Applying intelligent deception to detect sophisticated cyber attacks
2. © Fidelis Cybersecurity
Today's Speaker
Tom Clare
Product/Technical Marketing, Fidelis
Background: Deception, UEBA/SIEM,
Web Proxies, Vulnerability Assessments,
Firewalls, and Endpoint (EPP/EDR)
Companies: Fidelis, Gurucul, Websense,
Check Point Technologies, and McAfee
LinkedIn – www.linkedin.com/in/tomclare/
4. © Fidelis Cybersecurity
Before the Allies stormed the beaches of
Normandy in history’s largest amphibious
assault, they staged one of history’s
greatest military deceptions.
The top-secret ruse — complete with rubber
tanks, body doubles, fake radio chatter and
double agents — successfully duped Adolf
Hitler and Nazi commanders and laid the
groundwork for D-Day success on
June 6, 1944.
WWII - Operation Bodyguard
7. © Fidelis Cybersecurity
Capture The Flag (CTF)
Cyber CTF Games
Jeopardy-Style
Different challenges
Broad range of categories
Earn points per challenge
Quality vs time/race
Attack-Defense
Blue team defends network
Goal to detect attacks
Red team attacks network
Goal to capture flag(s)
8. © Fidelis Cybersecurity
Blue vs Red Teams
Blue Team focus includes:
Defending networks and systems
Monitoring security defenses
Security control effectiveness
Hardening systems and controls
Identifying security flaws
Incident response
Red Team focus includes:
White-hat hacker role as threat actors
Adversarial assessments (or pen-testing)
Real-world attack simulations w/o damage
Assess vulnerabilities to improve defenses
Challenge preconceived notions
In 1932, Rear Admiral Yarnell demonstrated how the Japanese could
attack Pearl Harbor to wipe out the Pacific fleet almost exactly as it
occurred nine years later. The attack simulation was deemed a
success, although the final report did not reflect it. Japanese radio deception
was effective against US intelligence for the offensive strike.
11. © Fidelis Cybersecurity
CTF Real Network
Real-world network complete with assets, users, services and data.
29 Users
1,491 Documents
5,532 Emails
31 Applications installed
3 Full browser profiles (Chrome, IE, FF)
2 Corporate web applications
2 Databases
1 Domain Controller (DC)
1 DNS Server
1 Private cloud service
12. © Fidelis Cybersecurity
CTF Deception Layer
The decoys were defined with varying levels of
interactive capability.
Some decoy services appeared only as open ports,
while others were full-blown services, appearing to run
real applications.
Among the services made available were TCP, UDP,
SMB, HTTP, ICMP, RDP, FTP, MYSQL, SMTP and
SSH.
10 decoys
• 7 Workstations (user and development machines
running Windows 7)
• 2 Windows Servers (running Windows 2012 and
Windows 2008)
• 1 Ubuntu Linux server
95 decoy services
Breadcrumbs or traps include:
61 files
39 beacon traps
27 emails
26 credentials
12 applications
10 IoT devices
2 network traps
Breadcrumbs make deception deterministic by
leading attackers to decoys, versus static
honeypots waiting to be found.
14. © Fidelis Cybersecurity
CTF Deception Challenge
CTF challenge to find 5 file hashes for information spread across assets
Participants were provided access to one asset via a RAT (Remote Access Trojan)
The first file hash containing key information resides on this infected asset
Each subsequent file hash was technically harder to find, requiring more expertise
Each attacker or team worked solo on a fresh instance of the environment
Tasks included gathering intelligence, collecting information, and moving laterally
Public invitation to:
• Red teams
• Pen-testers
• Security researchers
Best applicants selected
Written mission brief & goals
Challenge ran for 1+ month
52 participants w/global profile
6-7 hours of time/participant
Dozen+ malware types also
tested in parallel
15. © Fidelis Cybersecurity
The Knowledge Gap
Mission brief provided key intel
on first challenge
• Read the brief, averaged ~100
commands
• Did not read, used spray and
pray efforts
Knowledge before and during
phases reduces knowledge
gap/commands
Over time hackers become
quieter and harder to detect
Early detection is critical
Deception layers need to be
automatically kept current and
dynamic
17. © Fidelis Cybersecurity
Traps: Man vs Machine
Average human triggered 10.5 traps
Humans target files, email &
unstructured data
Malware targets apps and structured
data
Passwords/credentials:
• Found 2 on average
• Utilized 2.5 times/avg
• Max reuse: 11 times in 11
places
Password traps near decoys are very
effective
Trap variety is important to cover
attack types
18. © Fidelis Cybersecurity
Decoy Access
On average, each attacker
interacted with nearly 10
decoy services
No decoy had more than
47% activity, signaling variety
is important
Sloppy attacks used
scanners with pings and
SYNs, non-interactive noise,
easy for decoys to detect
Sophisticated attacks were
focused on specific decoys
with high interaction
Decoy variety is important
with live services to engage
attackers
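As an added example (not from the deck or Fidelis), the following Python shows the kind of triage a deception layer can do over its own event log, separating the attacker styles the two previous slides describe: noisy pings and SYNs across many decoys, focused interactive sessions against a few decoys, and reuse of a planted credential (the password traps near decoys). The event log, host and decoy names, the credential, and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample decoy log (not real data). Each row is
# (source host, decoy, protocol, interactive?, planted credential used or "").
EVENTS = [
    ("10.0.0.5", "ws-01", "icmp", False, ""),
    ("10.0.0.5", "ws-02", "icmp", False, ""),
    ("10.0.0.5", "srv-01", "tcp-syn", False, ""),
    ("10.0.0.7", "srv-02", "ssh", True, ""),
    ("10.0.0.7", "srv-02", "ssh", True, ""),
    ("10.0.0.7", "ws-01", "tcp-syn", False, ""),
    ("10.0.0.9", "srv-01", "smb", True, "svc_backup"),
    ("10.0.0.9", "srv-02", "ssh", True, "svc_backup"),
]

def summarize(events):
    """Aggregate decoy events per source host."""
    new = lambda: {"decoys": set(), "probes": 0, "sessions": 0, "creds": []}
    out = defaultdict(new)
    for src, decoy, _proto, interactive, cred in events:
        s = out[src]
        s["decoys"].add(decoy)
        s["sessions" if interactive else "probes"] += 1  # payload vs bare probe
        if cred:
            s["creds"].append((cred, decoy))
    return dict(out)

def classify(s):
    """Label one source's summary with the attacker style the CTF observed."""
    if s["creds"]:
        return "credential-trap-hit"  # a planted credential has no legitimate use
    if s["sessions"] == 0:
        return "noisy-scan"           # pings/SYNs only: non-interactive noise
    if s["sessions"] > s["probes"]:
        return "focused-interactive"  # more real sessions than bare probes
    return "mixed"

def cred_reuse(summaries):
    """How many times each planted credential was presented, and on how many decoys."""
    uses, places = defaultdict(int), defaultdict(set)
    for s in summaries.values():
        for cred, decoy in s["creds"]:
            uses[cred] += 1
            places[cred].add(decoy)
    return {c: (uses[c], len(places[c])) for c in uses}

def report(events=EVENTS):
    """Map each source host to its label."""
    return {src: classify(s) for src, s in summarize(events).items()}
```

Calling `report()` labels the three constructed sources as noisy-scan, focused-interactive and credential-trap-hit, and `cred_reuse(summarize(EVENTS))` shows the planted credential presented twice in two places, the same reuse measure the slide reports.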
19. © Fidelis Cybersecurity
CTF Deception Summary
Sophisticated attacks are more targeted and more
highly interactive than careless, noisy, low-
interaction scanning
Deception needs to be diverse to be effective
against malware and human attackers
Deception layers should be as realistic as possible,
kept current, and dynamic to increase the
knowledge gap against attackers
Augment deception layers with network and
traffic analysis for increased visibility and
accuracy
Deception lures, detects and consumes attacker
time, thus diverting and slowing attacks
20. © Fidelis Cybersecurity
Learn More – CTF White Paper
In-depth Research White Paper
More details on Traps/Breadcrumbs
More depth on Decoy Services
Online at - www.fidelissecurity.com
21. © Fidelis Cybersecurity
Leader in Automated Detection & Response
Global Presence
• Established 2002
• Headquartered in Washington, DC
• Fortune 100 & DoD enterprise proven
• Proactive, MDR, and IR service expertise
Comprehensive visibility across network to endpoints
Real-time and historical forensics analysis
Extensible patented deep session inspection platform
On-premise and/or cloud deployable form factors
23. © Fidelis Cybersecurity
Fidelis Elevate Platform
Fidelis
Network
Fidelis
Endpoint
Fidelis
Deception
Improve Security Operations’
Efficiency and Effectiveness
• Shift from clues to conclusions by
combining similar alerts with context for
quick action
• Pre-validate network alerts at the
endpoint
• Reduce the time to respond
• Gain visibility across the entire kill chain
• Employ an active post-breach defense
that lures attackers to decoys and
adapts to your network as it changes
24. © Fidelis Cybersecurity
Questions and Next Steps
Key Resources
Fidelis Deception Datasheet
https://www.fidelissecurity.com/resources/fidelis-deception-module
Case Study on How First MidWest Bank
Uses Fidelis Deception
https://www.fidelissecurity.com/case-study-first-midwest-bank