NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
Transcript of NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
@NTXISSA #NTXISSACSC4
Detecting and Catching the Bad Guys Using Deception
James Muren
Security Evangelist
Illusive Networks
October 4, 2016
What this is not…
• …a rehash of breach news.
• ...or what causes a breach.
• ...numbers, data and figures on breaches.
• ...a rehash on threats to your endpoints or social media profile.
• …not “motherhood” or “apple pie”
NTXISSA Cyber Security Conference – October 7-8, 2016
What this is…
• ...about catching bad guys.
• ...deceiving and frustrating bad guys.
• ...using new and dynamic ways to disrupt attacker operations.
• ...quickly give authorities what they need to prosecute.
• All discussed within the scope of the Deception Paradigm
Current State of Affairs
• Organizations are increasing investments in cybersecurity technologies and controls.
• But they are still getting hacked. Bad guys not caught.
• Existing defenses are overly static - attackers “fingerprint” defenses and bypass
Static defenses...
…worked well at one time
Dynamic attackers…
...are circumventing the line
Current State of Affairs
• The majority of cybersecurity budgets still spent on prevention controls
• This is true despite the diminishing marginal defensive effectiveness of these controls
• May not know if an attacker is in their network
Breach & Control Investment
Assumptions
• Don’t ask what to do “if” a breach has occurred
• Assume a breach has occurred and work towards disproving.
• “Only the paranoid survive”
Assumptions
• Your defenses will likely fail or already have – how would you know?
• Attackers will focus on account access and application “open doors”
• Attackers will move “laterally” through your network and work to accomplish their mission
• You will need a post-breach capability as a last line of defense to augment detection
Defenders Need to Evolve
Cyber Control Investment – But where?
• Minimal capital & operational investment – lowest possible TCO.
• Diversified spend
• Augment people, process
• Augment existing intrusion detection capability
• Operationally light
Risk Management 101
• You can never eliminate all risk
• You can reduce risk to an acceptable level
• Organizations that cannot adequately reduce forego business opportunity
• Prove or convince what you are doing is effective
Deception Program Practices
• Cyber Risk Management – measure investment, effectiveness and justify continued capability investment or expansion.
• Change Management – otherwise attackers can fingerprint.
• Assessment & Red team
• Ecosystem of cyber experts, partners, vendors as program matures
Deception Program Outcomes
• Disrupt the Attacker OODA Loop!
Deception Program Outcomes
• Deceive, Disorient, Confuse, Paralyze Attacker
• Understand what an attacker is looking for – attribution.
• Understand fully and quickly how attacker breached - forensics
• Tactically – Buy your security team/IR/Forensics team time to respond.
Deception Technology – Legacy & Now
• Honeypots
• Honeynets
• Decoys
• Breadcrumbs
• Broken Glass
Deception Technology - Challenges
• In general:
• You need experts to operate, maintain, patch and track bad guys
• Alerting fidelity is only as good as your anti-fingerprinting methodology
• Forensic expertise and effort needs individuals focused on this capability. Not trivial.
• Scalability – Deployment and maintenance
• You leave vulnerable system(s) on your network!!!!
Deception Everywhere™ Technology
• Deception Management System
• Deceptions Everywhere – not just in a few targeted areas
• Ratio of deceptions to real high
• Many deception families
• Scalable
• High fidelity alerting
• Honey everywhere!
Additional Benefits
• Operationally light (Deception ~256 Kbyte)
• Leverages OS level objects and generates deceptions only a hacker would find
• No agent – less attack surface
• Deceptions blend in for attackers and ransomware
• Advanced Sourced Forensics
• Ancestor Tracking
• All in one place
illusive Overview
Architecture
Deception Families
illusive Attacker View™
Environment Pre-Deception
Environment Post-Deception
Credentials
Call to Action
• Consider how a deception program fits into your cyber risk management strategy
• Consider implementing a deception program to add adaptive and effective capabilities
• Consider an ecosystem of experts, partners and technologies as your deception program matures
• Start with low total cost & highly effective deception controls (bang for buck)
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you
Backup Slides