2. Brief History of Deception
Deception Types
Under the Hood
Some Use Cases
Touch Points
3. Deception over the years
• Millions of years in the Natural World for survival/aggression
• Millions of years in bacteria and viruses to thrive
• 1000s of years in Warfare/Military to attack or defend
• Decades in Cyber Warfare
• Attackers use Deception
  • Phishing, spoofing, encryption
• Defenders should use Deception
  • Honeypots, Cryptographic Camouflage
  • French Election used it recently
[Images: Owl Butterfly for Survival; Transmitter; Passion Fruit Leaf with spots]
Copyright Acalvio Technologies
5. Breadcrumbs: Extend Deceptions to Production Devices
Many flavors and forms:
1. Registry entries
2. Files & Folders
3. Memory hashes
4. User Profiles
5. Browser cookies
A few challenges:
1. Need deployment automation and intelligence
2. Avoid accidental alerts triggered by users
Deception Anywhere or Everywhere
6. Lures: Another powerful arrow in the quiver
Deliberately placed:
1. Vulnerabilities in OS, Applications, Protocols
2. Weak configurations and permissions
3. Powerful fake Service Accounts
4. Shares
5. Interesting Data
Make Deceptions more attractive
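The two slides above describe breadcrumbs (artefacts dropped on production hosts) and lures (fake privileged service accounts and similar bait). The following is an added example, not Acalvio's code, showing the defender-side plumbing that makes them useful: each breadcrumb is minted with a unique fake account name that points at a decoy, and a decoy authentication log is correlated back to the breadcrumb so the alert carries the production host the credential was lifted from. The breadcrumb kinds, the `svc_backup_` naming scheme and the decoy log format are assumptions made for the example.

```python
"""Correlating decoy activity back to planted breadcrumbs and lures.

Added example (not Acalvio's code). Each breadcrumb is minted with a unique
fake service-account name and points at a decoy. When that name later shows
up in the decoy's authentication log, the defender learns not only that an
attacker is inside, but which production host the breadcrumb was lifted from.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Breadcrumb:
    crumb_id: str   # short tag derived from an HMAC, unique per placement
    kind: str       # "ssh_config" or "rdp_saved_cred" (hypothetical kinds)
    host: str       # production host the breadcrumb is planted on
    account: str    # fake privileged-looking account embedded in the breadcrumb
    target: str     # decoy the breadcrumb leads to


class BreadcrumbRegistry:
    """Mints breadcrumbs and remembers which fake account belongs to which host."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._by_account = {}

    def mint(self, kind: str, host: str, target: str) -> Breadcrumb:
        # HMAC keeps the tag unpredictable to anyone without the secret, while
        # staying deterministic so a re-deployment yields the same breadcrumb.
        msg = f"{kind}|{host}|{target}".encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:8]
        crumb = Breadcrumb(tag, kind, host, f"svc_backup_{tag}", target)
        self._by_account[crumb.account] = crumb
        return crumb

    def render(self, crumb: Breadcrumb) -> str:
        """The artefact text that would be dropped on the production host."""
        if crumb.kind == "ssh_config":
            return (f"Host {crumb.target}\n    User {crumb.account}\n"
                    f"    IdentityFile ~/.ssh/id_{crumb.crumb_id}\n")
        if crumb.kind == "rdp_saved_cred":
            return f"full address:s:{crumb.target}\nusername:s:{crumb.account}\n"
        raise ValueError(f"unknown breadcrumb kind: {crumb.kind}")

    def lookup(self, account: str):
        return self._by_account.get(account)


# Constructed decoy auth-log format assumed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) decoy=(?P<decoy>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$")


def correlate(registry: BreadcrumbRegistry, log_lines):
    """Every decoy login attempt is an alert; a breadcrumb match adds provenance."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        crumb = registry.lookup(m["user"])
        alerts.append({
            "ts": m["ts"],
            "decoy": m["decoy"],
            "src": m["src"],
            "user": m["user"],
            "breadcrumb_kind": crumb.kind if crumb else None,
            "origin_host": crumb.host if crumb else None,
        })
    return alerts


def demo():
    reg = BreadcrumbRegistry(secret=b"constructed-demo-secret")
    a = reg.mint("ssh_config", "ws-finance-07", "decoy-db-01")
    b = reg.mint("rdp_saved_cred", "ws-hr-12", "decoy-fs-02")
    # Constructed decoy log: one attempt using breadcrumb A's account, one
    # using a guessed name that matches no breadcrumb.
    log = [
        f"2017-06-01T02:14:09Z decoy=decoy-db-01 src=10.20.5.77 user={a.account} result=denied",
        "2017-06-01T02:15:41Z decoy=decoy-db-01 src=10.20.5.77 user=administrator result=denied",
    ]
    return reg, a, b, correlate(reg, log)
```

Both log lines become alerts, because nothing legitimate authenticates to a decoy; only the first one can be tied to a specific breadcrumb and therefore to the host `ws-finance-07`, which is where the incident responder should look first.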
7. Decoy Types
Low Interaction Deceptions
• Attacker typically cannot log in
• Emulated Hosts, Applications, Database Servers
High Interaction Deceptions
• Attacker can log in – full interaction
• Real VM Hosts, Applications, Database Servers, Shares
8. Low Interaction Deceptions
✓ Deploy OS, Network services or Applications
✓ Lots of deceptions possible
✓ Low IT cost
✓ Low Risk to Enterprise Networks
✓ Dynamic: easy to morph on-the-fly
✓ Need not be emulations!
× Cannot Engage with the Attacker
× If Emulated then Easy to fingerprint Deceptions
Key Challenge: Odds of attacker identifying deceptions
9. High Interaction Deceptions
✓ Deploy real OS, Services, Applications
✓ Deceptions are not finger-printable
✓ Possible to Engage with Attacker
× Only Few deceptions
× High Cost of licensing & maintaining
× Need Containment to reduce RISK
× Static: pre-built, unable to morph quickly
× Often used with Breadcrumbs to lead attacker to Decoys. But then attacker needs to find breadcrumbs first
Key Challenge: Odds of Attacker/Malware running into the few deceptions
10. Often we need both
Scale and Depth (Believable Deceptions)
11. Static vs Dynamic Deceptions
Static Deceptions
• Hardly change
• Easy to fingerprint & avoid
Dynamic Deceptions
• Changing always
• Hard to predict or identify
[Images: Mimic Octopus: mimics up to 15 creatures; Active Camouflage: counter-illumination by Squids; Honey Ants]
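Slides 7 to 9 and 11 make three points about low-interaction decoys: they only emulate a service so the attacker cannot log in, an emulated decoy is easy to fingerprint if it never changes, and a dynamic decoy that morphs on the fly is harder to identify. The following added example (not Acalvio's product code) is a minimal network decoy that ties those together: it serves a service banner and nothing more, records every connection as a high-fidelity event, and rotates which banner it presents per time window. The banner pool, the one-hour rotation and the event schema are assumptions made for the example.

```python
"""Low-interaction decoy with a rotating service persona.

Added example, not Acalvio's product code. The decoy emulates only a service
banner (the attacker cannot log in), records every connection as a
high-fidelity event, and rotates which banner it presents per time window so
that a fingerprint learned today is stale tomorrow.
"""
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed persona pool of plausible SSH banners. A decoy that always showed
# the same one could be fingerprinted; rotation makes that fingerprint unreliable.
PERSONAS = [
    b"SSH-2.0-OpenSSH_7.4\r\n",
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    b"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2\r\n",
]
ROTATION_SECONDS = 3600  # assumed rotation window


def persona_index(now: float, offset: int = 0) -> int:
    """Which persona is live in the rotation window containing `now`."""
    window = int(now // ROTATION_SECONDS)
    return (window + offset) % len(PERSONAS)


def make_event(persona: int, src_ip: str, src_port: int, first_bytes: bytes, now: float) -> dict:
    """One alert record per connection; severity is high because nothing legitimate connects here."""
    return {
        "ts": datetime.fromtimestamp(now, timezone.utc).isoformat(),
        "persona": PERSONAS[persona].decode().strip(),
        "src": f"{src_ip}:{src_port}",
        "client_sent": first_bytes.decode("latin-1", "replace")[:128],
        "severity": "high",
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        now = time.time()
        persona = persona_index(now)
        self.request.sendall(PERSONAS[persona])   # the whole "service": a banner
        self.request.settimeout(2.0)
        try:
            first = self.request.recv(256)        # whatever the client says first
        except OSError:
            first = b""
        event = make_event(persona, self.client_address[0], self.client_address[1], first, now)
        self.server.events.append(event)
        print(json.dumps(event))


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.events = []   # in a real deployment these go to the SIEM


def exercise_locally():
    """Start the decoy on an ephemeral port, connect once, return (banner, event)."""
    server = DecoyServer(("127.0.0.1", 0))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=3) as s:
            banner = s.recv(128)
            s.sendall(b"SSH-2.0-scanner_probe\r\n")
        deadline = time.time() + 3
        while not server.events and time.time() < deadline:
            time.sleep(0.05)
    finally:
        server.shutdown()
        server.server_close()
    return banner, (server.events[0] if server.events else None)


if __name__ == "__main__":
    with DecoyServer(("127.0.0.1", 2222)) as server:
        server.serve_forever()
```

Run stand-alone it listens on 127.0.0.1:2222 and prints one JSON event per connection; `exercise_locally()` does the same on an ephemeral port for a self-check. The trade-off from slide 8 is visible in the handler: because only the banner is emulated, any client that proceeds past the banner exchange will notice, which is why the persona pool rotates rather than relying on one banner being convincing forever.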
12. Intelligence Component
Human only
• Expert decides type and number of deceptions to deploy
• Manually/automatically configures traps at Time T0
Key Challenges:
• What happens at Time T1 or T10?
• How many Experts can a company send to the front line 24x7x365?
Human + AI based = Future
• System recommends type, number, placement and duration of deceptions.
• System responds to:
  • Events and Incidents
  • Adversary Behavior
  • When you are sleeping
14. Internal Facing vs External Facing Deceptions
Internal Facing
• Good for Enterprises
• A new layer of Defense
• Acts like a motion detector inside Enterprises
  • Corporate Network
  • Data Centers
• Detects attackers who have gone past the perimeter defenses
• Few, High Fidelity Alerts raised
• Can optionally Engage & Respond
External Facing
• Great for security researchers
• Typically deployed on the Internet or in the DMZ
• Lots of alerts per hour/day as there are lots of malicious Attackers and Bots on the Internet
• Often used to demo Deception Technologies
15. Detecting Ransomware: current approaches
AV and Sandbox approach
• Look for known Signatures
• Look for known C&C
✓ Low False +ve
× High False -ve
Data Science approach
• Look for Anomalous Behavior
  • High File I/O
  • Lots of different Files accessed
  • Lots of crypto
× Anomaly ≠ Threat
× High False +ve
16. Detecting Ransomware using Deceptions
• Leverages Decoys, Breadcrumbs and Lures
• Set specific traps in specific locations
• Monitor only activity against decoys, breadcrumbs & lures
✓ Auto Detects and confirms Ransomware
✓ Very Efficient and Accurate
✓ Always High Fidelity Signals
✓ Zero false +ve
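Slides 15 and 16 contrast the anomaly approach (high file I/O, many files touched) with the deception approach (monitor only activity against planted traps). The following added example, not Acalvio's code, runs both detectors over the same constructed file-event feed so the difference is concrete: a nightly backup job trips the I/O heuristic exactly like the encryptor does, while only the encryptor touches a canary file. It also shows the on-disk confirmation step, comparing planted canaries against a hash baseline. The process names, paths, canary names and event format are all constructed for the example.

```python
"""Ransomware detection: anomaly heuristic beside canary-file (deception) detection.

Added example, not Acalvio's code. Both detectors read the same constructed
file-event stream. The anomaly heuristic fires on any process with heavy file
I/O and cannot tell a backup job from ransomware; the deception detector fires
only when a planted canary is touched, which no legitimate workflow does.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed canary names: one sorts first in a directory listing so an
# encryptor walking the folder reaches it early, one simply looks valuable.
CANARY_NAMES = ["!!_invoice_archive.docx", "budget_master_FINAL.xlsx"]
CANARY_DIR = "/data/finance"


def constructed_events():
    """(process, operation, path) tuples standing in for a file-activity feed."""
    ev = []
    ev += [("backup.exe", "read", f"{CANARY_DIR}/report_{i}.xlsx") for i in range(200)]
    ev += [("winword.exe", "write", f"{CANARY_DIR}/memo_{i}.docx") for i in range(5)]
    ev += [("crypt.exe", "rename", f"{CANARY_DIR}/report_{i}.xlsx") for i in range(120)]
    ev.append(("crypt.exe", "rename", f"{CANARY_DIR}/{CANARY_NAMES[0]}"))
    return ev


def anomaly_detector(events, io_threshold=100):
    """'High file I/O' heuristic: flags every process at or above the threshold."""
    counts = defaultdict(int)
    for proc, _op, _path in events:
        counts[proc] += 1
    return sorted(p for p, n in counts.items() if n >= io_threshold)


def deception_detector(events, canary_dir=CANARY_DIR, canary_names=CANARY_NAMES):
    """Flags only processes that touch a canary; returns {process: [(op, path)]}."""
    canaries = {f"{canary_dir}/{n}" for n in canary_names}
    hits = defaultdict(list)
    for proc, op, path in events:
        if path in canaries:
            hits[proc].append((op, path))
    return dict(hits)


def _digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_canaries(root, names=CANARY_NAMES):
    """Write canary files under `root`; return {path: sha256} as the baseline."""
    baseline = {}
    for name in names:
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(b"CONSTRUCTED CANARY " + name.encode() + b"\n")
        baseline[p] = _digest(p)
    return baseline


def verify_canaries(baseline):
    """Return canaries that are missing or whose content no longer matches."""
    # A changed canary means it was encrypted or overwritten, whoever did it.
    return [p for p, expected in baseline.items()
            if not os.path.exists(p) or _digest(p) != expected]


def demo():
    events = constructed_events()
    result = {
        "anomaly": anomaly_detector(events),
        "deception": deception_detector(events),
    }
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_canaries(root)
        result["clean"] = verify_canaries(baseline)
        with open(os.path.join(root, CANARY_NAMES[1]), "wb") as f:  # simulate encryption
            f.write(b"\x00\x17encrypted-garbage")
        result["tampered"] = [os.path.basename(p) for p in verify_canaries(baseline)]
    return result
```

The anomaly list contains both `backup.exe` and `crypt.exe`, which is slide 15's "Anomaly ≠ Threat" in one line; the deception detector returns only `crypt.exe`, and the hash check confirms which canary was actually rewritten. Raising `io_threshold` would silence the backup job but also risks missing a slower encryptor, which is the false-positive/false-negative trade-off the canary approach sidesteps.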
17. Protecting Secrets in software is hard
Examples:
• Crypto keys
• Passwords
• Payment card numbers