Capturing the Flag with
Active Deception Defenses
© Fidelis Cybersecurity
Agenda
Introductions
Capture The Flag Cyber Games
Red vs Blue Teams
Opportunity for Deception
Capture the Flag Exercise with Deception
Results and Key Highlights
Lessons Learned
Chenxi Wang Ph.D
Managing General Partner
Rain Capital
Tom Clare
Product/Technical Marketing
Fidelis Cybersecurity
Capture The Flag - A Cyber Game
What is Capture The Flag?
• A Security Puzzle
The Goal of a CTF?
• Find the flag embedded in the target system w/in a set time window
• A file
• A secret
• A piece of information
Challenge-based CTF
You get to the goal by solving a series of challenges
You get points for each challenge
Challenges:
● A vulnerability in application/protocol
● A weakness in a crypto primitive or its implementation
● Reverse engineering a piece of code
● Write code to exploit a known flaw
Real-time Attack/Defense CTF
There are two opposing teams:
● Blue team defends the flag
● Red team tries to capture it
The flag is not an inanimate object!
It is much more challenging and fun!
Blue vs Red Teams
Blue Team focus includes:
Defending networks and systems
Monitoring security defenses
Security control effectiveness
Hardening systems and controls
Identifying security flaws
Incident response
Red Team focus includes:
White-hat hackers playing the threat actor role
Adversarial assessments (or pen-testing)
Real-world attack simulations without causing damage
Assessing vulnerabilities to improve defenses
Effective against fixed procedures and processes, and against entrenched organizational cultures
Challenging preconceived notions
Why Do We Do CTF?
Because we don’t put drivers who only read the driving handbook on the road
● Learn through hands-on exercises
● Learn to think like a hacker/attacker
● Learn problem solving skills
● Learn to collaborate in a team
● But ultimately - learn to protect our systems
And it’s fun! - it’s a game and a puzzle!
A Taste of CTF
Challenges:
• Forensics
• Crypto
• Reverse engineering
• Web exploitation
• Binary exploitation
Source: https://2017.picoctf.com/get_started
A Taste of CTF - “Pingpong 200”
There is a secret message from evil organization ZOR contained in two similar-looking image files. Find the message.
Solution: XOR the two files pixel by pixel, turn all pixels that are the same into white and all pixels that differ into black, and you get: “sammyshoulddomorework”
Source: https://jakobdegen.gitbooks.io/hsctf-4-writeups/content/
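As an added worked example, not part of the original deck or of the cited write-up: the XOR-and-threshold step above, implemented over two small binary PPM (P6) images that are constructed inline so the script runs offline. The 7x5 image contents and the hidden H shape are made up for the example; the same functions work on any two lossless, equal-size images once they are decoded to RGB.

```python
# Added example (not from the slides): XOR two same-size binary PPM (P6)
# images and keep only the pixels that differ, the recipe the write-up
# gives for "Pingpong 200". Sample images are constructed inline.
import struct


def parse_ppm(data: bytes):
    """Parse a binary PPM (P6, 8-bit channels) into (width, height, pixels).

    pixels is a list of (r, g, b) tuples in row-major order. Header comments
    ("# ...") are skipped, since tools such as ImageMagick emit them.
    """
    tokens, pos = [], 0
    while len(tokens) < 4:
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if data[pos:pos + 1] == b"#":          # comment runs to end of line
            pos = data.index(b"\n", pos) + 1
            continue
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        if start == pos:
            raise ValueError("truncated PPM header")
        tokens.append(data[start:pos])
    if tokens[0] != b"P6":
        raise ValueError("not a binary (P6) PPM")
    width, height, maxval = (int(t) for t in tokens[1:])
    if maxval != 255:
        raise ValueError("only 8-bit channels are supported")
    pos += 1                                   # exactly one whitespace byte follows maxval
    raw = data[pos:pos + width * height * 3]
    if len(raw) != width * height * 3:
        raise ValueError("truncated pixel data")
    return width, height, list(struct.iter_unpack("BBB", raw))


def xor_mask(img_a, img_b):
    """Grid of 1 (black) where the two images differ and 0 (white) where they match.

    Each channel is XORed; any non-zero result means the pixel was altered,
    even by a single low bit the eye cannot see.
    """
    (wa, ha, pa), (wb, hb, pb) = img_a, img_b
    if (wa, ha) != (wb, hb):
        raise ValueError("images must have the same dimensions")
    return [
        [1 if any(ca ^ cb for ca, cb in zip(pa[y * wa + x], pb[y * wa + x])) else 0
         for x in range(wa)]
        for y in range(ha)
    ]


def render(mask):
    """ASCII view of the mask: '#' for differing (black) pixels, '.' for matching."""
    return "\n".join("".join("#" if v else "." for v in row) for row in mask)


def make_ppm(width, height, pixels):
    """Serialise pixels as a P6 file (used only to build the constructed samples)."""
    header = f"P6\n# constructed sample\n{width} {height}\n255\n".encode()
    return header + b"".join(bytes(p) for p in pixels)


WIDTH, HEIGHT = 7, 5
# Pixels where the second image differs from the first, laid out as the letter H.
H_SHAPE = {(x, y) for y in range(HEIGHT) for x in (1, 5)} | {(x, 2) for x in range(1, 6)}


def build_samples():
    """Two constructed images: identical except that the H pixels have the low
    bit of their blue channel flipped, invisible when viewed side by side."""
    base = [((x * 37) % 256, (y * 59) % 256, (x * y * 11) % 256)
            for y in range(HEIGHT) for x in range(WIDTH)]
    tweaked = [(r, g, b ^ 1) if (i % WIDTH, i // WIDTH) in H_SHAPE else (r, g, b)
               for i, (r, g, b) in enumerate(base)]
    return make_ppm(WIDTH, HEIGHT, base), make_ppm(WIDTH, HEIGHT, tweaked)


def solve(ppm_a: bytes, ppm_b: bytes) -> str:
    """The Pingpong 200 recipe: XOR the files, render matching pixels white and
    differing pixels black, and read off the result."""
    return render(xor_mask(parse_ppm(ppm_a), parse_ppm(ppm_b)))


if __name__ == "__main__":
    print(solve(*build_samples()))
```

The trick only works when both files are lossless and pixel-aligned; a JPEG re-encode would make almost every pixel differ and wash the message out, which is why challenges of this kind ship PNG or PPM.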
Grace Hopper Conference - CTF training
2016 and 2017 program
Room filled to the brim
2-hour training program
“This helped me to think outside the box”
“Computer security is more fun than I thought”
“I wish my teacher did that in school!”
CTF Teaches Critical Thinking Skills
Most SOC analysts or threat hunters require these skills:
• Spot signs
• Understand scenarios and intentions
• Quickly decide on a course of action
• Respond to changes
CTF Competitions
Practice attack and defense techniques
Live sandboxed safe environment with ground rules and prizes for winners
Discovery and exploitation of vulnerabilities
Points to secure and defend systems
Various security challenges for extra points
Teams with seasoned and new players in an open, safe and social environment
Develop communication, time management and problem solving skills within teams
Professional development and an invaluable experience
Cyber Warfare Exercises
Locked Shields – NATO Cooperative Cyber Defence Centre of Excellence
Largest live-fire cyber defense exercise in the world
Over 550 people representing 26 nations
20 Blue Teams and NATO CIRC, many joint teams
Maintain networks and services of fictional country Berylia
Over 1700 possible attacks with over 1500 virtualized systems
Incidents, forensic challenges, legal, media and scenario injects
Servers, online services and industrial control systems
Opportunity for Cyber Deception
Knowing what attackers desire creates an opportunity for an active defense: to lure, detect, and defend.
(Diagram: global average dwell time of 99 days, spanning preventive defenses, deception bait & decoys, and attack lures)
Deception Elements
Deception Alerts
End Goals for Deception
Research:
• Security Intelligence
• Zero-Day Capture
• Malware & Tools
• Attribution/Mitigation
• Increase Attack Surface
• Users: highly skilled security researchers
• Model: cyber stakeout
Detect & Defend:
• Post-Breach Visibility
• Few False Positives
• Automation/Scale
• Enterprise-Wide Use
• Low Risk/Friction
• Users: Tier-1 security analysts
• Model: accurate alarm system
CTF Real Network
Real-world network complete with assets, users, services and data.
• 29 Users
• 1,491 Documents
• 5,532 Emails
• 31 Applications installed
• 3 Full browser profiles (Chrome, IE, FF)
• 2 Corporate web applications
• 2 Databases
• 1 Domain Controller (DC)
• 1 DNS Server
• 1 Private cloud service
CTF Deception Layer
The decoys were defined with varying levels of interactivity.
• Some decoy services appeared only as open ports, while others were full-blown services that appeared to run real applications.
• Among the services made available were TCP, UDP, SMB, HTTP, ICMP, RDP, FTP, MySQL, SMTP and SSH.
• 10 decoys:
• 7 workstations (user and development machines running Windows 7)
• 2 Windows servers (running Windows Server 2012 and Windows Server 2008)
• 1 Ubuntu Linux server
• 95 decoy services
Breadcrumbs or traps include:
• 61 files
• 39 beacon traps
• 27 emails
• 26 credentials
• 12 applications
• 10 IoT devices
• 2 network traps
Breadcrumbs make deception deterministic by leading attackers to decoys, versus static honeypots waiting to be found.
Example Traps
Email Trap
(unstructured data)
Chrome Browser Trap
(structured data)
CTF Deception Challenge
• CTF challenge: find 5 file hashes for information spread across assets
• Participants were given access to one asset via a RAT (Remote Access Trojan)
• The first file hash, containing key information, resided on this infected asset
• Each subsequent file hash was technically harder to find, requiring more expertise
• Each attacker or team worked solo on a fresh instance of the environment
• Tasks included gathering intelligence, collecting information, and moving laterally
• Public invitation to:
• Red teams
• Pen-testers
• Security researchers
• Best applicants selected
• Written mission brief & goals
• Challenge ran for 1+ month
• 52 participants with a global profile
• 6-7 hours of time per participant
• A dozen+ malware types also tested in parallel
The Knowledge Gap
• The mission brief provided key intel on the first challenge
• Participants who read the brief averaged ~100 commands
• Those who did not read it used spray-and-pray efforts
• Knowledge before and during phases reduces the knowledge gap and the commands needed
• Over time hackers become quieter and harder to detect
• Early detection is critical
• Deception layers need to be automatically kept current and dynamic
Trap Consumption
(Chart: traps triggered by type, out of 61 files, 27 emails, 12 applications, 26 credentials, 10 IoT devices, 2 network traps and 39 beacon traps)
Attacker Profiles
• 52 Humans
• 12 Malware
Traps: Man vs Machine
(Chart: traps triggered by humans vs malware, by trap type: 61 files, 27 emails, 12 applications, 26 credentials, 10 IoT devices, 2 network traps, 39 beacon traps)
• The average human triggered 10.5 traps
• Humans target files, email & unstructured data
• Malware targets apps and structured data
• Passwords/credentials:
• Found 2 on average
• Utilized 2.5 times on average
• Max reuse: 11 times in 11 places
• Password traps near decoys are very effective
• Trap variety is important to cover attack types
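The credential traps counted above, like the breadcrumbs listed on the "CTF Deception Layer" slide, only pay off if their use is detected and tied back to where they were planted. What follows is an added example, not Fidelis code and not part of the study, of that detection over OpenSSH auth log lines: a registry of planted decoy usernames (made up here), a parser for sshd "Accepted/Failed password" lines, and one alert per source address that records every host the credential was replayed against, so the "11 times in 11 places" reuse pattern shows up as a single enriched alert rather than eleven. The log lines, hostnames and addresses are constructed.

```python
# Added example (not from the slides): alert on any use of a planted decoy
# credential and track where it is replayed. Log lines are constructed.
import re
from dataclasses import dataclass, field

# Registry of planted decoy credentials. Usernames, planting locations and
# decoy hostnames are made up for this example.
DECOY_CREDS = {
    "svc_backup": {"planted_on": "ws-dev-03 (Chrome saved password)", "points_to": "decoy-fs-01"},
    "ora_admin": {"planted_on": "ws-fin-07 (notes.txt on desktop)", "points_to": "decoy-db-02"},
}

# OpenSSH auth.log line, e.g.
# "Mar  3 10:14:02 decoy-fs-01 sshd[2233]: Failed password for svc_backup from 10.0.5.23 port 51234 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Constructed sample log (not real telemetry): 10.0.5.23 harvested the
# svc_backup breadcrumb, used it on the decoy it points at, then replayed it
# against a production host, and went on to try a second decoy credential.
SAMPLE_LOG = """\
Mar  3 10:13:55 decoy-fs-01 sshd[2231]: Failed password for invalid user admin from 10.0.5.23 port 51230 ssh2
Mar  3 10:14:02 decoy-fs-01 sshd[2233]: Failed password for svc_backup from 10.0.5.23 port 51234 ssh2
Mar  3 10:14:09 decoy-fs-01 sshd[2235]: Accepted password for svc_backup from 10.0.5.23 port 51240 ssh2
Mar  3 10:16:41 app-prod-02 sshd[918]: Failed password for svc_backup from 10.0.5.23 port 51302 ssh2
Mar  3 10:17:03 bastion-01 sshd[7720]: Accepted password for jsmith from 10.0.9.4 port 40122 ssh2
Mar  3 10:19:30 decoy-db-02 sshd[410]: Failed password for ora_admin from 10.0.5.23 port 51377 ssh2
""".splitlines()


@dataclass
class CredentialAlert:
    user: str                 # decoy username that was used
    src: str                  # source address that used it
    planted_on: str           # breadcrumb location: tells the responder which asset was harvested
    targets: set = field(default_factory=set)   # hosts the credential was tried against
    attempts: int = 0


def detect_decoy_logins(lines):
    """One alert per (decoy user, source IP), accumulating every host it was
    tried against. Decoy credentials have no legitimate use, so a single
    attempt, failed or successful, is a confirmed detection."""
    alerts = {}
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        info = DECOY_CREDS.get(m["user"])
        if info is None:
            continue                       # real account: out of scope for this detector
        key = (m["user"], m["src"])
        alert = alerts.setdefault(key, CredentialAlert(m["user"], m["src"], info["planted_on"]))
        alert.targets.add(m["host"])
        alert.attempts += 1
    return list(alerts.values())


def lateral_targets(alert):
    """Hosts other than the decoy the credential was meant to lead to: reuse
    against real systems is the lateral-movement signal worth escalating."""
    return alert.targets - {DECOY_CREDS[alert.user]["points_to"]}


if __name__ == "__main__":
    for a in detect_decoy_logins(SAMPLE_LOG):
        print(f"{a.user} from {a.src}: {a.attempts} attempts on {sorted(a.targets)}, "
              f"harvested from {a.planted_on}, lateral reuse on {sorted(lateral_targets(a))}")
```

The same registry can be matched against Windows logon events (4624/4625 TargetUserName) or VPN logs; the point is that the decoy username is the indicator, not the outcome of the logon, and that the alert carries the planting location so the responder knows which real asset the attacker has already been on.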
Decoy Access
• On average, each attacker interacted with nearly 10 decoy services
• No decoy had more than 47% activity, signaling variety is important
• Sloppy attacks used scanners with pings and SYNs, non-interactive noise, easy for decoys to detect
• Sophisticated attacks were focused on specific decoys with high interaction
• Decoy variety is important, with live services to engage attackers
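As an added example (not from the deck): the separation described above, noisy scanners that send SYNs and pings without ever talking to a service versus focused sources that drive real protocol exchanges, expressed as triage over per-connection decoy records, plus the per-decoy activity share the slide uses to judge whether the decoy mix is wide enough. The records, hostnames, addresses and thresholds are constructed for illustration.

```python
# Added example (not from the slides): classify sources seen on decoys as
# noisy sweeps or targeted high-interaction attackers, and measure how evenly
# the interaction is spread across decoys. All records are constructed.
from collections import Counter, defaultdict

# One record per connection a decoy service logged. "payload" is bytes the
# client sent after the handshake; SYN scans and pings send none. "cmds"
# counts protocol-level commands the decoy answered (SMB tree connects,
# MySQL queries, ...). Hostnames and addresses are made up.
DECOYS = ("decoy-fs-01", "decoy-db-02", "decoy-web-03", "decoy-ws-04", "decoy-ws-05")
SAMPLE_EVENTS = [
    # 10.0.5.23 sweeps every decoy with SYNs and pings and never talks to a service
    *({"src": "10.0.5.23", "decoy": d, "proto": p, "payload": 0, "cmds": 0}
      for d in DECOYS for p in ("tcp-syn", "icmp")),
    # 10.0.7.88 skips the sweep, works a file-server decoy over SMB and RDP,
    # then touches one database decoy
    {"src": "10.0.7.88", "decoy": "decoy-fs-01", "proto": "smb", "payload": 4096, "cmds": 12},
    {"src": "10.0.7.88", "decoy": "decoy-fs-01", "proto": "smb", "payload": 8192, "cmds": 20},
    {"src": "10.0.7.88", "decoy": "decoy-fs-01", "proto": "rdp", "payload": 20480, "cmds": 0},
    {"src": "10.0.7.88", "decoy": "decoy-db-02", "proto": "mysql", "payload": 512, "cmds": 3},
]


def profile_sources(events):
    """Per source: connection count, distinct decoys touched, fraction of
    connections with no payload (pure noise), and total bytes/commands."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    profiles = {}
    for src, rows in by_src.items():
        n = len(rows)
        profiles[src] = {
            "connections": n,
            "decoys": len({r["decoy"] for r in rows}),
            "noise_ratio": sum(1 for r in rows if r["payload"] == 0) / n,
            "bytes": sum(r["payload"] for r in rows),
            "commands": sum(r["cmds"] for r in rows),
        }
    return profiles


def classify(profile, noise_threshold=0.8, sweep_width=3):
    """Label a source profile. The thresholds are illustrative, not from the study."""
    if profile["noise_ratio"] >= noise_threshold and profile["decoys"] >= sweep_width:
        return "noisy scanner"              # broad, non-interactive sweep
    if profile["commands"] > 0 or profile["bytes"] > 0:
        return "targeted high-interaction"  # few decoys, real protocol exchange
    return "low-interaction probe"


def triage(events):
    """Map every source address seen on the decoys to its label."""
    return {src: classify(p) for src, p in profile_sources(events).items()}


def decoy_activity_share(events):
    """Share of payload-bearing connections each decoy absorbed. If one decoy
    takes most of the interaction, the decoy mix is too narrow to cover the
    attack types in play."""
    counts = Counter(e["decoy"] for e in events if e["payload"] > 0)
    total = sum(counts.values())
    return {d: c / total for d, c in counts.items()} if total else {}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(decoy_activity_share(SAMPLE_EVENTS))
```

Both labels are detections; the difference is what a Tier-1 analyst should do next. A sweep is cheap to confirm and block at the source, while a high-interaction source deserves the captured session content (commands, files touched, credentials used) because it is the one that will keep quiet and go after real systems next.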
CTF Deception Summary
Sophisticated attacks are more targeted and far more interactive than careless, noisy, low-interaction scanning
Deception needs to be diverse to be effective against both malware and human attackers
Deception layers should be as realistic as possible, kept current, and dynamic, to increase the knowledge gap against attackers
Augment deception layers with network and traffic analysis for increased visibility and accuracy
Deception lures, detects and consumes attacker time, thus diverting and slowing attacks
Questions & Next Steps
In-depth Research White Paper
www.fidelissecurity.com/resources/applying-deception-mechanisms-detecting-cyber-attacks
Case Study
www.fidelissecurity.com/case-study-first-midwest-bank
Schedule a Demonstration
www.fidelissecurity.com/schedule-demo
Thank You!

Mais conteúdo relacionado

Semelhante a Capturing the Flag with Active Deception Defenses

The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021Adrian Sanabria
 
A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...
A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...
A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...Net4All
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Positive Hack Days
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
Securing Your Digital Files from Legal Threats
Securing Your Digital Files from Legal ThreatsSecuring Your Digital Files from Legal Threats
Securing Your Digital Files from Legal ThreatsAbbie Hosta
 
Network Security
Network SecurityNetwork Security
Network SecurityManoj Singh
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainErik Van Buggenhout
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for businessDaniel Thomas
 
Avoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsAvoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsJumpCloud
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardEMC
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
You can't detect what you can't see illuminating the entire kill chain
You can't detect what you can't see   illuminating the entire kill chainYou can't detect what you can't see   illuminating the entire kill chain
You can't detect what you can't see illuminating the entire kill chainFidelis Cybersecurity
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 

Semelhante a Capturing the Flag with Active Deception Defenses (20)

The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021
 
A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...
A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...
A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT...
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Cybersecurity Concerns You Should be Thinking About
Cybersecurity Concerns You Should be Thinking AboutCybersecurity Concerns You Should be Thinking About
Cybersecurity Concerns You Should be Thinking About
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
 
Securing Your Digital Files from Legal Threats
Securing Your Digital Files from Legal ThreatsSecuring Your Digital Files from Legal Threats
Securing Your Digital Files from Legal Threats
 
Network Security
Network SecurityNetwork Security
Network Security
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
Avoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsAvoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security Threats
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
You can't detect what you can't see illuminating the entire kill chain
You can't detect what you can't see   illuminating the entire kill chainYou can't detect what you can't see   illuminating the entire kill chain
You can't detect what you can't see illuminating the entire kill chain
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 

Mais de Fidelis Cybersecurity

Putting Cyber Attackers on the Defensive
Putting Cyber Attackers on the DefensivePutting Cyber Attackers on the Defensive
Putting Cyber Attackers on the DefensiveFidelis Cybersecurity
 
Threat intelligence Primary Tradecraft and Research
Threat intelligence Primary Tradecraft and ResearchThreat intelligence Primary Tradecraft and Research
Threat intelligence Primary Tradecraft and ResearchFidelis Cybersecurity
 
Extend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureExtend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureFidelis Cybersecurity
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsFidelis Cybersecurity
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateFidelis Cybersecurity
 
Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Fidelis Cybersecurity
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying  Insider Threats with Fidelis EDR Technology Part 1: Identifying  Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Fidelis Cybersecurity
 
Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSFidelis Cybersecurity
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
Secure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLPSecure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLPFidelis Cybersecurity
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration  Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration Fidelis Cybersecurity
 
Cybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOCCybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOCFidelis Cybersecurity
 

Mais de Fidelis Cybersecurity (13)

Putting Cyber Attackers on the Defensive
Putting Cyber Attackers on the DefensivePutting Cyber Attackers on the Defensive
Putting Cyber Attackers on the Defensive
 
Threat intelligence Primary Tradecraft and Research
Threat intelligence Primary Tradecraft and ResearchThreat intelligence Primary Tradecraft and Research
Threat intelligence Primary Tradecraft and Research
 
Extend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureExtend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in Azure
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systems
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
 
Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying  Insider Threats with Fidelis EDR Technology Part 1: Identifying  Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology
 
Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWS
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
Secure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLPSecure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLP
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration  Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration
 
Cybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOCCybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOC
 

Último

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

Capturing the Flag with Active Deception Defenses

  • 1. Capturing the Flag with Active Deception Defenses
  • 2. © Fidelis Cybersecurity
    Agenda: Introductions; Capture The Flag Cyber Games; Red vs Blue Teams; Opportunity for Deception; Capture the Flag Exercise with Deception; Results and Key Highlights; Lessons Learned
    Speakers: Chenxi Wang, Ph.D., Managing General Partner, Rain Capital; Tom Clare, Product/Technical Marketing, Fidelis Cybersecurity
  • 3. Capture The Flag - A Cyber Game
    What is Capture The Flag?
    ● A security puzzle
    The goal of a CTF?
    ● Find the flag embedded in the target system within a set time window: a file, a secret, a piece of information
  • 4. Challenge-based CTF
    You get to the goal by solving a series of challenges, and you get points for each challenge.
    Challenges:
    ● A vulnerability in an application/protocol
    ● A weakness in a crypto primitive or implementation
    ● Reverse engineering a piece of code
    ● Writing code to exploit a known flaw
  • 5. Real-time Attack/Defense CTF
    There are two opposing teams:
    ● Blue team defends the flag
    ● Red team tries to capture it
    The flag is not an inanimate object! It is much more challenging and fun!
  • 6. Blue vs Red Teams
    Blue Team focus includes:
    ● Defending networks and systems
    ● Monitoring security defenses
    ● Security control effectiveness
    ● Hardening systems and controls
    ● Identifying security flaws
    ● Incident response
    Red Team focus includes:
    ● White-hat hacker role as threat actors
    ● Adversarial assessments (or pen-testing)
    ● Real-world attack simulations without damage
    ● Assessing vulnerabilities to improve defenses
    ● Effective against fixed procedures and processes, plus strong cultures
    ● Challenging preconceived notions
  • 7. Why Do We Do CTF?
    Because we don’t put drivers who have only read the driving handbook on the road.
    ● Learn through hands-on exercises
    ● Learn to think like a hacker/attacker
    ● Learn problem solving skills
    ● Learn to collaborate in a team
    ● But ultimately, learn to protect our systems
    And it’s fun! It’s a game and a puzzle!
  • 8. A Taste of CTF
    Challenges:
    ● Forensics
    ● Crypto
    ● Reverse engineering
    ● Web exploitation
    ● Binary exploitation
    Source: https://2017.picoctf.com/get_started
  • 9. A Taste of CTF - “Pingpong 200”
    There is a secret message from the evil organization ZOR contained in two similar-looking image files. Find the message.
    Solution: XOR the files, turn all pixels that are the same white and all pixels that differ black, and you get: “sammyshoulddomorework”
    Source: https://jakobdegen.gitbooks.io/hsctf-4-writeups/content/
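The pixel-XOR solution described on slide 9, as an added example in pure Python (not code from the slides or the write-up it cites): two images are represented as rows of RGB tuples so no imaging library is needed, and the two sample images are constructed here, so the resulting mask shows a small block rather than a real message.

```python
# Added example: solve the "Pingpong 200" style challenge by XORing two images pixel by
# pixel. Images are lists of rows of (R, G, B) tuples; the samples below are constructed.

WHITE = (255, 255, 255)
BLACK = (0, 0, 0)


def xor_images(img_a, img_b):
    """Return a mask: WHITE where the two pixels are identical, BLACK where they differ.
    XORing two equal channel values gives 0, so any non-zero channel marks a change."""
    if len(img_a) != len(img_b) or any(len(ra) != len(rb) for ra, rb in zip(img_a, img_b)):
        raise ValueError("images must have the same dimensions")
    mask = []
    for row_a, row_b in zip(img_a, img_b):
        mask.append([
            WHITE if all(a ^ b == 0 for a, b in zip(pa, pb)) else BLACK
            for pa, pb in zip(row_a, row_b)
        ])
    return mask


def render(mask):
    """ASCII rendering of the mask: '.' for unchanged (white), '#' for changed (black)."""
    return "\n".join("".join("#" if px == BLACK else "." for px in row) for row in mask)


# Constructed sample: IMG_B equals IMG_A except for two pixels in the middle row, which
# play the role of the hidden message pixels in the real challenge.
IMG_A = [[(10 * (x + y) % 256, 100, 50) for x in range(6)] for y in range(3)]
IMG_B = [row[:] for row in IMG_A]
IMG_B[1][2] = (IMG_A[1][2][0] ^ 1, 100, 50)  # differs by a single bit in the red channel
IMG_B[1][3] = (0, 0, 0)

if __name__ == "__main__":
    print(render(xor_images(IMG_A, IMG_B)))
```

Even a one-bit difference in one channel is caught, which is why the technique works on images that look identical to the eye.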
  • 10. Grace Hopper Conference - CTF training
    ● 2016 and 2017 program
    ● Room filled to the brim
    ● 2-hour training program
    Participant feedback:
    “This helped me to think outside the box”
    “Computer security is more fun than I thought”
    “I wish my teacher did that in school!”
  • 11. CTF Teaches Critical Thinking Skills
    Most SOC analysts or threat hunters require these skills:
    ● Spot signs
    ● Understand scenarios and intentions
    ● Quickly decide on a course of action
    ● Respond to changes
  • 12. CTF Competitions
    ● Practice attack and defense techniques
    ● Live sandboxed safe environment with ground rules and prizes for winners
    ● Discovery and exploitation of vulnerabilities
    ● Points for securing and defending systems
    ● Various security challenges for extra points
    ● Teams with seasoned and new players in an open, safe and social environment
    ● Develop communication, time management and problem solving skills within teams
    ● Professional development and an invaluable experience
  • 13. Cyber Warfare Exercises
    Locked Shields – NATO Cooperative Cyber Defense Center of Excellence
    ● Largest live-fire cyber defense exercise in the world
    ● Over 550 people representing 26 nations
    ● 20 Blue Teams and NATO CIRC, many joint teams
    ● Maintain the networks and services of the fictional country Berylia
    ● Over 1700 possible attacks with over 1500 virtualized systems
    ● Incidents, forensic challenges, legal, media and scenario injects
    ● Servers, online services and industrial control systems
  • 15. Opportunity for Cyber Deception
    Knowing what attackers desire creates an opportunity for an active defense: to lure, detect, and defend.
    Global Average Dwell Time: 99 Days
    [Diagram labels: Preventive Defenses; Deception Bait & Decoys; Attack Lures]
  • 18. End Goals for Deception
    Research / Security Intelligence (highly skilled security researchers, a “cyber stakeout”):
    ● Zero-day capture
    ● Malware & tools
    ● Attribution/mitigation
    ● Increase attack surface
    Detect & Defend (Tier-1 security analysts, an accurate alarm system):
    ● Post-breach visibility
    ● Few false positives
    ● Automation/scale
    ● Enterprise-wide use
    ● Low risk/friction
  • 19. CTF Real Network
    Real-world network complete with assets, users, services and data.
    ● 29 users
    ● 1,491 documents
    ● 5,532 emails
    ● 31 applications installed
    ● 3 full browser profiles (Chrome, IE, FF)
    ● 2 corporate web applications
    ● 2 databases
    ● 1 Domain Controller (DC)
    ● 1 DNS server
    ● 1 private cloud service
  • 22. CTF Deception Challenge
    ● CTF challenge to find 5 file hashes for information spread across assets
    ● Participants were provided access to one asset via a RAT (Remote Access Trojan)
    ● The first file hash containing key information resides on this infected asset
    ● Each subsequent file hash was technically harder to find, requiring more expertise
    ● Each attacker or team worked solo on a fresh instance of the environment
    ● Tasks included gathering intelligence, collecting information, and moving laterally
    Participation:
    ● Public invitation to red teams, pen-testers and security researchers
    ● Best applicants selected
    ● Written mission brief & goals
    ● Challenge ran for 1+ month
    ● 52 participants with a global profile
    ● 6-7 hours of time per participant
    ● A dozen+ malware types also tested in parallel
  • 23. The Knowledge Gap
    ● The mission brief provided key intel on the first challenge
    ● Those who read the brief averaged ~100 commands
    ● Those who did not read it used spray-and-pray efforts
    ● Knowledge before and during the phases reduces the knowledge gap and the number of commands
    ● Over time hackers become quieter and harder to detect
    ● Early detection is critical
    ● Deception layers need to be automatically kept current and dynamic
  • 24. Trap Consumption
    [Chart: trap consumption by trap type, across the 61 files, 27 emails, 12 applications, 26 credentials, 10 IoT devices, 2 network traps and 39 beacon traps]
    Attacker profiles:
    ● 52 humans
    ● 12 malware
  • 25. Traps: Man vs Machine
    [Chart: traps triggered by humans vs malware, per trap type (61 files, 27 emails, 12 applications, 26 credentials, 10 IoT devices, 2 network traps, 39 beacon traps)]
    ● The average human triggered 10.5 traps
    ● Humans target files, email & unstructured data
    ● Malware targets apps and structured data
    ● Passwords/credentials: found 2 on average; utilized 2.5 times on average; max reuse 11 times in 11 places
    ● Password traps near decoys are very effective
    ● Trap variety is important to cover attack types
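The credential breadcrumbs of slides 20 and 25 work because a planted account has no legitimate use, so any authentication attempt with it is a high-confidence alert. The detection below is an added example, not Fidelis code; the decoy account names, the log line format and the sample log are all constructed, and the reuse figures it reports mirror the slide's "utilized N times in N places" measure.

```python
import re
from collections import defaultdict

# Added example: alert on any use of a planted (decoy) credential, success or failure,
# and count how often and on how many hosts each decoy credential was reused.
# Decoy usernames, log format and log lines are constructed for this example.
DECOY_ACCOUNTS = {"svc_backup", "db_admin_ro"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_auth_line(line):
    """Parse one constructed auth log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_decoy_credential_use(lines, decoys=DECOY_ACCOUNTS):
    """Return (alerts, reuse): alerts is every parsed event that used a decoy account;
    reuse maps each decoy account to (attempt count, number of distinct target hosts)."""
    alerts = []
    attempts = defaultdict(int)
    hosts = defaultdict(set)
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue  # unparseable line: skip it rather than abort the whole pass
        if ev["user"] in decoys:
            alerts.append(ev)
            attempts[ev["user"]] += 1
            hosts[ev["user"]].add(ev["host"])
    reuse = {u: (attempts[u], len(hosts[u])) for u in attempts}
    return alerts, reuse


SAMPLE_LOG = [  # constructed: one real user, one decoy account sprayed across three hosts
    "2019-03-01T10:02:11Z host=ws-07 user=alice src=10.0.5.21 result=OK",
    "2019-03-01T10:05:43Z host=ws-07 user=svc_backup src=10.0.5.21 result=FAIL",
    "2019-03-01T10:06:02Z host=fs-01 user=svc_backup src=10.0.5.21 result=OK",
    "2019-03-01T10:06:30Z host=db-02 user=svc_backup src=10.0.5.21 result=OK",
    "malformed line that the parser should ignore",
    "2019-03-01T10:09:15Z host=db-02 user=db_admin_ro src=10.0.5.21 result=FAIL",
]

if __name__ == "__main__":
    found, stats = find_decoy_credential_use(SAMPLE_LOG)
    for ev in found:
        print(f"ALERT decoy credential {ev['user']} used from {ev['src']} on {ev['host']} ({ev['result']})")
    print(stats)
```

Because the alert fires on failed attempts too, a spray that never succeeds still reveals the attacker's source and the hosts they are probing.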
  • 26. Decoy Access
    ● On average, each attacker interacted with nearly 10 decoy services
    ● No decoy had more than 47% activity, signaling that variety is important
    ● Sloppy attacks used scanners with pings and SYNs: non-interactive noise, easy for decoys to detect
    ● Sophisticated attacks were focused on specific decoys with high interaction
    ● Decoy variety is important, with live services to engage attackers
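Slide 26 separates scanner noise (pings and bare SYNs) from high-interaction sessions and reports what share of attackers each decoy engaged. As an added example, not Fidelis code, the classifier below applies that split to constructed connection records and computes the per-decoy share; the record fields are this example's own.

```python
from collections import defaultdict

# Added example: classify decoy contacts as low-interaction scanner noise or interactive
# sessions, then compute each decoy's share of distinct attackers (the "no decoy had more
# than 47% activity" measure). Records and field names are constructed for this example.


def classify(rec):
    """'noise' for ICMP echo and for TCP connections that carried no application data
    (SYN scans, half-open probes); 'interactive' for anything that exchanged payload."""
    if rec["proto"] == "icmp":
        return "noise"
    if rec["proto"] == "tcp" and rec["bytes_in"] == 0 and rec["bytes_out"] == 0:
        return "noise"
    return "interactive"


def decoy_activity(records):
    """Return (counts by class, share of distinct attackers that interacted with each decoy).
    Only interactive sessions count toward a decoy's share; noise is tallied separately."""
    counts = defaultdict(int)
    attackers = set()
    per_decoy = defaultdict(set)
    for rec in records:
        kind = classify(rec)
        counts[kind] += 1
        attackers.add(rec["src"])
        if kind == "interactive":
            per_decoy[rec["decoy"]].add(rec["src"])
    share = {d: len(s) / len(attackers) for d, s in per_decoy.items()} if attackers else {}
    return dict(counts), share


RECORDS = [  # constructed: four attacker sources, three decoys
    {"src": "10.1.1.5", "decoy": "decoy-ws-01", "proto": "icmp", "port": None, "bytes_in": 0, "bytes_out": 0},
    {"src": "10.1.1.5", "decoy": "decoy-ws-01", "proto": "tcp", "port": 445, "bytes_in": 0, "bytes_out": 0},
    {"src": "10.1.1.5", "decoy": "decoy-srv-02", "proto": "tcp", "port": 22, "bytes_in": 0, "bytes_out": 0},
    {"src": "10.1.1.9", "decoy": "decoy-srv-02", "proto": "tcp", "port": 22, "bytes_in": 2310, "bytes_out": 4820},
    {"src": "10.1.1.9", "decoy": "decoy-db-03", "proto": "tcp", "port": 3306, "bytes_in": 880, "bytes_out": 12040},
    {"src": "10.1.2.3", "decoy": "decoy-db-03", "proto": "tcp", "port": 3306, "bytes_in": 120, "bytes_out": 90},
    {"src": "10.1.2.7", "decoy": "decoy-ws-01", "proto": "udp", "port": 161, "bytes_in": 64, "bytes_out": 0},
]

if __name__ == "__main__":
    counts, share = decoy_activity(RECORDS)
    print(counts)
    for decoy, frac in sorted(share.items()):
        print(f"{decoy}: {frac:.0%} of attackers")
```

The scanner source 10.1.1.5 touches three decoys but counts toward none of them, which is the point of the split: volume of contact is not the same as engagement.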
  • 27. CTF Deception Summary
    ● Sophisticated attacks are more targeted and highly interactive than careless, noisy, low-interaction scanning
    ● Deception needs to be diverse to be effective against malware and human attackers
    ● Deception layers should be as realistic as possible, kept current, and dynamic to increase the knowledge gap against attackers
    ● Augment deception layers with network and traffic analysis for increased visibility and accuracy
    ● Deception lures, detects and consumes attacker time, thus diverting and slowing attacks
  • 28. Questions & Next Steps
    In-depth Research White Paper: www.fidelissecurity.com/resources/applying-deception-mechanisms-detecting-cyber-attacks
    Case Study: www.fidelissecurity.com/case-study-first-midwest-bank
    Schedule a Demonstration: www.fidelissecurity.com/schedule-demo