Decoy documents: Baiting an Insider

By: Dastagiri, Software Engineer
@dast999 | dast.sofiya@facebook.com
Contents
Introduction to decoy documents
Threat Model
Generating and Distributing bait
Questions
Introduction to decoy documents

Decoy Document:
“On demand machine generated document. It contains the content to entice the attacker into stealing bogus information”.

Contains:
• Different types of bogus credentials (honeytokens)
• Stealthy beacons
• Embedded markers

Development:
• At the Intrusion Detection Systems Lab, Columbia University
Basic Idea:
• Insider attack: detect insider actions against the enterprise system as well as against individual hosts and laptops.
• Report back to the control server or alert administrators.
• Configure the system and set policies using the management platform.
Existing solutions:
• Blocking exfiltration
• Prevention techniques
  - User modeling and profiling techniques, e.g. anomaly detection, honeypots, etc.
  - Policy and access enforcement techniques, e.g. limiting the scope
• Misuse detection

Proposed solutions:
• Monitoring and detection techniques, used when prevention techniques fail
• Trap-based defense mechanisms
• Preventive disinformation attack
Threat Model

1. Insider threats
  • Malicious insiders
    - Traitors
    - Masqueraders
    - Attacks (e.g., viruses and worms)
  • Non-malicious insiders
2. Outsider threats
  • Outsiders with internal network access
    - Attacks (e.g., spyware and rootkits)
Level of sophistication of the attacker:
1. Low - direct observation only
2. Medium - thorough investigation; decisions based on other, possibly outside, evidence
3. High - access to supercomputers and other informed people who have organizational information
4. Highly privileged - aware of baiting and using tools to analyze, avoid and disable decoys entirely
Generating and Distributing bait

Properties of decoy documents:
• Used to guide decoy design and maximize the deception (achieved by hiding)
• Deception techniques: masking, repacking, dazzling, mimicking, inventing and decoying.

1. Believable - appearing true. Use realistic names, addresses and logins.
2. Enticing - highly attractive. Create decoys based on attacker interest (passwords, credit card numbers).
Properties of decoy documents (contd.):
3. Conspicuous - easily visible or obvious to the eye or mind
4. Detectable - its use can be discovered or caught in the performance of the act
5. Variability - the quality of being subject to variation
6. Non-interference - easily identified by the actual user
7. Differentiable - constitutes a difference that distinguishes it
The Decoy Document Distributor (D3) System:
• Generates and places decoy documents within a file system.
• D3 is integrated with a variety of services to enable monitoring of these decoy documents.
• http://sneakers.cs.columbia.edu:8080/fog/index.jsp
• http://www.alluresecurity.com
• Types of bait information:
  - Online banking logins provided by a collaborating financial institution
  - Login accounts for online servers
  - Web-based email accounts
Design of Decoy Document:
1. A watermark is embedded in the binary format of the document file to detect when the decoy is loaded in memory or egressed in the open over a network.
2. A beacon is embedded in the decoy document that signals a remote web site when the document is opened, indicating the malfeasance of an insider illicitly reading bait information.
3. If 1 and 2 fail, the content of the document contains bait (honeytokens) and decoy information that is monitored as well. Bogus logins at multiple organizations, as well as bogus but realistic bank information, are monitored by external means.
Implementation:
1. Honeytokens - e.g., login credentials, banking credentials, etc.
2. Beacon
  - Uses an obfuscation technique called Spectrum Shaping
  - A unique token is used
  - Document type and rendering environment influence the data collection
  - The signaling mechanism relies on the document type or on a stealthily embedded remote image
Implementation (contd.):
3. Embedded markers
  - Constructed as a unique pattern of word tokens uniquely tied to the document creator
  - The sequence of word tokens is embedded within the beacon document’s metadata area or reformatted as comments within the document format structure.
  - The embedded markers can be used in Snort signatures for detecting exfiltration.
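As an added example (not code from the slides or from the D3 project), the following Python sketches the honeytoken and embedded-marker parts of the design and implementation above: a marker derived as a word-token sequence tied to the document creator, its placement as a comment in the document structure, a Snort content rule built from it, and a detector that checks constructed outbound payloads and VPN log lines. The HMAC construction, word list, key, HTML decoy format and log line format are assumptions, not details the slides give.

```python
import hashlib
import hmac
import re
import secrets

# Constructed word list; a deployment would use a large vocabulary so the
# marker reads as ordinary text. Sixteen entries so one nibble picks a word.
WORDLIST = ["ledger", "harbor", "quartz", "meadow", "falcon", "copper",
            "lantern", "summit", "velvet", "orchid", "timber", "anchor",
            "beacon", "cobalt", "glacier", "marble"]

KEY = b"constructed-demo-key"  # placeholder; the real key never sits on decoy hosts


def make_marker(creator, doc_id, key=KEY, length=6):
    """Word-token sequence tied to creator and document via HMAC-SHA256.
    Assumption: the slides do not say how the pattern is built; a keyed MAC
    makes it recomputable by the defender and unforgeable by an insider."""
    tag = hmac.new(key, f"{creator}|{doc_id}".encode(), hashlib.sha256).digest()
    nibbles = [(tag[i // 2] >> (4 * (i % 2))) & 0x0F for i in range(length)]
    return " ".join(WORDLIST[n] for n in nibbles)


def make_honeytoken(doc_id):
    """Bogus login that exists only in the decoy and in the defender's registry."""
    return {"username": f"{doc_id.lower()}.{secrets.token_hex(2)}",
            "password": secrets.token_urlsafe(12)}


def embed_in_html(body, marker, token):
    """Marker goes into the format structure as a comment; the honeytoken goes
    into visible content an insider would find enticing."""
    return (f"<!-- {marker} -->\n<html><body>\n<p>{body}</p>\n"
            f"<p>VPN login: {token['username']} / {token['password']}</p>\n"
            "</body></html>\n")


def snort_rule(marker, sid):
    """Snort content rule that fires when the marker leaves the network in clear."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Decoy document exfiltration"; content:"{marker}"; nocase; '
            f'sid:{sid}; rev:1;)')


def detect(registry, payloads, auth_log):
    """Scan outbound payloads for markers and auth-log lines for honeytoken use.
    Each alert names the decoy so the planted host/creator can be traced."""
    alerts = []
    for doc_id, entry in registry.items():
        if any(entry["marker"] in p.lower() for p in payloads):
            alerts.append(("marker", doc_id, entry["creator"]))
        user = re.escape(entry["token"]["username"])
        if any(re.search(rf"user=({user})\b", line) for line in auth_log):
            alerts.append(("honeytoken", doc_id, entry["creator"]))
    return alerts


def demo():
    """Two decoys; constructed traffic and log in which exactly one marker is
    exfiltrated and exactly one honeytoken is used."""
    registry = {}
    for doc_id, creator in (("Q3-BUDGET", "alice-laptop"), ("MA-NOTES", "bob-desktop")):
        registry[doc_id] = {"creator": creator,
                            "marker": make_marker(creator, doc_id),
                            "token": make_honeytoken(doc_id)}
    budget = registry["Q3-BUDGET"]
    payloads = [  # constructed captures of outbound HTTP bodies
        "POST /upload HTTP/1.1\r\n\r\n" + embed_in_html("Budget draft", budget["marker"], budget["token"]),
        "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    ]
    auth_log = [  # constructed VPN log lines
        f"vpn: accepted user={registry['MA-NOTES']['token']['username']} from 10.0.0.9",
        "vpn: accepted user=carol from 10.0.0.7",
    ]
    return detect(registry, payloads, auth_log)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The beacon (remote image fetch on open) is not reproduced here because it needs a live listener; the marker and honeytoken checks are the fallback the slides describe when the beacon does not fire.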
Questions