(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception for red and blue teams

Published in: Technology

  1. Sudarshan Pisupati, Principal Consultant - Smokescreen (@sudartion); Sahir Hidayatullah, CEO - Smokescreen (@sahirh). ACTIVE DECEPTION FOR Red & Blue Teams
  2. “The more you know about the past, the better prepared you are for the future.” Theodore Roosevelt
  3. “Gauge your opponent’s mind and send it in different directions. Make him think various things, and wonder if you will be slow or quick.” Miyamoto Musashi, The Book of Five Rings
  4. “Never win by force what can be won with deception.” Niccolò Machiavelli, The Discourses (paraphrased)
  5. “Never interrupt your enemy when he’s making a mistake.” Napoléon Bonaparte
  6. There are 3 reasons why companies get hacked…
  7. Reason 1: Low visibility. INITIAL INTRUSION → HACKERS UNDETECTED → DATA BREACH
  8. Reason 2: Ever-changing threat landscape
  9. Reason 3: Too many false positives. Event counts climbing 13,726, 55,198, 72,614, 89,452, 96,825 = • Event fatigue • Data paralysis • Missed alerts • Game Over
  10. Human psychology is an attacker’s greatest weapon. It’s also their greatest weakness. We’re losing. So why don’t we change the game?
  11. Deception Benefits: No false positives • High attacker impact • Focused on intent, not tools
  12. Deception Benefits: No false positives • High attacker impact • Focused on intent, not tools. Source: David J. Bianco, personal blog, The Pyramid of Pain
  13. 60% of attacks do not involve malware! Deception Benefits: No false positives • High attacker impact • Focused on intent, not tools
  14. Why does deception work?
  15. LEVEL 2 Deception ?!?!#@!
  16. Next-gen firewall • Sandboxing • Two-factor authentication • DAST / SAST • Network analytics • Endpoint detection and response. Thinking in lists v/s thinking in graphs
  17. Different colors, different languages… Blue Team talks about: SQL injection • Password cracking • Phishing • Port-scanning • Patch management. Red Team talks about: Squiblydoo • AS-REP roasting • Hot potato attacks • SPN enumeration • LocalAccountTokenFilterPolicy • Unquoted service paths • Process hollowing • OLE embedded phishing • LLMNR poisoning • Bloodhound / user hunting • DLL side loading • GPP exploitation • Time-stomping
  18. Wait a minute, how is deception different from…
  19. Honeypots… Honeypots: • Attract attacks • Public facing • Vulnerable • Network focused • Low signal / noise ratio • Poor realism • Not scalable • Useful for research
  20. AT = Sum(RT, D, TH, IR): Red-teaming, Deception, Threat hunting, Incident response
  21. Good deception blankets the kill chain. Decoy layers: Internet Assets • Active Directory Objects • Application Credentials • Files • Network Traffic • Endpoints • People • Servers • Applications. Kill-chain stages: RECONNAISSANCE • EXPLOITATION • PRIVILEGE ESCALATION • LATERAL MOVEMENT • DATA EXFILTRATION
  22. Chronology of an Attack - “The Double Cycle Pattern”: Initial Intrusion (low-privilege normal user) → C2 and persist (establish remote control channel) → Privilege escalation #1 (escalate to local administrator) → Lateral Movement (hunt domain administrators) → Privilege escalation #2 (escalate to domain administrator) → Breach Complete (compromise targets and effect impact)
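The "no false positives, focused on intent" benefit and the idea of blanketing the kill chain with decoys (slides 11 and 21) can be shown in a small defender-side detector. This is an added example, not code from the talk or from Smokescreen; the log format, decoy account names and sample log lines are all constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed decoy inventory (hypothetical names): each planted credential is
# tagged with the kill-chain stage it is meant to expose. No legitimate user or
# process ever uses these, so any appearance is attacker intent, not noise.
DECOYS = {
    "svc_backup_legacy": "lateral movement",  # decoy AD service account
    "da_emergency": "privilege escalation",   # decoy admin-looking account
    "fileshare_ro": "data exfiltration",      # decoy credential left in a config file
}

# Assumed log format: "<ts> host=<h> user=<DOMAIN\name> event=<e> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"event=(?P<event>\S+) src=(?P<src>\S+)$")

Alert = namedtuple("Alert", "ts user stage src event")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(lines):
    """Return one Alert per line that touches a decoy account. Failed logons
    count too: a failure against a decoy name still proves it was harvested."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        user = rec["user"].split("\\")[-1].lower()  # drop DOMAIN\ prefix
        if user in DECOYS:
            alerts.append(Alert(rec["ts"], user, DECOYS[user], rec["src"], rec["event"]))
    return alerts

# Constructed sample log: normal activity, then one host touching three decoys.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z host=dc01 user=CORP\\jsmith event=logon_success src=10.0.4.21",
    "2024-05-01T09:12:40Z host=fs02 user=CORP\\jsmith event=file_open src=10.0.4.21",
    "2024-05-01T11:03:17Z host=dc01 user=CORP\\svc_backup_legacy event=logon_failure src=10.0.7.88",
    "2024-05-01T11:05:52Z host=dc01 user=CORP\\da_emergency event=kerberos_tgt_request src=10.0.7.88",
    "not a log line",
    "2024-05-01T11:20:09Z host=fs02 user=fileshare_ro event=logon_success src=10.0.7.88",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} DECOY HIT user={a.user} stage={a.stage} src={a.src} ({a.event})")
```

Every alert here is actionable by construction: the ordinary user activity produces nothing, while the single source touching decoys lights up three kill-chain stages in order.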
  23. SMOKESCREEN. sahirh@smokescreen.io | www.smokescreen.io | @sahirh. WE CAN NOW TAKE QUESTIONS!
