The Art Of Cyber Deception

brilliant right afternoon everyone thank you so much for coming along my name is Joshua Wardle I am a graduate consultant at a company called logic up in Bristol and that's with a Q for some reason uh and I'm here today to give you a Whistle Stop tour of something called cyber deception now before I say what that is we've got to take a step back for a minute so let's start by looking at cyber attacks okay over the years we've had lots of models that describe how these supposedly play out the locky Martin one is is the most famous it suggests your adversaries will do some reconnaissance they'll come up with an exploit they'll send it to your systems

and get it to be executed somehow they'll get persistance they'll get they'll call home to command and control server and using that capability they'll try and action their objectives whether that be to exfiltrate data or to just cause denal service we typically tend to engage with our adversaries so that that is we detect their presence and we try and stop them usually on the right hand ins side of this red line and that's because a lot of really traditional security toing is all around trying to stop some kind of infection or some kind of intrusion so for example you can imagine how an antivirus software kicks in hopefully at the point of exploitation but that does beg the

question can we engage a little bit earlier on the left hand side of the line and with some traditional tooling yes sometimes okay you can detect Network reconnaissance with network intrusion detection systems but not all types of reconnaissance are detectable with traditional tooling so for example our Insider threats so our Rogue employees doing some in-person social engineering that's going to fall outside the purview of traditional tools so there's a real impetus therefore to try and engage a little bit earlier than we normally do especially given you we're always seeing rapidly evolving tactics techniques and procedures being used in the wild so this is kind of where cyber deception can come in the long and short

of it is that cyber deception is all around trying to trick your adversaries by the introduction of fabricated assets into your network so this could be a fake laptop a fake server virtualized equivalents of those fake documents or even entirely fake copies of production systems all of those are valid strategies to implement cyber deception the presence of deception changes how your adversaries make decisions as they go through that kill chain research has shown that properly designed deception campaigns can trigger cognitive and emotional responses in your adversaries that change their ability to execute their objectives now that doesn't mean they curl up into a ball and start crying in the corner but what it typically means is one of two

things mental overload and mental tunneling overload is perhaps The Stranger concept to understand when you consider that behind most adversaries there is a human as humans we can only really handle so much at once our heads so when you consider there's a lot of social economic and political factors behind cyber attacks someone trying to perform a Cyber attack now has to not only avoid triggering alarms they've got to try and make money or meet some kind of political objective now they've got to avoid falling for deception and that can be a lot to take in on the other hand some adversaries might think something is deceptive and then get totally sidetracked by that they might

begin to Tunnel so they might see a deceptive exile spreadsheet and spent ages trying to write these formulas to figure out if it's deceptive and lose track of their actual objectives the effect depends on person's personality it's supposed so the benefits of those should be quite clear mental overload can stall attackers if they're distracted by deception it takes longer for them to reach your real assets however if you've got a bunch of fake assets if you put some monitoring on them you can generate what we call realtime threat intelligence so so if you analyze tactics techniques and procedures if you analyze the indicators of compromise you can generate fret intelligence to tell you exactly what

you should do in your organization to mitigate an identical threat that's why it's realtime threat intelligence as opposed to the traditional frat intelligence feed you might see in Sentinel or something the benefit there is it really reduces the cost of triage for future incidents but of course mental overload and tunneling can also disrupt attacks if an adversary is overloaded there's a greater chance they might make the wrong decision while trying to do their attack they might dismiss a real asset as fake or they might forget for instance to turn down their end map settings and so they might trigger an alarm so there's some real benefit of cyber deception across the kill chain and that's kind of the value

proposition that businesses are sort of starting to realize now deception isn't new deception has been around for quite a while in a cyber context has anyone here used honeypots before or at least heard of them compl BL solid see it honey pots are a very classical form of cyber deception these are decoy assets that you put near Network boundaries normally so in this example I'm going to put a honey pot in between the internet and this internal Network The demit Zone in other words and these are fine okay if you see that someone's accessed them it typically tends to be the case you can detect attackers and this comes from actually a book in the '90s hence why

