CYBER
D&D
Shut Up Carl!
DENIAL
Prevent the adversary from gaining useful information.
DECEPTION
Influence another to behave in a way that gives the deceiver an advantage, creating a causal relationship between psychological state and physical behaviour.
Denial: prevents the target from gaining information & stimuli
Deception: provides misleading information & stimuli
2D
framework
1st dimension
Relates to information
(fact or fiction)
2nd dimension
Relates to actions
or behaviours
(revealing or concealing)
D&D Techniques
TABLE 1. D&D methods matrix.
Columns: Deception: Mislead (M)-type methods (Revealing) | Denial: Ambiguity (A)-type methods (Concealing)
Rows: deception objects (Facts | Fiction)

Facts
  Revealing: Reveal facts: Nonessential elements of friendly information (NEFI)
  • Reveal true information to the target
  • Reveal true physical entities, events, or processes to the target
  Concealing: Conceal facts (dissimulation): Essential elements of friendly information (EEFI)
  • Conceal true information from the target
  • Conceal true physical entities, events, or processes from the target

Fiction
  Revealing: Reveal fiction (simulation): Essential elements of deception information (EEDI)
  • Reveal false information to the target
  • Reveal false physical entities, events, or processes to the target
  Concealing: Conceal fiction: Nondisclosable deception information (NDDI)
  • Conceal false information from the target
  • Conceal false physical entities, events, or processes from the target
Denial
• Prevent detection of the essential elements of friendly information (EEFI): hide what's real.
• Hide the false information, the nondisclosable deception information (NDDI): protect the D&D plan.
Deception
Appearances can be deceiving
Deception
• Induce misperception using the essential elements of deception information (EEDI): show what's false.
• Show the real information, the nonessential elements of friendly information (NEFI): enhance the D&D cover story.
Better you don’t think about it right now ;)
Deception chain
• Analogous to Lockheed Martin's "cyber kill chain" model.
• Adapted from Barton Whaley's 10-step process for planning, preparing, and executing deception operations.
• Facilitates integration of 3 systems: cyber D&D, cyber intelligence, and security operations.
PHASES OF
DECEPTION CHAIN
Purpose
Helps enterprise managers define the strategic, operational, or tactical goal, i.e., the purpose of the deception and the criteria that would indicate the deception's success.
Collect Intelligence
WHAT will the adversary observe?
HOW might the adversary interpret it?
HOW might the adversary react to it?
HOW to monitor the adversary's behavior?
Collect Intelligence
Source of intelligence: Intrusion Campaign Analysis
A framework that combines all the related information about a particular intrusion into a set of activities.
Collect Intelligence
Source of intelligence: Threat-Sharing Partnerships
Might involve government, private industry, or non-profit organizations.
Design Cover Story
The cover story is what the defender wants the adversary to perceive and believe.
Design Cover Story
The D&D planner
• identifies the critical components of the operation
• assesses the adversary's observation and analysis capabilities
• develops a convincing story that "explains" the operation's components observable to the adversary
BUT
MISLEADS
THE ADVERSARY
Design Cover Story
The D&D planners decide
• What information must be hidden
• What information must be revealed
Planning
Plans to use Denial
tactics and Deception
tactics
Planning
WHY DENIAL TACTICS?
D&D planners analyse characteristics of real events
& activities that must be hidden to support
deception cover story, identify corresponding
signatures that would be observed by adversary,
and plan to use denial tactics to hide signatures
from adversary.
Planning
Denial tactics:
MASKING
REPACKAGING
DAZZLING
RED FLAGGING
Planning
WHY DECEPTION TACTICS?
D&D planners analyse characteristics of notional events
& activities that must be portrayed and observed to
support cover story, identify corresponding signatures
the adversary would observe, and plan to use deception
tactics to mislead the adversary.
Planning
Deception tactics:
MIMIC
INVENT
DECOY
DOUBLE PLAY
Planning
D&D planners turn the matrix cell
information into operational
activities that reveal or conceal the
key information conveying the
cover story.
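One such operational activity, as an added example that is not from the slides or from the MITRE work they summarize: a web front end rewrites its outbound HTTP headers so that a fingerprinting scanner observes the cover story rather than the real stack. Each header is assigned to a matrix cell: real stack signatures are EEFI and are masked, a session-cookie name is repackaged, a mimicked IIS signature is the EEDI that is revealed, a planner-only header is NDDI that must never leak, and everything else is NEFI that stays as-is. The real stack, the cover story, and the header names (including the assumed X-Deception-Profile and X-Decoy-Route planner headers) are constructed for illustration.

```python
"""Turning D&D matrix cells into an operational activity: rewriting the
outbound HTTP headers of a web front end so a fingerprinting scanner sees
the cover story instead of the real stack.

Added example, not from the slides or the MITRE paper. The real stack,
the cover story and the planner-only header names are constructed.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# The four matrix cells, using the slides' labels.
EEFI = "conceal facts (EEFI)"     # true, essential: hide it
NEFI = "reveal facts (NEFI)"      # true, nonessential: may stay
EEDI = "reveal fiction (EEDI)"    # false, essential to the story: show it
NDDI = "conceal fiction (NDDI)"   # false, nondisclosable: never leaks

# Denial, masking: signatures of the real stack the adversary must not see.
REAL_SIGNATURES = {"server", "x-powered-by", "x-generator"}
# Denial, repackaging: a session-cookie name is a signature too.
COOKIE_RENAMES = {"PHPSESSID": "ASP.NET_SessionId"}
# Deception, mimicking: the signatures the cover story shows instead.
COVER_STORY: Dict[str, str] = {"Server": "Microsoft-IIS/10.0",
                               "X-Powered-By": "ASP.NET"}
_COVER_BY_KEY = {k.lower(): v for k, v in COVER_STORY.items()}
# Planner-only metadata (assumed names) that must never reach the wire.
PLANNER_ONLY = {"x-deception-profile", "x-decoy-route"}


def classify(name: str) -> str:
    """Assign an outbound header name to a cell of the D&D methods matrix."""
    key = name.lower()
    if key in PLANNER_ONLY:
        return NDDI
    if key in REAL_SIGNATURES:
        return EEFI
    return NEFI


def apply_cover_story(headers: List[Header]) -> List[Header]:
    """Conceal EEFI and NDDI, keep NEFI, repackage cookie names, add EEDI."""
    out: List[Header] = []
    for name, value in headers:
        if classify(name) in (EEFI, NDDI):
            continue
        if name.lower() == "set-cookie":
            cookie, _, rest = value.partition("=")
            value = f"{COOKIE_RENAMES.get(cookie, cookie)}={rest}"
        out.append((name, value))
    out.extend(COVER_STORY.items())   # revealed fiction, appended last
    return out


def leaks(headers: List[Header]) -> List[str]:
    """Pre-release check: anything in the response that contradicts the
    cover story or exposes the plan. An empty list means the story is clean."""
    found: List[str] = []
    for name, value in headers:
        key = name.lower()
        if key in PLANNER_ONLY:
            found.append(name)
        elif key in REAL_SIGNATURES and _COVER_BY_KEY.get(key) != value:
            found.append(f"{name}: {value}")
        elif key == "set-cookie" and value.partition("=")[0] in COOKIE_RENAMES:
            found.append(value.partition("=")[0])
    return found


# Constructed sample: what the real PHP-on-Apache stack would have sent.
REAL_RESPONSE: List[Header] = [
    ("Date", "Wed, 01 May 2024 10:00:00 GMT"),
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Set-Cookie", "PHPSESSID=3f9c1a; Path=/; HttpOnly"),
    ("X-Deception-Profile", "iis-mimic-v2"),
    ("Content-Type", "text/html; charset=UTF-8"),
]


def demo() -> List[Header]:
    """Rewrite the sample response and refuse to ship it if anything leaks."""
    rewritten = apply_cover_story(REAL_RESPONSE)
    assert not leaks(rewritten), leaks(rewritten)
    return rewritten


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```

The leaks() check is the part a planner actually needs: it runs against the rewritten response, not the original, and fails if a real signature, the planner header, or the old cookie name survived. Headers are only one observation channel, though. TLS stack behaviour, error pages, header order, and the format of the cookie value all carry signatures of their own, and the cover story has to be consistent across every channel the Collect Intelligence stage identified as observable by the adversary.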
Preparation
D&D planners design the desired effect of the deception operation and explore the available means and resources to create that effect on the adversary.
They then coordinate with security operations on the timing for developing the notional and real equipment, staffing, training, and other preparations that support the deception cover story.
Execute
Once the deception and real operational preparations can be synchronized and supported, D&D planners and security operations coordinate and control all relevant preparations to execute the deception cover story.
Monitor
D&D planners monitor
• both friendly and adversary operational preparations
• the observation channels and sources selected to convey the deception to the adversary
• the adversary's reaction to the "performance," i.e., the cover story execution
Reinforce
At times, the D&D planners may need to reinforce the cover story through additional deceptions, or to convey the deception operation to the adversary through other channels or sources.
The planners may have to revisit the first phase of the deception chain, execute a backup deception, or plan another operation.
MALICIOUS ACTORS FOLLOW A COMMON MODEL OF BEHAVIOR TO
COMPROMISE VALUABLE INFORMATION IN A TARGET NETWORK.
CYBER KILL CHAIN
Attackers generally employ a
cyber attack strategy, divided into
the six phases described below,
called the cyber kill chain or kill
chain.
CYBER KILL CHAIN
Recon
Weaponize
Exploit
Control
Execute
Maintain
CYBER KILL CHAIN &
DECEPTION CHAIN
• Unlike cyber kill chain, deception chain is not
always linear
• Progression through the phases can be
recursive or disjoint
• The deception chain is also applicable at each
phase of the cyber kill chain
CYBER D&D MATURITY MODEL
Provides a blueprint that organizations
can use to assess, measure, and increase
maturity of their current cyber D&D
operations and develop specific cyber
D&D innovations
CYBER D&D MATURITY MODEL
• Must function in concert with the organization's overall defensive operations and must support cyber defense
• Represents the overall approach to managing cyber D&D capabilities and operations, from the perspective of capability as well as that of operations and services
Spiral D&D Life-Cycle Management Process (figure): successive iterations (Prototype 1, Prototype 2, Prototype 3) spiral outward through four phases, increasing the maturity of cyber D&D people, processes, and techniques.
• Plan: establish D&D goals; training curricula; cyber D&D TTTPs; best practices and standards; cyber D&D metrics. (Revise the plan for the next iteration.)
• Implement: tools; threat data; shared repositories; metrics databases.
• Deploy and execute: fine-tune deployments; monitor observables; collect field reports; collect metrics.
• Post-deployment analysis: outcome analysis; D&D improvements; feedback to planning.
Spiral D&D Life-Cycle Management Process
Helps an organization
assess risks &
effectiveness with each
iteration of the spiral
while promoting agile
and rapid prototyping
as well as tuning of
D&D techniques and
services based on
observed outcomes
Spiral D&D Life-Cycle Management Process
Incorporate cyber D&D into active cyber defense by establishing clear and achievable program goals.
The planning phase should include
• establishing D&D program goals
• developing
  • training curricula
  • cyber D&D TTTPs
  • cyber D&D best practices and standards
  • cyber D&D metrics
Spiral D&D Life-Cycle Management Process
• In the implementation phase, the organization will start to plan based
on the goals and actions from the previous phase. The plan must address
both the “what” and the “how.”
• The organization must then deploy and execute cyber D&D TTTPs, services, and supporting processes in a target environment such as a honeynet or honeypot, the real cyber infrastructure, or some combination
• At each iteration, the organization must evaluate the risks and
effectiveness of the current prototype
Spiral D&D Life-Cycle Management Process
• Post-deployment analysis, the last phase in the spiral, has 3 essential elements:
  • Outcome analysis
  • Process improvements
  • Feedback
• Outcome analysis centers on the overall outcome of the current spiral, addressing questions such as:
  › How effective were the cyber D&D techniques developed and operationally deployed?
  › What were the successes and failures?
  › How well did the organization manage the total life-cycle costs within the spiral?
To answer these questions…
• The organization must analyse metrics data and field reports, using the results to formulate specific D&D improvements in processes, services, and technologies.
• Requires careful attention to managing change for all of
the D&D elements.
Finishing Touches…
Research & Technology Challenges
Purpose & Collect Intelligence Stages
• Models for strategic D&D objectives can be built
from both offensive and defensive perspectives
• Game-theory models could help analyse moves and
countermoves to produce promising TTTPs for cyber
D&D.
Research & Technology Challenges
Cover Story Stage
• It is important to create believable deception material to attract the adversary's interest
• Network- and host-based deception material such as honeypots, crafted documents, and email is referred to as honeytokens (strictly, honeypots and honeynets are the decoy systems, and honeytokens are the decoy data items: documents, credentials, email)
Research & Technology Challenges
Plan Stage
• What moves has the adversary made?
• To what extent do these moves signal the adversary’s
intentions?
• Which baits have worked well, or not?
• What is the adversary’s sphere of interest?
Research & Technology Challenges
Preparing & Executing Stage
• can be made more scalable and efficient by leveraging
existing tools and training materials.
• A standalone “honeypot in a box” product might be
developed to adapt to an organization’s network structure
with a truncated setup time.
• Novel ways of training personnel in cyber D&D technology
are also important, such as simulated intrusions and
response
Research & Technology Challenges
Monitoring Stage
• Tracking honeytoken files is helpful in the monitoring
stage, and can involve watermarking to alert defenders
to an intruder
Research & Technology Challenges
Reinforce Stage
• Technical and operational metrics are needed to continuously
improve cyber D&D operations
• These measure the precision and believability of honeytokens in
that they attract the intended target and are readily mistaken as
real.
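The Monitoring-stage point (tracking honeytokens with a watermark) and the Reinforce-stage point (metrics on which baits attract the intended target) are served by one added example below; it is not code from the slides or from the MITRE work they summarize. Each credential-shaped bait carries an HMAC tag over its label and nonce, so a hit in a log line is self-verifying: the SOC can tell a real bait from a guessed-format look-alike without a lookup table, and can see which bait was touched. The scan then produces the per-bait hit counts the Plan-stage question "which baits have worked well, or not?" needs, and separates hits from an allowlisted internal scanner from adversary hits. The token format, the watermark key, the three deployed baits, the allowlist, and the log lines are all constructed.

```python
"""Honeytoken tracking with a watermark, and the bait metrics the
Reinforce stage asks for.

Added example, not from the slides or the MITRE paper. The token format,
the key, the deployed baits and the log lines are all constructed.
"""
import hashlib
import hmac
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumption: the watermark key is part of the D&D plan (NDDI). It lives
# only on the detection side; the deployed tokens never reveal it.
WATERMARK_KEY = b"constructed-example-key-do-not-reuse"

# Credential-shaped bait: svc_<bait label>_<nonce>_<8-hex-char HMAC tag>
TOKEN_RE = re.compile(r"\bsvc_([a-z]+)_([0-9a-f]{8})_([0-9a-f]{8})\b")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def watermark(label: str, nonce: str) -> str:
    """Keyed tag binding label and nonce, so a hit is self-verifying."""
    mac = hmac.new(WATERMARK_KEY, f"{label}:{nonce}".encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def mint_token(label: str, nonce: str) -> str:
    return f"svc_{label}_{nonce}_{watermark(label, nonce)}"


def verify_token(token: str) -> Optional[str]:
    """Return the bait label if the watermark checks out, else None."""
    m = TOKEN_RE.fullmatch(token)
    if not m:
        return None
    label, nonce, tag = m.groups()
    return label if hmac.compare_digest(tag, watermark(label, nonce)) else None


def scan_logs(lines: List[str]) -> Dict[str, object]:
    """One alert per verified honeytoken use; count look-alikes separately.
    A look-alike (right shape, wrong tag) means someone learned the format
    without holding a real bait, which is worth knowing in its own right."""
    alerts, unverified = [], 0
    for line_no, line in enumerate(lines):
        for m in TOKEN_RE.finditer(line):
            label = verify_token(m.group(0))
            if label is None:
                unverified += 1
                continue
            src = SRC_RE.search(line)
            alerts.append({"label": label,
                           "src": src.group(1) if src else "?",
                           "line": line_no})
    return {"alerts": alerts, "unverified": unverified}


def bait_metrics(scan: Dict[str, object], deployed: Dict[str, str],
                 allowlist: set) -> Dict[str, object]:
    """Which baits attracted an adversary, and how much friendly noise."""
    adversary = [a for a in scan["alerts"] if a["src"] not in allowlist]
    hits = Counter(a["label"] for a in adversary)
    return {
        "deployed": len(deployed),
        "touched": sum(1 for label in deployed if hits[label]),
        "hits_by_bait": dict(hits),
        "friendly_hits": len(scan["alerts"]) - len(adversary),
        "unverified": scan["unverified"],
    }


# Constructed deployment: three baits planted in config files and notes.
DEPLOYED = {label: mint_token(label, nonce) for label, nonce in
            [("backup", "a1b2c3d4"), ("ci", "0badf00d"), ("finance", "feedbeef")]}
# Constructed allowlist: an internal scanner that legitimately reads bait files.
ALLOWLIST = {"10.0.0.20"}
# Constructed log lines in a simple key=value shape.
SAMPLE_LOGS = [
    f"2024-05-01T10:00:01Z sshd: failed login user={DEPLOYED['backup']} src=198.51.100.7",
    f"2024-05-01T10:00:09Z sshd: failed login user={DEPLOYED['backup']} src=198.51.100.7",
    "2024-05-01T10:01:00Z sshd: accepted login user=alice src=10.0.0.8",
    f"2024-05-01T10:02:30Z api: token rejected user={DEPLOYED['ci']} src=10.0.0.20",
    "2024-05-01T10:03:12Z api: token rejected user=svc_backup_a1b2c3d4_00000000 src=203.0.113.9",
]


def demo() -> Dict[str, object]:
    return bait_metrics(scan_logs(SAMPLE_LOGS), DEPLOYED, ALLOWLIST)


if __name__ == "__main__":
    print(demo())
```

On the sample logs this reports three baits deployed, one touched by an adversary (backup, twice from 198.51.100.7), one friendly hit (the ci bait read by the allowlisted scanner), and one look-alike that failed verification. The "readily mistaken as real" criterion is the caveat: an svc_ style account name is only believable where such service accounts are the norm, so the bait shape, like the cover story, has to be chosen from what the adversary will actually observe in that environment.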
Conclusion
Cyber D&D should be part of the national cyber
strategy…
The national center of gravity program must
facilitate a strategic “working group” to begin
developing national cyber D&D plans, formulate US
government policies, create programs, and establish
goals and objectives within the strategy.
Cyber D&D

More Related Content

What's hot

Agile project management and normative
Agile project management and normativeAgile project management and normative
Agile project management and normative
Glen Alleman
 
Introduction to Open FAIR
Introduction to Open FAIRIntroduction to Open FAIR
Introduction to Open FAIR
"Apolonio \"Apps\"" Garcia
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best Practice
Digicomp Academy AG
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the Vulnerabilities
Roger Johnston
 
Risk analysis
Risk analysis Risk analysis
Risk analysis
Samuel Gher
 
Notional cam interview questions (update)
Notional cam interview questions (update)Notional cam interview questions (update)
Notional cam interview questions (update)
Glen Alleman
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and Remediation
Carahsoft
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24
 
Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015
Association for Project Management
 
Root causes
Root causesRoot causes
Root causes
Glen Alleman
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk Assessments
JoAnna Cheshire
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
Marcin Ludwiszewski
 
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk AnalysisAdopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Ricardo Viana Vargas
 
Workshop project risk management (29 june 2012)
Workshop   project risk management (29 june 2012)Workshop   project risk management (29 june 2012)
Workshop project risk management (29 june 2012)
bfriday
 
Dit yvol4iss50
Dit yvol4iss50Dit yvol4iss50
Dit yvol4iss50
Rick Lemieux
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)
Enterprising Non-Profits
 

What's hot (16)

Agile project management and normative
Agile project management and normativeAgile project management and normative
Agile project management and normative
 
Introduction to Open FAIR
Introduction to Open FAIRIntroduction to Open FAIR
Introduction to Open FAIR
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best Practice
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the Vulnerabilities
 
Risk analysis
Risk analysis Risk analysis
Risk analysis
 
Notional cam interview questions (update)
Notional cam interview questions (update)Notional cam interview questions (update)
Notional cam interview questions (update)
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and Remediation
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
 
Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015
 
Root causes
Root causesRoot causes
Root causes
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk Assessments
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
 
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk AnalysisAdopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
 
Workshop project risk management (29 june 2012)
Workshop   project risk management (29 june 2012)Workshop   project risk management (29 june 2012)
Workshop project risk management (29 june 2012)
 
Dit yvol4iss50
Dit yvol4iss50Dit yvol4iss50
Dit yvol4iss50
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)
 

Similar to Cyber D&D

5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan
Resilient Systems
 
Introduction to data science
Introduction to data scienceIntroduction to data science
Introduction to data science
Spartan60
 
Assignment You will conduct a systems analysis project by .docx
Assignment  You will conduct a systems analysis project by .docxAssignment  You will conduct a systems analysis project by .docx
Assignment You will conduct a systems analysis project by .docx
festockton
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response Function
Resilient Systems
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
Vijayananda Mohire
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
RSAArcher
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
April Mardock CISSP
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
CompTIA
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Saqib Raza
 
SY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation KitSY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation Kit
bronxfugly43
 
Threat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsThreat intelligence life cycle steps by steps
Threat intelligence life cycle steps by steps
JayeshGadhave1
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
robbiesamuel
 
Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring Security
Chris Mullins
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
7. using planning & decision aids
7. using planning & decision aids 7. using planning & decision aids
7. using planning & decision aids
Sudhir Upadhyay
 

Similar to Cyber D&D (20)

5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan
 
Introduction to data science
Introduction to data scienceIntroduction to data science
Introduction to data science
 
Assignment You will conduct a systems analysis project by .docx
Assignment  You will conduct a systems analysis project by .docxAssignment  You will conduct a systems analysis project by .docx
Assignment You will conduct a systems analysis project by .docx
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response Function
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
SY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation KitSY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation Kit
 
Threat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsThreat intelligence life cycle steps by steps
Threat intelligence life cycle steps by steps
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring Security
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
7. using planning & decision aids
7. using planning & decision aids 7. using planning & decision aids
7. using planning & decision aids
 

Recently uploaded

cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 

Recently uploaded (12)

cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 

Cyber D&D

Deception chain
• Analogous to Lockheed Martin's "cyber kill chain" model.
• Deception chain adapted from Barton Whaley's 10-step process for:
  • Planning
  • Preparation
  • Executing deception operations
• Facilitates integration of 3 systems:
  • Cyber D&D
  • Cyber intelligence
  • Security operations
Purpose
Helps enterprise managers define the strategic, operational, or tactical goal, i.e., the purpose of the deception and the criteria that would indicate the deception's success.
Collect Intelligence
• WHAT will the adversary observe?
• HOW might the adversary interpret it? How might the adversary react to it? How can the defender monitor the adversary's behaviour?
• Source of intelligence: Intrusion Campaign Analysis, a framework that combines all the related information about a particular intrusion into a set of activities.
• Source of intelligence: Threat-Sharing Partnerships, which might involve government, private industry, or non-profit organizations.
Design Cover Story
• The cover story is what the defender wants the adversary to perceive and believe.
• The D&D planner considers the critical components of the operation, assesses the adversary's observation and analysis capabilities, and develops a convincing story that "explains" the operation's components observable to the adversary.
• The D&D planners decide what information must be hidden and what information must be revealed.
Planning
• Plans to use denial tactics and deception tactics.
• WHY DENIAL TACTICS? D&D planners analyse the characteristics of real events and activities that must be hidden to support the deception cover story, identify the corresponding signatures that the adversary would observe, and plan to use denial tactics to hide those signatures from the adversary.
• WHY DECEPTION TACTICS? D&D planners analyse the characteristics of notional events and activities that must be portrayed and observed to support the cover story, identify the corresponding signatures the adversary would observe, and plan to use deception tactics to mislead the adversary.
• D&D planners turn the matrix cell information into operational activities that reveal or conceal the key information conveying the cover story.
Preparation
• D&D planners design the desired effect of the deception operation and explore the available means and resources to create that effect on the adversary.
• They then coordinate with security operations on the timing for developing the notional and real equipment, staffing, training, and other preparations to support the deception cover story.

Execute
• If the deception and real operational preparations can be synchronized and supported, then D&D planners and security operations must coordinate and control all relevant preparations to execute the deception cover story.

Monitor
Monitors:
• Both friendly and adversary operational preparations
• The observation channels and sources selected to convey the deception to the adversary, watched carefully
• The adversary's reaction to the "performance," i.e., the cover story execution

Reinforce
• At times, the D&D planners may need to reinforce the cover story through additional deceptions, or to convey the deception operation to the adversary through other channels or sources.
• The planners may have to revisit the first phase of the deception chain, execute a backup deception, or plan another operation.
MALICIOUS ACTORS FOLLOW A COMMON MODEL OF BEHAVIOR TO COMPROMISE VALUABLE INFORMATION IN A TARGET NETWORK.

CYBER KILL CHAIN
Attackers generally employ a cyber attack strategy, divided into the six phases described below, called the cyber kill chain or kill chain.

CYBER KILL CHAIN & DECEPTION CHAIN
• Unlike the cyber kill chain, the deception chain is not always linear
• Progression through the phases can be recursive or disjoint
• The deception chain is also applicable at each phase of the cyber kill chain

CYBER D&D MATURITY MODEL
• Provides a blueprint that organizations can use to assess, measure, and increase the maturity of their current cyber D&D operations and to develop specific cyber D&D innovations
• Must function in concert with the organization's overall defensive operations and must support cyber defense
• Represents the overall approach to managing cyber D&D capabilities and operations from the perspectives of capability and of operations and services
[Figure: Spiral D&D Life-Cycle Management Process. Phases around the spiral: Plan (establish D&D goals; training curricula; cyber D&D TTTPs; best practices and standards; cyber D&D metrics); Implement (tools; threat data; shared repositories; metrics databases); Deploy and execute (Prototype 1, Prototype 2, Prototype 3; fine-tune deployments; monitor observables; collect field reports; collect metrics); Post-deployment analysis (outcome analysis; D&D improvements; feedback to planning); Revise plan for next iteration. Each loop increases the maturity of cyber D&D people, processes, and techniques.]
Spiral D&D Life-Cycle Management Process
• Helps an organization assess risks and effectiveness with each iteration of the spiral, while promoting agile and rapid prototyping as well as tuning of D&D techniques and services based on observed outcomes.
• Incorporates cyber D&D into active cyber defense by establishing clear and achievable program goals.
• The planning phase should include establishing D&D program goals and developing training curricula, cyber D&D TTTPs, cyber D&D best practices and standards, and cyber D&D metrics.
• In the implementation phase, the organization will start to plan based on the goals and actions from the previous phase. The plan must address both the "what" and the "how."
• The organization must deploy and execute cyber D&D TTTPs, services, and supporting processes in a target environment such as a honeynetwork or a honeypot, the real cyber infrastructure, or some combination.
• At each iteration, the organization must evaluate the risks and effectiveness of the current prototype.
• Post-deployment analysis, the last phase in the spiral, has 3 essential elements: outcome analysis, process improvements, and feedback.
• Outcome analysis centers on the overall outcome of the current spiral, addressing questions such as:
  › How effective were the cyber D&D techniques developed and operationally deployed?
  › What were the successes and failures?
  › How well did the organization manage the total life-cycle costs within the spiral?
• To answer these questions, the organization must analyse metrics data and field reports, using the results to formulate specific D&D improvements in processes, services, and technologies. This requires careful attention to managing change for all of the D&D elements.
Research & Technology Challenges

Purpose & Collect Intelligence stages
• Models for strategic D&D objectives can be built from both offensive and defensive perspectives.
• Game-theory models could help analyse moves and countermoves to produce promising TTTPs for cyber D&D.

Cover Story stage
• It is important to create believable deception material to attract the adversary's interest.
• Network and host-based deception material such as honeypots, crafted documents, and email are referred to as honeytokens.

Plan stage
• What moves has the adversary made?
• To what extent do these moves signal the adversary's intentions?
• Which baits have worked well, or not?
• What is the adversary's sphere of interest?

Preparing & Executing stage
• Can be made more scalable and efficient by leveraging existing tools and training materials.
• A standalone "honeypot in a box" product might be developed to adapt to an organization's network structure with a truncated setup time.
• Novel ways of training personnel in cyber D&D technology are also important, such as simulated intrusions and response.

Monitoring stage
• Tracking honeytoken files is helpful in the monitoring stage, and can involve watermarking to alert defenders to an intruder.
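An added example of what "watermarking" a honeytoken file and tracking it can look like in practice; this is illustration code written for this page, not material from the slides. Each planted decoy gets a keyed watermark (an HMAC over a label that records where the decoy was planted), the watermark is embedded in a URL inside the decoy document, and a monitor matches any fetch of that URL in a web access log back to the decoy that was touched. The key, hostnames, decoy labels and log lines are all constructed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed key for the example; a real deployment keeps it out of the
# decoys themselves so that a found token does not reveal how to forge others.
WATERMARK_KEY = b"example-key-do-not-reuse"
WATERMARK_LEN = 16  # hex characters kept from the HMAC tag


def watermark(label: str, key: bytes = WATERMARK_KEY) -> str:
    """Derive a per-decoy watermark as a truncated HMAC over the decoy label.

    Keyed, so an intruder who finds one token cannot fabricate marks that
    look registered, and the mark alone says nothing about where it was planted.
    """
    tag = hmac.new(key, label.encode(), hashlib.sha256).hexdigest()
    return tag[:WATERMARK_LEN]


def mint_honeytoken(label: str, host: str = "intranet.example") -> Tuple[str, str]:
    """Return (watermark, decoy document text).

    The decoy is styled as a stray backup config; the watermark rides in a URL
    that anyone reading the file is likely to fetch.  All values are constructed.
    """
    mark = watermark(label)
    doc = (
        "# backup settings (legacy)\n"
        f"BACKUP_URL=https://{host}/share/{mark}/backup.tar.gz\n"
        "BACKUP_USER=svc_backup\n"
        "BACKUP_PASS=changeme\n"
    )
    return mark, doc


# Common log format: client - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
MARK_RE = re.compile(r"/share/([0-9a-f]{16})/")


@dataclass(frozen=True)
class Alert:
    when: str
    source: str
    decoy: str   # label of the decoy that was touched, or "UNREGISTERED"
    path: str


def plant_decoys(labels: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Mint one honeytoken per label; return (watermark -> label, label -> document)."""
    registry: Dict[str, str] = {}
    docs: Dict[str, str] = {}
    for label in labels:
        mark, doc = mint_honeytoken(label)
        registry[mark] = label
        docs[label] = doc
    return registry, docs


def scan_access_log(lines: Iterable[str], registry: Dict[str, str]) -> List[Alert]:
    """Raise an alert for every request carrying a watermark.

    A mark that is not in the registry is still reported (as UNREGISTERED):
    nobody should be guessing watermark paths, so that is worth a look too.
    """
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        w = MARK_RE.search(m["path"])
        if not w:
            continue
        alerts.append(Alert(m["ts"], m["src"], registry.get(w.group(1), "UNREGISTERED"), m["path"]))
    return alerts


# Constructed scenario: two decoys planted, one of them fetched from an
# internal host, plus one fetch of a mark that was never issued.
SAMPLE_LABELS = ["fileserver01:/srv/finance/old/backup.conf", "wiki:/ops/runbooks/backup.md"]


def demo() -> List[Alert]:
    registry, _docs = plant_decoys(SAMPLE_LABELS)
    mark1 = watermark(SAMPLE_LABELS[0])
    log = [
        f'10.0.0.23 - - [12/Mar/2024:03:14:07 +0000] "GET /share/{mark1}/backup.tar.gz HTTP/1.1" 404 0',
        '10.0.0.5 - - [12/Mar/2024:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 512',
        '10.0.0.23 - - [12/Mar/2024:03:15:00 +0000] "GET /share/0123456789abcdef/backup.tar.gz HTTP/1.1" 404 0',
    ]
    return scan_access_log(log, registry)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.when} {a.source} touched decoy {a.decoy!r} via {a.path}")
```

The label recorded for a hit tells the defender which decoy, and therefore which host and directory, the intruder reached, which is the piece of information the monitoring stage needs to feed back into the reinforce stage.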
Reinforce stage
• Technical and operational metrics are needed to continuously improve cyber D&D operations.
• These measure the precision and believability of honeytokens: whether they attract the intended target and are readily mistaken as real.

Conclusion
Cyber D&D should be part of the national cyber strategy... The national center of gravity program must facilitate a strategic "working group" to begin developing national cyber D&D plans, formulate US government policies, create programs, and establish goals and objectives within the strategy.