DECEPTION TECHNOLOGIES
Raj Gopalakrishna
Co-founder & Chief Product Architect
Acalvio Technologies
Copyright Acalvio Technologies
Brief History of Deception
Deception Types
Under the Hood
Some Use Cases
Touch Points
Deception over the years
• Millions of years in the natural world, for survival and aggression
• Millions of years in bacteria and viruses, to thrive
• Thousands of years in warfare and the military, to attack or defend
• Decades in cyber warfare
• Attackers use deception
  • Phishing, spoofing, encryption
• Defenders should use deception
  • Honeypots, cryptographic camouflage
• The French election used it recently
[Images: Owl Butterfly for Survival; Transmitter; Passion Fruit Leaf with spots]
UNDER THE HOOD
Breadcrumbs: Extend Deceptions to Production Devices
Many flavors and forms:
1. Registry entries
2. Files & folders
3. Memory hashes
4. User profiles
5. Browser cookies
A few challenges:
1. Need deployment automation and intelligence
2. Avoid accidental alerts by users
Deception anywhere or everywhere
Lures: Another Powerful Arrow in the Quiver
Deliberately placed:
1. Vulnerabilities in OS, applications, protocols
2. Weak configurations and permissions
3. Powerful fake service accounts
4. Shares
5. Interesting data
Make deceptions more attractive
Decoy Types
Low Interaction Deceptions
• Attacker typically cannot log in
• Emulated hosts, applications, database servers
High Interaction Deceptions
• Attacker can log in: full interaction
• Real VM hosts, applications, database servers, shares
Low Interaction Deceptions
✓ Deploy OS, network services or applications
✓ Lots of deceptions possible
✓ Low IT cost
✓ Low risk to enterprise networks
✓ Dynamic: easy to morph on the fly
✓ Need not be emulations!
× Cannot engage with the attacker
× If emulated, then easy to fingerprint the deceptions
Key challenge: odds of the attacker identifying the deceptions
High Interaction Deceptions
✓ Deploy real OS, services, applications
✓ Deceptions are not fingerprintable
✓ Possible to engage with the attacker
× Only a few deceptions
× High cost of licensing and maintaining
× Need containment to reduce risk
× Static: pre-built, unable to morph quickly
× Often used with breadcrumbs to lead the attacker to decoys, but then the attacker needs to find the breadcrumbs first
Key challenge: odds of the attacker/malware running into the few deceptions
Often we need both: scale and depth (believable deceptions)
Static vs Dynamic Deceptions
Static deceptions
• Hardly change
• Easy to fingerprint and avoid
Dynamic deceptions
• Always changing
• Hard to predict or identify
[Images: Mimic Octopus, which mimics up to 15 creatures; Active Camouflage, counter-illumination by squids; Honey Ants]
Intelligence Component
Human only
• Expert decides the type and number of deceptions to deploy
• Manually/automatically configures traps at time T0
Key challenges:
• What happens at time T1 or T10?
• How many experts can a company send to the front line for 24x7x365?
Human + AI based = the future
• System recommends the type, number, placement and duration of deceptions
• System responds to:
  • Events and incidents
  • Adversary behavior
  • When you are sleeping
Some Major Challenges in Cyber Security
• Compromise detection: identifying malicious intent
• Alerts deluge: too many false positives
Deception technology can help in all of the above
Internal Facing vs External Facing Deceptions
Internal facing
• Good for enterprises
• A new layer of defense
• Acts like a motion detector inside enterprises
  • Corporate network
  • Data centers
• Detects attackers who have gone past the perimeter defenses
• Few, high-fidelity alerts raised
• Can optionally engage and respond
External facing
• Great for security researchers
• Typically deployed on the Internet or in the DMZ
• Lots of alerts per hour/day, as there are lots of malicious attackers and bots on the Internet
• Often used to demo deception technologies
Detecting Ransomware: Current Approaches
AV and sandbox approach
• Look for known signatures
• Look for known C&C
✓ Low false positives
× High false negatives
Data science approach
• Look for anomalous behavior
  • High file I/O
  • Lots of different files accessed
  • Lots of crypto
× Anomaly ≠ threat
× High false positives
Detecting Ransomware Using Deceptions
• Leverages decoys, breadcrumbs and lures
• Set specific traps in specific locations
• Monitor only activity against decoys, breadcrumbs and lures
Auto-detects and confirms ransomware
Very efficient and accurate
Always high-fidelity signals, zero false positives
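As an added example (not Acalvio's code) of the "monitor only activity against decoys" approach on this slide, run beside the file-I/O anomaly approach of the previous slide, assuming a host agent that reports (process, op, path) file events; the decoy paths, process names and benign-process allowlist are constructed for the example:

```python
"""Decoy-file ransomware detection over a constructed file-event log."""
from collections import Counter

# Constructed: decoy files planted among real documents (the breadcrumbs
# and lures of the earlier slides). Paths are made up for the example.
DECOY_PATHS = {
    r"C:\Users\alice\Documents\_archive\Q3_budget.xlsx",
    r"C:\Users\alice\Pictures\.thumbs\IMG_0001.jpg",
}
# Constructed: processes allowed to touch decoys (backup, search indexer),
# so routine activity does not raise the "accidental alerts" the deck warns about.
BENIGN_PROCESSES = {"backup.exe", "SearchIndexer.exe"}
# Operations that alter a decoy's content or identity, as ransomware does.
DESTRUCTIVE_OPS = {"write", "rename", "delete"}


def deception_alerts(events):
    """Alert only on destructive ops against a decoy by a non-benign process.
    Each event is a (process, op, path) tuple; returns the matching events."""
    return [
        (process, op, path)
        for process, op, path in events
        if path in DECOY_PATHS
        and op in DESTRUCTIVE_OPS
        and process not in BENIGN_PROCESSES
    ]


def anomaly_alerts(events, io_threshold=3):
    """Pure anomaly approach: flag any process whose file I/O count exceeds
    a threshold, regardless of which files it touched."""
    io_per_process = Counter(process for process, _, _ in events)
    return sorted(p for p, n in io_per_process.items() if n > io_threshold)


# Constructed sample log: a nightly backup reading everything (including the
# decoys), a user saving a real document, and a process sweeping the tree.
SAMPLE_EVENTS = [
    ("backup.exe", "read", r"C:\Users\alice\Documents\report.docx"),
    ("backup.exe", "read", r"C:\Users\alice\Documents\_archive\Q3_budget.xlsx"),
    ("backup.exe", "read", r"C:\Users\alice\Pictures\holiday.jpg"),
    ("backup.exe", "read", r"C:\Users\alice\Pictures\.thumbs\IMG_0001.jpg"),
    ("winword.exe", "write", r"C:\Users\alice\Documents\report.docx"),
    ("locker.exe", "write", r"C:\Users\alice\Documents\_archive\Q3_budget.xlsx"),
    ("locker.exe", "rename", r"C:\Users\alice\Documents\_archive\Q3_budget.xlsx"),
]

if __name__ == "__main__":
    print("deception alerts:", deception_alerts(SAMPLE_EVENTS))
    print("anomaly alerts:", anomaly_alerts(SAMPLE_EVENTS))
```

On the sample log the anomaly approach flags the backup job (a false positive) and misses the sweeping process, while the decoy monitor raises exactly two alerts, both on the process that modified a decoy.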
Protecting Secrets in Software Is Hard
Examples:
• Crypto keys
• Passwords
• Payment card numbers
THANK YOU
• Raj Gopalakrishna
• raj@Acalvio.com
• Acalvio Technologies Inc
CONTACT ACALVIO IF YOU ARE LOOKING FOR A DECEPTION PRODUCT

Deception Technology: Use Cases & Implementation Approaches
