Deception Technology: Use Cases & Implementation Approaches
4 likes2,350 views
The document discusses the evolution and significance of deception technologies in cybersecurity, detailing its historical applications from natural survival to modern cyber warfare. It explains various types of deception tactics, such as low and high interaction deceptions, and emphasizes the need for dynamic deception methods to counteract attackers. Additionally, it highlights the challenges of deploying these technologies and their effectiveness in detecting cybersecurity threats like ransomware.
Deception Technology: Use Cases & Implementation Approaches
- 1. DECEPTION TECHNOLOGIES Raj Gopalakrishna Co-founder & Chief Product Architect AcalvioTechnologiesCopyright AcalvioTechnologies 1
- 2. Brief History of Deception DeceptionTypes Under the Hood Some Use Cases Touch Points
- 3. Deception over the years • Millions of years in Natural World for survival/aggression • Millions of years in bacteria and virus to thrive • 1000s of years in Warfare/Military to attack or defend • Decades in Cyber Warfare • Attackers use Deception • Phishing, spoofing, encryption • Defender should use Deceptions • Honeypots, Cryptographic Camouflage • French Election used it recently Owl Butterfly for Survival 3Copyright AcalvioTechnologies Transmitter Passion Fruit Leaf with spots
- 5. Breadcrumbs: Extend Deceptions to Production Devices Many flavors and forms: 1. Registry entries 2. Files & Folders 3. Memory hashes 4. User Profiles 5. Browser cookies Few Challenges: 1. Need deployment Automation and Intelligence 2. Avoid Accidental Alerts by Users 5 DeceptionAnywhere or Everywhere Copyright AcalvioTechnologies
- 6. Lures: Another powerful arrow in the quiver Deliberately placed 1. Vulnerabilities in OS, Application, Protocols 2. Weak configurations and permissions 3. Powerful fake Service Accounts 4. Shares 5. Interesting Data 6 Make Deceptions more attractive Copyright AcalvioTechnologies
- 7. DecoyTypes Low Interaction Deceptions • Attacker typically cannot login • Emulated Hosts, Applications, Database Servers High Interaction Deceptions • Attacker can login – full interaction • RealVM Hosts, Applications, Database Servers, Shares Copyright AcalvioTechnologies 7
- 8. Low Interaction Deceptions Deploy OS, Network services orApplications Lots of deceptions possible. Low IT cost Low Risk to Enterprise Networks Dynamic: easy to morph on-the-fly Need not be emulations! × Cannot Engage with theAttacker × If Emulated then Easy to fingerprint Deceptions Key Challenge: Odds of attacker identifying deceptions Copyright AcalvioTechnologies 8
- 9. High Interaction Deceptions Deploy real OS, Services, Applications Deceptions are not finger-printable. Possible to Engage with Attacker × Only Few deceptions × High Cost of licensing & maintaining × Need Containment to reduce RISK × Static: pre-build, unable to morph quickly × Often used with Breadcrumbs to lead attacker to Decoys. But then attacker needs to find breadcrumbs first Key Challenge: Odds of Attacker/Malware running into the few deceptions Copyright AcalvioTechnologies 9
- 10. Often we need both Scale and Depth (Believable Deceptions) Copyright AcalvioTechnologies 10
- 11. Static vs Dynamic Deceptions Static Deceptions • Hardly changes • Easy to fingerprint & avoid Dynamic Deceptions Mimic Octopus: Mimics upto 15 creatures ActiveCamouflage: Counter-illumination by Squids • Changing always • Hard to predict or identify HoneyAnts Copyright AcalvioTechnologies 11
- 12. Intelligence Component Human only • Expert decides type and number of deceptions to deploy • Manually/Automatically configures traps atTime T0 Key Challenges: • What happens atTimeT1 orT10 ? • How many Experts can company send to front-line for 24x7x365? Human + AI based = Future System recommends type, number, placement, duration of deceptions. System Responds to • Events and Incidents • Adversary Behavior • When you are sleeping Copyright AcalvioTechnologies 12
- 13. Some major Challenges in Cyber Security Compromise Detection Identifying malicious intent © AcalvioTechnologiesCompany 13 Alerts Deluge Too many False positives DeceptionTechnology can help in all of above
- 14. Internal Facing vs External Facing Deceptions Internal Facing • Good for Enterprises • A new layer of Defense • Acts like a motion detector inside Enterprises • Corporate Network • Data Centers • Detects attackers who have gone past the perimeter defenses • Few, High FidelityAlerts raised • Can optionally Engage & Respond External Facing • Great for security researchers • Typically deployed on the Internet or in the DMZ. • Lots of alerts per hour/day as there are lots of malicious Attackers and Bots on the Internet • Often used to show demo of DeceptionTechnologies Copyright AcalvioTechnologies 14
- 15. Detecting Ransomware: current approaches AV and Sandbox approach • Look for known Signatures • Look for known C&C Low False +ve × High False -ve Data Science approach • Look for Anomalous Behavior • High File I/O • Lots of different Files accessed • Lots of crypto × Anomaly ≠Threat × High False +ve 15Copyright AcalvioTechnologies
- 16. Detecting Ransomware using Deceptions • Leverages Decoys, Breadcrumbs and Lures • Set specific traps in specific locations • Monitor only activity against decoys, breadcrumbs & lures Auto Detects and confirms Ransomware Very Efficient and Accurate 16 Always High Fidelity Signals Zero false +ve Copyright AcalvioTechnologies
- 17. Protecting Secrets in software is hard Examples Crypto keys Passwords Payment card numbers Copyright AcalvioTechnologies 17
- 18. THANKYOU Copyright AcalvioTechnologies 18 • Raj Gopalakrishna • raj@Acalvio.com • AcalvioTechnologies Inc
- 19. CONTACT ACALVIO IFYOU ARE LOOKING FOR DECEPTION PRODUCT Copyright AcalvioTechnologies 19