Defending Critical Assets with Deception - PowerPoint PPT Presentation



SLIDE 1

Confidential

Appearances can be deceiving

Defending Critical Assets with Deception

Contact Us: https://www.illusivenetworks.com/contact sales@illusivenetworks.com

SLIDE 2

Chad J. Gasaway

Illusive Networks | Sr. Systems Engineer chad@illusivenetworks.com

  • A Sr. Solutions Architect for Illusive Networks based
  • Has over 22 years in the IT Industry
  • With over 17 years of cybersecurity experience with leading companies like CloudPassage, RSA Security, SilverTail Systems, HP ArcSight and Crossbeam Systems.
  • Assisted customers with Cloud Security, Incident Response, Penetration Testing, Anti-Fraud, Governance Risk and Compliance, and Security Architecture
  • Has developed and employed effective security strategies across several verticals including financial, healthcare, telecom, retail, industrial, as well as federal, state, and local government.
  • Chad is a proud husband and father to a 7 year old son, a 5 year old daughter and a dog named Harper (don’t ask where the name came from)

Who am I

SLIDE 3

Introduction

“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” ― Sun Tzu, The Art of War

SLIDE 4

The Challenge

Current environment

  • A Breach Will Occur - Assumed
  • Advanced Attacks are Top of Mind
  • Most of the security spend is on prevention
  • Attackers still make their way through all defenses

Challenges

  • Security has become a big data problem
  • Budgets are tightening, resources are limited and talent is hard to find.
  • Actionable alerts are scarce - Alert Fatigue
  • Executive Management now have to answer to the Board

SLIDE 5

146

SLIDE 6

Almost No Cost vs Cost of Defense is Skyrocketing
Dynamic vs Predictable & Static
Only Need to be Right Once vs Enough to Get it Wrong Once
No Rules vs Highly Regulated
Getting Easier vs Can’t Keep Pace

SLIDE 7

THE ASYMMETRIC ARENA

Attackers only need a single attack path to successfully infiltrate the network
VS
Organizations need to secure 360 degrees of their network to protect their business

99/100 = LOSE the battle
1/100 = WIN the battle

SLIDE 8

Attack Example: Ukrainian Power Grid

The Department of Homeland Security issued a formal report titled IR-ALERT-H-16-056-01. According to the DHS report, three Ukrainian distribution companies experienced a coordinated cyber-attack, executed within 30 minutes of each other. These attacks were directed primarily at the regional distribution level, impacting over 225,000 customers. The motive and sophistication of the attacker were consistent with a highly organized and well-resourced adversary. The attacker varied tactics and techniques to “match” the defenses and environment of the impacted target.

Source: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18 Mar2016.pdf

SLIDE 9

Attack Example: Ukrainian Power Outage Cont.

Access Recon/Exfiltrate Navigate Disrupt

  • Access - Spear phishing to bypass automated controls or static policy and engage a “person”.
  • Recon/Exfiltrate - State-sponsored modified variant of the BlackEnergy malware used for subversion of system resources, data collection and exfiltration, and network monitoring.
  • Navigate - Leveraged stolen credentials from business networks to access the VPN into the Industrial Control System (ICS) network.
  • Disrupt - Used modified KillDisk freeware to erase master boot records and delete logs. Scheduled service outages in the UPS system. Denied telephone service by attacking the call center.

SLIDE 10

Verizon 2016 DBIR – Attacker Trends

Phishing continues to be the #1 way an attacker enters an environment

SLIDE 11

Why does phishing work so well?

Phishing is Deception

What is Phishing: Impersonation in an effort to fool people into responding to a call to action. Examples: click a link, provide personal information, request access, provide credentials.

Phishing Types:

  • Deceptive Phishing: Impersonates a business
  • Spear Phishing: Highly personalized with a specific target
  • Whaling: Specifically targets a CEO or high-level employee
  • Pharming: DNS cache poisoning to redirect the victim to a “Deceptive” website

Phishing works off the same principles as social engineering. It removes static logic and pre-defined policy to engage the human and trigger a favorable emotional response.

SLIDE 12

It’s all about the PEOPLE behind the attack

SLIDE 13

FLIP THE ASYMMETRY

THINK LIKE AN ATTACKER

SLIDE 14

Just a matter of perspective

Logical IT View
Social Sciences Map

SLIDE 15

SLIDE 16

ADMIN ACCOUNTS

The keys are under the welcome mat

SLIDE 17

People and the Process

The OODA Loop

  • Favors agility over raw power when dealing with human opponents in any endeavor
  • Originally developed for fighter pilots by US Air Force military strategist Colonel John Boyd
  • A set of interacting loops that are kept in continuous operation during an engagement

With current security models, how do we impact this process?

  • Works both ways!

Observe Orient Decide Act

SLIDE 18

People and the Process

What if we create a different reality for the attacker?
What if we disorient the attacker?
What if we increase the probability that the attacker makes the wrong decision?
What if we Act by automatically deploying forensics at the point where the decision was made?

Observe Deceptions
Disorient Attacker
Decide Incorrectly
Automate Forensic Response

SLIDE 19

Getting Answers

To be successful the Attacker has to move

After the attacker has entered the environment he must answer 3 questions for himself:

  • Now that I am here: Establish Persistence, Determine Context, Identify user
  • What is available around me: Endpoints, Assets
  • How can I get there: Credentials

SLIDE 20

Turning the tables

Deception techniques as a defensive strategy enable you to:

  • Create an environment where detection is nearly unavoidable
  • Reduce false positives
  • Generate actionable alerts that enable automation
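
A small worked example of the deception-driven alert the last two slides describe, added here and not part of the original deck or of any Illusive Networks product: decoy admin credentials are planted on endpoints but never used legitimately, so any logon attempt with one of them is attacker activity by construction (no false positives), and the alert carries the forensic actions to run automatically on the host the attacker acted from. Account names, host names and the comma-separated logon event format are constructed for the example.

```python
from dataclasses import dataclass

# Constructed decoy account names (hypothetical). They are planted as bait and
# never used by a real user or process, so any use of one is attacker activity.
DECOY_ACCOUNTS = {"svc_backup_adm", "helpdesk_admin2"}

# Constructed sample events shaped like parsed logon records:
# timestamp, account, source host, target host, outcome.
SAMPLE_EVENTS = [
    "2016-05-03T09:12:01Z,jdoe,WS-0142,FS-01,SUCCESS",
    "2016-05-03T09:14:22Z,svc_backup_adm,WS-0142,DC-01,FAILURE",
    "2016-05-03T09:14:25Z,SVC_BACKUP_ADM,WS-0142,FS-01,SUCCESS",
    "2016-05-03T09:15:07Z,asmith,WS-0077,FS-01,FAILURE",
]

@dataclass(frozen=True)
class Alert:
    decoy: str
    source_host: str
    target_host: str
    timestamp: str
    forensic_actions: tuple  # the automated "Act" step, run on source_host

def parse_event(line):
    ts, account, src, dst, outcome = line.strip().split(",")
    # Account names are case-insensitive; normalise before matching decoys.
    return {"ts": ts, "account": account.lower(), "src": src,
            "dst": dst, "outcome": outcome}

def detect(events, decoys=DECOY_ACCOUNTS):
    """One alert per decoy-credential use. Outcome is deliberately ignored: a
    failed attempt with a decoy is as telling as a success, while ordinary
    logons (including ordinary failures) never match."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev["account"] not in decoys:
            continue
        host = ev["src"]
        alerts.append(Alert(
            decoy=ev["account"], source_host=host, target_host=ev["dst"],
            timestamp=ev["ts"],
            forensic_actions=(f"collect-processes:{host}",
                              f"collect-netconns:{host}",
                              f"collect-logon-sessions:{host}")))
    return alerts

def beachheads(alerts):
    """Hosts the attacker acted from: where the forensic response starts."""
    return {a.source_host for a in alerts}
```

Running `detect(SAMPLE_EVENTS)` yields two alerts, both from WS-0142, while the legitimate failed logon by asmith produces nothing.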

SLIDE 21

Thank You

Contact Us: https://www.illusivenetworks.com/contact info@illusivenetworks.com