Sahir Hidayatullah CEO - Smokescreen @sahirh DETECTING ATTACKS WITH Cyber Deception

ATTACKS WITH Cyber Deception · 2019-01-18 · DETECTING ATTACKS WITH Cyber Deception. 1 hrs ... Make him think various things, and wonder if you will be slow or quick.” Miyamoto


Page 1:

Sahir Hidayatullah CEO - Smokescreen @sahirh

DETECTING ATTACKS WITH

Cyber Deception

Page 2:

1 hrs

Why does it work?

The history of deception

The benefits

Deception across the kill chain

What does the hacker see?

How to implement deception

Live Demos

Page 3:

“The more you know about the past, the better prepared you are for the future.”

Theodore Roosevelt

Page 4:

“Gauge your opponent’s mind and send it in different directions. Make him think various things, and wonder if you will be slow or quick.”

Miyamoto Musashi The Book of Five Rings

Page 5:

“Never win by force what can be won with deception”

Niccolò Machiavelli, The Discourses (paraphrased)

Page 6:

“Never interrupt your enemy when he’s making a mistake.”

Napoléon Bonaparte

Page 7:

Page 8:

Page 9:

There are 3 reasons why companies get hacked…

Page 10:

1. Low visibility

INITIAL INTRUSION

HACKERS UNDETECTED

DATA BREACH

Page 11:

2. Ever-changing threat landscape

Page 12:

3. Too many false positives

13,726 · 55,198 · 72,614 · 89,452 · 96,825

= Event fatigue • Data paralysis • Missed alerts • Game Over

Page 13:

Human psychology is an attacker’s greatest weapon.

It’s also their greatest weakness.

We’re losing. So why don’t we change the game?

Page 14:

Deception surrounds banking systems with decoys that detect hackers before any business impact

REAL SERVERS

REAL USERS

HACKERS DECEIVED AND DETECTED

Decoy SWIFT server

Decoy core-banking system

Decoy bank teller

Page 15:

SWIFT and transaction processing systems

Card-holder data

ATM networks

Core-banking / Internet banking

High-value personnel

What can be protected?

Page 16:

WHY DECEPTION? | The benefits

1. Detect all high-risk threats: APTs, ransomware, SWIFT attacks, predictive analytics

2. Complete visibility: Covers every VLAN, DMZ and endpoint

3. Low false positives: More productive security team

4. Real-time detection: Improved incident response time

5. Covers the entire kill-chain: Lower TCO and simplified operations

Page 17:

Deception Benefits

No false positives

High attacker impact

Focused on intent, not tools

Page 18:

Source: David J. Bianco, personal blog

The Pyramid of Pain
Page 19:

60% of attacks do not involve malware!

Page 20:

Why does deception work?

Page 21:

Page 22:

LEVEL 2 Deception

?!?!#@!

Page 23:

Wait a minute, how is deception different from…

Page 24:

Honeypots…

• Attract attacks

• Public facing

• Vulnerable

• Network focused

• Low signal / noise ratio

• Poor realism

• Not scalable

• Useful for research

Page 25:

Banking Case Study #1 SWIFT hack incident response

Page 26:

Banking Case Study #2 Wannacry detection in real-time

Page 27:

Banking Case Study #3 Phished credentials

Page 28:

Chronology of an Attack - “The Double Cycle Pattern”

Initial Intrusion: Low-privilege normal user

Privilege escalation #1: Escalate to local administrator

C2 and persist: Establish remote control channel

Lateral Movement: Hunt domain administrators

Privilege escalation #2: Escalate to domain administrator

Breach Complete: Compromise targets and effect impact

Page 29:

Good deception blankets the kill chain

Decoy layers: Internet Assets · Active Directory Objects · Application Credentials · Files · Network Traffic · Endpoints · People · Servers · Applications

Kill-chain stages covered: RECONNAISSANCE · EXPLOITATION · PRIVILEGE ESCALATION · LATERAL MOVEMENT · DATA EXFILTRATION

Page 30:

Page 31:

The Golden Rules of Deception

The Observer Effect in Deception

The Half-life of Deception

Kerckhoffs’ Principle in Deception

Page 32:

Deception Strategy 101

• Threat model —> Deception stories

• Placement / density. Is more less?

• Blend-in v/s stand-out

• Testing = Blind + Full-knowledge

• Intelligence-driven deception

• Response and negative signalling

Page 33:

Demo time!

Page 34:

The Analysis Trifecta

INCIDENT HANDLING

What happened on the decoy? Deception alerts, decoy telemetry

How did it happen on the endpoint? DFIR / triage, malware analysis

Where else did it happen in the network? Netflow / EP telemetry, threat hunting, SIEM correlation

Page 35:

Continuous Response v/s Incident Response

When alerts are:

• Real-time

• Low-false positive

• Deterministic

Response should be:

• Orchestrated

• Automated

• Continuous
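The two slides above make one design claim: a decoy is touched by no legitimate workflow, so a decoy hit is a deterministic alert that can be mapped to the kill-chain stage the decoy was placed for, and such an alert can drive an automated playbook instead of a manual queue. The following Python is an added illustration of that loop and is not Smokescreen's product code. The decoy inventory, the `ts key=value` telemetry format, the sample log lines and the playbook actions are all constructed for the example.

```python
"""Deterministic decoy-hit detection feeding an automated response playbook.

Added example, not code from the talk or from Smokescreen. Everything named
here (decoys, log format, playbook actions) is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed decoy inventory. Each decoy is placed to catch one kill-chain
# stage from the slide; nothing legitimate references these objects, so any
# interaction is an alert with no threshold, baseline or tuning involved.
DECOYS: Dict[str, Dict[str, str]] = {
    "10.20.5.77": {"kind": "decoy SWIFT server", "stage": "LATERAL MOVEMENT"},
    "svc_backup_admin": {"kind": "decoy AD service account", "stage": "PRIVILEGE ESCALATION"},
    "fs01/finance/passwords.xlsx": {"kind": "decoy file", "stage": "DATA EXFILTRATION"},
}

# Hypothetical SOAR playbook keyed by stage: the "orchestrated, automated,
# continuous" response the slide argues deterministic alerts make possible.
PLAYBOOK: Dict[str, List[str]] = {
    "LATERAL MOVEMENT": ["isolate_host", "capture_memory", "open_ticket"],
    "PRIVILEGE ESCALATION": ["isolate_host", "lock_source_user", "open_ticket"],
    "DATA EXFILTRATION": ["isolate_host", "block_egress", "open_ticket"],
}


@dataclass
class Alert:
    when: str
    src_host: str
    src_user: str
    decoy: str
    kind: str
    stage: str
    actions: List[str] = field(default_factory=list)

    def trifecta(self) -> Dict[str, str]:
        """Seed the three triage questions (decoy / endpoint / network) with the
        pivots this alert already carries, so analysis starts from the hit."""
        return {
            "decoy": f"{self.kind} {self.decoy} touched at {self.when}",
            "endpoint": f"pull DFIR/triage package from {self.src_host}",
            "network": f"hunt netflow/SIEM for {self.src_user} and {self.src_host} before {self.when}",
        }


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'timestamp key=value ...' telemetry line."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(lines: List[str]) -> List[Alert]:
    """Single deterministic rule: an event whose target or account is a decoy
    is an alert, tagged with the stage the decoy covers and its playbook."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        for key in ("target", "user"):
            name = ev.get(key, "")
            if name in DECOYS:
                decoy = DECOYS[name]
                alerts.append(Alert(ev["ts"], ev.get("src", "?"), ev.get("user", "?"),
                                    name, decoy["kind"], decoy["stage"],
                                    list(PLAYBOOK[decoy["stage"]])))
                break  # one alert per event even if both fields match
    return alerts


# Constructed telemetry: two normal events that must stay silent, then one
# touch of each decoy from the same workstation.
SAMPLE_TELEMETRY = [
    "2019-01-18T09:58:03Z src=ws-0142 user=jdoe action=smb_connect target=fs01",
    "2019-01-18T09:59:40Z src=ws-0142 user=jdoe action=logon target=mail01",
    "2019-01-18T10:02:11Z src=ws-0142 user=jdoe action=smb_connect target=10.20.5.77",
    "2019-01-18T10:03:50Z src=ws-0142 user=svc_backup_admin action=logon target=dc01",
    "2019-01-18T10:05:27Z src=ws-0142 user=jdoe action=file_read target=fs01/finance/passwords.xlsx",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(alert.stage, alert.decoy, alert.actions)
        print("  ", alert.trifecta())
```

The point to notice is what is absent: no scoring, no thresholds and no allow-lists, because the decision is "was a decoy touched", which is why the same alert can safely trigger an isolation action without an analyst in the loop. The `trifecta()` output is the hand-off to the analysis slide: the decoy tells you what happened, the source host tells you where to pull endpoint forensics, and the user/host pair is the pivot for the wider hunt.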

Page 36:

In Summary

• Deception = Fast detection + visibility + low false positives

• Proactive v/s Reactive approach

• Key component of the “next-gen SOC”

• Immediate takeaways

- Evaluate how deception fills holes in your defences

- Conduct a thought experiment based on past incidents

- Plan your deception strategy

- Implement deception as part of SOC / threat hunting

Page 37:

SMOKESCREEN

[email protected] | www.smokescreen.io | @sahirh

WE CAN NOW TAKE QUESTIONS!