Symantec Deception Brief
Six Deception Brief
Use case descriptions for deception
Process Termination Deceptor
The fake process termination deceptor launches a process, using Metasploit scripts and MS wscript.exe, that is disguised as a security application commonly targeted for termination.
Use the taskkill command to terminate the process; the force switch (/F) is required, because the deceptor only triggers on an actual termination, not on a termination request.
Network Discovery Deceptor
The network discovery deceptor adds an entry to the most recently used (MRU) list for fake remote desktop connections by modifying registry values.
Trigger: RDP or ICMP to the fake host.
DNS Lookup Deceptor
The network lookup deceptor inserts a fake entry into the fake DNS cache through hosts file and registry changes; IPS triggers on the ICMP request. The lookup itself does not trigger the deceptor (example: nslookup fake.company.com); a connection must be opened to the IP address mapped to the fake FQDN for it to trigger. It generates encrypted registry entries.
File Share Deceptor
The network traversal deceptor creates what appears to be an off-box file share to a remote server with fake files.
Credential theft deceptor
The credential theft deceptor launches a process as a fake user and then monitors Windows. It creates fake registry entries and runs multiple startup scripts to dump passwords and user names.
File traversal
The file traversal deceptor delivers fake files into a hidden directory: fake files on user machines, encrypted registry values, hosts file edits and fake folder creations.
Deception Coverage

| Use cases | Workstations: Windows | Workstations: Mac | Servers: Windows | Servers: RHEL | Servers: File Server | Decoy VM |
|---|---|---|---|---|---|---|
| Process Termination Deceptor | Yes | NA | No | NA | Not required* | Yes |
| Network Discovery Deceptor | Yes | NA | No | NA | Not required* | Yes |
| DNS Lookup Deceptor | Yes | NA | No | NA | Not required* | Yes |
| File Share Deceptor | Yes | NA | No | NA | Not required* | Yes |
| Credential theft deceptor | NA - Symantec working | NA | No | NA | Not required* | NA - Symantec working |
| File traversal | NA - Symantec working | NA | No | NA | Not required* | NA - Symantec working |
Easy to detect by hacker?
• The same fake details (files and RDP connections) are created on all machines
• Symantec IPS and ADC logs are already available in the SIEM
• Fake, encrypted registry entries are created
• Easily traceable by a hacker, as all registry values sit under one Symantec path
• File shares resolve to the loopback IP address
• At each boot and every hour, it validates that those scripts and registry entries are present on SEP clients
Impact on Threat Hunting Service
• Deception calls many programs via scripts, which is noisy and will have a negative impact on EDR / forensic analysis
• Fake, encrypted registry entries are created
• net use commands are used in scripts and run many times
• At each boot and every hour, it validates that those scripts and registry entries are present on SEP clients
| Use cases | Workstations: Windows | Workstations: Mac | Servers: Windows | Servers: RHEL | Servers: File Server | Decoy VM | Other Controls: Can CB / SIEM cover? | Deceptor hampering CB TH activity? |
|---|---|---|---|---|---|---|---|---|
| Process Termination Deceptor | Yes | NA | No | NA | Not required* | Yes | SIEM can cover through Windows logs | Yes, the deceptor's action is similar to malicious activity and it will be difficult to tell malicious and deceptor activity apart |
| Network Discovery Deceptor | Yes | NA | No | NA | Not required* | Yes | SIEM / CB cannot detect what does not exist, but connections to such a node will be recorded in CB | Yes, difficult to distinguish deceptor activity from a bad actor's |
| DNS Lookup Deceptor | Yes | NA | No | NA | Not required* | Yes | SIEM (DNS log) / CB can alert on successful connections | Yes, the deceptor's action is similar to malicious activity and it will be difficult to tell malicious and deceptor activity apart |
| File Share Deceptor | Yes | NA | No | NA | Not required* | Yes | Need to check; file executions can be monitored through names | No |
| Credential theft deceptor | NA - Symantec working | NA | No | NA | Not required* | NA - Symantec working | SIEM / CB can cover partially | Yes, the deceptor's action is similar to malicious activity and it will be difficult to tell malicious and deceptor activity apart |
| File traversal | NA - Symantec working | NA | No | NA | Not required* | NA - Symantec working | Need to check | Yes, the deceptor's action is similar to malicious activity and it will be difficult to tell malicious and deceptor activity apart |
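The trigger rules from the use case descriptions (a forced kill fires the process deceptor while a plain termination request does not; nslookup of the fake FQDN is not a trigger but a connection to its mapped address is; RDP or ICMP to the fake host is) and the noise problem from the threat hunting table (deceptor activity looks like attacker activity, and the validation scripts run at boot and hourly) can be combined into one SIEM/EDR triage rule. The Python below is an added example, not part of the deck or of Symantec's product: fake.company.com comes from the slides, while the decoy IP, RDP host name, process name and the Symantec script path are constructed placeholders.

```python
"""Triage helper: label constructed endpoint events as 'trigger' (a real interaction
with a decoy), 'maintenance' (the deceptor's own scheduled validation noise) or
'other', following the trigger rules stated on the slides."""
from collections import Counter
from dataclasses import dataclass

# Assumed decoy inventory. fake.company.com is from the slides; every other value is a
# constructed placeholder, not a value Symantec's product actually uses.
DECOY_FQDN = "fake.company.com"
DECOY_HOSTS = {DECOY_FQDN, "10.99.99.99", "decoy-rdp01"}   # mapped IP / fake RDP target
DECOY_PROCESS = "fakeav.exe"                                # disguised "security" process
MAINT_SCRIPT_DIR = "c:\\placeholder\\symantec\\deception"   # stands in for the Symantec path
RDP_PORT = 3389


@dataclass
class Event:
    kind: str                 # "process" or "network"
    cmdline: str = ""         # command line of the new process
    parent_cmdline: str = ""  # command line of its parent (EDR records both)
    dest: str = ""            # destination host or IP for network events
    dest_port: int = 0
    proto: str = "tcp"        # "tcp", "udp" or "icmp"


def _tool(cmdline: str) -> str:
    """Lower-cased program name of a command line, without path or .exe suffix."""
    tokens = cmdline.lower().split()
    if not tokens:
        return ""
    name = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def classify(ev: Event) -> str:
    """Label one event as 'trigger', 'maintenance' or 'other'."""
    if ev.kind == "process":
        # Validation scripts run at boot and hourly from the deception path and spawn
        # net use and other tools; that is expected noise, not an attacker.
        if MAINT_SCRIPT_DIR in (ev.cmdline + " " + ev.parent_cmdline).lower():
            return "maintenance"
        tokens = ev.cmdline.lower().split()
        # Process Termination deceptor: only a forced kill (/F) of the fake process
        # fires; a plain taskkill (a termination request) does not. An nslookup of
        # the fake FQDN is likewise not a trigger and falls through to 'other'.
        if _tool(ev.cmdline) == "taskkill" and "/f" in tokens and DECOY_PROCESS in tokens:
            return "trigger"
        return "other"
    if ev.kind == "network" and ev.dest.lower() in DECOY_HOSTS:
        # Network Discovery deceptor: RDP or ICMP to the fake host.
        if ev.proto == "icmp" or (ev.proto == "tcp" and ev.dest_port == RDP_PORT):
            return "trigger"
        # DNS Lookup deceptor: a connection opened to the address mapped to the fake FQDN.
        if ev.proto == "tcp":
            return "trigger"
    return "other"


def triage(events) -> dict:
    """Count labels so a hunter can see how much of the volume is deceptor noise."""
    return dict(Counter(classify(e) for e in events))


# Constructed sample events (not real telemetry).
SAMPLE = [
    Event("process", cmdline="taskkill /F /IM fakeav.exe", parent_cmdline="cmd.exe"),
    Event("process", cmdline="taskkill /IM fakeav.exe", parent_cmdline="cmd.exe"),
    Event("process", cmdline="nslookup fake.company.com", parent_cmdline="cmd.exe"),
    Event("process", cmdline="net use z: \\\\127.0.0.1\\share",
          parent_cmdline="wscript.exe " + MAINT_SCRIPT_DIR + "\\validate.vbs"),
    Event("network", dest="decoy-rdp01", dest_port=RDP_PORT),
    Event("network", dest="10.99.99.99", proto="icmp"),
    Event("network", dest="10.99.99.99", dest_port=443),
    Event("network", dest="intranet.company.com", dest_port=443),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{classify(e):12s} {e.cmdline or f'{e.proto}://{e.dest}:{e.dest_port}'}")
    print(triage(SAMPLE))
```

Only the 'trigger' label is a high-fidelity alert; 'maintenance' events are the hourly validation noise the slides warn about and can be suppressed once the real script path is substituted for the placeholder.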
Possible Impact on End-users
• Fake remote desktop connections are made on end-user machines
• Fake file shares will be created on network share files
Thanks & Q&A
Deck "Deception ey", uploaded by Finto Thomas, CISSP, TOGAF, CCSP, ITIL, JNCIS