This webinar includes a live demo of Cymmetria's MazeRunner, as well as training on how your organization can use cyber deception to gain visibility and control in your network in the face of attackers. Original broadcast date: December 12, 2017.
2. 11/14/2017 2
About Cymmetria
Founded in 2014, Cymmetria is a cyber deception company focused on changing the asymmetry of cybersecurity, tilting the traditional security odds so that hackers are the ones who are left vulnerable.
Hunting
Cyber Threat Hunting refers to proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools. - Sqrrl
• Cyber hunting requires significant maturity
• Requirements for hunting:
  • Dedicated personnel + management sign-off
  • Existing security infrastructure
• In this presentation we will show how deception helps hunting
5. 10/18/17 5
Hunting the attackers, not the attacks
10 years of APT investigations and reports paint a clear picture:
● Attacks change constantly. New malware, vulnerabilities, tools. Every day.
● Attackers are predictable. They follow the kill chain with a set methodology and decision-making process.
● Rarely are the attackers able to reach their final target on the first successful beachhead.
Attackers follow a “kill chain” methodology
// start with spearphishing, and then
…
while ( !TargetFound )
{
    /* compromise endpoint → escalate privileges → recon (mimikatz, net use, etc.) → lateral movement */
}
Controlling the attackers
Attackers use information they find in our networks to make lateral movement and attack targets in the organization.
Deception feeds them real-looking information that causes them to follow a defender-controlled path.
Once they hit a deception target, their modus operandi is exposed and their attacks are detected and prevented.
How it works
Breadcrumbs on organizational endpoints lead attackers to decoys.
Decoys collect forensic data.
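As an added example (not code from the webinar or from MazeRunner), a small alerting routine in the spirit of this slide: a constructed breadcrumb inventory records which planted credential sits on which endpoint and which decoy it points to, and constructed authentication log lines are scanned so that every touch of a decoy, and every reuse of a planted credential against a production host, becomes an alert that names the endpoint the breadcrumb was harvested from. Host addresses, account names and the log format are assumptions.

```python
"""Breadcrumb/decoy alerting over constructed auth-log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed breadcrumb inventory: planted account -> endpoint it was left on and decoy it leads to.
BREADCRUMBS = {
    "svc_backup": {"planted_on": "WS-017", "decoy": "10.0.5.40"},
    "sql_ro":     {"planted_on": "WS-042", "decoy": "10.0.5.41"},
}
DECOY_HOSTS = {b["decoy"] for b in BREADCRUMBS.values()}

# Assumed log format: "<ts> host=<dst> user=<name> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str                       # where the attacker is operating from now
    user: str
    dst: str
    harvested_from: Optional[str]  # endpoint the breadcrumb was planted on (the beachhead)
    reason: str


def analyze(lines: List[str]) -> List[Alert]:
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        ts, host, user, src = m.group("ts", "host", "user", "src")
        crumb = BREADCRUMBS.get(user)
        if host in DECOY_HOSTS:
            # Nothing legitimate ever talks to a decoy, so even a failed logon is an alert.
            alerts.append(Alert(ts, src, user, host, crumb["planted_on"] if crumb else None, "decoy touched"))
        elif crumb is not None:
            # Planted credential replayed against a real host: the breadcrumb was harvested.
            alerts.append(Alert(ts, src, user, host, crumb["planted_on"], "honey credential used on production host"))
    return alerts


SAMPLE_LOGS = [  # constructed sample input
    "2017-12-12T10:01:02Z host=10.0.1.10 user=alice src=10.0.3.22 result=ok",
    "2017-12-12T10:03:15Z host=10.0.5.40 user=svc_backup src=10.0.3.22 result=fail",
    "2017-12-12T10:03:16Z host=10.0.5.40 user=svc_backup src=10.0.3.22 result=ok",
    "2017-12-12T10:05:40Z host=10.0.1.10 user=sql_ro src=10.0.3.22 result=fail",
    "garbage line",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a.ts} {a.reason}: {a.user}@{a.dst} from {a.src}; breadcrumb planted on {a.harvested_from}")
```

The output shows one source address consuming breadcrumbs planted on two different endpoints, which is the kind of beachhead evidence the slide says decoys collect.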
Deception
Deception is an accelerator/shortcut for security maturity
• Deployment cost is very low
• Relevant even for low security-maturity organizations
• Adds an important layer for security-mature organizations
• Improves KPIs for existing security processes
• Provides tools for threat hunters
The value of deception
Visibility, Investigation, Control, Containment
Deception maturity
• A deception deployment has its own maturity model
• You don’t need to spend a lot to get immediate value
• Factors:
  • Completeness of deployment
  • Realism & attractiveness of deception stories
  • Additional deception capabilities
  • Integration with the security process
Level 0: Deception maturity – no deception
• Instead of an empty slide…
• Pain points:
  • Defenders have to defend everywhere – we need to fail just once in order for the attacker to succeed
  • Attackers have all the advantages – they need to succeed just once
  • Once attackers are past the perimeter they are hard to detect
Level 1: Deception maturity – hitting next on that wizard
• Time cost: 20 minutes overall
• No customization
• Gain immediate visibility
• Visibility that in the past was available on the edge
• Lateral movement becomes risky for attackers
• You can detect attacks such as Responder and pass-the-hash
Level 2: Tailored deception stories
• Introducing deception stories
• A surgical approach based on the attackers’ narrative
• Expecting the attackers where they are likely to come
• Defending business processes
ActiveSOC for investigation, automation and orchestration
• ActiveSOC automatically deploys deception elements based on triggers from security controls
• Low-scoring alerts can be validated by applying deception techniques, without need for human intervention
• This can save analyst time, and allow the SOC to handle more incoming alerts
Level 3: Even stronger deception
• Automatic periodic deployment and campaign refresh
• Relay for multiple MazeRunner instances
• Advanced Responder.py protection
• Golden Image
• AWS or other cloud integration
• Forensic Puller
• Integrations
  • SIEM, orchestration, PAM
Level 4+: Control and containment through deception
• Control & Containment
  • Legal Hackback (automatic engagement)
  • Honeydocs over the internet
• Integrations
  • Sandbox, playbooks, EDR, firewall, threat intel, etc.