DETECTING ATTACKS WITH Cyber Deception · 2019-01-18
![Page 1: ATTACKS WITH Cyber Deception · 2019-01-18 · DETECTING ATTACKS WITH Cyber Deception. 1 hrs ... Make him think various things, and wonder if you will be slow or quick.” Miyamoto](https://reader035.fdocuments.in/reader035/viewer/2022070718/5ede53c7ad6a402d6669a648/html5/thumbnails/1.jpg)
Sahir Hidayatullah CEO - Smokescreen @sahirh
DETECTING ATTACKS WITH
Cyber Deception
Page 2
• Why does it work?
• The history of deception
• The benefits
• Deception across the kill chain
• What does the hacker see?
• How to implement deception
• Live Demos
Page 3
“The more you know about the past, the better prepared you are for the future.”
Theodore Roosevelt
Page 4
“Gauge your opponent’s mind and send it in different directions. Make him think various things, and wonder if you will be slow or quick.”
Miyamoto Musashi The Book of Five Rings
Page 5
“Never win by force what can be won with deception”
Niccolò Machiavelli, The Discourses (paraphrased)
Page 6
“Never interrupt your enemy when he’s making a mistake.”
Napoléon Bonaparte
Page 9
There are 3 reasons why companies get hacked…
Page 10
1. Low visibility
INITIAL INTRUSION → HACKERS UNDETECTED → DATA BREACH
Page 11
2. Ever-changing threat landscape
Page 12
3. Too many false positives
13,726 → 55,198 → 72,614 → 89,452 → 96,825
= Event fatigue • Data paralysis • Missed alerts • Game Over
Page 13
Human psychology is an attacker’s greatest weapon.
It’s also their greatest weakness.
We’re losing. So why don’t we change the game?
Page 14
Deception surrounds banking systems with decoys that detect hackers before any business impact
REAL SERVERS · REAL USERS · HACKERS DECEIVED AND DETECTED
• Decoy SWIFT server
• Decoy core-banking system
• Decoy bank teller
Page 15
What can be protected?
• SWIFT and transaction processing systems
• Card-holder data
• ATM networks
• Core-banking / Internet banking
• High-value personnel
Page 16
WHY DECEPTION? | The benefits
1. Detect all high-risk threats: APTs, ransomware, SWIFT attacks, predictive analytics
2. Complete visibility: covers every VLAN, DMZ and endpoint
3. Low false positives: more productive security team
4. Real-time detection: improved incident response time
5. Covers the entire kill-chain: lower TCO and simplified operations
Page 17
Deception Benefits
• No false positives
• High attacker impact
• Focused on intent, not tools
Page 18
Deception Benefits
• No false positives
• High attacker impact
• Focused on intent, not tools
The Pyramid of Pain
Source: David J. Bianco, personal blog
Page 19
60% of attacks do not involve malware!
Deception Benefits
• No false positives
• High attacker impact
• Focused on intent, not tools
Page 20
Why does deception work?
Page 22
LEVEL 2 Deception
?!?!#@!
Page 23
Wait a minute, how is deception different from…
Page 24
Honeypots…
• Attract attacks
• Public facing
• Vulnerable
• Network focused
• Low signal / noise ratio
• Poor realism
• Not scalable
• Useful for research
Page 25
Banking Case Study #1 SWIFT hack incident response
Page 26
Banking Case Study #2 Wannacry detection in real-time
Page 27
Banking Case Study #3 Phished credentials
Page 28
Chronology of an Attack - “The Double Cycle Pattern”
1. Initial Intrusion: low-privilege normal user
2. Privilege escalation #1: escalated to local administrator
3. C2 and persist: establish remote control channel
4. Lateral Movement: hunt domain administrators
5. Privilege escalation #2: escalate to domain administrator
6. Breach Complete: compromise targets and effect impact
Page 29
Good deception blankets the kill chain
Kill-chain phases: RECONNAISSANCE → EXPLOITATION → PRIVILEGE ESCALATION → LATERAL MOVEMENT → DATA EXFILTRATION
Decoys across:
• Internet Assets
• Active Directory Objects
• Application Credentials
• Files
• Network Traffic
• Endpoints
• People
• Servers
• Applications
Page 31
The Golden Rules of Deception
The Observer Effect in Deception
The Half-life of Deception
Kerckhoffs’ Principle in Deception
Page 32
Deception Strategy 101
• Threat model → Deception stories
• Placement / density. Is more less?
• Blend-in v/s stand-out
• Testing = Blind + Full-knowledge
• Intelligence-driven deception
• Response and negative signalling
Page 33
Demo time!
Page 34
The Analysis Trifecta
INCIDENT HANDLING
• What happened on the decoy? → Deception alerts, Decoy telemetry
• How did it happen on the endpoint? → DFIR / triage, Malware analysis
• Where else did it happen in the network? → Netflow / EP telemetry, Threat Hunting, SIEM correlation
Page 35
Continuous Response v/s Incident Response
When alerts are:
• Real-time
• Low-false positive
• Deterministic
Response should be:
• Orchestrated
• Automated
• Continuous
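The two slides above argue that a decoy alert is deterministic (a decoy has no legitimate users, so a single touch is a true positive) and that response can therefore be automated along the analysis trifecta. The Python below is an added example, not code from the talk or from Smokescreen: the decoy account names, hostnames and log lines are constructed, and the playbook steps are an assumed illustration.

```python
"""Decoy-credential detection with a deterministic response playbook.
Added example; account names, hosts and log lines are constructed."""
import re
from typing import Optional

# Decoy (honeytoken) accounts seeded into the environment. They have no
# legitimate use, so any authentication attempt against them is an alert.
DECOY_ACCOUNTS = {"svc_swift_backup", "teller_archive", "corebank_ro"}

# Constructed log format; 4624 / 4625 are the Windows logon success / failure IDs.
LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

# Constructed sample lines: a normal logon, one failed logon on a real account
# (ordinary noise), and two attempts against decoy accounts from one source.
SAMPLE_LOGS = [
    "2019-01-18T10:02:11Z host=WS-042 event=4624 user=alice src=10.1.4.23",
    "2019-01-18T10:02:40Z host=WS-042 event=4625 user=bob src=10.1.4.23",
    "2019-01-18T10:03:05Z host=DC-01 event=4625 user=svc_swift_backup src=10.1.4.23",
    "2019-01-18T10:03:07Z host=DC-01 event=4624 user=corebank_ro src=10.1.4.23",
]

# Assumed playbook following the analysis trifecta: decoy, endpoint, network.
RESPONSE_PLAYBOOK = [
    "collect decoy telemetry and preserve the attacker session",
    "isolate the source host and pull a triage package for DFIR",
    "hunt the source IP and account across netflow and the SIEM",
]

def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed log line; None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_decoy_use(lines):
    """One alert per decoy touch. No threshold or baseline is needed: the
    failed logon for 'bob' is ignored, both decoy events fire regardless."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["user"] in DECOY_ACCOUNTS:
            alerts.append({"when": ev["ts"], "decoy": ev["user"], "host": ev["host"],
                           "src": ev["src"], "success": ev["event"] == "4624",
                           "actions": RESPONSE_PLAYBOOK})
    return alerts

def hosts_to_isolate(alerts):
    """Distinct sources that touched a decoy; these feed automated containment."""
    return sorted({a["src"] for a in alerts})
```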
Page 36
In Summary
• Deception = Fast detection + visibility + low false positives
• Proactive v/s Reactive approach
• Key component of the “next-gen SOC”
• Immediate takeaways
- Evaluate how deception fills holes in your defences
- Conduct a thought experiment based on past incidents
- Plan your deception strategy
- Implement deception as part of SOC / threat hunting