benefit.
3. Propaganda. Seed data and accounts as canary alerts.
“Has merit and can be an attractive new capability for larger organizations desiring advanced threat detection and defense solutions.”
Gartner analysts believe deception should be integrated into a “Deception Stack” which includes the below styles of deception. These styles are all correlated against particular areas of the kill chain to stop attacks.
1. Network Deception
2. Endpoint Deception
3. Application Deception
4. Data Deception
Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities
http://www.gartner.com/technology/reprints.do?id=1-2LSQOX3&ct=150824&st=sb&aliId=89489
Preparation
▪ Learn the target
▪ Network reconnaissance
▪ Information gathering
Exploitation
▪ Steal accounts and exploit systems
▪ Use tools and techniques to acquire data
Exfiltration
▪ Mission accomplished
▪ Data acquired and moved off-premises
Network deception is all the rage:
Tarpits
Honeypots (classic example)
QoS/rate limiting based on threat intel
Darknet alerting
Sinkholes
Honeynets
▪ Virtual honeynets
Using endpoints for your advantage:
Virtualization mimicry
Sandboxing technology
Honeypots
Files that malware assumes it has already dropped
Spread the propaganda for your benefit:
Honeytokens (executables, unused email addresses, fake accounts, database, etc.)
Canary files hidden among legitimate files
Hidden words that DLP/IPS can match on
Beaconing honeyfiles (JavaScript, hidden pixel, etc.)
Early warning signs of attack with applications:
WAF to strip out HTML entries
Slow responses back to attackers
Invisible HTML Links
Inconsistent business logic to dissuade attackers
False robots.txt file entries
DNS Honeytokens
Detection of alerts needs to be tuned
▪ Limit the false positives in a network, e.g. remove or whitelist vulnerability scanners
Set up alerts via SIEM/WAF:
File system auditing/web alerts
Monitor for beaconing honeyfiles
Logins of honeytoken accounts
Create as a part of your IR plan
Create runbook on internal vs external notifications
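As an added example (not part of the presentation), this is the kind of honeytoken alert rule a SIEM would run over authentication and file-audit events: it raises on any login attempt against a seeded honeytoken account or any read of a canary file, suppresses allow-listed vulnerability scanners, and tags each alert for the internal or external notification runbook. The event format, account names, file paths and addresses are constructed for illustration.

```python
import ipaddress
import re

# Seeded honeytoken accounts and canary files (constructed sample values).
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy", "finance_admin2"}
CANARY_FILES = {"/srv/share/finance/passwords.xlsx", "/srv/share/hr/salaries_2015.docx"}
# Authorised vulnerability scanners are allow-listed so they do not raise false positives.
SCANNER_ALLOWLIST = {"10.0.5.20"}
# RFC 1918 ranges decide whether the internal or the external notification runbook fires.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed event format: "<ts> <AUTH|FILE_READ> user=<u> src=<ip> target=<t> result=<r>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>AUTH|FILE_READ) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$")


def route_for(src):
    """Notification path chosen from the source address: internal vs external runbook."""
    return "internal" if any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS) else "external"


def evaluate(lines):
    """One alert dict per honeytoken login attempt or canary-file read, minus allow-listed scanners."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsed event; a real pipeline would count these
        f = m.groupdict()
        if f["src"] in SCANNER_ALLOWLIST:
            continue
        # Any use of a honeytoken account, successful or not, means the credential has leaked.
        if f["event"] == "AUTH" and f["user"] in HONEYTOKEN_ACCOUNTS:
            kind = "honeytoken-login"
        elif f["event"] == "FILE_READ" and f["target"] in CANARY_FILES:
            kind = "canary-file-access"
        else:
            continue
        alerts.append({"ts": f["ts"], "kind": kind, "user": f["user"], "src": f["src"],
                       "target": f["target"], "route": route_for(f["src"])})
    return alerts


# Constructed sample log: normal login, inside honeytoken attempt, canary read, scanner (suppressed), outside attempt.
SAMPLE_LOG = """\
2015-11-18T09:01:02Z AUTH user=jsmith src=10.0.3.14 target=fileserver01 result=success
2015-11-18T09:02:10Z AUTH user=svc_backup_legacy src=10.0.3.14 target=fileserver01 result=failure
2015-11-18T09:03:00Z FILE_READ user=jsmith src=10.0.3.14 target=/srv/share/finance/passwords.xlsx result=success
2015-11-18T09:04:30Z AUTH user=finance_admin2 src=10.0.5.20 target=vpn-gw result=failure
2015-11-18T09:05:00Z AUTH user=finance_admin2 src=203.0.113.9 target=vpn-gw result=failure
"""
```

Running `evaluate(SAMPLE_LOG.splitlines())` yields three alerts: the inside honeytoken attempt and the canary read routed internally, and the outside attempt routed externally; the scanner's attempt is dropped.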
Your current technology can be used
Some vendors are attempting deception
Sea-change with management’s thinking
Incident response procedures will change
If the deception isn’t believable, you’re not fooling anyone. This includes attackers.