
Thank you for making it to this session. Today I'll be doing a deep dive on Scattered Spider based attacks and present a solution for detection. Before we get started, I'll do a quick introduction of myself. My name is Shivakumar Burnahali. I'm the Senior Director of Customer Engineering and Disruption Strategy at Aalia Networks, and I've been in the cyber security space and deception for a very long time.
Now let's go over today's agenda. We'll be starting with Scattered Spider: we'll look at the attack cycle, we'll go over the TTPs, we'll look at the identity exploits in the cloud, and then we'll delve into why the cloud control plane is an important target. Then I'll talk about threat detection challenges in the cloud, and finally in the last section I will talk about detection and countermeasures. Now there are a lot of things to cover, because Scattered Spider touches everything.

Well, in this ever-evolving world of cyber threats, there's never been a dull moment. There's always an attack. There's always something happening. There's a new malware. There's a new
ransomware. There's a new attack. There's a new threat group. There's a new TTP. So it's very hard to keep up with all of these things. And as security practitioners we really need to stay ahead in the game. We need to prevent and stop these guys from disrupting our lives, all of our lives, I'm telling you, in one way or the other.

Now a bit of background about Scattered Spider. How many of you have really heard about Scattered Spider or know anything about it? Good. Excellent. They go by different names: aka UNC3944, Scatter Swine, and others. A bit of background. So these were a bunch of
college kids. They started with gaming, basically Roblox, Minecraft. They got bored of that and started doing crypto stealing, and then they got bored of that, or rather, as part of trying to do crypto stealing, they wanted to hack identities to aid the crypto stealing. Once they did that, they said, hey, it's so simple: if we can do it for crypto, if we can do it for games, why not enterprise? They shifted focus and started attacking enterprises, and that's when, probably around 2022, they became a big threat. In addition, they became an affiliate of a ransomware group called ALPHV/BlackCat, which provides ransomware as a service. So these guys open the doors,
they penetrate into the enterprise, and at the very end they bring in the affiliate, who goes and deploys the ransomware, and then boom, they take over or take down the whole enterprise. Now if you look at the verticals they have touched, they have hit pretty much every vertical. The list is insurance, hotels, retail, casinos, financial, airlines. They have pretty much touched everything; that's why this is a nasty group. They have disrupted all our lives: financial loss, everything.

Now let's spend some time and take a look at each phase of the attack cycle. This is the most important one. The very first attack as they started
they first get initial access. To get initial access, all they do is call the help desk and impersonate an employee. These days getting information about an employee from LinkedIn is so simple, and not just LinkedIn, social media everywhere. Once you get that information, this is not a high-ranking employee. This is just a low, non-privileged, standard user working for maybe an IT admin group or something like that. So they get the information, they call the help desk, they say, hey, I need a password reset for this particular account, and they convince them. The thing is, they convince using social engineering; they have mastered the technique because they did the same thing for crypto. They
convince, they get a password reset, and they bypass all the MFA. There are a lot of ways: they do SIM, and then all kinds of things, voice phishing, and they bypass MFA and get a password reset. Once they get the password reset, boom, they are inside the enterprise. Now they became an insider. Okay, this is the important aspect. They became an insider. This is not an external threat anymore.

The next phase is, once they're on the inside, what do you do? You do reconnaissance. You do lateral movement. Once you're inside, you're trying to learn about the networks. You're trying to understand what the critical crown jewels are, what the critical data is, where the wiki pages are. Every
enterprise has all its data presented in Jira, wiki pages, Confluence, documents, product docs, financial documents; everything is there. SharePoint, right? You have all that information. So they do reconnaissance to capture all of this information, and that gives them the idea of the enterprise. And once they have the actual information, the next thing is they figure out which security groups they need to target, who the administrators are. So once they get this information, they repeat the same thing: they choose one particular individual, gather all the information again, and make the help desk call saying, hey, I need a password reset.
So once they get access to this, boom, now they have privileged access, or they got privileged credential access in the enterprise, which is the most dangerous thing they wanted to do. Okay. Now they got privileged access. Now what do they do? They target the vCenter. The vCenter is the control plane. The vCenter is the actual management plane. So they log on to the vCenter. vCenter has access to all of the ESXi hosts in the enterprise. So once they get access to that, now they can really go do other things, which is the next phase of the attack, which is going to be: they go enable SSH. So
as security practice, we would have disabled SSH on all the ESXi hosts. They go enable all of them and they reset the passwords. So they kind of take control of the whole enterprise, and once they are there on the vCenter and the ESXi hosts, the next thing they do: typically in any enterprise the domain is hosted, and when I say domain I mean the Active Directory DC servers, on these virtualized servers, which are nothing but ESXi hosts. So they go target these domain controllers, power down one of them, detach the disk, attach it to another VM. Now once they get access to that particular VM, they go copy the file, which is NTDS.dit. This is nothing
but the file that has all of your credentials, Kerberos tickets, everything, stored in it. So they get access to this, they capture this data, and the next phase is nothing but exfiltration. They exfiltrate all of this data. Okay. So basically the enterprise is compromised. They exfiltrate all of this data, and in the last phase they bring in the actual ransomware. They deploy the ransomware on all of the ESXi hosts. What does that do? It goes and encrypts every data store, everything that's available, every VM, every data store, every SharePoint; it's going to go and encrypt it. Boom. The whole enterprise has been compromised and it has been shut down.
Now what is unique about this cyber group? There are so many other cyber groups. What is unique about this one? The first thing is they're not using any specialized malware. They have just excelled in social engineering. All they have done is get access; there's no phishing, no malware. So think about the detection. There's nothing happening. And suppose I impersonate one of you, or one of the employees; how does anyone detect, oh, this is the employee, he's doing something illegal? No, it's very hard, because IT people do all of these things every day. They take care of all of the VMware servers. They do management. They do all kinds of things.
So everything is super hard to disrupt or even detect. Now the other part is they weaponized identity. Identity is the perimeter these days, because with the cloud there's no perimeter. Identity is the perimeter. So they have weaponized identity as the attack vector, and the whole attack, starting from penetrating to the actual detection, the whole cycle, happens in a few hours. It's not days, it's a few hours, because they have perfected the whole thing. It's not like they need to take it slowly. No, these are a bunch of kids. They don't have patience. They're like TikTok. Yeah. Essentially. And so these kids, they have a history of
attacking on-prem as well as the cloud. They have adapted themselves. Now they target the cloud control plane. That's why I'm going to talk about each of them. There are various things to talk about to really understand the depth of this particular situation. In terms of data harvesting, let's just take a look. They have access to Office 365. They have harvested data from Teams, SharePoint, Exchange: usernames, accounts, domains, security groups. They have all of it. The whole thing is gone. vCenter access, and also they perform code stealing. They go to the CI/CD pipeline. They take the code. Basically, they're not leaving anything. They don't want to leave anything behind.
Grab whatever is possible within the two hours, and it's not that they're doing it by hand; they have scripts, they have automation. It just goes and does all of the things for them. They probably don't even know what they're doing. And they are associated with the highest ransomware demands.

Okay, switching gears. Let's touch upon a couple of things. What is the rise of the cloud-conscious adversary? As technology is evolving, they are evolving too. They're aware of the cloud; for example, whether it's AWS, Google, whatever cloud is deployed in a particular environment, they're already aware of it, and they're targeting all the cloud-specific assets and native workloads. Now in terms of the cloud exploits, I'll
just touch upon this; I have a lot of other things to cover. Infrastructure as a service as well as SaaS: they are disrupting both. They are touching both of them, trying to disrupt the whole thing. Now let's take a look at the same attack cycle for the cloud. It's the same process. It's the same flow. They call the same employee. So once they are inside the enterprise, now they go after cloud assets. Probably it's a separate team; that's what I believe, it's a separate team that is specialized in cloud, so some people are specialized in enterprise, so
they go in parallel, and they get access to the Azure admin. Once you get access to the Azure admin, the next thing is they do recon within the Azure space, or within the Azure cloud. They want to see what kind of assets are running: is it EC2, is it containers, is it data stores? They look at all of them and gather all of this data. Now once they have this data, they are doing all of this reconnaissance, or all of this intelligence gathering, from just the Azure CLI. So how hard is it to detect? Just think about it. Everybody does this, because every developer, every DevOps person, every person working in the cloud
in the enterprise, they all would be doing this, so it's very hard to detect. And boom, they get the same privileged access, and once they get access, they are in the cloud.

Now this slide combines everything together, the enterprise attack as well as the cloud attack. So from a user account they're able to get the passwords; the next thing is they're doing persistence and they're able to access the cloud. Next, based on credentials, they're able to dump credentials on the endpoint, from the hashes or from the Kerberos tickets, they're able to gather that information, and then finally deploy ransomware. So for ransomware, if it is an ESXi host, they have a separate
set of scripts. If it is Azure, they have a separate set of scripts. It means it's all automated. There's nothing they're trying; they have mastered it.

Now let's look at the detection challenges. Since they are not using any malware, there's absolutely nothing to detect. There's no phishing, there's no malware, and it's identity-centric, so it's very hard. How do you figure out whether a person, like a DevOps person doing his normal job for the day, is really the person doing it, or is it a threat actor? How do you identify it, because they have owned that particular credential, and this is done in two hours or three hours;
it's not like for days. No, they're not doing that, just two or three hours; even before the other guy realizes, oh, I've been locked out of my account, these guys are done. And they're just living off the land and living off the cloud in terms of the tools. They're not bringing any new tools; they don't need any new toolkit. But in the last phase, before they deploy ransomware, they bring in a lot of things for data exfiltration. Other than that, they are not doing anything different from an actual employee, and they use all of the modern things, for example Azure Data Factory, to exfiltrate data. So in terms of the
thing: identity-centric, API-based, native features, nothing new; the outcome is fast, semi-automated, and it's similar to DevOps, just like any other job.

Now in this slide I'm going to map all of these different techniques to MITRE. This is the most important thing, because for every malware or every crime group we try to see what the different techniques are they are trying to use, and this is the mapping. So if you look at this, it's the same: initial access, persistence, privilege escalation, defense evasion (nobody can detect this), credential access, and of course data collection and exfiltration. So pretty much they're touching all the different tactics, and under the
different techniques, if one doesn't work they have another technique working, so they just deploy that. Okay. Now let's again switch gears and focus on the cloud. Let's look at the cloud challenges. In terms of the cloud, it's very dynamic, and the workloads are ephemeral. For example, it's elastic: okay, there's a load, there's a new job to be done, a particular VM gets spun up, and then the whole job or service is going to run, and as soon as it's done it's turned off, gone. So things are very, very
dynamic. It's not like static servers 10 years ago, or in the enterprise; it's all very, very dynamic loads. And also the workloads these days can move from the enterprise to the cloud, wherever is cheaper; it can just move, run there, and then be back in the enterprise. And there are multiple paths of identity, so I'm going to talk about that. And the volume: think about the volume of logs you have to look at or analyze to even figure out, hey, something is happening, and there are a variety of log sources, and there are tons of services. Now the next topic is about the cloud attack surface, where there is a data
plane and a control plane. So I'm just trying to build up the complexities, and in the final stage I'll put all of them together. So the data plane: what is a data plane? The data plane is nothing but what handles all of the data processing, service, storage, workloads. Essentially workloads are services. It involves VMs, containers, DBs, and storage services. These are all targeted by adversaries because exploiting is very easy. You exploit the workload. There are some vulnerabilities with a particular service. You exploit it. You got access to a particular VM, a particular container. This I'm saying from the outside, as an external threat. You compromise
one of the web services hosted, and that's nothing but you actually touching the data plane. Or there can be cloud misconfigurations, and once they get into any of these misconfigurations, they escalate privileges by doing credential dumping or lateral movement, and everything is exploited using APIs and workloads, and data exfiltration using outbound channels. It's again another act. So if you look at the impact at the end of the day, the summary, or the key takeaway, is that if you look at the impact, it's just confined to one particular VM, one particular service, one particular data, one particular customer. Okay, it's bad, but it's confined. Now I will talk about
the control plane, and then let's contrast the actual severity. So what is a control plane? The control plane is nothing but the core layer managing all cloud resources. Okay, I highlighted the word all. Any cloud resources you can think of. Be it Azure, be it any cloud, doesn't matter. Everything is managed from that control plane. So once you get access to the control plane, basically you're an insider. You are like the actual DevOps person doing it, including governance, orchestration, everything. And this is targeted because, once they get access... how do you get access to this particular control plane? By exploits, again exploits; they get stolen API
credentials, or basically again identities. Now let's look at the scale and impact. Think about giving away all of your crown jewels, which is nothing but access to the control plane for any Azure cloud, or even for the enterprise, to the attacker, and then it's impacting everything. Think about it. So the actual attacker now can create his own accounts. He can spin up VMs. I have heard of instances where the attackers go create crypto, they just create cryptos for crypto harvesting, and in one of the cases the actual cost of running this particular VM was equivalent to the whole enterprise cost for one month.
So they are doing all kinds of nasty things. So the impact is severe. Next is what makes the control plane a target. I'll say it's a soft target. Once you're on the inside, it's a soft target. It provides a level of access. So we need to understand: when we talk about networking, network access, I'll say that's completely benign in comparison with this attack, because when you get access to the network you still have to go through firewalls, you need to get access through all of them, you don't have access to credentials. See, network access doesn't give you any credentials; you're
just trying to do recon, which can be blocked, which can be detected. Those things are simple. That's why I say it's a pretty low-severity attack. Now in comparison, you are looking at the actual control plane. So essentially you're giving away the keys to the kingdom. That's what we call them, the keys to the kingdom. Now what can they do? They can spin up new VMs, exfiltrate large volumes of data. They encrypt all the data and exfiltrate. The best part: they go about disabling all monitoring logs, delete all their traces, cover up all of their traces, and no control plane attack, or any of these attacks, can be detected by any
of the EDRs, because the actual identity is you. And in one case, let's say there's a cloud provider, for example Salesforce, if they get impacted, Snowflake, Databricks, if they get impacted in the cloud, that means he can get access to multiple customers. I'll just leave it there.

Now let's look at the detection and defensive countermeasures that can be employed to prevent, or first detect and then prevent, such attacks. Before we jump in, the three things I want you to really remember are: one, identity has been weaponized. The second aspect is this is similar to an insider threat,
a disgruntled employee; suppose a disgruntled employee goes about doing all kinds of things, it's very hard to detect. And the third one is the targeting of the control plane, which gives them complete access to the whole enterprise. So what is the solution? The solution is what we call honey accounts and honey tokens. So let's jump into that. What are honey tokens? What are honey accounts? Basically honey accounts are nothing but deceptive accounts created specifically to target the adversary. See, if adversaries can just walk in the network without any rules... this is a joke I tell everyone: for the employee there are so many rules. Hey, don't do that, do this, take this
compliance test. But the actual attacker is walking around freely in the network, right? There's nothing to stop them, nothing to detect. Now we are going to turn the tables around. Okay, what we're going to do is create honey accounts. For example, in the cloud, I'm going to create IAM accounts, roles, services, API keys, everything deceptive. When I say deceptive, it's all fake. It's not for any user. I'm going to create all of them. And the key is I create them in such a way that they look realistic. It's juicy. It's active. So for an attacker: an attacker is smart. He's not just going to pick any credential and start working with it. But these kids are
different. They are, as I said, TikTok. They don't have time. They just grab anything and keep going. But more stealthy attackers, they wait. They want to make sure that this account is really valid. They do a lot more reconnaissance before they start using it in an attack. So in all of those scenarios, what we do is we try to make it as realistic as possible and create all of these fake accounts and sprinkle them everywhere. Now once these accounts are created, let's go to the next one, which is the honey tokens. So accounts are created, and all of these accounts are associated with actual secrets. For example, there's an IAM account. The IAM account
has secrets and keys. So we create all of these fake accounts, fake keys, and they go hand in hand. All of these fake keys are pointing to the fake honey accounts. Okay, they're all hand in hand. Now we add this to the cloud workloads. We distribute them. We add it to the cloud workloads. Examples: how do we, where do we add, how do we embed them? Okay, so we embed all of these honey tokens across all cloud assets. For example, if you think of a compute instance, we have the instance metadata, because this is thinking like an attacker or a hacker: where is he going to look, where is all the data? It's all in the
compute instance, for example in the actual metadata. It can be in the bash history; if you log in to an EC2 instance, it can be in the bash history. It can be in the environment variables; it can be in so many places. This was one of the nightmares before security: people used to put passwords and all kinds of credentials everywhere, distributed everywhere. This is a nightmare, so there are tons and tons of best practices: hey, don't do that, don't do this, just follow this, because of these reasons. So we go and put in all of those locations. Or it can be in the secret manager; we
can even put it in the vault. The vault is another crown jewel; if you get access to the vault, gone, done again, right? So we create all kinds of fake assets within the vault, and we can do it in the Kubernetes cluster, third-party vendors. It can also be in the CI/CD pipeline. This is very, very powerful, because within the code we can commit all kinds of code with the honey tokens. Honey tokens are nothing but cookies; just high-level cookies, right? So we can commit to the code. For example, let's say there's a DB configuration. As part of that, there can be a README file saying, hey, this is some password. This is the
administrative account. You can put all kinds of information there. The attacker is going to read them. He's after that, I'm telling you. And also, the other thing they steal is the actual code-signing certificates. If you get a code-signing certificate, for example from Microsoft or any of them, again boom, all the executables are signed by them. Everything is valid. So they even go steal those. So we can also create decoys around them. Then the next thing we do, once all of these tokens have been created: how do we distribute them? We distribute all of these tokens across the whole enterprise.
Now let's look at the scenario, right. So we have all these fake assets. Only the person who has deployed these fake assets, or deceptive assets, is aware of them. The actual external user: absolutely none. And I'm just scratching the surface. I'm not diving deep into this. But I'm just telling you, on the surface, there are a lot more things that can be done to make it a very live environment. Now as the attacker comes in, as he does his reconnaissance, as he gathers or harvests the data from various locations, various sources, he gets all of this data. Now let's say he picks any of them, he touches any of them. They're
like mines. Mines deployed everywhere. It goes off. It gives an alert. You don't have to do anything. No processing to be done. It just goes off. Mines; it gives you an alert. That detection is the key, because once you have the detection, the enterprise is ready to handle the whole triage and all the remediation, everything. You need detection, and early detection is the key. I'm telling you, early detection is the key. Okay. Now let's look at the scenario where we have an environment where the honey token has been deployed. So you have seen how they were able to pillage the actual environment when there's nothing preventing or stopping them. Now on the
contrary, let's look at the scenario where we have deployed the honey accounts in such an environment, and then how it stops them, or how does it benefit detection. Okay, the first thing is again the attacker compromises a user account. This is the standard modus operandi. Once they do that, they perform enumeration to identify admin roles; they're looking for something, they're looking for admin roles. The next thing is they do a deep reconnaissance to gather the role policies, because they want to know which particular user can, or where there's a vulnerability, or which particular user can be exploited, and they want to do an assume role to that particular access or admin
permission to escalate privileges. Again, this is in the cloud. So let's say step one, they compromise a particular user, and using that user, they're trying to enumerate all the IAM accounts specific to the cloud. Let's say there's a particular RDS admin role. They found that; okay, excellent. Now they went and looked at the actual policy for this particular admin role. They see that it says Allow and the resource is RDS. So that means they can do all enumeration, all activity, on the RDS database. So they got this policy. Excellent. Now once they get this policy, they can start; they would have gone and done things. But in this case I'm going to
bring up two scenarios where we can catch them. Let's say the particular assumed role they have picked up is one of the credentials, or the fake deceptive credentials, that we have deployed, which has this assumed role. We have implanted the actual vulnerability. Let's say they want to exploit it. The moment they try to exploit that, boom, we got an attack. We got an alert. Right? This is when they're trying to escalate privileges. Now there's another possibility: in the very first stage, where they are trying to take over a particular individual user account, even at that stage, let's say they picked
up a deceptive account; boom, right there you are able to detect this particular activity, right at the beginning of the whole attack. And then what you can do is you can go block, you can do all the response, you can just watch and monitor. And the best part is, if you have an early detection, you can take this particular signature, or your particular instance, and you can go through threat hunting. You want to see, hey, I found this; is it possible that there are some similar attacks happening from the same source? You can do all the analysis and then you can correlate across your enterprise, and
then you can go do threat hunting and block all of those attacks, or see what you have seen before; for example, in the previous day they might have tried a lot more attacks, we never know, so all of those things you can uncover. So this is the IAM role. Now let's go to the next one, which is the actual honey token. So in the enterprise we have deployed both assets: we have created honey accounts in the IAM roles, which are all fake deceptive accounts, and in addition to that all of these tokens. Tokens are nothing but cookies; it can be secrets, it can be
keys which are pointing to all of these assets, which can be SSH keys; there's a big list of all these keys. Or you can even, for example, Kerberos tickets, you name it, you can put all of that information there. You can create your own cookies. You can have your own session cookies, right? All of this information you can embed, and now, I'll say, it's a nightmare for the attacker. I'm going to talk about that. Okay. Now, let's say we have these honey tokens. Using the honey tokens, let's say the first scenario is the attacker, the same thing: he finds an SSH key on a publicly
exposed bucket, which is pretty common. Okay. So this SSH key, which got exposed because of a public bucket, can be non-intentional or it can be intentional, right? So this is where we bring in... there are a lot of things that can be done. Let's say he got access to our keys. Now once he gets it, he logs in using that key into the SSH server. He scans the host and then looks again for AWS credentials that can be accessed; basically he's doing all of his data harvesting. So the more data he tries to harvest, he gets it; we give him the data, and then he logs in to the actual AWS
CLI, and then boom. So this is the flow. Now let's look at this flow, the same thing: how does it work with the honey tokens deployed? So the attacker finds the SSH keys, and the attacker knows he found some keys, some credentials, some tokens, but he doesn't know whether they are real or deceptive. Even the employees don't know. Only the person who deploys this is aware of what is real and what is not real. So we merge the real world and the fake world. We create an overlap. Let's say he found the keys. He's trying to log in. Let's say these keys
are fake keys. Boom. You caught him right there. Right at the entrance. Right at the entrance of the door, you caught him, and then you can do all the triage. Let's say they are real keys; then he goes to the next phase, which is basically he's trying to steal the AWS credentials. So as part of the AWS credentials, whatever he's already harvested, as part of that data he has already got a lot of tokens. See, from an enterprise he has harvested a lot of data. It's not just one piece of data. So once he gets all of this data, he is going to look at it and say which one is more
meaningful, which one is more valuable for him to go and escalate privileges. Let's say we have given him the right data. We have given him all the privileged data. He's going to take that, and then when he tries to do the CLI access, trying to access any of the Azure resources, trying to escalate privileges, boom, you got another alert. So this particular method, or the effectiveness of honey accounts and honey tokens deployed in the enterprise, is the key for stopping the attacker.

There's a small demo. I'll just play this demo. It's exactly trying to show what happens. So in this demo, let's say the attacker compromises a low-privileged user.
Now he looks at the user details. He got the information and he lists all the different IAM roles to find the role which he's looking for. Basically that's a privileged one.

Now once he finds that particular role he does a deeper reconnaissance to grab the policy, the permissions, the actual permissions associated with that account, and then he finds one with which he can do the actual privilege escalation. Now the attacker lists that particular thing. Now he retrieves the actual policy for that particular IAM role. Now he finds that the role's policy allows for a privilege escalation.

Now the attacker attempts to assume the access associated with those permissions. For that he has to do an AssumeRole, and then he gets denied. That means he has triggered an alert. You have put a mine. He has touched the mine. It just gave him away. He revealed himself. And of course based on that we have the alert on the console.
Now switching gears, let's look at the strategies for a preemptive cyber defense. How do you use honey tokens for such a strategy? The very first thing is you have to think like an attacker. What are the locations he's going to look for? What are the different data he's going to harvest? What are the crown jewels in the enterprise? We can identify these because we are on the inside. We can identify all of these things and then we can poison all of them. Poison the data for the attacker. Then it has to be enticing. When you deploy such a thing it has to be enticing for him, because it has to have the right role. If you give too much fake data then he'll say, hey, there's something wrong with this environment, I'll just walk away. We should not oversaturate it. It should be the best mix. It's like adding sugar to your coffee. You don't want to add too much or too little. And also the type and the placement, the strategy that goes into the type and the placement where you want to place it. The attacker is going to start from the front door, and to get to the crown jewel he has to pass through multiple doors. Of course, even in cloud it's not that everything's open, right? So you need to think strategically. You need to put all the breadcrumbs all along the way and you need to lead him. If he picks it up right at the door, you got early detection. If he gets it at the next point, of course we give him more and then we walk him along. It's possible that we can really take him to the place where we want him to do things. And of course with AI and domain knowledge, it's very easy to build a strategy and then go deploy all of these honey tokens, creating all of these deceptive accounts and assets in your enterprise.
Now what are the benefits of these honey accounts and honey tokens? The first thing is early detection. Actually I will say, if there's a detection... see, it is now assumed, this assume breach, that the attacker is always on the inside, okay. It can be an internal attacker, it can be an external attacker, an internal threat, we don't know. It's a very, very hostile environment, right? We don't know. The attacker can be lying dormant for years, we don't know, right? So early detection is the key. The moment you have a detection, it's up to you. If you want, you can watch: hey, this particular attacker, I'm going to watch what he's going to do. Does he have a new TTP, a tactic or technique, where he can infiltrate and then exploit one of our servers? I'm going to watch him. It's up to you. You can watch him. If you say, "No, I don't want him to be inside," then you can just block him or you can kill him right there. Then there's no data processing. For example, I go back to my world. Previously, before we did this, we were in IPS. I was in IPS, intrusion prevention. For every signature, or for every bit of traffic that is coming in to the web firewall or any of these things, there are tons of signatures we match. Oh, is this an HTTP header? Oh, is this a particular encoding? We do a decoding of the encoding and then match. It's a nightmare. Here, there's no processing to be done. You just sprinkle them. You strategically create and sprinkle these breadcrumbs everywhere. And the best part is the alerts that you're getting from this are high fidelity. For example, there's a particular mine. If nobody's touching it and somebody goes and touches it, it doesn't matter whether it's an insider or external, boom, you got the alert. And this is really high fidelity. You don't have to correlate a hundred things. Probably if you look at the actual deployment, it'll be quiet. There's been nothing happening. People will wonder, hey, is it really working? Of course it's working. When the real attacker, when somebody touches it, then boom, it blows up. So you might see one alert, right? You might see one alert in a month or in a week, but that's it. You got the actual... so it's a very high fidelity alert and it's very inexpensive in terms of the technology deployment, managing all of those things. It's very, very inexpensive. Now this part is the part I like the most, okay, where we induce confusion and hysteria for the attacker. I'm going to talk about this a little
bit. Let's say the attacker who came in has no idea about your environment. But that's actually not true. A lot of attackers know more about the environment than the actual system administrators, okay, that's the truth. Whereas let's say the attacker came in and he has no idea... especially the kids, because as I said they're very fast, they don't care. Especially these kids, or even the kids who care, or the actual serious guys: as they're doing their reconnaissance they gather all of this information, they take this information out. Let's say they have no idea what is deployed. They're not expecting anything. When they come back and start using all of your credentials, boom, you caught them, right, or they triggered alerts, so they have to be super careful. Now let's say they are smart people, because they're expecting something to be inside. They're seeing, oh, this data is not consistent. Yesterday I came, I saw this data; today I see something different. I'm seeing a new project, there's a new project coming up or a new event coming up I'm not even aware of. So we are trying to delay them. That is, we're buying time. That's super critical. And also let's say they take all of this data out. They exfiltrate all of this data, all of these tokens, everything. They're looking at this data. It looks fishy. They don't know which data to trust. Is it real? Is this really an administrator? They go and look on LinkedIn. We have all the information there. Oh, everything matches. But something is not okay. So we are buying a lot of time, and he has to be super careful now because he knows there are mines in the network. He has to be super, super careful before he goes and attempts anything. So this is what we need to build, or how we go about doing it. So essentially we are completely upending the game for the attacker.

And the last slide, basically the key takeaway: essentially the defense always comes in multiple layers. It doesn't matter whether it's cloud or enterprise, and it's always a combination of prevention and detection. Now cloud detection always needs a focused strategy, and honey tokens, I'll say, provide an effective approach for a cloud strategy. Very inexpensive. And it augments; it's not like you have to throw away all of your things. It augments your current security infrastructure. Yeah, that's pretty much it. Questions? Yeah. [applause]
>> Yeah.
I guess my
So, how do you isolate or keep it, or how do you identify all of these fake assets in comparison with the real ones? Is that the question? >> Um, not necessarily. So,
Okay. Yeah. So every application, including Okta, it can be world or it can be any of them, right. SSO. We can create something which is very specific to that application, and Okta is extremely used. SSO is extremely used. So we can create tokens or we can point to the actual Okta itself. We can create a lot of these cookies which look like real live sessions, or user credentials, and then deploy them, and they need to be refreshed. That's all it is.
>> Yes. Yes. Yes. Yes. Actually, it's a full ambience. We don't... that's why I said we're just scratching the surface. It's a full ambience. We create decoys which can be EC2 instances, file shares, you name it. That's why I said we kind of create this virtual environment or a shadow environment and then we merge it with the actual environment. We overlap it.
>> It's very easy. It's very easy. Creating, scaling honey tokens, deploying them strategically, very easy. Thank you. Thank you. Thank you.
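The detection flow the demo walks through (a compromised low-privileged user enumerates IAM roles, reads the bait role's policy, is denied on AssumeRole, and the decoy access key harvested from the host is used), written out as an added Python example for this page. It is not the speaker's or any vendor's tooling. It assumes CloudTrail-style JSON events as the input; every account number, ARN, access key ID and event below is constructed for illustration, and the decoy user, decoy role and event sample are hypothetical.

```python
"""Honeytoken detection over CloudTrail-style events.

Added example for this page; not the speaker's or any vendor's tooling.
Every identifier, account ID and event below is constructed for illustration.
"""
import json
from dataclasses import dataclass

# Constructed decoy identifiers (assumption: the decoy keys belong to an IAM
# user with no permissions and the decoy role's trust policy admits nobody,
# so any touch is denied by AWS but still lands in CloudTrail).
DECOY_ACCESS_KEYS = {"AKIADECOYEXAMPLE0001", "AKIADECOYEXAMPLE0002"}
DECOY_ROLE_ARNS = {"arn:aws:iam::111122223333:role/prod-admin-backup"}

# IAM read calls an attacker makes while deciding which role is worth assuming.
# ListRoles is deliberately absent: it enumerates every role and is too noisy.
RECON_EVENTS = {"GetRole", "GetRolePolicy", "ListAttachedRolePolicies", "ListRolePolicies"}


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" or "medium"
    reason: str
    event_name: str
    principal: str  # ARN of the caller, i.e. the compromised identity
    source_ip: str


def decoy_role_for(event):
    """Return the decoy role ARN an event names, or None.

    sts:AssumeRole carries the full ARN in requestParameters.roleArn; the IAM
    read calls carry only requestParameters.roleName.
    """
    params = event.get("requestParameters") or {}
    arn = params.get("roleArn")
    if arn in DECOY_ROLE_ARNS:
        return arn
    name = params.get("roleName")
    for decoy in DECOY_ROLE_ARNS:
        if name and decoy.rsplit("/", 1)[1] == name:
            return decoy
    return None


def inspect_event(event):
    """Classify one CloudTrail event; returns an Alert or None."""
    identity = event.get("userIdentity") or {}
    principal = identity.get("arn", "unknown")
    ip = event.get("sourceIPAddress", "unknown")
    name = event.get("eventName", "")

    # A decoy key has no legitimate user, so any call made with it is hostile,
    # whatever the call is and whether or not AWS allowed it.
    if identity.get("accessKeyId") in DECOY_ACCESS_KEYS:
        return Alert("high", "decoy access key used", name, principal, ip)

    role = decoy_role_for(event)
    if role is None:
        return None
    # The mine from the demo: trying to assume the bait role.
    if name == "AssumeRole":
        return Alert("high", f"AssumeRole attempted on decoy role {role}", name, principal, ip)
    # Reading the bait role's policy is the reconnaissance step just before it.
    if name in RECON_EVENTS:
        return Alert("medium", f"decoy role {role} enumerated", name, principal, ip)
    return None


def detect(events):
    """Run inspect_event over an iterable of parsed CloudTrail events."""
    return [a for a in (inspect_event(e) for e in events) if a is not None]


def detect_jsonl(text):
    """Same, over newline-delimited JSON such as an exported trail."""
    return detect(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample trail: the compromised low-privileged user enumerates
# roles, reads the bait role, tries to assume it, and finally uses a decoy key
# found on the host.  One benign event is mixed in to show it is left alone.
_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/helpdesk-ro",
         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
SAMPLE_EVENTS = [
    {"eventName": "ListRoles", "eventSource": "iam.amazonaws.com",
     "userIdentity": _USER, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "GetRole", "eventSource": "iam.amazonaws.com", "userIdentity": _USER,
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"roleName": "prod-admin-backup"}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "userIdentity": _USER,
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/prod-admin-backup",
                           "roleSessionName": "cli"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": _USER, "sourceIPAddress": "203.0.113.12"},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/backup-svc",
                      "accessKeyId": "AKIADECOYEXAMPLE0001"},
     "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}: {alert.event_name} "
              f"by {alert.principal} from {alert.source_ip}")
```

Run as a script it prints three alerts: a medium one for the GetRole on the bait role, a high one for the denied AssumeRole (the mine from the demo), and a high one for the decoy key being used at all. The ListRoles and DescribeInstances events produce nothing. Note that the denial itself comes from AWS, via the decoy role's trust policy and the permissionless decoy user; the detector only matches event fields against a small set of identifiers nobody has a legitimate reason to touch, which is why these alerts need no correlation and are high fidelity. In a real deployment the same match would sit in a SIEM rule or an EventBridge rule on the trail (assumption about placement, not something the talk prescribes), and the decoy key and role should be rotated and re-seeded after each trip.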