NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

@NTXISSA #NTXISSACSC4. Detecting and Catching the Bad Guys Using Deception. James Muren, Security Evangelist, Illusive Networks. October 4, 2016

Transcript of NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Page 1: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Detecting and Catching the Bad Guys Using Deception

James Muren, Security Evangelist, Illusive Networks. October 4, 2016

Page 2: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

What this is not…

• …a rehash of breach news.
• ...or what causes a breach.
• ...numbers, data and figures on breaches.
• ...a rehash on threats to your endpoints or social media profile.
• …not "motherhood" or "apple pie"

NTXISSA Cyber Security Conference – October 7-8, 2016

Page 3: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

What this is…

• ...about catching bad guys.
• ...deceiving and frustrating bad guys.
• ...using new and dynamic ways to disrupt attacker operations.
• ...quickly give authorities what they need to prosecute.
• All discussed within the scope of the Deception Paradigm

Page 4: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Current State of Affairs

• Organizations are increasing investments in cybersecurity technologies and controls.
• But they are still getting hacked. Bad guys not caught.
• Existing defenses are overly static - attackers "fingerprint" defenses and bypass

Page 5: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Static defenses...

Page 6: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

…worked well at one time

Page 7: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Dynamic attackers…

Page 8: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

...are circumventing the line

Page 9: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Current State of Affairs

• The majority of cybersecurity budgets still spent on prevention controls
• This is true despite the diminishing marginal defensive effectiveness of these controls
• May not know if an attacker is in their network

Page 10: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Breach & Control Investment

Page 11: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Assumptions

• Don't ask what to do "if" a breach has occurred
• Assume a breach has occurred and work towards disproving.
• "Only the paranoid survive"

Page 12: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Assumptions

• Your defenses will likely fail or already have – how would you know?
• Attackers will focus on account access and application "open doors"
• Attackers will move "laterally" through your network and work to accomplish their mission
• You will need a post-breach capability as a last line of defense to augment detection

Page 13: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Defenders Need to Evolve

Page 14: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Cyber Control Investment – But where?

• Minimal capital & operational investment – lowest possible TCO.
• Diversified spend
• Augment people, process
• Augment existing intrusion detection capability
• Operationally light

Page 15: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Risk Management 101

• You can never eliminate all risk
• You can reduce risk to an acceptable level
• Organizations that cannot adequately reduce forego business opportunity
• Prove or convince what you are doing is effective

Page 16: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Deception Program Practices

• Cyber Risk Management – measure investment, effectiveness and justify continued capability investment or expansion.
• Change Management – otherwise attackers can fingerprint.
• Assessment & Red team
• Ecosystem of cyber experts, partners, vendors as program matures

Page 17: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Deception Program Outcomes

• Disrupt the Attacker OODA Loop!

Page 18: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Deception Program Outcomes

• Deceive, Disorient, Confuse, Paralyze Attacker
• Understand what an attacker is looking for – attribution.
• Understand fully and quickly how attacker breached - forensics
• Tactically – Buy your security team/IR/Forensics team time to respond.

Page 19: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Deception Technology – Legacy & Now

• Honeypots
• Honeynets
• Decoys
• Breadcrumbs
• Broken Glass

Page 20: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Deception Technology - Challenges

In general:

• You need experts to operate, maintain, patch and track bad guys
• Alerting fidelity is only as good as your anti-fingerprinting methodology
• Forensic expertise and effort needs individuals focused on this capability. Not trivial.
• Scalability – Deployment and maintenance
• You leave vulnerable system(s) on your network!!!!

Page 21: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Deception Everywhere™ Technology

• Deception Management System
• Deceptions Everywhere – not just in a few targeted areas
• Ratio of deceptions to real high
• Many deception families
• Scalable
• High fidelity alerting
• Honey everywhere!

Page 22: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Additional Benefits

• Operationally light (Deception ~256 Kbyte)
• Leverages OS level objects and generates deceptions only a hacker would find
• No agent – less attack surface
• Deceptions blend in for attackers and ransomware
• Advanced Sourced Forensics
• Ancestor Tracking
• All in one place
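The points made on the last few slides (change management so attackers cannot fingerprint the deceptions, alerting fidelity, a high ratio of deceptions to real objects, and deceptive credentials that blend in with the real ones) can be shown in a small defender-side model. The following is an added example, not code from the slides or from Illusive Networks' product. The real account names, hosts, secret and log lines are constructed for the example, and the HMAC-based naming, the per-epoch rotation and the log format are assumptions made here, not anything the presentation specifies.

```python
"""Decoy-credential deception: derive decoy account names that follow the
real naming convention, rotate them per epoch so they cannot be
fingerprinted, and alert on any authentication attempt that uses one.

Added example, not code from the slides or from Illusive Networks. The
account names, hosts, secret and log lines below are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed real service accounts; decoys copy their "svc-<role><NN>" shape.
REAL_ACCOUNTS = ["svc-backup01", "svc-sql02", "svc-web03"]
NAME_PATTERN = re.compile(r"([a-z]+-[a-z]+)(\d{2})")

# Constructed authentication log format, one line per logon attempt (assumption).
LOG_PATTERN = re.compile(
    r"(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)"
)


@dataclass(frozen=True)
class Decoy:
    account: str   # the decoy user name
    host: str      # endpoint where the breadcrumb (planted credential) lives
    epoch: int     # rotation epoch it belongs to


def derive_decoy_name(secret, host, epoch, template, taken):
    """Return a decoy name in the same shape as `template`, e.g. svc-sql47.
    The number is taken from an HMAC over (host, epoch, template): the defender
    can regenerate the full set, but an attacker who has seen one decoy cannot
    predict the others, and every name changes at the next epoch."""
    base = NAME_PATTERN.fullmatch(template).group(1)
    msg = f"{host}:{epoch}:{template}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    for byte in digest:                       # 32 candidates per decoy
        name = f"{base}{1 + byte % 99:02d}"   # two digits, 01..99
        if name not in taken:                 # never shadow a real account
            return name
    raise RuntimeError("could not find an unused decoy name")


def deploy_decoys(secret, hosts, epoch, real_accounts, taken=None):
    """Plant one decoy per (host, real-account template): dict name -> Decoy.
    Several hosts give a high decoy-to-real ratio, as the slides advise."""
    taken = set(real_accounts) | (set(taken) if taken else set())
    decoys = {}
    for host in hosts:
        for template in real_accounts:
            name = derive_decoy_name(secret, host, epoch, template, taken)
            taken.add(name)
            decoys[name] = Decoy(name, host, epoch)
    return decoys


def active_decoys(secret, hosts, epoch, real_accounts):
    """Current epoch plus the previous one: a credential harvested before a
    rotation is still a decoy, and its later use is still attacker activity."""
    previous = deploy_decoys(secret, hosts, epoch - 1, real_accounts)
    current = deploy_decoys(secret, hosts, epoch, real_accounts, taken=previous)
    return {**previous, **current}


def detect(decoys, log_lines):
    """Any logon attempt with a decoy account, successful or failed, is an
    alert: no legitimate process knows these names, so there is no benign
    baseline to tune against. The decoy record also tells the responder which
    endpoint the credential was harvested from."""
    alerts = []
    for line in log_lines:
        m = LOG_PATTERN.fullmatch(line.strip())
        if not m:
            continue                          # ignore malformed lines
        hit = decoys.get(m["user"].lower())
        if hit is None:
            continue
        alerts.append({
            "ts": m["ts"], "user": m["user"], "src": m["src"],
            "attempted_on": m["host"], "harvested_from": hit.host,
            "epoch": hit.epoch, "result": m["result"],
        })
    return alerts


def build_sample_log(decoys):
    """Constructed log: two benign logons and two uses of decoy accounts."""
    names = sorted(decoys)
    return [
        "2016-10-04T09:58:10Z auth host=fs-01 user=svc-backup01 src=10.0.1.20 result=ok",
        f"2016-10-04T10:15:02Z auth host=dc-01 user={names[0]} src=10.0.5.17 result=fail",
        "2016-10-04T10:15:40Z auth host=dc-01 user=jdoe src=10.0.5.17 result=ok",
        f"2016-10-04T10:16:01Z auth host=sql-02 user={names[1]} src=10.0.5.17 result=ok",
    ]


if __name__ == "__main__":
    secret = b"constructed-deception-secret"
    hosts = ["ws-011", "ws-042", "lt-107", "lt-213"]
    decoys = active_decoys(secret, hosts, 7, REAL_ACCOUNTS)
    for alert in detect(decoys, build_sample_log(decoys)):
        print(alert)
```

Two design choices carry the slides' points. A decoy account has no legitimate user, so a single logon attempt with it is a high-fidelity alert and the source address and the planting host go straight to the responder. Rotating the names per epoch, and keeping the previous epoch in the active set, means a listing of decoys captured on one host does not let an attacker recognise them elsewhere or later, while credentials harvested before a rotation still trip the alarm when they are finally tried.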

Page 23: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Illusive Overview

Page 24: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Architecture

Page 25: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Deception Families

Page 26: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Illusive Attacker View™

Page 27: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Environment Pre-Deception

Page 28: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Environment Post-Deception

Page 29: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Credentials

Page 30: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Call to Action

• Consider how a deception program fits into your cyber risk management strategy
• Consider implementing a deception program to add adaptive and effective capabilities
• Consider an ecosystem of experts, partners and technologies as your deception program matures
• Start with low total cost & highly effective deception controls (bang for buck)

Page 31: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)

Thank you

Page 32: NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception


Backup Slides