ntxissacsc4 - detecting and catching the bad guys using deception

@NTXISSA#NTXISSACSC4

DetectingandCatchingtheBadGuysUsingDeception

JamesMurenSecurityEvangelistIllusiveNetworksOctober4,2016

Whatthisisnot…

• …arehashofbreachnews.• ...orwhatcausesabreach.• ...numbers,dataandfiguresonbreaches.• ...arehashonthreatstoyourendpointsorsocialmediaprofile.

• …not”motherhood”or“applepie”

NTXISSACyberSecurityConference– October7-8,2016 2

Whatthisis…

• ...aboutcatchingbadguys.• ...deceivingandfrustratingbadguys.• ...usingnewanddynamicwaystodisruptattackeroperations.

• ...quicklygiveauthoritieswhattheyneedtoprosecute.

• AlldiscussedwithinthescopeoftheDeceptionParadigm

CurrentStateofAffairs

• Organizationsareincreasinginvestmentsincybersecuritytechnologiesandcontrols.

• Buttheyarestillgettinghacked.Badguysnotcaught.

• Existingdefensesareoverlystatic-attackers“fingerprint”defensesandbypass

Staticdefenses...

…workedwellatonetime

Dynamicattackers…

...arecircumventingtheline

CurrentStateofAffairs

• Themajorityofcybersecuritybudgetsstillspentonpreventioncontrols

• Thisistruedespitethediminishingmarginaldefensiveeffectivenessofthesecontrols

• Maynotknowifanattackerisintheirnetwork

Breach&ControlInvestment

Assumptions

• Don’taskwhattodo“if”abreachhasoccurred

• Assumeabreachhasoccurredandworktowardsdisproving.

• “Onlytheparanoidsurvive”

Assumptions• Yourdefenseswilllikelyfailoralreadyhave– howwouldyouknow?

• Attackerswillfocusonaccountaccessandapplication“opendoors”

• Attackerswillmove“laterally”throughyournetworkandworktoaccomplishtheirmission

• Youwillneedapost-breachcapabilityasalastlineofdefensetoaugmentdetection

DefendersNeedtoEvolve

CyberControlInvestment– Butwhere?

• Minimalcapital&operationalinvestment–lowestpossibleTCO.

• Diversifiedspend• Augmentpeople,process• Augmentexistingintrusiondetectioncapability

• OperationallylightNTXISSACyberSecurityConference– October7-8,2016 14

RiskManagement101

• Youcannevereliminateallrisk

• Youcanreducerisktoanacceptablelevel

• Organizationsthatcannotadequatelyreduceforegobusinessopportunity

• Prove orconvince whatyouaredoingiseffective

DeceptionProgramPractices• CyberRiskManagement–measureinvestment,effectivenessandjustifycontinuedcapabilityinvestmentorexpansion.

• ChangeManagement–otherwiseattackerscanfingerprint.

• Assessment &Redteam• Ecosystemofcyberexperts,partners,vendorsasprogrammatures

DeceptionProgramOutcomes

• DisrupttheAttackerOODALoop!

DeceptionProgramOutcomes

• Deceive,Disorient,Confuse,ParalyzeAttacker

• Understandwhatanattackerislookingfor– attribution.

• Understandfullyandquicklyhowattackerbreached-forensics

• Tactically– Buyyoursecurityteam/IR/Forensicsteamtimetorespond.

DeceptionTechnology– Legacy&Now

• Honeypots• Honeynets• Decoys• Breadcrumbs• BrokenGlass

DeceptionTechnology- Challenges• Ingeneral:

• Youneedexpertstooperate,maintain,patchandtrackbadguys

• Alertingfidelityisonlyasgoodasyouranti-fingerprintingmethodology

• Forensicexpertiseandeffortneedsindividualsfocusedonthiscapability.Nottrivial.

• Scalability– Deploymentandmaintenance

• Youleavevulnerablesystem(s)onyournetwork!!!!

DeceptionEverywhereTM Technology

• DeceptionManagementSystem• DeceptionsEverywhere– notjustinafewtargetedareas

• Ratioofdeceptionstorealhigh• Manydeceptionfamilies

• Scalable• Highfidelityalerting• Honeyeverywhere!

AdditionalBenefits

• Operationallylight(Deception~256Kbyte)• LeveragesOSlevelobjectsandgeneratesdeceptionsonlyahackerwouldfind

• Noagent– lessattacksurface• Deceptionsblendinforattackersandransomware

• AdvancedSourcedForensics• AncestorTracking• Allinoneplace

illûsive Overvièw

Architecture

DeceptionFamilies

illûsive Attâcker Vièw™

EnvironmentPre-Deception

EnvironmentPost-Deception

Credentials

CalltoAction

• Considerhowadeceptionprogramfitsintoyourcyberriskmanagementstrategy

• Considerimplementingadeceptionprogramtoaddadaptiveandeffectivecapabilities

• Consideranecosystemofexperts,partnersandtechnologiesasyourdeceptionprogrammatures

• Startwithlowtotalcost&highlyeffectivedeceptioncontrols(bangforbuck)

@NTXISSA#NTXISSACSC4@NTXISSA#NTXISSACSC4

The Collin College Engineering DepartmentCollin College StudentChapteroftheNorthTexasISSA

NorthTexasISSA(InformationSystemsSecurityAssociation)

Thankyou

Backup Slides

ntxissacsc4 - detecting and catching the bad guys using deception

Internet

deception 101―primer on deception

cues to catching deception in interviews: a brief …...

ntxissacsc4 - identity as a threat plane leveraging ueba and...

deception 101 -- primer on deception · pdf filedeception...

ntxissacsc4 - day in the life of a security solutions...

family deception

deception postcards

ntxissacsc4 - world of discovery

deception operations

ntxissacsc4 - cyber insurance – did you know?

ntxissacsc4 - the art of evading anti-virus

spoken cues to deception cs 4706 what is deception?

deception solution overview - attivo networks · deception...

icarus deception

ntxissacsc4 - a brief history of cryptographic failures

deception 101 -- primer on deception - federation of...

interpersonal deception: v. accuracy in deception … ·...

deception in defense of information systems -...

ntxissacsc4 - what should a college information or cyber...

ntxissacsc4 - introducing the vulnerability management...