Using Deception to Detect and Profile Hidden Threats
Download as PPTX, PDF2 likes141 views
The document discusses using deception techniques and Splunk to detect hidden threats. It describes how adversaries can hide within networks and how deception can be used to detect lateral movement and network scans. The presentation covers different types of deceptions like lures, decoys, and breadcrumbs and how a deception farm works. It demonstrates how to customize deceptions, deploy them, and triage deception alerts with security events in Splunk to profile threats.
Using Deception to Detect and Profile Hidden Threats
- 1. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Detecting and Profiling Hidden Threats using Deception and Splunk Satnam Singh Chief Data Scientist, Acalvio Technologies Oct 2, 2018
- 2. © 2018 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved. Forward-Looking Statements
- 3. © 2018 SPLUNK INC. Agenda ▶ Hidden threats ▶ Introduction to deception and use cases ▶ Triage of deceptive alerts with security events in Splunk ▶ Profiling threats: Demo
- 4. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Hidden Threats ▶ Adversaries move within the network to find valuable or vulnerable assets ▶ Perimeter-based controls can’t detect the threats that have already infiltrated and are hiding within the enterprise network ▶ Adversaries are using “living off the land” tactics makes it difficult for Endpoint detection tools to detect them
- 5. © 2018 SPLUNK INC. How to Defend? 1. Slowdown the Attacker 2. Speed up the Defender
- 6. © 2018 SPLUNK INC. Deception ▶ Deception needs to blend with the environment ▶ Multiple types of Deception ▶ Deception needs to dynamic, morph and adapt over time
- 7. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Deceptive Security - Use Cases ▶ Detect Lateral Movement in the Corporate Network ▶ Detect Network Scans, Ransomware ▶ Detect advanced threats that are targeting specific verticals e.g., SWIFT, ICS
- 8. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Deceptive Security - Use Cases ▶ Get visibility of threats in unmanaged networks, encrypted traffic, IOT devices ▶ Generate actionable threat intelligence with high fidelity alerts ▶ Need only a few resources to deploy another security layer
- 9. © 2018 SPLUNK INC. Deception Types LURES DECOYS BREADCRUMBS
- 10. © 2018 SPLUNK INC. ▶ Interaction Types - Low, Medium, High ▶ Services - SSH, Telnet, SMB, FTP, … ▶ Workstations ▶ Databases ▶ Servers ▶ Routers, Switches ▶ … Decoys
- 11. © 2018 SPLUNK INC. Extends deception to production devices ▶ Credentials - Shares, Servers ▶ In-Memory hashes ▶ Files ▶ Registry entries ▶ Browser Cookies ▶ … Breadcrumbs
- 12. © 2018 SPLUNK INC. Makes deceptions more attractive ▶ Vulnerable Shares ▶ Network Printer ▶ Vulnerable Webserver ▶ PACS DICOM Server ▶ Contents of breadcrumbs and decoys (ex: files, user account, share, database, address book) ▶ …. Lures & Baits
- 13. © 2018 SPLUNK INC. Deception Farms Threat Analysis Engine AI Engines Sensor Sensor Enterprise Network On-premises SERVER SOFTWARE TUNNELS Network 1 VPC 1 Projections Projections SERVER SDN Fabric Cloud VPC Acalvio Deception Farm VPC 1 Network 1 SERVER SERVER
- 14. © 2018 SPLUNK INC. Fluid Deception A3 HI A4 A5 A6 LI SDN Fabric A1 A2 Sensor A3 Low Interaction Deceptions High Interaction Deceptions ATTACK B4 A4 A5 A6 Acalvio Deception Farm B1 B2 B3 SOFTWARE TUNNEL Enterprise Network On-premises Projected Deceptions
- 15. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Threat Profiling 3. Triage with Deception Alerts 1. Customise Deception - Customise decoys to blend - Determine Deception Strategy Splunk App 2. Deception Platform Deploy Deceptions
- 16. © 2018 SPLUNK INC. Demo Threat Profiling
- 17. © 2018 SPLUNK INC. 1. Deception provides an ability to detect hidden threats 2. Deception needs to be customized and dynamic 3. Triage deception alerts with network, endpoint logs in Splunk to generate actionable internal threat intelligence Key Takeaways