Applying intelligent deception to detect sophisticated cyber attacks
1 like210 views
The document discusses the application of intelligent deception in cybersecurity to detect sophisticated cyber attacks, drawing parallels with historical military strategies. It highlights the effectiveness of deception techniques, such as creating decoys and traps, to lure and monitor attackers while enhancing incident response through active defense measures. Additionally, it emphasizes the need for dynamic and realistic deception layers to improve detection and analysis against both human and malware threats.
Applying intelligent deception to detect sophisticated cyber attacks
- 1. Applying Intelligent Deception to Detect Sophisticated Cyber Attacks
- 2. © Fidelis Cybersecurity Today’sSpeaker Tom Clare Product/Technical Marketing, Fidelis Background: Deception, UEBA/SIEM, Web Proxies, Vulnerability Assessments, Firewalls, and Endpoint (EPP/EDR) Companies: Fidelis, Gurucul, Websense, Check Point Technologies, and McAfee LinkedIn – www.linkedin.com/in/tomclare/
- 4. © Fidelis Cybersecurity Before the Allies stormed the beaches of Normandy in history’s largest amphibious assault, they staged one of history’s greatest military deceptions. The top-secret ruse — complete with rubber tanks, body doubles, fake radio chatter and double agents — successfully duped Adolf Hitler and Nazi commanders and laid the groundwork for D-Day success on June 6, 1944. WWII - OperationBodyguard
- 5. © Fidelis Cybersecurity SavingSeaTurtles PROBLEM 140 Million Years on Earth Top Endangered Species Poachers Steal/Sell Eggs Consistent/Pervasive Problem SOLUTION 3D Printed Fake GPS Eggs Decoy Eggs Look Real Poachers Cannot Detect Enables Tracking/Mapping
- 6. © Fidelis Cybersecurity OpportunityforCyberDeception Knowing what attackers desire creates an opportunity for an active defense; to lure, detect, and defend. Global Average Dwell Time 99 Days Preventive Defenses Deception Layer Lures Attack Lures
- 7. © Fidelis Cybersecurity CaptureTheFlag(CTF) Cyber CTF Games Jeopardy-Style Different challenges Broad range of categories Earn points per challenge Quality vs time/race Attack-Defense Blue team defends network Goal to detect attacks Red team attacks network Goal to capture flag(s)
- 8. © Fidelis Cybersecurity BluevsRedTeams Blue Team focus includes: Defending networks and systems Monitoring security defenses Security control effectiveness Hardening systems and controls Identifying security flaws Incident response Red Team focus includes: White-hat hacker role as threat actors Adversarial assessments (or pen-testing) Real-world attack simulations w/o damage Assess vulnerabilities to improve defenses Challenge preconceived notions In 1932, Rear Admiral Yarnell demonstrated how the Japanese could attack Pearl Harbor to wipe out the Pacific fleet almost exactly as it occurred nine years later. The attack simulation was deemed a success, however not in the final report. Japanese radio deception was effective on US intelligence for the offensive strike.
- 11. © Fidelis Cybersecurity CTFRealNetwork Real-world network complete with assets, users, services and data. 29 Users 1,491 Documents 5,532 Emails 31 Applications installed 3 Full browser profiles (Chrome, IE, FF) 2 Corporate web applications 2 Databases 1 Domain Controller (DC) 1 DNS Server 1 Private cloud service
- 12. © Fidelis Cybersecurity CTFDeceptionLayer The decoys were defined with a variation of interactive capabilities. Some decoy services appeared only as open ports, while others were full-blown services, appearing to run real applications. Among the services made available were TCP, UDP, SMB, HTTP, ICMP, RDP, FTP, MYSQL, SMTP and SSH. 10 decoys • 7 Workstations (user and development machines running Windows 7) • 2 Windows Servers (running Windows 2012 and Windows 2008) • 1 Ubuntu Linux server 95 decoy services Breadcrumbs or traps include: 61 files 39 beacon traps 27 emails 26 credentials 12 applications 10 IoT devices 2 network traps Breadcrumbs make deception deterministic by leading attackers to decoys, versus static honeypots waiting to be found.
