
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception

Detecting and Catching the Bad Guys Using Deception

Traditional controls are well known for their shortcomings in the face of modern cyber-attacks. Cyber security technologies make use of signature-based, behavioral or "next generation" capabilities, or attempt to augment those capabilities by leveraging a cloud-based or on-premises cyber analytics warehouse and threat intelligence feeds via indicators of compromise (IOCs) or other mechanisms. Although the latter efforts have increased organizational cyber capabilities, they only do so with proper investment in people, process and technology. Additionally, as attackers adapt to defenses, these controls begin to show diminishing marginal returns in defensive capability.

Deception programs, architectures and technologies endeavor to augment existing cyber security capabilities through the use of honeypots and honeynets (decoys) or breadcrumbs and "broken glass" (deceptions).

Advanced deception technologies are differentiated by their use of distributed deception technology: agentless, simple-to-deploy, lightweight deceptions that leverage operating system objects to lure attackers into triggering alerts. Normal users would never trigger the deceptions the way an attacker does, resulting in high-fidelity alerting with near-zero false positives. Such technology consequently not only augments existing cyber security capabilities post-breach but provides a new, highly effective post-breach cyber security capability along with precise real-time forensics.

James Muren is a strategist who delivers workshops in cyber security strategy, GRC and security architecture; these are used to develop long-term strategies and tactical roadmaps for customers that address security for legacy and cloud architectures. As a strategic management consultant who has built fully capable cyber programs in the past, he helps mentor and lead teams for programs and projects in information technology and cyber security. James is primarily focused on the business benefits of cyber security, and on demonstrating those benefits through metrics that can be quickly communicated to executive leadership. By properly integrating security controls within a regulatory and policy context, security programs such as breach and incident response, data governance, forensics, etc. can properly demonstrate value, receive proper investment and adequately secure organizations.

James is also a researcher. His areas of research include: Continuous GRC, cyber analytics, Trusted Computing Group (TCG), Security Automation, Hardware & Software Security, ICS, SCADA, IOT, Malware Research, Full System Security Design Lifecycle and Leap Ahead technology.


  1. Detecting and Catching the Bad Guys Using Deception
     @NTXISSA #NTXISSACSC4
     James Muren, Security Evangelist, Illusive Networks
     October 4, 2016
  2. What this is not …
     • … a rehash of breach news.
     • … or what causes a breach.
     • … numbers, data and figures on breaches.
     • … a rehash on threats to your end points or social media profile.
     • … not "motherhood" or "apple pie"
     NTX ISSA Cyber Security Conference – October 7-8, 2016
  3. What this is …
     • … about catching bad guys.
     • … deceiving and frustrating bad guys.
     • … using new and dynamic ways to disrupt attacker operations.
     • … quickly giving authorities what they need to prosecute.
     • All discussed within the scope of the Deception Paradigm
  4. Current State of Affairs
     • Organizations are increasing investments in cyber security technologies and controls.
     • But they are still getting hacked. Bad guys not caught.
     • Existing defenses are overly static - attackers "fingerprint" defenses and bypass them
  5. Static defenses …
  6. … worked well at one time
  7. Dynamic attackers …
  8. … are circumventing the line
  9. Current State of Affairs
     • The majority of cyber security budgets are still spent on prevention controls
     • This is true despite the diminishing marginal defensive effectiveness of these controls
     • Organizations may not know if an attacker is in their network
  10. Breach & Control Investment
  11. Assumptions
     • Don't ask what to do "if" a breach has occurred
     • Assume a breach has occurred and work towards disproving it.
     • "Only the paranoid survive"
  12. Assumptions
     • Your defenses will likely fail or already have – how would you know?
     • Attackers will focus on account access and application "open doors"
     • Attackers will move "laterally" through your network and work to accomplish their mission
     • You will need a post-breach capability as a last line of defense to augment detection
  13. Defenders Need to Evolve
  14. Cyber Control Investment – But where?
     • Minimal capital & operational investment – lowest possible TCO.
     • Diversified spend
     • Augment people, process
     • Augment existing intrusion detection capability
     • Operationally light
  15. Risk Management 101
     • You can never eliminate all risk
     • You can reduce risk to an acceptable level
     • Organizations that cannot adequately reduce risk forego business opportunity
     • Prove or convince that what you are doing is effective
  16. Deception Program Practices
     • Cyber Risk Management – measure investment and effectiveness, and justify continued capability investment or expansion.
     • Change Management – otherwise attackers can fingerprint the deceptions.
     • Assessment & Red team
     • Ecosystem of cyber experts, partners, vendors as program matures
  17. Deception Program Outcomes
     • Disrupt the Attacker OODA Loop!
  18. Deception Program Outcomes
     • Deceive, Disorient, Confuse, Paralyze the Attacker
     • Understand what an attacker is looking for – attribution.
     • Understand fully and quickly how the attacker breached – forensics
     • Tactically – buy your security/IR/forensics team time to respond.
  19. Deception Technology – Legacy & Now
     • Honeypots
     • Honeynets
     • Decoys
     • Breadcrumbs
     • Broken Glass
  20. Deception Technology – Challenges
     • In general:
       • You need experts to operate, maintain, patch and track bad guys
       • Alerting fidelity is only as good as your anti-fingerprinting methodology
       • Forensic expertise and effort needs individuals focused on this capability. Not trivial.
       • Scalability – deployment and maintenance
       • You leave vulnerable system(s) on your network!!!!
  21. Deception Everywhere™ Technology
     • Deception Management System
     • Deceptions everywhere – not just in a few targeted areas
     • High ratio of deceptions to real objects
     • Many deception families
     • Scalable
     • High fidelity alerting
     • Honey everywhere!
  22. Additional Benefits
     • Operationally light (deception ~256 Kbyte)
     • Leverages OS-level objects and generates deceptions only a hacker would find
     • No agent – less attack surface
     • Deceptions blend in for attackers and ransomware
     • Advanced Sourced Forensics
     • Ancestor Tracking
     • All in one place
  23. illusive Overview
  24. Architecture
  25. Deception Families
  26. illusive Attacker View™
  27. Environment Pre-Deception
  28. Environment Post-Deception
  29. Credentials
  30. Call to Action
     • Consider how a deception program fits into your cyber risk management strategy
     • Consider implementing a deception program to add adaptive and effective capabilities
     • Consider an ecosystem of experts, partners and technologies as your deception program matures
     • Start with low total cost, highly effective deception controls (bang for buck)
  31. Thank you
     The Collin College Engineering Department
     Collin College Student Chapter of the North Texas ISSA
     North Texas ISSA (Information Systems Security Association)
  32. Backup Slides
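The abstract and the Credentials slide rest on one mechanism: decoy credentials planted as OS-level breadcrumbs that no legitimate user would ever use, so any authentication attempt naming one is a high-fidelity alert and the event's source host is the starting point for forensics ("Ancestor Tracking"). The Python detector below is an added example, not code from the talk or from Illusive Networks; the decoy account names, the simplified logon-event format and the log lines are all constructed for illustration.

```python
"""Detect use of decoy ("honey") credentials in authentication logs.

Deception premise from the talk: legitimate users never touch a decoy
account, so any logon attempt with one is a high-fidelity alert, and
the event's source host is the first pivot for the forensic timeline.
"""
import re
from dataclasses import dataclass

# Decoy inventory: hypothetical accounts planted as breadcrumbs on
# endpoints (constructed names, not taken from the slides).
DECOY_ACCOUNTS = frozenset({"svc_backup_adm", "fin_share_ro"})

# Constructed, simplified logon events (EventID 4624 = success, 4625 = failure).
SAMPLE_LOG = """\
2016-10-04T09:12:01 EventID=4624 Account=jsmith Source=10.0.5.21 Target=FS01 Logon=3
2016-10-04T09:13:44 EventID=4625 Account=svc_backup_adm Source=10.0.5.77 Target=FS01 Logon=3
2016-10-04T09:13:45 EventID=4624 Account=svc_backup_adm Source=10.0.5.77 Target=DC01 Logon=3
2016-10-04T09:20:10 EventID=4624 Account=mjones Source=10.0.5.30 Target=FS02 Logon=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Target=(?P<dst>\S+) Logon=\d+$"
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    account: str
    source: str      # host the attempt came from: first pivot for forensics
    target: str
    succeeded: bool  # failed attempts alert too: the decoy was still touched

def detect_decoy_use(log_text: str, decoys=DECOY_ACCOUNTS) -> list:
    """Return one Alert per logon event that names a decoy account."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["acct"] not in decoys:
            continue  # unparsable lines and real-user logons are ignored
        alerts.append(Alert(m["ts"], m["acct"], m["src"], m["dst"], m["eid"] == "4624"))
    return alerts

def attacker_sources(alerts) -> dict:
    """Group decoy use by originating host and the targets it reached."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.source, []).append(a.target)
    return by_src
```

Because the rule fires on the decoy name alone, a failed attempt is as actionable as a successful one; in a real deployment the decoy list would be rotated per the Change Management practice on slide 16 so it cannot be fingerprinted.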