it's not very new uh called the Cookoo egg by Cliff stroll he tries to this hacker from West Germany by deploying fake systems which is classically what we know honey pots to be so as I said these are an okay detection capability although we have gotten better in recent years at using them but in the past few years we've seen the growth of deception platforms which are like everything backed by the cloud there's two key benefits here a lot of these have better support for automations which is making it easier to get frat intelligence from deceptive assets but when you combine that with the economies of scale of Cloud infrastructure we're seeing the ability to actually engage adversaries

by orchestrating lots of deceptive machines in parallel and changing them in response to adversaries Behavior so that's kind of been the trend over time so what next well if I want to make a deception campaign there's a few key building blocks that I need to put together and the first are breadcrumbs breadcrumbs are that initial lure that kind of gets your adversary's attention and this can literally be any bit of data could credentials bits of code um honey tokens these are quite handy CU they're documents that usually send an alert to like a sock te so you can obviously see the benefit of that or even a USB stick that you just kind of surreptitiously leave on the ground in

in the car park all of those are valid types of breadcrumbs but the key thing is where you put them where you put these breadcrumbs depends entirely on the kind of fret actors you're trying to draw out if you're looking to draw out inside of Frets you might put these on a Network share or a SharePoint site but if you're looking to draw out external threat actors you might put these on Pace bin or even if you're feeling very spicy on the dark web it entirely depends some deception platforms do support that actually so it's quite exciting breadcrumbs Point towards deceptive assets and this is actually just the underlying infrastructure so your laptop your VM whatever of course

deploying a Windows VM and doing nothing to it is not deception no one's going to fall for that so then you have to put services on those assets to make them seem real this is what generates your interaction with your adversary it's what stalls them and it's what gives you your real-time threat intelligence the key thing is these have got to mimic production systems so if you use engine X and MySQL you should put engine X and MySQL on deceptive assets underpinning all of this is telemetry you've got to get your real time frat intelligence okay you've got to get your indicators of compromise such as network activity file activity Etc how you do that is the same as in on

normal devices the only difference is you've just got to hide the fact you're doing this from adversaries so the agent which collects this information is normally hidden on deceptive assets usually with a root kit or other kind of simple process hiding technique breadcrumbs assets Services they are the key things you need but of course how do I put these together is the even more important question there's a lot of methodologies for doing deception but a really simple one which I'm going to go over today is something called see think do what an adversary sees makes them think in a certain way therefore they makes them do something that that should be obvious the problem is if you follow

it in that order your campaigns won't be very effective because you've started by thinking about what they see and not what you want them to do and therefore they're probably going to do things you're not expecting and therefore you won't gain the intelligence you're looking for so instead you do it in reverse so you start by thinking about what you want your adversary to do is it compromise a service exultate some data just dwell for a bit even that's a valid objective knowing that knowing what the end objective is you can use things like attack trees to formulate a path for your adversary to follow through the campaign this path is really important because you've got to manipulate what an

area is thinking so that the next step that we want them to take is actually what they believe is their next logical step so that's when you've got to make sure that the attack trees you're using are credible and realistic that therefore means you've just got to put the right kind of Assets in the right place for example if you're on some kind of power plant don't B don't put a bunch of printers on your deceptive environment because that's just silly they wouldn't be expecting that so let's go over an example to put this into context let's say that we are a small business and we do a lot of legal bid work and we're silly enough to keep this

all on a nice internal web app for legal reasons I guess we want an external adversary to get that data and exfiltrate it that is our objective so knowing that's what our end goal is our deception campaign must end with some kind of deceptive database where this data is being stored okay so server running my SQL we've then got to think okay what's the next logical step to get to that database what's the step before so in this case it's probably going to be accessing it through the web app so what comes before is a web app server running engine X on that server we'll put some fake bid data we'll make these honey tokens so we get alerts because that's