- 13. © Fidelis Cybersecurity ExampleTraps Email Trap (unstructured data) Chrome Browser Trap (structured data)
- 14. © Fidelis Cybersecurity CTFDeceptionChallenge CTF challenge to find 5 file hashes for information spread across assets Participants provided access to one asset via RAT (Remote Access Trojan) The first file hash containing key information resides on this infected asset Each subsequent file hash was technically harder to find requiring more expertise Each attacker or team worked solo on a fresh instance of the environment Tasks include gathering intelligence, collecting information, and moving laterally Public invitation to: • Red teams • Pen-testers • Security researchers Best applicants selected Written mission brief & goals Challenge ran for 1+ month 52 participants w/global profile 6-7 hours of time/participant Dozen+ malware types also tested in parallel
- 15. © Fidelis Cybersecurity TheKnowledgeGap Mission brief provided key intel on first challenge • Read the brief, averaged ~100 commands • Did not read, used spray and pray efforts Knowledge before and during phases reduces knowledge gap/commands Over time hackers become quieter and harder to detect Early detection is critical Deception layers need to be automatically kept current and dynamic
- 16. © Fidelis Cybersecurity TrapConsumption Attacker Profiles • 52 Humans • 12 Malware dynamic
- 17. © Fidelis Cybersecurity Traps:ManvsMachine Average human triggered 10.5 traps Humans target files, email & unstructured data Malware targets apps and structured data Passwords/credentials: • Found 2 on average • Utilized 2.5 times/avg • Max reuse: 11 times in 11 places Password traps near decoys are very effective Trap variety is important to cover attack types
- 18. © Fidelis Cybersecurity DecoyAccess On average, each attacker interacted with nearly 10 decoy services No decoy had more than 47% activity, signaling variety is important Sloppy attacks used scanners with pings and SYNs, non-interactive noise, easy for decoys to detect Sophisticated attacks were focused on specific decoys with high interaction Decoy variety is important with live services to engage attackers
- 19. © Fidelis Cybersecurity CTFDeceptionSummary Sophisticated attacks are more targeted and highly interactive than careless and noisy low interaction scanning Deception needs to be diverse to be effective against malware and human attackers Deception layers should as realistic as possible, kept current, and dynamic to increase the knowledge gap against attackers Augment deception layers with network and traffic analysis for increased visibility and accuracy Deception lures, detects and consumes attacker time, thus diverting and slowing attacks
- 20. © Fidelis Cybersecurity LearnMore –CTFWhitePaper In-depth Research White Paper More details on Traps/Breadcrumbs More depth on Decoy Services Online at - www.fidelissecurity.com
- 21. © Fidelis Cybersecurity LeaderinAutomatedDetection&Response Global Presence • Established 2002 • Headquartered in Washington, DC • Fortune 100 & DoD enterprise proven • Proactive, MDR, and, IR service expertise Comprehensive visibility across network to endpoints Real-time and historical forensics analysis Extensible patented deep session inspection platform On-premise and/or cloud deployable form factors
- 22. © Fidelis Cybersecurity AutomatedDetection&Response(ADR) 22 Breach Detection Endpoint Detection & Response Intelligent Deception Highlights • Automatically do what experienced security analysts would do. • Leverage native visibility across enterprise to detect threats using a wide variety of techniques. • Enable investigation, containment, and remediation process by validating alerts. • Lure, detect and defend against attackers in your network.
- 23. © Fidelis Cybersecurity FidelisElevate Platform 23 Fidelis Network Fidelis Endpoint Fidelis Deception Improve Security Operations’ Efficiency and Effectiveness • Shift from clues to conclusions by combining similar alerts with context for quick action • Pre-validate network alerts at the endpoint • Reduce the time to respond • Gain visibility across the entire kill chain • Employ an active post-breach defense that lures attackers to decoys and adapts to your network as it changes
- 24. © Fidelis Cybersecurity QuestionsandNextSteps Key Resources Fidelis Deception Datasheet https://www.fidelissecurity.com/resources/ fidelis-deception-module Case Study on How First MidWest Bank Uses Fidelis Deception https://www.fidelissecurity.com/case- study-first-midwest-bank
- 25. Thank You!