Defeating the Modern Cyber Attack
Carolyn Crandall, Chief Marketing Officer
Attivo Networks (@AttivoNetworks)
Carolyn Crandall | CMO | May 3, 2017

Slide 3: Defeating the Modern Cyber Attacker

Slide 4: Defeating the Modern Cyber Attacker
1. Know how an attacker attacks: understand the tools and techniques attackers use to move laterally and compromise assets.
2. Know how to defend and respond: build an adaptive defense with attack-information sharing and incident response automation.
It is not enough to think like an attacker; you must also know how to defend and respond.

Slide 5: Anatomy of a Breach
Attack lifecycle (source: infosecinstitute.org): Initial Recon -> Initial Compromise -> Establish Foothold -> Escalate Privileges -> Complete Mission
Condensed into four stages:
1. Compromise
2. Reconnaissance
3. Lateral Movement
4. Complete Mission

Slide 6: Attackers Are Bypassing Prevention and Evading Detection
Attack Sequence and Methods
1. Compromise user or network (phishing, intelligence gathering, C&C)
2. Compromise credentials
3. Internal reconnaissance
4. The target: actions on the objective
5. Complete mission
Advanced attack methods: HTTPS, zero-day, stolen employee credentials, MiTM, endpoint/BYOD

Slide 7: Attackers Are Bypassing Defenses and, Once Inside, Can Remain Undetected for Months
Prevention-based security: build a strong perimeter, secure the entry points, monitor suspicious behavior.
A shift to detection. Why breaches are hard to investigate:
• Lack of accurate visibility into in-network threats
• Too much data to correlate
• Alerts are not substantiated or actionable
• Too many false positives / investigation complexity
• Limited resources to respond
Traditional security tools are not designed to detect threats that are already inside the network.

Slide 8: Deception: Detecting Attackers Better and Detecting Better Attackers
Choices in Closing the Detection Blind Spot
[Comparison matrix; the per-technology ratings did not survive extraction and are not reproduced here]
Criteria: Detect known attacks (signature based); Detect advanced threats (no signatures); Efficient: not resource intensive; Accurate: no false positives; Automated incident handling; Slows down the attack
Technologies compared: Firewall/IDS/Proxy/AV; SIEM; UEBA; Network anomaly detection; Hunt teams; Deception

Slide 9: Deception
Obscures the Attack Surface and Disrupts Attackers
Deception to divert the attacker's attention:
• Decoy systems to misdirect the attacker
• Deception credentials and bait to lure the attacker
The entire network becomes a trap and a hall of mirrors.
Deception forces the attacker to have to be right 100% of the time.

Slide 10: Network and Endpoint Deception for Comprehensive Detection
Detection: Deception for Early Detection throughout Attack Phases
Attack phases covered: Initial Compromise -> Initial Reconnaissance -> Establish Foothold -> Escalate Privileges -> Complete Mission
[Diagram: a Deception Engagement Server placed alongside the attack phases]

Slide 11: Typical Attack Path Sequence
Detection: one small security gap will present an opportunity for attackers.
[Diagram: attack path from entry point to "Exploit Target" and "Target"]

Slide 12: Changing the Game with Deception and Decoys
Detection: Deception Obscures the Attack Surface and Disrupts Attacks
• Deception lures to divert attention
• Decoys to misdirect the attacker
• Appear identical to production assets
• Evidence-based alerts
[Diagram: the attack path toward "Exploit Target" / "Target" now passes through decoys]

Slide 13: Obscuring Your Infrastructure
Confuse and Misdirect to Make the Attacker's Job Harder
Before deception: production medical servers and devices.
With deception: production medical servers and devices plus decoys.
What the attacker sees with deception: production medical servers and devices alongside decoys (multiple HR clusters).

Slide 14: Distributed Deception Platforms: Continuous Threat Management
Platform attributes: Scalable, Complete, Accurate, Authentic
Capabilities: Visibility; Real-time Detection; Forensics Analysis; Incident Handling / Response

Slide 15: Distributed Deception & Response Platform
Entire Network is a Trap with Decoys, Deceptions, End-Point Lures
Attractive & Authentic
Network segments covered: Data Center; User VLAN 3; SCADA/IoT/POS VLAN …; Engagement Servers; Cloud Engagement Server; Virtual Engagement Server: Remote Networks
Deceptions:
• Operating System
• Network Services
• Data and Document

Slide 16: Understand and Automate Incident Response
Analysis & Forensics
1. ATTRACT: decoys and lures attract engagement.
2. ENGAGE: the attacker lands on an engagement VM running a real operating system (VM 1 / OS 1 through VM n / OS n).
3. COMMUNICATE: the decoy's outbound C&C connections are routed to a sinkhole (port for communications), so the attacker's traffic can be observed without reaching a real C&C server.
4. ENGAGEMENT SERVER: ANALYZE, REPORT, RESPOND
   • Detect: engagement-based detection
   • Analyze: analyze and auto-correlate attack information; SIEM query for credential use
   • Forensics: evidence-based alerts, forensic analysis and reporting
   • Response: third-party integrations for auto quarantine, blocking, threat hunting (SIEM, EP, NAC, FW)
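The detection and auto-correlation step above, as an added worked example that is not part of the original deck or of any Attivo product: it matches constructed authentication log lines against an inventory of planted deception credentials and decoy hosts, correlates hits by source host to show which endpoint a credential was harvested from, and builds a Splunk-style search for historical credential use. Every hostname, account name, log record, index and field name is constructed or assumed.

```python
"""Detect and auto-correlate use of planted deception credentials.

A deception credential is planted on an endpoint (credential manager,
browser store, RDP/SSH history) and resolves to a decoy. No legitimate
process ever uses it, so any authentication attempt with it, and any
logon to a decoy host, is an evidence-based alert rather than an anomaly
that still needs substantiating. Correlating a hit with the endpoint the
credential was planted on shows where the attacker harvested it.
All inventory and log data below is constructed for this example.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Planted credentials (lower-cased for case-insensitive matching):
# account -> endpoint it was planted on and the decoy it points at.
DECEPTION_CREDS = {
    r"corp\svc_backup_dcy": {"planted_on": "ws-042", "decoy": "fs-decoy-01"},
    r"corp\adm_sql_dcy": {"planted_on": "ws-117", "decoy": "sql-decoy-02"},
}
DECOY_HOSTS = {v["decoy"] for v in DECEPTION_CREDS.values()}

# Constructed authentication events, one JSON object per line, with fields
# modelled on Windows Security logon events (4624 success, 4625 failure,
# 4648 logon with explicit credentials).
SAMPLE_EVENTS = r"""
{"ts": "2017-05-03T09:12:01Z", "event_id": 4624, "account": "CORP\\jdoe", "src": "ws-042", "dst": "fs-prod-03"}
{"ts": "2017-05-03T09:14:37Z", "event_id": 4625, "account": "CORP\\svc_backup_dcy", "src": "ws-042", "dst": "fs-prod-03"}
{"ts": "2017-05-03T09:14:39Z", "event_id": 4624, "account": "CORP\\svc_backup_dcy", "src": "ws-042", "dst": "fs-decoy-01"}
{"ts": "2017-05-03T09:20:05Z", "event_id": 4648, "account": "CORP\\adm_sql_dcy", "src": "ws-201", "dst": "sql-prod-01"}
{"ts": "2017-05-03T09:21:10Z", "event_id": 4624, "account": "CORP\\asmith", "src": "ws-201", "dst": "mail-01"}
{"ts": "2017-05-03T09:22:30Z", "event_id": 4624, "account": "CORP\\asmith", "src": "ws-201", "dst": "sql-decoy-02"}
"""


@dataclass
class Alert:
    ts: str
    reason: str                 # why this is evidence, not an anomaly
    src: str                    # host the attempt came from
    account: str
    dst: str
    planted_on: Optional[str]   # endpoint the credential was planted on


def detect(events_text: str) -> List[Alert]:
    """One alert per event that uses a planted credential or touches a decoy.
    Failed logons (4625) count too: the attacker trying the credential
    against the wrong host is still proof that it was harvested."""
    alerts = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        account = ev["account"].lower()
        if account in DECEPTION_CREDS:
            planted = DECEPTION_CREDS[account]["planted_on"]
            alerts.append(Alert(ev["ts"], "deception credential used",
                                ev["src"], ev["account"], ev["dst"], planted))
        elif ev["dst"].lower() in DECOY_HOSTS:
            # A real (stolen) account reaching a decoy is equally conclusive.
            alerts.append(Alert(ev["ts"], "logon to decoy host",
                                ev["src"], ev["account"], ev["dst"], None))
    return alerts


def correlate(alerts: List[Alert]) -> Dict[str, dict]:
    """Group alerts by source host. 'harvested_from' lists endpoints whose
    planted credential was replayed from a different host, which means the
    attacker already had access to that endpoint before moving on."""
    summary = defaultdict(lambda: {"first_seen": None, "accounts": set(),
                                   "targets": set(), "harvested_from": set()})
    for a in sorted(alerts, key=lambda x: x.ts):
        s = summary[a.src]
        s["first_seen"] = s["first_seen"] or a.ts
        s["accounts"].add(a.account)
        s["targets"].add(a.dst)
        if a.planted_on and a.planted_on != a.src:
            s["harvested_from"].add(a.planted_on)
    return dict(summary)


def siem_query(creds: Dict[str, dict] = DECEPTION_CREDS) -> str:
    """Splunk-style search (index and field names are assumptions) to pull
    every historical logon naming a planted account; run it when a new
    credential is deployed or when a hit fires, to find earlier use."""
    short = [a.rsplit("\\", 1)[-1] for a in sorted(creds)]
    names = ", ".join(f'"{s}"' for s in short)
    return ("index=wineventlog EventCode IN (4624, 4625, 4648) "
            f"Account_Name IN ({names})")


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    for host, facts in correlate(hits).items():
        print(host, facts)
    print(siem_query())
```

With the constructed data, ws-042 fires on its own planted credential (first a failed try against a production file server, then a successful logon to the decoy), while ws-201 replays a credential that was planted on ws-117, which tells the responder that ws-117 was already compromised and should be quarantined together with ws-201.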

Slide 17: Assess Potential Attack Paths / Vulnerability Assessment
Visibility
• Attack paths based on misused credentials, misconfigurations and orphaned credentials
• Network map: possible lateral movement paths
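The attack path assessment described above, as an added example that is not from the original deck or from any vendor's product: it models hosts, the credentials stored on them and the admin rights those credentials carry as a directed graph, finds the shortest lateral movement path by breadth-first search, flags orphaned accounts (enabled, but with no owner of record), and recomputes the path with them removed to show what cleaning them up buys. All hostnames, accounts and rights are constructed.

```python
"""Assess lateral-movement attack paths created by exposed credentials.

Model: a credential stored on host A that holds admin rights on host B
gives an attacker on A a hop to B. Paths are found by breadth-first search
over that graph; orphaned accounts (still enabled, nobody owns them) are
flagged, and the path is recomputed with them removed to measure the gain.
All inventory data below is constructed for this example.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# account -> hosts where it holds local admin rights (constructed)
ADMIN_RIGHTS: Dict[str, Set[str]] = {
    "jdoe": {"ws-042", "ws-117"},
    "svc_backup": {"fs-03"},
    "adm_sql": {"sql-01"},
    "da_old": {"sql-01", "dc-01"},
}
# host -> accounts whose credentials are cached or stored on it (constructed)
CACHED_CREDS: Dict[str, Set[str]] = {
    "ws-042": {"jdoe", "svc_backup"},
    "ws-117": {"jdoe", "adm_sql"},
    "fs-03": {"svc_backup"},
    "sql-01": {"adm_sql", "da_old"},
    "dc-01": {"da_old"},
}
# account -> owner of record; None means nobody owns it any more (orphaned)
OWNERS: Dict[str, Optional[str]] = {
    "jdoe": "J. Doe", "svc_backup": "backup team", "adm_sql": "DBA team",
    "da_old": None,
}

Hop = Tuple[str, str, str]  # (from host, credential used, to host)


def build_graph(cached: Dict[str, Set[str]], admin: Dict[str, Set[str]],
                exclude: Iterable[str] = ()) -> Dict[str, List[Tuple[str, str]]]:
    """host -> [(next host, credential)] edges; excluded accounts (e.g. ones
    you plan to disable) contribute no edges, which lets you test a fix."""
    graph: Dict[str, List[Tuple[str, str]]] = {host: [] for host in cached}
    for host, creds in cached.items():
        for cred in sorted(creds - set(exclude)):
            for target in sorted(admin.get(cred, ())):
                if target != host:          # admin on itself is not a hop
                    graph[host].append((target, cred))
                    graph.setdefault(target, [])
    return graph


def find_path(graph: Dict[str, List[Tuple[str, str]]],
              start: str, goal: str) -> Optional[List[Hop]]:
    """Shortest lateral-movement path as (from, credential, to) hops, or
    None when the goal is unreachable from the foothold."""
    prev: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host == goal:
            break
        for nxt, cred in graph.get(host, []):
            if nxt not in prev:
                prev[nxt] = (host, cred)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops: List[Hop] = []
    cur = goal
    while prev[cur] is not None:
        frm, cred = prev[cur]
        hops.append((frm, cred, cur))
        cur = frm
    hops.reverse()
    return hops


def orphaned_accounts(owners: Dict[str, Optional[str]],
                      cached: Dict[str, Set[str]]) -> List[str]:
    """Accounts with credentials stored somewhere but no owner of record."""
    stored = set().union(*cached.values())
    return sorted(a for a in stored if owners.get(a) is None)


def exposed_credentials(cached: Dict[str, Set[str]],
                        admin: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(host, account) pairs where a stored credential grants admin on some
    other host, i.e. the stored secret is a lateral-movement enabler."""
    return sorted((h, a) for h, creds in cached.items() for a in creds
                  if admin.get(a, set()) - {h})


if __name__ == "__main__":
    graph = build_graph(CACHED_CREDS, ADMIN_RIGHTS)
    print("path ws-042 -> dc-01:", find_path(graph, "ws-042", "dc-01"))
    orphans = orphaned_accounts(OWNERS, CACHED_CREDS)
    print("orphaned accounts:", orphans)
    fixed = build_graph(CACHED_CREDS, ADMIN_RIGHTS, exclude=orphans)
    print("path after removing orphans:", find_path(fixed, "ws-042", "dc-01"))
    print("exposed credentials:", exposed_credentials(CACHED_CREDS, ADMIN_RIGHTS))
```

In the constructed inventory a foothold on ws-042 reaches the domain controller in three hops (jdoe to ws-117, adm_sql to sql-01, the orphaned da_old to dc-01); disabling da_old alone cuts the path to dc-01 while leaving the workstation-to-SQL path intact, which is the kind of prioritised finding the assessment is meant to produce.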

Slide 18: Network Visualization and Attack Insights
Visibility
• Network visualization
• Time-lapse attack replay

Slide 19: Building an Adaptive Defense
Incident Response: Information Sharing and Automated Playbooks
Playbook-based response:
• Auto-correlation of attack details
• Automated blocking and quarantine
• Threat hunting

Slide 20: Proven Deception Use Cases
Early and Accurate Detection, Visibility, Accelerated Incident Response
1. Early and Accurate Detection
• In-network lateral movement
• Stolen credential and man-in-the-middle attacks
• Insider, third party, acquisition integration
• Ransomware
• Specialized environments: IoT (medical devices), POS, SCADA
• Cloud and data center security
2. Visibility and Streamlining Incident Response
• Exposed credential and attack path assessment
• Automation of attack analysis
• Evidence-based alerts and incident response automations

Slide 21: Myths and Realities of Deception
Myth: It is easy to detect.
Reality: False. Real OS / golden images, dynamic deception and Active Directory integration match production assets; pen testers are consistently deceived.
Myth: It is resource intensive.
Reality: False. Alerts are engagement-based, and automated attack analysis simplifies incident handling and response.
Myth: It is hard to operate and not scalable.
Reality: Depends. Non-inline designs are frictionless to deploy and scale to cloud and data center environments; endpoint deployment depends on the approach.
Myth: It creates a dirty network.
Reality: Depends. Understand how decoys are deployed, and check what tools are provided to whitelist decoys so they do not interfere with other tools.
Myth: No incremental value.
Reality: False. Deception achieves early detection at the endpoint and in-network; DDPs (distributed deception platforms) also provide the automations and integrations for simplified response.
Myth: There is legal risk.
Reality: False. Unless counter-hacking (hacking back) is involved, deception is viewed in line with typical security defense controls.

Slide 22: Deception Technology: Visibility and Incident Response
Evaluation Criteria
• Early in-network threat detection (all attack vectors)
• Accelerate incident handling
• Types of deception technology
• Environments
• Authenticity
• Ease of deployment and operations
• Attack analysis
• Forensic reporting
• Threat vulnerability assessment
• Response automation