© 2017 Attivo Networks. All rights reserved.
TRANSCRIPT
Deception-based Threat Detection: Myths and Realities
Carolyn Crandall, Chief Deception Officer, Attivo Networks
Myth 1
100% Security is Achievable.
Reality
• Threats Can and Will Get In.
• Detection as a Security Control is Critical.
Designed for an Ever-changing Threat Landscape: Detection for the Modern Day Attacker
Advanced Methods: Reconnaissance, Credential Theft, Active Directory, Man-in-the-Middle
Evolving Attack Surface: Endpoint, Network & Campus, Data Center & Cloud, IOT, ICS, POS & more
Malicious Actor, Insider, 3rd Party
What’s Lurking in Your Network?
Deception: Better Detection Against Better Attackers. Detection Technology Comparison
Criteria compared: Detect Known Attacks (Signature Based); Detect Adv. Threats (No Signatures); Substantiated Alerts; Scalable, Operationally Efficient; Slows Down the Attack
Technologies compared: Firewall/IDS/Proxy/AV; UEBA; Network Anomaly Detection; Deception; Hunt Teams; SIEM
Perception vs. limitations noted: Signature based – misses attacks; False Positives, Resources, Tuning; Lacks early attack cycle visibility; Misses credential theft and reuse; Expensive, Resources
Deception’s Role in Attack Life Cycle
Initial Compromise / Establish Foothold:
• Social engineering
• External compromise
• Custom malware
• C2
• App exploitation
Escalate Privileges:
• Credential theft
• Password cracking
• “Pass-the-hash”
Internal Recon:
• Critical system recon
• System, AD & user enumeration
Move Laterally:
• Net use commands
• Reverse shell access
Maintain Presence:
• Backdoor variants
• VPN subversion
• Sleeper malware
Complete Mission:
• Staging servers
• Data consolidation
• Data theft
Deception Detections
Myth 2
Isn’t Deception Just a Honeypot?
Reality
Only if you believe a horse and buggy and a Tesla Model S are the same.
Why Honey Pots are Not the Same as Deception
Honeypot: Outside the Network; Emulated; Low Interaction; Designed for Research; BOTs and Brute Force Attacker
Deception: Inside the Network; Real OS, Services, Network, Credential; IR Automation; Analysis/Forensics; Operations/Scalability; Ransomware; Designed for the Human Attacker
Deception-based Detection for Evolving Threat Landscape: Entire Network Becomes a Trap for All Threat Types and Attack Surfaces
Deception layers:
• Operating System
• Network Services
• Active Directory
• Application and Data
Deployed across: Deception Server, Data Center, User Network, SCADA/IOT/POS, Cloud and Remote Networks, Active Directory Deception Objects
Detections illustrated:
1. Lateral Movement
2. Credential Theft
3. Active Directory Recon
4. Ransomware
Deception for Closing the Detection Deficit: And to Change the Asymmetry and Slow Down Attacks
Challenges vs. Deception Technology to Close the Gap:
Lateral Movement Threat Detection: In-network: Recon, Credential Harvest; Slowing of Attack
Credential Theft: Detect Endpoint & Domain Credential Theft; Attack Path Visibility
Evolving Attack Surface: User Networks, Datacenters, Specialized (SCADA, IoT, POS, SWIFT, Telecom, Router Decoys), Cloud (AWS, Azure, OpenStack)
Ransomware: Detection, Analysis, Interaction to Slow Attack
Compliance, Breach Investigation, M&A Visibility: Compliance and Forensics; Pen Test, Evaluate Latent Threats
Skills Shortage and Ability to Respond to Incident: Easy to Deploy and Operationalize; Automated Attack Analysis and Incident Response
Closes the Detection Gap with Accurate Detection and Threat Visibility
Myth 3
All Deception is Created Equal
Reality
Solutions vary widely. Deception for Detection vs. an Active Defense.
Not All Deception Technology Provides an Active Defense (Enterprise Grade vs. Limited Functionality)
Authenticity: Real OS, Apps, high interaction, Dynamic vs. Low interaction, emulated, static
Evolving Attack Surface: Network, DC, Cloud, Specialty IOT, ICS, POS, more vs. Limited environments
Ease to Operationalize: Not inline; Agentless vs. Inline, reliant on agents
Attack Threat and Malware Analysis: Full sandbox and forensic reporting vs. Limited forensics and analysis
Simplifies Incident Response: Integrations for automated blocking, quarantine, hunting vs. No or limited automation
Attack Simulation & Threat Assessment: Attack path and replay visual maps, simulators vs. Partial assessment tools
Depth of Deception: Network, EP, Application, Data vs. Only Network or EP
Enterprise Grade is built for the anticipating attacker; Limited Functionality relies on the element of surprise.
Deception Must Be Authentic: Credential Authenticity
Genuine Credentials: [email protected]/Asia-pacific.sales.acme.com
Deceptive Credentials: [email protected]/us.sales.acme.com
Deception Campaigns for Scalability and Authenticity: Machine Learning for On Demand Ability to Change the Game Board on Attackers
Deploy Dynamic Deception Campaigns based on Machine Learning
Learn Suspicious Behavior
Network Profiling & Assessment: IOT/SCADA, Data Center/Cloud, User Networks; Network Discovery; SIEM Feeds; Security Partner Feeds
1 Manual → 2 Auto-Propose → 3 Auto-Deploy
Deception for Automated Attack Analysis: Threat Intelligence and Attacker Engagement
Diagram labels: User VLAN 1 … VLAN n; Operating Systems: Windows (Win 7, Win XP, Win 8, Win 10); SMB, Web servers, File servers, AD; SINKHOLE; C&C
Multi-Dimensional Forensics Capabilities: For Faster Remediation and Hunting
Data Collection and Analysis: Capture forensic artifacts; Capture and analyze attacker memory; Assemble and report full TTP; Polymorphic attack tracking and signatures; Counterintelligence with Honeydocs; Data Loss Tracking (DLT)
Data Sharing and Actioning: SIEM integration and attacker behavior analysis; 3rd Party integrations with automated response
Repeatable Processes: Repeatable playbooks based on company’s security infrastructure and policies
Myth 4
It’s a “nice to have,” not a “need to have.”
Reality
Deception is customer proven for early and accurate threat detection.
Deception for Insider Threat Detection
Customer Value: The customer was able to monitor for insider threats and collect the necessary evidence to support legal action.
Concern:
• The customer was concerned about internal risks to the network and sensitive client information.
Overview:
• After installing the BOTsink solution, security saw SMB share connections to multiple endpoints followed by recon scans.
• A network administrator with credentials had infected endpoints as zombies to scan the network.
Outcome:
• Only the BOTsink solution efficiently and accurately detected the recon activity.
• The network administrator was terminated by the customer and legal action is pending.
Deception for Mergers & Acquisitions: Security Concerns
Customer Value: The organization assessed the security readiness of the acquired networks and resolved issues before connecting them to the corporate network.
Concern:
• The organization wanted visibility into the networks of recently acquired companies.
• Mitigation of risk associated with acquired companies having insufficient security controls and being targeted at announcement.
Overview:
• They deployed the BOTsink and ThreatStrike solutions to the subsidiary networks for visibility, and a central manager in the cloud for reporting and alerting.
Outcome:
• They were able to assess the network security infrastructure remotely.
• Validated visibility by running Red Team tests in the acquired networks.
Deception for Network Resiliency Validation
Customer Value: The customer successfully validated their security infrastructure resiliency for annual compliance requirements.
Concern:
• Validate that their network resiliency achieved annual security compliance requirements.
• The team had failed multiple penetration tests because of their inability to detect advanced, in-network threats.
Overview:
• The customer installed the BOTsink solution for the pen test.
• The pen tester compromised an endpoint, stole deceptive credentials, and engaged with a BOTsink solution decoy, thinking it was a real system.
Outcome:
• The BOTsink solution immediately detected when the pen tester used the stolen credentials during the penetration test.
• The InfoSec team was able to track and record their every move.
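The detection logic behind the credential-authenticity slide and the two BOTsink case studies above (insider recon, pen tester using stolen deceptive credentials), as an added example that is not Attivo's code: planted deceptive credentials and decoy hosts have no legitimate users, so any single authentication or connection that touches one is a substantiated alert with no signature or tuning. The account names, decoy addresses, log format and log lines are all constructed for this example.

```python
"""Honey-credential / decoy-engagement detection (added example, not Attivo code).
All account names, addresses and log lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed registry of planted deceptive accounts and decoy addresses; a real
# deployment would load this from the deception platform's inventory.
DECEPTIVE_ACCOUNTS = {"svc-report@us.sales.acme.com", "admin-backup@asia-pacific.sales.acme.com"}
DECOY_HOSTS = {"10.1.9.50", "10.1.9.51"}
# Simplified constructed authentication/connection log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")
@dataclass(frozen=True)
class Alert:
    ts: str
    src: str    # endpoint the attacker operates from: the IR pivot point
    user: str
    dst: str
    reason: str

def detect(lines):
    """One Alert per event touching a deceptive credential or a decoy host.
    Success or failure is irrelevant: the attempt itself is the signal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable; a real pipeline would count these
        e = m.groupdict()
        if e["user"].lower() in DECEPTIVE_ACCOUNTS:
            alerts.append(Alert(e["ts"], e["src"], e["user"], e["dst"],
                                "deceptive credential used (credential theft/reuse)"))
        elif e["dst"] in DECOY_HOSTS:
            alerts.append(Alert(e["ts"], e["src"], e["user"], e["dst"],
                                "decoy engaged (lateral movement/recon)"))
    return alerts

def pivot_by_source(alerts):
    """Group alerted destinations by source address to sketch the attack path."""
    path = {}
    for a in alerts:
        path.setdefault(a.src, []).append(a.dst)
    return path

SAMPLE_LOG = [  # constructed: endpoint 10.1.4.22 is compromised, 10.1.7.8 is benign
    "2018-03-05T10:14:02Z host=WS-1042 user=jsmith@us.sales.acme.com src=10.1.4.22 dst=10.1.2.10 action=smb_connect result=success",
    "2018-03-05T10:16:40Z host=FS-02 user=svc-report@us.sales.acme.com src=10.1.4.22 dst=10.1.2.30 action=logon result=success",
    "2018-03-05T10:17:05Z host=DECOY-09 user=jsmith@us.sales.acme.com src=10.1.4.22 dst=10.1.9.50 action=smb_connect result=failure",
    "2018-03-05T10:18:11Z host=WS-2210 user=akhan@asia-pacific.sales.acme.com src=10.1.7.8 dst=10.1.2.10 action=logon result=failure",
]
```

Running `detect(SAMPLE_LOG)` yields two alerts, both from 10.1.4.22, while the benign failed logon from 10.1.7.8 produces nothing; `pivot_by_source` then hands incident response the source endpoint and the decoy systems it touched.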
Summary and Conclusions
Summary
• Myths and Realities
• Value of Deception
• Differentiation
Conclusion
• Deception Efficiently Closes the Detection Deficit
• Deception Platforms are Not All Created Equal
• Deception is a Mainstream Security Control for Early, In-network Detection
What’s Lurking in Your Network?
Extensive Expertise in Defending Against the Attacker
Meet Attivo!
Deception: In-Network Detection
Accelerated Incident Response
Deceive. Detect. Defend.
Active Defense
Security Engineering Heritage: 400+ collective years
Shipping Since 2014; Globally and F500 Proven Millions of Endpoints Protected
Well Funded: Bain Capital, Trident Capital Cyber Ventures, Omidyar Ventures, Innov8 (Singtel), Macnica Networks
Mature Customer Success Programs