GartnerSEC 2017 - The Art of Deception and Its Benefits For Lean-Forward Security Programs


Gartner Security & Risk Management Summit

Summit 2017
12 – 15 June 2017 / National Harbor, MD

The Art of Deception and Its Benefits for Lean-Forward Security Programs
Lawrence Pingree

CONFIDENTIAL AND PROPRIETARY


This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain
information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
1 © 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
Key Issues

1. Why is deception an important strategy to use in security?
2. How can security products evolve to leverage deception?
3. What deception solutions are available today, and how can they be used?





Deception Defined

• Simple Definition of DECEPTION:
– The act of making someone believe something that is not true: the act of deceiving someone
– An act or statement intended to make people believe something that is not true



Why Is Deception an Important Strategy to Use in Security?

Defender:
– The defender generally knows their own environment better than the attacker.

Attacker:
– An attacker must "trust" what they see and encounter, until they figure out they are being deceived.



How Attackers Use Deception to Evade Detection …

Malware Examples:
– File packers
– Built-in passwords
– Two-stage attacks with "droppers"
– Slight binary or metadata modifications
– Fake user-agent strings
– Phishing
– Typosquatting
– Etc., etc., etc.

Network and Web Attack Examples:
– IP address spoofing
– Tor/I2P network traffic rerouting and exit node IP addressing
– Open proxies
– Use bot to attack instead of "real" source
– Use bot as proxy
– Protocol obfuscations (DNS, UDP, SSL over HTTP, etc.)
Deception Is Also Used to "Take Down" Bot Networks

Common Take-Down Techniques:
• Use port redirection to establish new command and control of bots
• Use of DNS redirection and sinkholing
• Take over botnet console and use self-destruction technique
• Antiphishing testing solutions

Example December 2016 Take-Down:
Article: "'Avalanche' Int'l Cybercrime Takedown Op — What to Do If You're a Victim"
• Over 800,000 domains seized, sinkholed or blocked.





Deception Is Part of a Comprehensive Adaptive Security Architecture



The Deceptive-Response Kill Chain Disrupts the Attacker's Process and Progress

Source: Gartner (July 2015)



A Simple Deception Example

Which of these examples is the real login screen?



Deception and Its "Believability" Are Crucial to Deceive the Attacker

• The best deception is "believable"!
• Deception can be performed at any layer in the stack.



Did You Know?

Much of the basic threat telemetry provided by security providers is based on feeds from honeypots and other deceptions.

Example providers known to use their own honeypots and deceptions:
• Deutsche Telekom
• Symantec
• McAfee
• Webroot
• Trustwave (SpiderLabs)
• ZeroFOX
• Trend Micro
• DShield

Example telemetry collected:
• Attacker IP/hosts
• SPAM IP/hosts
• Phishing URLs/sources
• Malicious URLs
• Malicious binaries
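To show what the "attacker IP/hosts" telemetry above looks like once a honeypot's raw hits are turned into shareable indicators, here is an added example that is not from the deck or from any of the listed providers; the log line format, output field names and confidence thresholds are assumptions, and the sample log is constructed.

```python
# Added example, not from the Gartner deck or any listed provider: aggregates
# honeypot connection logs into per-source indicator records. The log format,
# the output field names and the confidence thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<ISO timestamp> src=<ip> dport=<port> event=<name>"
SAMPLE_LOG = """\
2017-06-12T08:01:05Z src=203.0.113.9 dport=22 event=login_failed
2017-06-12T08:01:07Z src=203.0.113.9 dport=22 event=login_failed
2017-06-12T08:10:12Z src=198.51.100.77 dport=445 event=connect
2017-06-12T08:10:13Z src=198.51.100.77 dport=445 event=payload_download
2017-06-12T08:11:02Z src=198.51.100.77 dport=139 event=connect
2017-06-12T09:00:00Z src=10.0.0.5 dport=22 event=connect
"""
# Internal scanners that legitimately probe the honeypot (assumed value); their
# hits are dropped so they can never pollute a feed shared with others.
ALLOWLIST = {"10.0.0.5"}

def parse_line(line):
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": f["src"], "dport": int(f["dport"]), "event": f["event"]}

def build_indicators(log_text, allowlist=ALLOWLIST):
    """Aggregate sightings per source IP; a payload fetch or repeated contact
    (3+ events) is labelled high confidence, a stray connection only medium."""
    agg = defaultdict(lambda: {"n": 0, "ports": set(), "events": set(), "ts": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] in allowlist:
            continue
        a = agg[rec["src"]]
        a["n"] += 1
        a["ports"].add(rec["dport"])
        a["events"].add(rec["event"])
        a["ts"].append(rec["ts"])
    out = []
    for src, a in sorted(agg.items()):
        strong = "payload_download" in a["events"] or a["n"] >= 3
        out.append({"type": "ipv4-addr", "value": src, "sightings": a["n"],
                    "ports": sorted(a["ports"]),
                    "first_seen": min(a["ts"]).isoformat(),
                    "last_seen": max(a["ts"]).isoformat(),
                    "confidence": "high" if strong else "medium"})
    return out
```

The allowlist step matters in practice: a feed that includes your own vulnerability scanner's address will get that address blocked by every consumer of the feed.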
How Can "Traditional" Security Products Leverage Deception?

• Integrate with distributed deception platforms as a "response" capability
• Shared attack telemetry (machine-readable threat intelligence)
• Deceptions built into their own products:
– I.e., botnet redirect, protocol proxy, C&C tampering, etc.
• Enhance detection by monitoring faked documents or stolen credentials (honeytokens)

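One way to operationalise the honeytoken point above, as an added example that is not from the deck or from any vendor: seed credentials that are valid nowhere, then alert the moment an authentication log shows one of them being tried. The log line shape, field names and sample entries are constructed assumptions.

```python
# Added example (not from the Gartner deck): seeding honeytoken credentials and
# detecting their use in authentication logs. The log format, the alert fields
# and the sample lines are constructed assumptions.
import re
import secrets

# A honeytoken credential is valid nowhere; its only job is to be stolen, so an
# authentication attempt with it is high-fidelity evidence that the place it was
# planted (a fake document, a config file, a password store) has been read.
def make_honeytoken(placement, existing_users=()):
    """Return a fake account record tied to where it will be planted."""
    while True:
        user = "svc_" + secrets.token_hex(4)       # e.g. svc_3fa9c1d0
        if user not in existing_users:           # never shadow a real account
            break
    return {"username": user, "password": secrets.token_urlsafe(12),
            "placement": placement}

# Constructed auth-log line shape: "<ts> auth <ok|failed> user=<name> src=<ip>"
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|failed) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def detect_honeytoken_use(log_lines, tokens):
    """One alert per attempt with a honeytoken username, successful or not:
    the name should never appear at all, so a failed login is still a hit."""
    planted = {t["username"]: t["placement"] for t in tokens}
    alerts = []
    for line in log_lines:
        m = AUTH_RE.match(line.strip())
        if m and m["user"] in planted:
            alerts.append({"ts": m["ts"], "src": m["src"], "username": m["user"],
                           "result": m["result"], "leaked_from": planted[m["user"]]})
    return alerts

def demo():
    """Seed two tokens, then replay a constructed log that uses one of them."""
    tokens = [make_honeytoken("finance-share/passwords.xlsx", {"alice", "bob"}),
              make_honeytoken("build-server/.env", {"alice", "bob"})]
    stolen = tokens[0]["username"]
    log = [
        "2017-06-12T10:00:00Z auth ok user=alice src=10.0.0.8",
        f"2017-06-12T10:02:13Z auth failed user={stolen} src=203.0.113.9",
        "2017-06-12T10:02:15Z auth failed user=bob src=10.0.0.8",
        f"2017-06-12T10:02:20Z auth ok user={stolen} src=203.0.113.9",  # decoy accepted it
    ]
    return detect_honeytoken_use(log, tokens)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The `leaked_from` field is what makes the alert actionable: it tells the responder which planted location was read, not just that someone tried a bad password.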


Products That Are Well-Positioned to Integrate or Leverage Deception Techniques

• Network Firewalls/IPS
• Endpoint Monitoring and Forensics
• Web Application Firewalls
• Endpoint Protection Software

Use-Case Examples:
• Redirect Traffic to Deception Environments (aka a Hall of Mirrors)
• Enhance Overall Security Program's Detection Capabilities
• Thwart Malware at the Endpoint
• Move Attacker Away From Sensitive Web Applications





What Is a Distributed Deception Platform (DDP)?



Sampling of Distributed Deception Platform (DDP) Providers

• Acalvio
• Attivo Networks
• CounterCraft
• Thinkst (Canary)
• Cymmetria
• CyberTrap
• GuardiCore
• illusive networks
• Javelin Networks
• Smart Honeypot
• Smokescreen
• TopSpin Security
• TrapX
• VisionSpace Technologies



Interesting Emerging Deception Provider

Malware Deception on the Endpoint

• Minerva Labs:
– The goal of the Minerva Labs solution is to deceive the malware itself to avoid a breach: lie to the malware! Make it believe it is running under:
– Virtual environment
– Certain tools on a host (antivirus engine checks)
– Debugger enabled (common for malware analysis)
– Injected DLLs present (common for system interaction monitoring)



DDP Market Trends

• Expanding Integrations With Traditional Security Providers
• Expanding Deceptive Elements:
– Emulations/Services/Protocols Supported
• Recent Expansion of Support for IoT/SCADA, Healthcare Devices and POS Systems by Attivo Networks and TrapX
• SWIFT Systems Now Supported by illusive networks
• Gartner Seeing Vertical Adoption:
– Government, Financial Services, Healthcare, Utilities and Manufacturing
• Providers Leveraging SDN: GuardiCore and vArmour
• On-Endpoint Lures Expanding:
– Some Providers Contemplating Endpoint Deception Agents Like Minerva Labs, Some Have Them Already.
Open-Source Honeypots Are Still Alive!

Honeypot Management Examples:
• Modern Honey Network (MHN)

Open-Source/Free Honeypot Examples:
• Amun
• Conpot
• Dionaea
• DCEPT
• Elastichoney
• Glastopf
• Honeyd
• HoneyDrive
• Kippo
• p0f
• ShockPot
• Wordpot



Recommendations

Technology Provider Recommendations:
• Leverage deceptive responses vs. just block, reject, log and alert actions
• Integrate with distributed deception platforms (DDPs) to enhance your own solution's deception capabilities

End-User Recommendations:
• Leverage deception as a detection and response measure
• Deploy distributed deception platforms to enhance your detection on the "inside" of your environment
• Leverage cross-product integrations to enhance monitoring, analysis and forensics activities



Recommended Gartner Research

• Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities
  Lawrence Pingree (G00278434)
• Applying Deception Technologies and Techniques to Improve Threat Detection and Response
  Augusto Barros and Anton Chuvakin (G00314562)
• Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update
  Lawrence Pingree, Neil MacDonald and Peter Firstbrook (G00296530)
• The Five Characteristics of an Intelligence-Driven Security Operations Center
  Oliver Rochford and Neil MacDonald (G00271231)
• Designing an Adaptive Security Architecture for Protection From Advanced Attacks
  Neil MacDonald and Peter Firstbrook (G00259490)

For more information, stop by the Gartner Research Zone.
