VTT Webinar 21.3.2018 - VTT Technical Research Centre of Finland
Practicalities of the webinar
• All attendees join muted
• Please ask questions via the control panel
• Moderator will address the questions to presenters in Q&A
• Having problems with audio?
  • Please use high-speed wifi or a hardwired connection
  • Please use a headset to optimise audio
  • Make a phone call: toll dial-in numbers are in the invitation (standard long-distance charges)
• Presentation material
  • A follow-up email will be sent with the presentation material included
VTT 2018 4
Contents
1 Introduction
2 What is cyber deception?
3 Who needs it?
4 Why is it needed?
5 What does it offer?
6 Examples
7 Challenges
8 How to get started
9 Q&A
We address challenges of global significance: climate action, resource sufficiency, good life, safety and security, industrial renewal.
Services we offer: We offer our customers access to our cross-disciplinary technological and business expertise, unique research infrastructure and comprehensive partnership networks. We focus on technologies of the future: bioeconomy, health and wellbeing, digital society, low carbon energy, smart industry, sustainable business and smart city development.
Cyber Deception 101 – What, how, why, when, where, so what, who cares?
Presenters: Teemu Väisänen, Research Scientist; Pasi Ahonen, Principal Scientist
What is cyber deception? Computer-security deception is defined as the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer security defenses. (J. J. Yuill, Defensive Computer-Security Deception Operations: Processes, Principles and Techniques. PhD Dissertation, North Carolina State University, 2007.)
What is cyber deception?
Honeystuff: honeynets, honey medias, honeypots, honey actions, honeycode, honey domains, honeybaits, honey accounts, honeyports, honey functions, honeywalls, honey metadata, honey docs, honey comments, honeywords, honey addresses, honeyclients, honey access points, honeytokens, honey folders, honey hashes.
Computer system components, deception of...: functionality of the systems; state of the systems; activity (currently in the system); decision (the system's decisions); system responses (can be considered as public data); software and services (in the targeted system); performance (of the system); internal data (stored in our system); public data (disseminated outside our systems); configurations; weakness (i.e. vulnerabilities in the system); impact [damage assessment] (of malicious activities); network, system, administrative, raw. Re-drawn from Almeshekah and Spafford: Cyber Security Deception.
Cyber kill-chain vs defence with deception
• Reconnaissance: faking the picture, e.g. with moving target defense, disinformation, social honeypots, artificial ports, fake sites, honey metadata and comments, baits, funny responses, …
• Weaponization: faking the picture, …
• Delivery: artificial bouncing back, sticky honeypots, fake automated users, client honeypots
• Exploitation: artificial exploitation responses, slow system responses to anomalous system calls, …
• Installation: honeystuff such as honey medias, code, functions and libraries
• Command and control (operation): traffic modification, honeystuff such as honeypots and nets, …
• Actions on objectives: moving target defense, baits, honeystuff such as honey accounts, access points, nets, tokens, files, words and hashes, endless files, fake documents with classification level higher than the maximum, decoy and fake credentials, tarpits, …
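Honeywords, listed above among the honeystuff and under "actions on objectives", are one of the few deception techniques with a precise, well-published mechanism (Juels and Rivest, 2013): each account stores several hashed "sweetwords", only one of which is the real password, and a separate minimal service, the honeychecker, stores only the index of the real one. A login with any of the decoys can only come from someone who obtained the password file, so it is a high-confidence compromise signal. The example below is added here to illustrate that mechanism; it is not code from the webinar or from VTT. The PBKDF2 parameters, the in-memory "databases" and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import random
import secrets

# Assumption for the example: PBKDF2-HMAC-SHA256 as the password hash.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Honeychecker:
    """Minimal separate service: knows only which index is the real password.

    In a deployment this runs on its own host, so that a copy of the
    authentication database alone does not reveal which sweetword is real."""

    def __init__(self) -> None:
        self._real_index: dict[str, int] = {}

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def is_real(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index


def enroll(user: str, real_password: str, decoys: list[str], auth_db: dict,
           checker: Honeychecker, rng: random.Random = random.SystemRandom()) -> None:
    """Store the real password among the decoys at a random position."""
    sweetwords = list(decoys) + [real_password]
    rng.shuffle(sweetwords)
    salt = secrets.token_bytes(16)
    auth_db[user] = {
        "salt": salt,
        "hashes": [hash_password(w, salt) for w in sweetwords],
    }
    checker.set_index(user, sweetwords.index(real_password))


def login(user: str, password: str, auth_db: dict, checker: Honeychecker,
          alarms: list) -> str:
    """Return 'ok', 'fail' or 'honeyword'; a honeyword match is appended to alarms."""
    record = auth_db.get(user)
    if record is None:
        return "fail"  # same answer as a wrong password: no account enumeration
    candidate = hash_password(password, record["salt"])
    for index, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(candidate, stored):
            if checker.is_real(user, index):
                return "ok"
            # A decoy matched: the password file has most likely been stolen.
            alarms.append({"user": user, "sweetword_index": index})
            return "honeyword"
    return "fail"


def run_demo() -> dict:
    """Constructed scenario: one account with three decoys, then four login attempts."""
    auth_db: dict = {}
    checker = Honeychecker()
    alarms: list = []
    enroll("alice", "correct-horse-battery", ["Winter2017!", "alice1234", "Passw0rd!"],
           auth_db, checker)
    results = {
        "real": login("alice", "correct-horse-battery", auth_db, checker, alarms),
        "decoy": login("alice", "alice1234", auth_db, checker, alarms),
        "wrong": login("alice", "not-a-sweetword", auth_db, checker, alarms),
        "unknown_user": login("bob", "anything", auth_db, checker, alarms),
        "alarm_count": len(alarms),
        "sweetwords_per_user": len(auth_db["alice"]["hashes"]),
    }
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two design points follow from the paragraph above. Decoys must be plausible for the user (generated from the real password's structure or from a wordlist of the organisation's own password habits), otherwise an attacker who cracked the file can tell them apart, which is the same uniqueness problem the webinar raises for every other kind of decoy. And what to do on a honeyword alarm is a policy choice made in advance: lock the account, allow the login into a monitored decoy session, or only alert the SOC, because the alarm means the whole password file is suspect, not just one account.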
There are many different use cases: early detection systems; insider threat detection; faking the picture; slowing down scanning; deception based intrusion detection system (IDS).
Poll question 1
There are only two types of companies: those that HAVE BEEN HACKED, and those that WILL BE HACKED.
There are only two types of companies: those that HAVE BEEN HACKED, and those that DO NOT YET KNOW THEY HAVE BEEN HACKED.
https://www.hackmageddon.com
Who needs cyber deception? If anyone has major valuables or secrets... THEN THERE PROBABLY IS A NEED FOR DECEPTION TO GUARD THEM! How? Apply UNIQUE deception solutions. Apply at least a TINY deception (or a small set of traps) for your secrets.
Who needs cyber deception? Attackers use deception, so why not you? Do you want to keep up the pace?
1. You must THINK like an adversary, sometimes (against your own systems).
2. ANALYSE what your really critical valuables and secrets are.
Emerging INSIDER THREATS predict big risks. RedOwl and IntSights reported (early 2017): The recruitment of insiders within the dark web is active and growing. Forum discussions and insider outreach nearly doubled from 2015 to 2016. The dark web has created a market for employees to easily monetize insider access. Sophisticated threat actors use the dark web to find and engage insiders to help place malware behind an organization's perimeter security. To combat the problem, risk management teams should actively build insider threat programs. Ironically, 80 percent of security initiatives focus on perimeter defenses… Ref: IntSights & RedOwl co-op: "Monetizing the Insider, The Growing Symbiosis of Insiders and the Dark Web"
Why is it needed?
• The defenders need to protect against all potential vulnerabilities in their systems, which is impossible, as every system potentially has vulnerabilities.
• The attacker needs to know only one weakness in a system to mount an attack.
• The perimeter defense model does not work when adversaries are already inside.
• All of our resources are not inside our perimeter.
Why is it needed? Actually, has cyber security grown too complex? Antivirus software not identifying all malware? There are too many different threats to handle? Systems and networks are too complex and dynamic to be understandable and monitorable? IDS/IPS is overloaded or requires too much work? Etc…
Why is it needed? Or actually, attackers may simply steal and misuse user accounts to install backdoors! Cheat honest employees into installing backdoors as legitimate applications! The attacker acquires a "legitimate" presence!
Why is it needed? The threat landscape indicates that each critical industrial asset would require close monitoring – yes, but what to monitor in real life? Selected "honey baked" assets?
What does cyber deception offer?
• We can change or move the attack surface
• We can detect attacks faster
• We can have quality instead of quantity
• We can give them fake targets
• We can slow them down
• We can frustrate them
• We can gather more information about them
• We can scare them away
• We can …
https://hakshop.com/products/usb-rubber-ducky-deluxe
https://usbkill.com/
Awesome Honeypots @ GitHub by paralax (Jose Nazario): https://github.com/paralax/awesome-honeypots
Poll question 2
Is it possible to fingerprint cyber deception tools? Yes, it is possible to fingerprint deception tools and techniques.
test_s7_server.py of Conpot (source code shown on the slides)
Searching for honeypot
Fingerprinting problem is in both commercial and open source tools
• Default management ports
• Executable commands
• X.509 certificates
• Metadata
• Firewall rules
• Comments or function names in source code
• Credentials
• Virtualization and sandboxing
• IDs and serial numbers
• …
Make fingerprinting harder
• Your decoys must be unique
• Never copy-paste them
• Let your red team analyze them
• Change default configurations
• Review source code
• Customize any selected product
• Design and create your own solutions
About tools… The adversary might use the tools you already have on your devices – no extra stuff is required. The adversary may have tested and analyzed the cyber deception tools you are using.
Looking for "honey"
Poll question 3
How to get started (1/2)
• Course: How cyber attackers cheat and how you can defend? (e.g. half-day at your premises).
• Literature study: How is your type of organization suffering from cyber deception globally? Which way and how have the organizations reacted?
• Red team service: To identify the cyber security gaps of your production.
• Interview study: How does your organization (e.g. company, production site, business line) suffer from cyber deception?
• Hands-on course: How cyber attackers cheat and how you can defend? (e.g. all-day).
• Targeted cyber security mapping: To investigate the cyber security level of your production. Staff and assets, methods used, possible damage done (confidential).
How to get started (2/2)
• Feasibility analysis: How to defend your production environment by utilizing cyber deception technologies; feasible platform tools, methods and overall approach.
• Proof-of-Concept (PoC): Developing unique cyber defensive traps & deception into your production environment.
• Proof-of-Concept (PoC) in a pilot or test system: Developing unique cyber defensive traps & deception methods into your pilot or test system.
• Red team service: To verify the effectiveness of your cyber defensive traps & deception (or the related PoC or pilot).
EXAMPLE Proof-of-Concept (PoC): Developing unique cyber defensive traps & deception into the production environment. Timeline (time t):
• Continuous monitoring & analysis of the plant network
• Suspected attacks or weaknesses
• Learn deception, develop strategy & plans
• PoC experiment: install the traps, and reporting
• Legal deception operations
• Alarms from traps…
• Validation of alarm, investigation & incident response
Goal is to get EARLY information about attacks and to enable RESPONSE!
To remember
• Cyber deception is more than honeystuff
• Cyber deception is a powerful but underutilized cyber security tool
• Cyber deception is not a silver bullet
Poll question 4
Impact from excellence through science and technology
Pasi Ahonen, Principal Scientist, pasi.ahonen@vtt.fi, +358 44 730 7152
Teemu Väisänen, Research Scientist, teemu.vaisanen@vtt.fi, +358 40 521 9506
www.vttresearch.com #vttpeople / @VTTFinland