NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
@NTXISSA #NTXISSACSC4
Detecting and Catching the Bad Guys Using Deception
James Muren, Security Evangelist, Illusive Networks, October 4, 2016
What this is not…
• …a rehash of breach news.
• …or what causes a breach.
• …numbers, data and figures on breaches.
• …a rehash on threats to your endpoints or social media profile.
• …not “motherhood” or “apple pie”
NTXISSA Cyber Security Conference – October 7-8, 2016 2
What this is…
• …about catching bad guys.
• …deceiving and frustrating bad guys.
• …using new and dynamic ways to disrupt attacker operations.
• …quickly give authorities what they need to prosecute.
• All discussed within the scope of the Deception Paradigm
Current State of Affairs
• Organizations are increasing investments in cyber security technologies and controls.
• But they are still getting hacked. Bad guys not caught.
• Existing defenses are overly static - attackers “fingerprint” defenses and bypass
Static defenses…
…worked well at one time
Dynamic attackers…
…are circumventing the line
Current State of Affairs
• The majority of cyber security budgets still spent on prevention controls
• This is true despite the diminishing marginal defensive effectiveness of these controls
• May not know if an attacker is in their network
Breach & Control Investment
Assumptions
• Don’t ask what to do “if” a breach has occurred
• Assume a breach has occurred and work towards disproving.
• “Only the paranoid survive”
Assumptions
• Your defenses will likely fail or already have – how would you know?
• Attackers will focus on account access and application “open doors”
• Attackers will move “laterally” through your network and work to accomplish their mission
• You will need a post-breach capability as a last line of defense to augment detection
Defenders Need to Evolve
Cyber Control Investment – But where?
• Minimal capital & operational investment – lowest possible TCO.
• Diversified spend
• Augment people, process
• Augment existing intrusion detection capability
• Operationally light
Risk Management 101
• You can never eliminate all risk
• You can reduce risk to an acceptable level
• Organizations that cannot adequately reduce forego business opportunity
• Prove or convince what you are doing is effective
Deception Program Practices
• Cyber Risk Management – measure investment, effectiveness and justify continued capability investment or expansion.
• Change Management – otherwise attackers can fingerprint.
• Assessment & Red team
• Ecosystem of cyber experts, partners, vendors as program matures
Deception Program Outcomes
• Disrupt the Attacker OODA Loop!
Deception Program Outcomes
• Deceive, Disorient, Confuse, Paralyze Attacker
• Understand what an attacker is looking for – attribution.
• Understand fully and quickly how attacker breached - forensics
• Tactically – Buy your security team/IR/Forensics team time to respond.
Deception Technology – Legacy & Now
• Honeypots
• Honeynets
• Decoys
• Breadcrumbs
• Broken Glass
Deception Technology - Challenges
• In general:
• You need experts to operate, maintain, patch and track bad guys
• Alerting fidelity is only as good as your anti-fingerprinting methodology
• Forensic expertise and effort needs individuals focused on this capability. Not trivial.
• Scalability – Deployment and maintenance
• You leave vulnerable system(s) on your network!!!!
Deception Everywhere™ Technology
• Deception Management System
• Deceptions Everywhere – not just in a few targeted areas
• Ratio of deceptions to real high
• Many deception families
• Scalable
• High fidelity alerting
• Honey everywhere!
Additional Benefits
• Operationally light (Deception ~256 Kbyte)
• Leverages OS level objects and generates deceptions only a hacker would find
• No agent – less attack surface
• Deceptions blend in for attackers and ransomware
• Advanced Sourced Forensics
• Ancestor Tracking
• All in one place
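As an added defender-side illustration of the "breadcrumbs" and "high fidelity alerting" points in the slides above (example code written for this transcript, not the speaker's or Illusive's own): a planted decoy credential has no legitimate use, so any authentication attempt with it is an alert, and the endpoint where the breadcrumb was planted tells responders where the attacker picked it up. The decoy registry, the key=value log format and all hostnames are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical registry of planted decoy credentials (constructed): account name ->
# endpoint where the breadcrumb was planted; nothing legitimate ever uses them.
DECOY_CREDENTIALS = {
    "svc_backup_adm": "WS-0417",
    "sql_reports": "WS-0105",
    "ops_admin2": "WS-0231",
}

# Constructed sample authentication events in a simplified key=value format.
SAMPLE_LOG = """\
ts=2016-10-04T09:12:03Z event=logon user=jdoe src=WS-0417 dst=FILESRV01 result=success
ts=2016-10-04T09:15:41Z event=logon user=svc_backup_adm src=WS-0417 dst=FILESRV01 result=failure
ts=2016-10-04T09:15:44Z event=logon user=svc_backup_adm src=WS-0417 dst=DC01 result=failure
ts=2016-10-04T09:20:10Z event=logon user=asmith src=WS-0231 dst=MAIL01 result=success
ts=2016-10-04T09:31:07Z event=logon user=ops_admin2 src=WS-0099 dst=FILESRV01 result=failure
"""

@dataclass(frozen=True)
class DeceptionAlert:
    ts: str
    user: str        # decoy account that was used
    src: str         # host the attempt came from
    dst: str         # system the decoy credential was tried against
    planted_on: str  # endpoint where the breadcrumb was planted
    result: str
    lateral: bool    # used from a host other than the one it was planted on

def parse_line(line):
    """Parse one key=value event line; None if a required field is missing."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return fields if all(k in fields for k in ("ts", "event", "user", "src", "dst", "result")) else None

def detect_decoy_use(log_text, decoys=DECOY_CREDENTIALS):
    """One alert per logon attempt with a decoy account; a decoy credential is
    never valid, so even a failed logon with it is a high-fidelity signal."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "logon" or rec["user"] not in decoys:
            continue
        planted_on = decoys[rec["user"]]
        alerts.append(DeceptionAlert(rec["ts"], rec["user"], rec["src"], rec["dst"],
                                     planted_on, rec["result"], rec["src"] != planted_on))
    return alerts

def implicated_hosts(alerts):
    """Hosts to hand to IR: where each decoy was picked up and where it was used from."""
    return sorted({h for a in alerts for h in (a.src, a.planted_on)})
```

A `lateral` alert (decoy used from a host other than where it was planted) shows the credential has already been harvested and carried to another machine, which is the lateral movement the "Assumptions" slide warns about.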
Illusive Overview
Architecture
Deception Families
Illusive Attacker View™
Environment Pre-Deception
Environment Post-Deception
Credentials
Call to Action
• Consider how a deception program fits into your cyber risk management strategy
• Consider implementing a deception program to add adaptive and effective capabilities
• Consider an ecosystem of experts, partners and technologies as your deception program matures
• Start with low total cost & highly effective deception controls (bang for buck)
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you
Backup Slides