O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Using Deception to Detect and Profile Hidden Threats

100 visualizações

Publicada em

How do we detect and profile the adversaries who have already infiltrated and hiding in the network?

Publicada em: Dados e análise
  • Seja o primeiro a comentar

Using Deception to Detect and Profile Hidden Threats

  1. 1. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Detecting and Profiling Hidden Threats using Deception and Splunk Satnam Singh Chief Data Scientist, Acalvio Technologies Oct 2, 2018
  2. 2. © 2018 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved. Forward-Looking Statements
  3. 3. © 2018 SPLUNK INC. Agenda ▶ Hidden threats ▶ Introduction to deception and use cases ▶ Triage of deceptive alerts with security events in Splunk ▶ Profiling threats: Demo
  4. 4. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Hidden Threats ▶ Adversaries move within the network to find valuable or vulnerable assets ▶ Perimeter-based controls can’t detect the threats that have already infiltrated and are hiding within the enterprise network ▶ Adversaries are using “living off the land” tactics makes it difficult for Endpoint detection tools to detect them
  5. 5. © 2018 SPLUNK INC. How to Defend? 1. Slowdown the Attacker 2. Speed up the Defender
  6. 6. © 2018 SPLUNK INC. Deception ▶ Deception needs to blend with the environment ▶ Multiple types of Deception ▶ Deception needs to dynamic, morph and adapt over time
  7. 7. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Deceptive Security - Use Cases ▶ Detect Lateral Movement in the Corporate Network ▶ Detect Network Scans, Ransomware ▶ Detect advanced threats that are targeting specific verticals e.g., SWIFT, ICS
  8. 8. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Deceptive Security - Use Cases ▶ Get visibility of threats in unmanaged networks, encrypted traffic, IOT devices ▶ Generate actionable threat intelligence with high fidelity alerts ▶ Need only a few resources to deploy another security layer
  9. 9. © 2018 SPLUNK INC. Deception Types LURES DECOYS BREADCRUMBS
  10. 10. © 2018 SPLUNK INC. ▶ Interaction Types - Low, Medium, High ▶ Services - SSH, Telnet, SMB, FTP, … ▶ Workstations ▶ Databases ▶ Servers ▶ Routers, Switches ▶ … Decoys
  11. 11. © 2018 SPLUNK INC. Extends deception to production devices ▶ Credentials - Shares, Servers ▶ In-Memory hashes ▶ Files ▶ Registry entries ▶ Browser Cookies ▶ … Breadcrumbs
  12. 12. © 2018 SPLUNK INC. Makes deceptions more attractive ▶ Vulnerable Shares ▶ Network Printer ▶ Vulnerable Webserver ▶ PACS DICOM Server ▶ Contents of breadcrumbs and decoys (ex: files, user account, share, database, address book) ▶ …. Lures & Baits
  13. 13. © 2018 SPLUNK INC. Deception Farms Threat Analysis Engine AI Engines Sensor Sensor Enterprise Network On-premises SERVER SOFTWARE TUNNELS Network 1 VPC 1 Projections Projections SERVER SDN Fabric Cloud VPC Acalvio Deception Farm VPC 1 Network 1 SERVER SERVER
  14. 14. © 2018 SPLUNK INC. Fluid Deception A3 HI A4 A5 A6 LI SDN Fabric A1 A2 Sensor A3 Low Interaction Deceptions High Interaction Deceptions ATTACK B4 A4 A5 A6 Acalvio Deception Farm B1 B2 B3 SOFTWARE TUNNEL Enterprise Network On-premises Projected Deceptions
  15. 15. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Threat Profiling 3. Triage with Deception Alerts 1. Customise Deception - Customise decoys to blend - Determine Deception Strategy Splunk App 2. Deception Platform Deploy Deceptions
  16. 16. © 2018 SPLUNK INC. Demo Threat Profiling
  17. 17. © 2018 SPLUNK INC. 1. Deception provides an ability to detect hidden threats 2. Deception needs to be customized and dynamic 3. Triage deception alerts with network, endpoint logs in Splunk to generate actionable internal threat intelligence Key Takeaways