
Hello everyone, we would like to thank you for coming, and we would also like to thank the BSides Athens team for having us give a presentation as well. Today we are going to present some scenarios and some techniques related to deception. So we are talking about deception. My name is Manos Gavrin, I am the head of Cyberspace Museum in Moussas, and with me today is Andreas Dacas. He is a senior InfoSec analyst and head of IT operations.

Now, it's 2017 and yet cybersecurity is at its worst. We heard about the NSA leaks, the zero-day exploits, the WannaCry ransomware. We believe that attackers will find ways of actually getting in by using such attacks. Of course, we have the insiders, so we believe that we need smarter ways to defend, and we also believe deception is a strong security layer and a defensive mechanism. Now we will give you some ideas, techniques and scenarios, and of course we will have a platform which is called "Illithium".

Deception. So the art of pleasing is the art of deceiving. What attackers want, actually, is for us to give them what they want. Why? Because we need, first of all, to detect them. It is also useful to misdirect them, with fake traps and honeypots and data, to waste their time. And finally to monitor them, in order to find out what they are actually able to do, so that we are able to defend ourselves.

Now some problems about honeypots. Of course high-interaction honeypots reduce risk. No-interaction or low-interaction honeypots give false alarms. There are also smart tools that can detect honeypots. There is complexity, and of course it's costly, especially when you have high-interaction ones.

So we have a case where William is the man in black. He has just walked into our network and he is going to attack further. Now from the other side we have the defender, Dolores, who will try to stop William. How? By using deception in the cycle he takes. By driving, this is a concept that Lulossop introduced, and it's actually a simulated advantage. And finally by using some offensive deception to find out who the attacker is.

Now, deception in the cyber kill chain. We use honeypots, honeytokens, garbage data along with... And finally some smart entry points, in order for him to get into the deception deep maze. Now, the deep maze is the isolated simulated environment. Everything there is fake. It's a honeypot. When an attacker finally gets in, actually he has already been detected, the owner has already been alerted, and there are some realistic scenarios where the attacker, William, makes decisions mostly driven by Dolores and wastes his time. And finally Dolores will monitor the actions of William. In offensive deception now, we let him capture a lot of free data, we let him steal some juicy programs, but everything he is going to use might be used against him. Finally, there is the option of attacking back, but this is illegal as far as I know. But there is some speculation that in this case, there are some cases where maybe the defender can attack back. And finally, doxing.

So let's see some attack scenarios. We have the classic case of being attacked by a hacker. So he sends a spear phishing email to our organization. Maybe he uses Meterpreter. So he gets the reverse shell back. Now let's suppose that he is good enough to get SYSTEM. Maybe it's even easier, because the user there is a local admin. So by having SYSTEM he can do many things, but one of the attacks can be to get some credentials from the machine. So he will use something like Mimikatz to dump credentials. So we can see that he gets the hash, he gets the clear-text password. But what happened? Actually, here there is an agent inside the machine. What it will do is a natural contract: it will create a process by using a Windows function which takes some parameters like username, password, domain and some flags. By using the LOGON_NETCREDENTIALS_ONLY flag it can actually create a new logon session within LSA, in which you can use whatever username, and this is very safe because everything is fake. Then he can use these credentials to authenticate over the network, to pass these fake credentials to another machine, and in both cases there will be an alert for them. Especially in the second case, which is likely to happen, there is an entry point inside the bait, and we will see later on inside this simulation environment.

Let's suppose that he moves to another node; he tries to scan a range of our servers. So maybe he's smart or he's lucky enough to miss his own timecode, so there's no other way. Then he decides to attack the production machine, the server. He has already done a port scan, so he finds a port with a service running an old version. A quick search on the internet and he finds there is an exploit there, a remote code execution. So it's vulnerable. There is a major thing there: if this port were even touched by the attacker there would be an alert, but now the important thing is that this agent actually gives a shell inside the deep maze. The Q-mailing thing is going to the simulated environment. So this port is not on this machine but on another machine in the simulated environment. Now the current status is that the attacker still believes that everything is going well; the defender has already been alerted, she starts to monitor, she is entering into the deep maze, which is a simulated environment, which is there for honey more than anything, it's a honey trap. Also, it is possible to bring in the initial inside the deep maze. There, there can be different scenarios where you can have remote exploitation, you can have privilege escalation, pass the hash, password reuse, ingest the data.

