Attivo Confidential. © 2017 Attivo Networks. All rights reserved.
Deception-based Threat Detection: Myths and Realities

Carolyn Crandall Chief Deception Officer, Attivo Networks

Myth 1

100% Security is Achievable.

Reality

• Threats Can and Will Get In.

• Detection as a Security Control is Critical.

Designed for an Ever-changing Threat Landscape: Detection for the Modern Day Attacker

Evolving Attack Surface: Endpoint; Network & Campus; Data Center & Cloud; IOT, ICS, POS & more.

Advanced Methods: Reconnaissance; Credential Theft; Active Directory; Man-in-the-Middle.

Threat actors: Malicious Actor; Insider; 3rd Party.

What’s Lurking in Your Network?

Deception: Better Detection Against Better Attackers. Detection Technology Comparison

Comparison criteria: Slows Down the Attack; Scalable, Operationally Efficient; Substantiated Alerts; Detect Adv. Threats (No Signatures); Detect Known Attacks (Signature Based).

Technologies compared: Firewall/IDS/Proxy/AV; UEBA; Network Anomaly Detection; Deception; Hunt Teams; SIEM.

Limitations noted on the slide (Perception vs. Limitations columns):

• Signature based – misses attacks

• False Positives, Resources, Tuning

• Lacks early attack cycle visibility

• Misses credential theft and reuse

• Expensive, Resources

[Slide graphic: per-technology ratings against each criterion are not captured in the transcript.]


Deception's Role in the Attack Life Cycle

Phases (in order): Initial Compromise; Establish Foothold; Escalate Privileges; Internal Recon; Move Laterally; Maintain Presence; Complete Mission.

Attacker methods called out on the slide, by phase:

• Initial Compromise / Establish Foothold: social engineering; external compromise; custom malware; C2; app exploitation

• Escalate Privileges: credential theft; password cracking; "pass-the-hash"

• Internal Recon: critical system recon; system, AD & user enumeration

• Move Laterally: net use commands; reverse shell access

• Maintain Presence: backdoor variants; VPN subversion; sleeper malware

• Complete Mission: staging servers; data consolidation; data theft

[Slide graphic: "Deception Detections" markers show where along the life cycle deception detects the attacker.]

Myth 2

Isn’t Deception Just a Honeypot?

Reality

Only if you believe a horse and buggy and a Tesla Model S are the same.

Why Honeypots are Not the Same as Deception

Honeypots: Outside the Network; Emulated; Low Interaction; Designed for BOTs and Brute Force Attackers; Research.

Deception: Inside the Network; Real OS, Services; Network, Credential; IR Automation; Analysis/Forensics; Operations/Scalability; Ransomware; Designed for the Human Attacker.

Deception-based Detection for an Evolving Threat Landscape: the Entire Network Becomes a Trap for All Threat Types and Attack Surfaces

Deception layers:

• Operating System

• Network Services

• Active Directory

• Application and Data

Deployed from a Deception Server across: Data Center; User Network; SCADA/IOT/POS; Cloud and Remote Networks; plus Active Directory Deception Objects.

Attack activity detected (numbered on the slide): 1 Lateral Movement; 2 Credential Theft; 3 Active Directory Recon; 4 Ransomware.

Deception for Closing the Detection Deficit, and to Change the Asymmetry and Slow Down Attacks

Challenges | Deception Technology to Close the Gap

Credential Theft | Detect Endpoint & Domain Credential Theft; Attack Path Visibility

Lateral Movement Threat Detection | In-network: Recon, Credential Harvest; Slowing of Attack

Ransomware | Detection, Analysis, Interaction to Slow Attack

Evolving Attack Surface | User Networks, Datacenters, Specialized (SCADA, IoT, POS, SWIFT, Telecom, Router Decoys), Cloud (AWS, Azure, OpenStack)

Skills Shortage and Ability to Respond to Incident | Easy to Deploy and Operationalize; Automated Attack Analysis and Incident Response

Compliance, Breach Investigation, M&A Visibility | Compliance and Forensics; Pen Test, Evaluate Latent Threats

Closes the Detection Gap with Accurate Detection and Threat Visibility

Myth 3

All Deception is Created Equal

Reality

Solutions vary widely. Deception for Detection vs. an Active Defense.

Not All Deception Technology Provides an Active Defense

Criterion | Enterprise Grade | Limited Functionality

Authenticity | Real OS, Apps, high interaction, Dynamic | Low interaction, emulated, static

Evolving Attack Surface | Network, DC, Cloud, Specialty IOT, ICS, POS, more | Limited environments

Ease to Operationalize | Not inline; Agentless | Inline, reliant on agents

Attack Threat and Malware Analysis | Full sandbox and forensic reporting | Limited forensics and analysis

Simplifies Incident Response | Integrations for automated blocking, quarantine, hunting | No or limited automation

Attack Simulation & Threat Assessment | Attack path and replay visual maps, simulators | Partial assessment tools

Depth of Deception | Network, EP, Application, Data | Only Network or EP

Built for the anticipating attacker | Relies on the element of surprise

Deception Must Be Authentic: Credential Authenticity

Genuine Credentials: [email protected] / Asia-pacific.sales.acme.com

Deceptive Credentials: [email protected] / us.sales.acme.com

Deception Campaigns for Scalability and Authenticity: Machine Learning for On-Demand Ability to Change the Game Board on Attackers

Deploy Dynamic Deception Campaigns based on Machine Learning

Network Profiling & Assessment across IOT/SCADA, Data Center/Cloud and User Networks; learns suspicious behavior.

Inputs: Network Discovery; SIEM Feeds; Security Partner Feeds.

Deployment modes: 1 Manual; 2 Auto-Propose; 3 Auto-Deploy.

Deception for Automated Attack Analysis: Threat Intelligence and Attacker Engagement

[Slide diagram] Decoys across User VLAN 1 through VLAN n. Operating Systems: Windows (Win 7, Win XP, Win 8, Win 10). Services: SMB, Web servers, File servers, AD. Labels: SINKHOLE; C&C.

Multi-Dimensional Forensics Capabilities for Faster Remediation and Hunting

Data Collection and Analysis:

• Capture forensic artifacts

• Capture and analyze attacker memory

• Assemble and report full TTP

• Polymorphic attack tracking and signatures

• Counterintelligence with Honeydocs

• Data Loss Tracking (DLT)

Data Sharing and Actioning:

• SIEM integration and attacker behavior analysis

• 3rd Party integrations with automated response

Repeatable Processes:

• Repeatable playbooks based on the company's security infrastructure and policies

Myth 4

It’s a “nice to have,” not a “need to have.”

Reality

Deception is customer proven for early and accurate threat detection.

Deception for Insider Threat Detection

Customer Value: The customer was able to monitor for insider threats and collect the necessary evidence to support legal action.

Concern, Overview, Outcome:

• The customer was concerned about internal risks to the network and sensitive client information.

• After installing the BOTsink solution, security saw SMB share connections to multiple endpoints followed by recon scans.

• A network administrator with credentials had infected endpoints as zombies to scan the network.

• Only the BOTsink solution efficiently and accurately detected the recon activity.

• The network administrator was terminated by the customer and legal action is pending.

Deception for Mergers & Acquisitions: Security Concerns

Customer Value: The organization assessed the security readiness of the acquired networks and resolved issues before connecting them to the corporate network.

Concern, Overview, Outcome:

• The organization wanted visibility into the networks of recently acquired companies.

• Mitigation of risk associated with acquired companies having insufficient security controls and being targeted at announcement.

• They deployed the BOTsink and ThreatStrike solutions to the subsidiary networks for visibility, and a central manager in the cloud for reporting and alerting.

• They were able to assess the network security infrastructure remotely.

• Validated visibility by running Red Team tests in the acquired networks.

Deception for Network Resiliency Validation

Customer Value: The customer successfully validated their security infrastructure resiliency for annual compliance requirements.

Concern, Overview, Outcome:

• Validate that their network resiliency achieved annual security compliance requirements.

• The team had failed multiple penetration tests because of their inability to detect advanced, in-network threats.

• The customer installed the BOTsink solution for the pen test.

• The pen tester compromised an endpoint, stole deceptive credentials, and engaged with a BOTsink solution decoy, thinking it was a real system.

• The BOTsink solution immediately detected when the pen tester used the stolen credentials during the penetration test.

• The InfoSec team was able to track and record their every move.
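The detection illustrated by this pen test, and by the Credential Authenticity slide earlier, is that a planted decoy credential has no legitimate user, so any logon with it is a substantiated alert rather than an anomaly to tune. The detector below is an added example, not Attivo's own code: the decoy accounts, the simplified log format and the log lines are constructed, and it assumes decoys are planted under a domain that mirrors the genuine naming convention (us.sales.acme.com beside Asia-pacific.sales.acme.com).

```python
import re
from dataclasses import dataclass

# Constructed decoy identities (domain, user) planted on endpoints; not real accounts.
DECOY_ACCOUNTS = {
    ("us.sales.acme.com", "svc_backup"),
    ("us.sales.acme.com", "jdoe"),
}

# Constructed log lines in a simplified "<EventID> <user>@<domain> from <src> -> <dst>" format.
# 4624 = successful logon, 4625 = failed logon (Windows Security event IDs).
SAMPLE_LOG = """\
4624 alice@asia-pacific.sales.acme.com from 10.1.4.22 -> FS01
4625 svc_backup@us.sales.acme.com from 10.1.4.22 -> DECOY-FS02
4624 jdoe@US.sales.acme.com from 10.1.4.22 -> DECOY-AD01
4624 bob@asia-pacific.sales.acme.com from 10.1.7.9 -> FS01
"""

LINE_RE = re.compile(
    r"^(?P<event>\d+) (?P<user>[^@\s]+)@(?P<domain>\S+) from (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    source: str   # host that presented the decoy credential
    user: str
    domain: str
    target: str   # system the credential was used against
    event: str    # logon event id, kept so failed attempts stay visible


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one Alert per log line in which a decoy credential was presented.

    Success and failure both count: no legitimate process holds these
    credentials, so any use of them is a high-confidence alert.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        if (m["domain"].lower(), m["user"].lower()) in decoys:
            alerts.append(Alert(m["src"], m["user"], m["domain"], m["dst"], m["event"]))
    return alerts


def compromised_hosts(alerts):
    """Every source that presented a decoy credential is treated as compromised."""
    return sorted({a.source for a in alerts})
```

Running it over the constructed log yields two alerts (one failed, one successful logon) that both point back to the same source host, which is the endpoint the credentials were stolen from.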

Summary and Conclusions

Summary

• Myths and Realities

• Value of Deception

• Differentiation

Conclusion

• Deception Efficiently Closes the Detection Deficit

• Deception Platforms are Not All Created Equal

• Deception is a Mainstream Security Control for Early, In-network Detection

What’s Lurking in Your Network?


Extensive Expertise in Defending Against the Attacker

Meet Attivo!

Deception: In-Network Detection

Accelerated Incident Response

Deceive. Detect. Defend.

Active Defense

Security Engineering Heritage: 400+ collective years

Shipping Since 2014; Globally and F500 Proven Millions of Endpoints Protected

Well Funded: Bain Capital, Trident Capital Cyber Ventures, Omidyar Ventures, Innov8 (Singtel), Macnica Networks

Mature Customer Success Programs

Let’s Stay in Touch!

Carolyn [email protected]

Deceive. Detect. Defend.