6 WAYS TO DECEIVE CYBER ATTACKERS
www.forsythe.com
Forsythe is a leading enterprise IT company, providing advisory services, security, hosting and technology solutions for Fortune 1000 organizations. Forsythe helps clients optimize, modernize and innovate their IT to become agile, secure, digital businesses.
Sponsored by
Ask yourself…
a) Very confident
b) Somewhat confident
c) Not at all confident
Source: Ponemon Institute Cost of Malware Containment Report, 2015
alerts a week are received by the average organization through security controls
of these alerts are deemed reliable
We are gathering unprecedented amounts of data about threats. This helps with security, but also adds to the problem of false positives. They distract companies from dealing with legitimate security alerts. False positives waste time, manpower and money we can’t afford to lose.
Source: Enterprise Management Associates “Data-Driven Security Reloaded”, 2015
More than half of 200 IT and security administrators recently surveyed said too many false positives are keeping them from being confident in breach detection.
It takes an average of just 82 seconds before a phishing campaign gets its first click.
70-90 percent of malware samples are unique to a single organization.
In 60 percent of breaches, hackers are getting in within minutes.
Source: Verizon 2015 Data Breach Investigations Report
6 Ways to Deceive Cyber Attackers
Ask yourself…
a) Yes
b) No
c) Not sure
Source: Gartner, Emerging Technology Analysis: Deception Techniques & Technologies Create Security Technology Business Opportunities, July 16, 2015
By 2018, 10 percent of large enterprises will use deception tools and tactics, and actively participate in deception operations against attackers.
Distributed Decoy Systems: These solutions distribute fake decoy endpoint systems throughout the enterprise, and offer enhanced detection compared to more traditional solutions. Because legitimate users have no reason to interact with decoys, attacks can be rapidly identified, and false positives greatly reduced.

Endpoint Protection Platforms: These systems can leverage deception to thwart malware installation by making attackers believe the endpoint is in a virtual environment in order to throw off malware profiling processes, or by emulating the processes of disparate anti-virus products to induce dormancy.

Intrusion Prevention Systems: IPS appliances can invoke deception within TCP at the network protocol layer. Basic deception techniques such as TCP tarpits can be used, and/or integration with more advanced deception technology such as decoy systems can be leveraged.

Next-Generation Firewalls: Firewalls with next-generation capabilities can enhance deception in protected network zones. Actions in specific policies can be set to “deceive”, and deception responses can be generated either by the firewall itself, or through integration with other deception solutions.

WAFs and Application Deception Solutions: Web application firewalls (WAFs) and application deception solutions can help to disrupt attackers’ automation with Web and Web application deceptions, Web browser and HTTP countermeasures, as well as the obfuscation of HTML content and application inputs to reduce attack surfaces.
6 Ways to Deceive Cyber Attackers
Conceal valuable data in innocuous-looking files, and set up honeypots and facades that divert attackers from real assets, lead them to false intellectual property, or cause them to trip alarms. These techniques waste the attackers’ time, shake their confidence, and increase their anxiety over being caught and exposed.
Obscure your infrastructure by making it a moving target, changing addresses, infrastructure topologies, and available resources daily. Virtualization makes it possible to build up and tear down resources at will. Software-defined networking (SDN) technology can virtualize the deception process while helping to build security management and control features into the network fabric. In short, take steps to prevent attackers from seeing the same infrastructure twice.
Divert or confuse attackers with false information. As highlighted under “concealment,” you can supply the hacker with fake successes, responses, files, and assets to exploit. Lie about the most basic things that matter to an attacker: the presence of files, and the ability to open and use them. Your system could issue false error messages when asked to do something suspicious, or could claim that it can't download or open a suspicious file when it really can. However, it is important to remember that any false information given must not be easily disprovable.
Create counterfeit resources for the attacker to find, such as a fake website that looks like a Web portal to a large directory with a list of typical-sounding files and subdirectories (all fake). The attacker can click on subdirectory and file names to see what appear to be encrypted files, but the 'encryption' is just a random number generator. A variety of unauthorized or error messages will persuade the intruder to think they’ve stumbled upon valuable information, thereby wasting their time and drawing them away from the information they seek.
Endpoint card from the screenshot: ENDPOINT4; IP: 193.168.20.130; Host Type: Workstation; Domain name: Dom-RU; OU: OU-489; OS Name: windows 7; Subnets: 193.168.20.0; OS Version: 6.1 (7601); Connection Types: Windows User; 6 Connections | 5 Deceptions. Legend: Decoy User Credentials, Decoy Admin Credentials, Real User Credentials.
In this zoomed-in view, we see a machine that had only 1 real user credential and now has 5 deception user credentials added, of which 2 are admin (crown icon).
Ransomware, Browsers, Databases, Files, FTP, RDP, Recents, Scanners, Shares, SSH, Windows
Use defensive feints to pretend to succumb to one form of attack in order to conceal a second, less-obvious defense (this is called a nested deception). For instance, you could deny buffer-overflow attacks on most ports (access points) of a computer system with a warning message, but pretend to allow them on a few for which the effects of the attack are simulated.
Gain actionable insights and intelligence by gathering threat intelligence feeds and adversary indicators that define and describe trends, tendencies, methods, and actions taken by attackers. This will help you maintain an awareness of existing and emerging threats and achieve insight into attackers’ plans, so your deception strategy can be adjusted before those plans turn into action. There are a variety of threat intelligence services your organization can subscribe to in order to aggregate data and help to determine which information is actionable.
Ask yourself…
a) Yes
b) No
c) Not sure
Attackers don’t waste time on attacks that won’t result in high-value information. The use of deception techniques can uniquely position your organization to detect and disrupt an attacker’s lateral movement, and make it so difficult and time-consuming for them to continue that they are likely to abandon the effort.
Real View: 5,000 machines, 10,000 attack vectors
With Deceptions: 25,000 machines, 250,000 attack vectors
CHECK OUT THE ORIGINAL ARTICLE: http://focus.forsythe.com/articles/337/6-Ways-to-Deceive-Cyber-Attackers
OR FIND MORE ARTICLES ABOUT BUSINESS AND TECHNOLOGY SOLUTIONS AT FOCUS ONLINE: http://focus.forsythe.com
Authors:
Ben Holder, Master Consultant, Forsythe Security Solutions
Shlomo Touboul, CEO, Illusive Networks
www.forsythe.com