Applying Intelligent Deception to Detect Sophisticated Cyber Attacks
© Fidelis Cybersecurity
Today’s Speaker
Tom Clare
Product/Technical Marketing, Fidelis
Background: Deception, UEBA/SIEM,
Web Proxies, Vulnerability Assessments,
Firewalls, and Endpoint (EPP/EDR)
Companies: Fidelis, Gurucul, Websense,
Check Point Technologies, and McAfee
LinkedIn – www.linkedin.com/in/tomclare/
WWII - Operation Bodyguard
Before the Allies stormed the beaches of Normandy in history’s largest amphibious assault, they staged one of history’s greatest military deceptions.
The top-secret ruse — complete with rubber tanks, body doubles, fake radio chatter and double agents — successfully duped Adolf Hitler and Nazi commanders and laid the groundwork for D-Day success on June 6, 1944.
Saving Sea Turtles
PROBLEM
• 140 Million Years on Earth
• Top Endangered Species
• Poachers Steal/Sell Eggs
• Consistent/Pervasive Problem
SOLUTION
• 3D Printed Fake GPS Eggs
• Decoy Eggs Look Real
• Poachers Cannot Detect
• Enables Tracking/Mapping
Opportunity for Cyber Deception
Knowing what attackers desire creates an opportunity for an active defense: to lure, detect, and defend.
(Diagram labels: Global Average Dwell Time 99 Days; Preventive Defenses; Deception Layer Lures; Attack Lures)
Capture The Flag (CTF)
Cyber CTF Games
Jeopardy-Style
• Different challenges
• Broad range of categories
• Earn points per challenge
• Quality vs time/race
Attack-Defense
• Blue team defends network; goal to detect attacks
• Red team attacks network; goal to capture flag(s)
Blue vs Red Teams
Blue Team focus includes:
• Defending networks and systems
• Monitoring security defenses
• Security control effectiveness
• Hardening systems and controls
• Identifying security flaws
• Incident response
Red Team focus includes:
• White-hat hacker role as threat actors
• Adversarial assessments (or pen-testing)
• Real-world attack simulations w/o damage
• Assess vulnerabilities to improve defenses
• Challenge preconceived notions
In 1932, Rear Admiral Yarnell demonstrated how the Japanese could attack Pearl Harbor and wipe out the Pacific fleet almost exactly as it occurred nine years later. The attack simulation was deemed a success, but that conclusion did not make it into the final report. Japanese radio deception in support of the offensive strike was effective against US intelligence.
Deception Elements (image-only slide)
Deception Alerts (image-only slide)
CTF Real Network
Real-world network complete with assets, users, services and data.
• 29 Users
• 1,491 Documents
• 5,532 Emails
• 31 Applications installed
• 3 Full browser profiles (Chrome, IE, FF)
• 2 Corporate web applications
• 2 Databases
• 1 Domain Controller (DC)
• 1 DNS Server
• 1 Private cloud service
CTF Deception Layer
The decoys were defined with varying levels of interactivity. Some decoy services appeared only as open ports, while others were full-blown services, appearing to run real applications. Among the services made available were TCP, UDP, SMB, HTTP, ICMP, RDP, FTP, MYSQL, SMTP and SSH.
10 decoys:
• 7 Workstations (user and development machines running Windows 7)
• 2 Windows Servers (running Windows 2012 and Windows 2008)
• 1 Ubuntu Linux server
95 decoy services
Breadcrumbs or traps include:
• 61 files
• 39 beacon traps
• 27 emails
• 26 credentials
• 12 applications
• 10 IoT devices
• 2 network traps
Breadcrumbs make deception deterministic by leading attackers to decoys, versus static honeypots waiting to be found.
Example Traps (image-only slide)
• Email Trap (unstructured data)
• Chrome Browser Trap (structured data)
CTF Deception Challenge
• CTF challenge to find 5 file hashes for information spread across assets
• Participants were provided access to one asset via a RAT (Remote Access Trojan)
• The first file hash, containing key information, resides on this infected asset
• Each subsequent file hash was technically harder to find, requiring more expertise
• Each attacker or team worked solo on a fresh instance of the environment
• Tasks included gathering intelligence, collecting information, and moving laterally
Public invitation to:
• Red teams
• Pen-testers
• Security researchers
Best applicants selected
Written mission brief & goals
Challenge ran for 1+ month
52 participants w/global profile
6-7 hours of time/participant
Dozen+ malware types also tested in parallel
The Knowledge Gap
Mission brief provided key intel on first challenge
• Read the brief: averaged ~100 commands
• Did not read: used spray and pray efforts
Knowledge before and during phases reduces knowledge gap/commands
Over time hackers become quieter and harder to detect
Early detection is critical
Deception layers need to be automatically kept current and dynamic
Trap Consumption
Attacker Profiles
• 52 Humans
• 12 Malware
Traps: Man vs Machine
Average human triggered 10.5 traps
Humans target files, email & unstructured data
Malware targets apps and structured data
Passwords/credentials:
• Found 2 on average
• Utilized 2.5 times/avg
• Max reuse: 11 times in 11 places
Password traps near decoys are very effective
Trap variety is important to cover attack types
Decoy Access
On average, each attacker interacted with nearly 10 decoy services
No decoy had more than 47% activity, signaling variety is important
Sloppy attacks used scanners with pings and SYNs: non-interactive noise, easy for decoys to detect
Sophisticated attacks were focused on specific decoys with high interaction
Decoy variety is important, with live services to engage attackers
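The triage that the Man vs Machine and Decoy Access slides describe (separating ping/SYN scan noise from focused high-interaction decoy access, and alerting on every reuse of a planted credential), as an added Python example that is not part of this deck or of any Fidelis product. The event format, decoy names, source addresses and planted usernames are constructed for the example, and the scanner/interactive rule is a simple heuristic of my own.

```python
"""Triage of decoy and breadcrumb telemetry (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Planted (breadcrumb) credentials, a.k.a. honeytokens: no legitimate user
# ever presents one, so any authentication attempt with one is an alert.
# Usernames are constructed for this example.
PLANTED_CREDENTIALS = {"svc_backup", "dev_deploy"}

# Probe-only traffic a scanner generates; it never completes a session.
NOISE_PROTOS = {"ICMP", "TCP-SYN"}


@dataclass(frozen=True)
class DecoyEvent:
    src: str            # source address that touched the decoy
    decoy: str          # decoy host name
    proto: str          # ICMP, TCP-SYN, SMB, RDP, SSH, HTTP, MYSQL, ...
    established: bool   # True if a full session with payload was seen
    username: str = ""  # credential presented, if any


def classify_sources(events):
    """Profile each source as 'scanner' (pings/SYNs spread over many decoys,
    little or no session content) or 'interactive' (established sessions
    concentrated on a few decoys). The rule is a simple heuristic."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    profiles = {}
    for src, evs in by_src.items():
        sessions = [e for e in evs if e.established]
        noise = [e for e in evs if e.proto in NOISE_PROTOS and not e.established]
        cls = "interactive" if sessions and len(sessions) >= len(noise) else "scanner"
        profiles[src] = {
            "class": cls,
            "decoys_touched": len({e.decoy for e in evs}),
            "sessions": len(sessions),
            "noise_events": len(noise),
        }
    return profiles


def credential_alerts(events):
    """One alert per planted credential seen, with how many times it was
    reused and in how many distinct places (decoys)."""
    uses = defaultdict(list)
    for e in events:
        if e.username in PLANTED_CREDENTIALS:
            uses[e.username].append(e)
    return {
        user: {
            "uses": len(evs),
            "places": len({e.decoy for e in evs}),
            "sources": sorted({e.src for e in evs}),
        }
        for user, evs in uses.items()
    }


def decoy_activity_share(events):
    """Share of all decoy events that landed on each decoy. A decoy drawing
    most of the activity means the others are not pulling their weight."""
    counts = defaultdict(int)
    for e in events:
        counts[e.decoy] += 1
    total = sum(counts.values())
    return {d: round(c / total, 2) for d, c in counts.items()}


# Constructed sample telemetry (addresses and host names are made up).
SAMPLE_EVENTS = [
    # 10.0.0.5 sweeps every decoy with pings and SYNs and opens one SMB session.
    DecoyEvent("10.0.0.5", "ws-01", "ICMP", False),
    DecoyEvent("10.0.0.5", "ws-02", "ICMP", False),
    DecoyEvent("10.0.0.5", "srv-2012", "TCP-SYN", False),
    DecoyEvent("10.0.0.5", "srv-2008", "TCP-SYN", False),
    DecoyEvent("10.0.0.5", "ubuntu-01", "TCP-SYN", False),
    DecoyEvent("10.0.0.5", "srv-2012", "SMB", True),
    # 10.0.0.9 follows a breadcrumb and works three decoys with planted creds.
    DecoyEvent("10.0.0.9", "srv-2012", "SMB", True, "svc_backup"),
    DecoyEvent("10.0.0.9", "srv-2012", "RDP", True, "svc_backup"),
    DecoyEvent("10.0.0.9", "srv-2008", "SMB", True, "svc_backup"),
    DecoyEvent("10.0.0.9", "ubuntu-01", "SSH", True, "dev_deploy"),
]

if __name__ == "__main__":
    for src, profile in classify_sources(SAMPLE_EVENTS).items():
        print(src, profile)
    for user, alert in credential_alerts(SAMPLE_EVENTS).items():
        print("ALERT: planted credential used:", user, alert)
    print(decoy_activity_share(SAMPLE_EVENTS))
```

In a real deployment the events would come from the decoys' own session logs; the planted-credential alert is high fidelity by construction, while the scanner/interactive split only prioritises which source to look at first.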
CTF Deception Summary
• Sophisticated attacks are more targeted and highly interactive than careless and noisy low-interaction scanning
• Deception needs to be diverse to be effective against malware and human attackers
• Deception layers should be as realistic as possible, kept current, and dynamic to increase the knowledge gap against attackers
• Augment deception layers with network and traffic analysis for increased visibility and accuracy
• Deception lures, detects and consumes attacker time, thus diverting and slowing attacks
Learn More – CTF White Paper
In-depth Research White Paper
More details on Traps/Breadcrumbs
More depth on Decoy Services
Online at www.fidelissecurity.com
Leader in Automated Detection & Response
Global Presence
• Established 2002
• Headquartered in Washington, DC
• Fortune 100 & DoD enterprise proven
• Proactive, MDR, and IR service expertise
Comprehensive visibility across network to endpoints
Real-time and historical forensics analysis
Extensible patented deep session inspection platform
On-premise and/or cloud deployable form factors
Automated Detection & Response (ADR)
(Diagram labels: Breach Detection; Endpoint Detection & Response; Intelligent Deception)
Highlights
• Automatically do what experienced security analysts would do.
• Leverage native visibility across enterprise to detect threats using a wide variety of techniques.
• Enable investigation, containment, and remediation process by validating alerts.
• Lure, detect and defend against attackers in your network.
Fidelis Elevate Platform
(Diagram labels: Fidelis Network; Fidelis Endpoint; Fidelis Deception)
Improve Security Operations’ Efficiency and Effectiveness
• Shift from clues to conclusions by combining similar alerts with context for quick action
• Pre-validate network alerts at the endpoint
• Reduce the time to respond
• Gain visibility across the entire kill chain
• Employ an active post-breach defense that lures attackers to decoys and adapts to your network as it changes
Questions and Next Steps
Key Resources
Fidelis Deception Datasheet: https://www.fidelissecurity.com/resources/fidelis-deception-module
Case Study on How First MidWest Bank Uses Fidelis Deception: https://www.fidelissecurity.com/case-study-first-midwest-bank
Thank You!
