Embed Size (px)
Citation preview
Sahir Hidayatullah CEO - Smokescreen @sahirh
THREAT HUNTING WITH Deception
“The more you know about the past, the better prepared you are for the future.”
Theodore Roosevelt
“Gauge your opponent’s mind and send it in different directions. Make him think various things, and wonder if you will be slow or quick.”
Miyamoto Musashi The Book of Five Rings
There are 3 reasons why companies get hacked…
Low visibility
INITIAL INTRUSION
HACKERS UNDETECTED
DATA BREACH
1
Ever changing threat landscape2
Too many false positives3
13,72655,19872,61489,45296,825
=• Event fatigue • Data paralysis • Missed alerts • Game Over
Why does deception work?
LEVEL 2 Threat Hunting
?!?!#@!
LEVEL 3 Deception
Next-gen firewall
Sandboxing
Two-factor authentication
DAST / SAST
Network analytics
Endpoint detection and response
Thinking in lists v/s Thinking in graphs
Blue Team Red Team
Differences in colour…
Are apparent through differences in language…
Talks about SQL injection
Password cracking
Phishing Port-scanning
Patch management
Talks About Squiblydoo
AS-REP roasting Hot potato attacks SPN enumeration
LocalAccountTokenFilterPolicy Unquoted service paths
Process hollowing OLE embedded phishing
LLMNR poisoning
Bloodhound / user hunting DLL side loading
GPP exploitation Time-stomping
Observe
OrientDecide
Act
The adversary’s OODA loop
Source: David J. Bianco, personal blog
The Pyramid of Pain
Who should implement deception?
The 3 V’s
VISIBLE
VALUABLEVULNERABLE
Good deception blankets the kill chain
Internet Assets
Active Directory Objects
Application Credentials
Files
Network Traffic
Endpoints
People
Servers
Applications
RECONNAISSANCE
DATA EXFILTRATION
PRIVILEGE ESCALATION
EXPLOITATION
LATERAL MOVEMENT
“We’ll do it live!”Bill O’Reilly
Chronology of an Attack - “The Double Cycle Pattern”
Breach Complete Compromise targets and effect impact
Privilege escalation #1 Escalated to local administrator
Privilege escalation #2 Escalate to domain administrator
Initial Intrusion Low privilege normal user
Lateral Movement Hunt domain administrators
C2 and persist Establish remote control channel
“That was possibly the most frustrating experience in twelve years of pen-testing.”
HUNT MISSION #1 Hunt initiation with Periscope Events
HUNT MISSION #2 Hunting During Incident Response
Deception Strategy 101
• Threat model -> Deception stories
• Placement and density. Is less more?
• Blend-in v/s Stand-out
• Testing = Blind + Full-knowledge
• Intelligence-driven deception
• Response and negative signalling
The Golden Rules of Deception
The Observer Effect in Deception
The Half-life Of Deception
Kerckhoffs’ Principle in Deception
The Analysis Trifecta
INCIDENT HANDLING
What happened on the decoy?
How did it happen on the endpoint?
Where else did it happen
in the network
Deception alerts Decoy telemetry
DFIR / triage Malware analysis
Netflow / EP telemetry Threat Hunting
SIEM correlation
Continuous Response v/s Incident Response
When alerts are:
• Real-time
• Low-false positive
• Deterministic
Response should be:
• Orchestrated
• Automated
• Continuous
