Defeating the Modern - CSO50 Conference · 2017-05-12 · automations Defeating the Modern Cyber Attacker 1 3 4 2 It is not enough to only think like an attacker, you must also know


Defeating the Modern Cyber Attack

Carolyn Crandall, Chief Marketing Officer

Attivo Networks, @AttivoNetworks

Page 3

Carolyn Crandall | CMO | May 3, 2017

Defeating the Modern Cyber Attacker

Page 4

Defeating the Modern Cyber Attacker

• Know how an attacker attacks

• Know how to defend & respond

• Understand the tools & techniques attackers use to move laterally & compromise assets

• Build an adaptive defense with attack sharing, incident response automations

It is not enough to only think like an attacker, you must also know how to defend and respond.

Page 5

Anatomy of a Breach

Figure (source: Infosecinstitute.org): breach cycle with the stages Initial Compromise, Initial Recon, Establish Foothold, Escalate Privileges, Complete Mission.

1. Compromise

2. Reconnaissance

3. Lateral Movement

4. Complete Mission

Page 6

Attackers are Bypassing Prevention and Evading Detection

Attack Sequence and Methods

Figure: attack sequence with stages 1 Compromise User or Network (Phishing), 2 Compromise Credentials, 3 Internal Reconnaissance / Intelligence Gathering, 4 Actions on the Objective (The Target), 5 Complete Mission, and C&C.

Advanced Attack Methods: HTTPS, Zero-day, Stolen employee credentials, MiTM, End-point/BYOD

Page 7

Attackers Are Bypassing Defense and Once Inside, Can Remain Undetected for Months

A Shift to Detection

Prevention-Based Security: Build a Strong Perimeter, Secure the Entry Points, Monitor Suspicious Behavior

Why Breaches are hard to investigate:

• Lack of Accurate Visibility to In-Network Threats

• Too Much Data to Correlate

• Alerts are Not Substantiated or Actionable

• Too Many False Positives / Investigation Complexity

• Limited Resources to Respond

Traditional security tools are not designed to detect threats that are already inside the network.

Page 8

Deception: Detecting Attackers Better and Detecting Better Attackers

Choices in Closing the Detection Blind Spot

Table: detection approaches (Firewall/IDS/Proxy/AV, SIEM, UEBA, Network Anomaly Detection, Hunt Teams, Deception) compared on the following criteria:

• Detect Known Attacks (Signature Based)

• Detect Advanced Threats (No Signatures)

• Efficient: Not Resource Intensive

• Accurate: No False Positives

• Automated Incident Handling

• Slows Down the Attack

Page 9

Obscures the Attack Surface and Disrupts Attackers

Deception to divert attacker’s attention

• Decoy systems to misdirect attacker

• Deception credentials and bait lure attackers

The entire network becomes a trap and a hall of mirrors.

Deception

Deception Forces the Attacker to Have to Be Right 100% of the Time.

Page 10

Network and Endpoint Deception for Comprehensive Detection

Deception for Early Detection throughout Attack Phases

Figure: Deception Engagement Server covering the attack phases Initial Compromise, Initial Reconnaissance, Establish Foothold, Escalate Privileges, Complete Mission.

Detection

Page 11

One small security gap will present an opportunity for attackers.

Typical Attack Path Sequence

Figure: attack path sequence (Target, Exploit Target).

Detection

Page 12

Deception Obscures the Attack Surface and Disrupts Attacks

Changing the Game with Deception and Decoys

• Deception lures to divert attention

• Decoys to misdirect attacker

• Appear identical to production assets

• Evidence-based alerts

Figure: attack path sequence with decoys in place (Target, Exploit Target).

Detection

Page 13

Confuse and Misdirect to Make the Attacker’s Job Harder

Obscuring Your Infrastructure

Figure, three panels: Before Deception; With Deception; What Attacker Sees With Deception. Labels: Production Medical Servers and Devices (each panel), Decoy Multiple HR Clusters.

Page 14

Distributed Deception Platforms

Continuous Threat Management

Figure: Scalable, Complete, Accurate, Authentic; Real-time Detection, Visibility, Analysis, Forensics, Response, Incident Handling.

Page 15

Entire Network is a Trap with Decoys, Deceptions, End-Point Lures

Distributed Deception & Response Platform

Figure: Engagement Servers in the Data Center, User VLAN 3 and SCADA/ IoT/ POS VLAN …, a Cloud Engagement Server, and a Virtual Engagement Server for Remote Networks.

Deceptions

• Operating System

• Network Services

• Data and Document

Attractive & Authentic

Page 16

Analysis & Forensics

Understand and Automate Incident Response

Figure, four stages:

1 ATTRACT

2 ENGAGE: VM 1 (OS 1) … VM n (OS n); Sinkhole

3 COMMUNICATE: C&C; Port for communications

4 ENGAGEMENT SERVER: ANALYZE, REPORT, RESPOND

Detect: Decoy and Lures to Attract Engagement; SIEM Query for Credential Use

Analyze: Analyze and Auto-Correlate Attack information

Forensics: Evidence-based Alerts; Forensic Analysis and Reporting

Response: 3rd Party Integrations for Auto Quarantine, Blocking, Threat Hunting (SIEM, EP, NAC, FW)

Page 17

Assess Potential Attack Paths / Vulnerability Assessment

• Attack paths based on misused credentials, misconfigurations, orphaned credentials

• Network map: possible lateral movement paths

Visibility

Page 18

Network Visualization and Attack Insights

Network Visualization

Time-lapse Attack Replay

Visibility

Page 19

Information Sharing and Automated Playbooks

Building an Adaptive Defense

Incident Response

Playbook Based Response

• Auto-correlation of attack details

• Automated blocking and quarantine

• Threat Hunting
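One way the "SIEM Query for Credential Use" step and the playbook's auto-correlation could be implemented, as an added example that is not Attivo's code: decoy accounts have no legitimate use, so every authentication attempt with one is an evidence-based alert, and hits from one source host are correlated into a single incident. The decoy account names, the log format and the quarantine rule are assumptions.

```python
"""Decoy-credential detection with auto-correlation (added example, not Attivo's code).
Decoy accounts are planted on endpoints and never used legitimately, so any
authentication attempt with one is an evidence-based alert. Hits from one source
host are correlated into a single incident and mapped to a playbook action.
Account names, log format and the quarantine rule are assumptions."""
from dataclasses import dataclass, field

# Constructed sample: decoy (deception) account names planted on endpoints.
DECOY_ACCOUNTS = {"svc_backup_admin", "hr_share_ro"}

# Constructed sample auth log, one event per line: time host user target outcome
SAMPLE_LOGS = """\
09:01:02 ws-17 jsmith fileserver01 success
09:03:10 ws-17 svc_backup_admin fileserver01 failure
09:03:11 ws-17 svc_backup_admin dc01 failure
09:04:30 ws-22 mlee fileserver01 success
09:05:44 ws-17 hr_share_ro hr-share failure
"""

@dataclass
class Incident:
    """Correlated view of every decoy-credential use from one source host."""
    source: str
    first_seen: str
    last_seen: str = ""
    decoys_used: set = field(default_factory=set)
    targets: list = field(default_factory=list)

def parse_line(line):
    ts, host, user, target, outcome = line.split()
    return {"time": ts, "host": host, "user": user, "target": target, "outcome": outcome}

def correlate(log_text, decoys=DECOY_ACCOUNTS):
    """Return {source_host: Incident}. Success and failure both count: a decoy
    account has no legitimate use, so the attempt itself is the evidence."""
    incidents = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["user"] not in decoys:
            continue  # normal account: not a deception hit, no alert
        inc = incidents.setdefault(ev["host"], Incident(ev["host"], ev["time"]))
        inc.last_seen = ev["time"]
        inc.decoys_used.add(ev["user"])
        inc.targets.append(ev["target"])
    return incidents

def playbook_action(inc):
    """Hypothetical playbook rule: decoy use against more than one target looks
    like lateral movement and gets auto-quarantine; a single hit is investigated."""
    return "quarantine" if len(set(inc.targets)) > 1 else "investigate"
```

Legitimate logins (jsmith, mlee) produce no alert at all, which is where the "no false positives" claim for engagement-based alerts comes from.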

Page 20

Early and Accurate Detection, Visibility, Accelerated Incident Response

Proven Deception Use Cases

1. Early and Accurate Detection

• In-network Lateral Movement

• Stolen Credential & Man-in-the-Middle Attacks

• Insider, 3rd Party, Acquisition Integration

• Ransomware

• Specialized Environments Detection: IoT (medical devices), POS, SCADA

• Cloud and Data Center Security

2. Visibility and Streamlining Incident Response

• Exposed Credential & Attack Path Assessment

• Automation of Attack Analysis

• Evidence-based alerts & Incident Response Automations

Page 21

Myths and Realities of Deception

Myth: It is Easy to Detect
False: Real OS/Golden Images, dynamic deception, Active Directory integration match production assets; Pen Testers consistently deceived.

Myth: It is Resource Intensive
False: Alerts are engagement based and automated attack analysis simplifies incident handling and response.

Myth: It is Hard to Operate and Not Scalable
Depends: Non-inline designs are frictionless to deploy and provide Cloud and Data Center Scalability; End-point deployment depends on approach.

Myth: It Creates a Dirty Network
Depends: Understand how decoys are deployed; see what tools they provide to whitelist and not interfere with other tools.

Myth: No Incremental Value
False: Achieves early detection at the end-point and in-network. DDPs also provide the automations and integrations for simplified response.

Myth: There is Legal Risk
False: Unless counter hacking, deception is viewed in line with typical security defense controls.

Page 22

Evaluation Criteria

Early In-Network Threat Detection (All Attack Vectors)

Accelerate Incident Handling

Deception Technology:

• Types of Deception Technology

• Environments

• Authenticity

• Ease of Deployment and Operations

Visibility and Incident Response:

• Attack Analysis

• Forensic Reporting

• Threat Vulnerability Assessment

• Response Automation

Page 23

Let’s Keep In Touch.

Carolyn Crandall | CMO

[email protected]