Obviously good and so that establishes a relationship between those two things it makes clear that you can get from the web app to the database we do this whole process again how do I reach the web app well given that it's an internal app it's probably going to be through an on- premisis device so I've gone for a developer's laptop because someone's got to maintain this hopefully there's two sets of breadcrumbs here the credentials to the web app should be quite clear it establishes that relationship the codes Snippets and secrets would otherwise potentially expose the presence of the database directly and that exists as a plan B just in case does something we're not expecting you can kind of pull them back

on track so that they do stuff we're still expecting of course someone needs an entry point into this environment so given that this developer is unfortunately running Windows they've got office installed some RDP credentials okay because it's an external adversary that's going on pay spin okay and that's it for this campaign that's all you would need if we assume there is a a vulnerability in the web app for example we've got a clear path to the end and we' we' got plenty of potential for Telemetry because we can look at for instance file discovery on this laptop we can look at application Level logs in the database and the web app and of course General

network monitoring that's it for this campaign there's a some people really like to kind of Flesh things out by putting extra stuff to make it seem more real but that's not needed because there's a law of diminishing returns with deception design if it's not relevant to your objective don't bother because you run the risk of not only revealing the presence of deception to your adversaries if there's like a gap in your kind of masquerade but also it's not going to generate intelligence you need it's going to be a waste of money if it's like a cloud the end so in effect the see think do methodology when done backwards encourages you to start from the right

and work your way back to the left rather than the other way around so if that was decently interesting first off yay but second of all what now there's two really important prerequisites for cyber deception the first is that you've just got to be good at cyber security generally that might seem really obvious and it is and that's because deception doesn't replace traditional tolling it complements it so I would expect that you've got good defense in depth you've got good auditing all the typical bollocks that cyber analysts look for but the key it it's basically it'd be like if the kid in Home Alone put all those traps around the house to get the robbers attention but then left the

front door unlocked and the windows open defeats the point but but a more specific prerequisite I want to hone in on is threat intelligence maturity if you can't really handle threat intelligence very well if your organization doesn't have those processes in place you're not going to be able to make best value of the real-time threat intelligence deception can provide and therefore it kind of regresses into a very expensive and complicated detection capability of which there are cheaper alternatives like the ncsc's early warning service so what does that mean maturity at a basic level an organization might have a sem and they might be doing some automated analysis on some tactical intelligence but if an organization's a

bit better at this well they might be creating and ingesting lots of type of intelligence they might have clear objectives for their threat intelligence campaign hence why we start by thinking about the end objective when we design deception campaigns and they'll be always improving all that kind of stuff and that's because there's an issue of proportionality here a small charity this is out the question small charity is going to be something like cyber Essentials but if you're a large organization good security posture robust threat intelligence practices this is up your R potentially and with that we're right on time that has been my sort of very Whistle Stop tour of how you do cyber deception just some stuff on the side

miter engage and M Caldera they're all about adversary engagement u m card is quite funny if you can spin that up on a couple VMS joint publication 33.4 is where C think do came from from in the military context at the bottom there's some bullet points of some open source and um commercial projects that might be of interest other than that that's it I hope you enjoyed and thank you so much for having me thank

you I think we're good for a few questions want to raise their hand Mr enthusiastic over there hey yeah um if the goal is to deceive an attacker into thinking really have hacked you then how do you then mitigate the potential reputational risk of um publicizing the fact that you've been hacked um so in that case so there's an interesting debate in the community there's been a lot of research in some of the criminological Spheres about whether or not you advertise the presence of deception to an adversary some people think that you shouldn't some people think that you should in that scenario scario I was an organization turn around and say nope this was a deceptive environment end of

because usually what of organizations do is they might put on these VMS proudly partnered with say countercraft not necessarily saying that something is deceptive but indicating it might be and that kind of puts that doubt in their mind so normally you would just go out and say yeah you fell for it but obviously you would need to generate a new campaign then so one

more I just wondered if you thought about the legal risks of attackers going into a deceptive Network taking deceptive data and then leaking that out and how you would apply that into your cyber deception strategy because that's obviously quite a uh real risk if an attacker gets in takes the data out publishes on the dark web you've then got a whole incident it's not really an incident um so the key thing for deception is you would never put real data on it in a military context you might mix some real data with fake data in like fake spreadsheets but that's sort of out of the context for this if it's entirely fake data and it's published again it's

kind of like the previous question you would just say or you just even ignore it um to make sure that um deception environments don't end up mixing in a bit of real data you normally have the business process around that so you make sure that cyber deception environments are uh very much defense in depth complet separate a in the cloud say completely separate AWS tenant different processes making sure the people that access your sensitive data are not necessarily responsible for your deception design um the risk to mitigate the risk there is just to make sure that you separate things as much as possible thank you again thank you thank you guys