Now the last part, offensive deception. Dolores can enable massive grabs, where the agent tries to give him some files to take with him, maybe offline, maybe later on, maybe saved somewhere, and by using them he works who comes to hit his real LBR. Maybe he will be very careful, so we will never find out. But let's suppose that he's working for someone else and he just doesn't care: "This exe file, I don't want to see what is inside. I'm sending it to you." And someone opens it and there is a trap there that is going to call back to our web server. Pretty much this is about offensive deception. So we hope that finally someone can get him. So, Andreas Dacas can continue.
So, from the challenges we can see that deception has some benefits. The first benefit, the greatest of them, is that we can identify unknown attacks such as zero-days, and we can calculate the attacking trends by the methods they attack, the paths they follow and the targets they attack. It also helps us design our defensive measures and security architecture, and of course we reduce the detection time, because we know the attack at the time it's happening. If we know when the attack is happening, we can respond.

Deception also has drawbacks. First of all, the risk of high interaction. If we implement high-interaction honeypots in our network, then the attacker, if he gets something interesting when he attacks the machine, maybe gets some data he can use in the real environment. This process is very easy. It requires full and continuous monitoring. A mistake in our deployment can compromise our network. And these are the reasons, the actual reasons, why deception needs separation from our actual network. But then, if we separate deception from our actual network, how will the attacker reach our deception traps? And also, if the attacker finds out that there is deception in our network, he may change his strategy, change his method, and approach us more carefully. And that's something that we do not want.

So, does Illithium overcome these drawbacks? Yes, it does. First of all, with deception and isolation, it actually isolates all the deception we implement. Then, it blends this environment with our... Now, isolation and blending might seem contradicting, but we will see later on how this can...

Now, deception can be implemented, is implemented, in layers. First of all, we have deception in the network layer: some fake packets or some fake network devices that the attacker may explore. Then we have endpoint deception, which means we make a fake system that the attacker identifies as a real system. Then we have application deception, for example a SQL database that the attacker will connect to and interact with, and it will respond with actual SQL responses. And then we have data deception, in which case we introduce some hashes in memory, we add some data in our actual files, in our real data, that are not real, but if the attacker uses them or touches them in some way... The problem in this chain, in this deception chain, is that as we get higher in the chain, it gets harder and harder to implement deception.

It's a little bit loud. Now better? Much better, yeah. Okay.

So, now that we've talked about the categories of deception, let me tell you some things about Illithium. What is Illithium? Illithium actually is a platform that does anything that is deception related, plus full environment simulation. It simulates your environment; the reason is to help you implement some traps and isolate the attacker. Of course it has some enterprise features.

So, Illithium is built around three core concepts. First of all, it has some agents, some very lightweight agents, that you need to deploy in your network in order to have deception ability in your network. Then there are the baits, which are the actual traps, built using the Illithium platform. And then there is the simulated environment, inside which is the deep maze. The deep maze is actually predefined scenarios that we want the attacker to follow, and in the simulated environment we can isolate him and make him follow these scenarios. Of course, this is regarding only the attacker; that doesn't mean that the concept does not apply to malicious software such as malware and so on.

So, I think that this diagram may answer questions about how the catch loop works. Now you can see on the right the Illithium appliance. Inside the Illithium appliance we have Illithium itself, which is internal, and then we have the simulated environment. Now on this side we have the attacker, and for example here is a honeypot, a honeypot system. The Illithium agent runs in the honeypot system, and everything that the attacker can do in that system is routed through the Illithium agent into the simulated environment inside. With Illithium you can do much more than just an external honeypot. You can also add traps inside your legitimate services on a legitimate server. So you can create some fake ports which present to the attacker some fake services, which actually don't look fake because they are full-interaction endpoints. And also there are some traps on the node, such as decoy files, monitoring API calls, actually anything that can be monitored on a system level. These things are monitored from the agent. When something happens, all the actions of the attacker are linked to the simulated environment.

So, how do we add deception in our network? First of all, we have to do a risk assessment of the data. Then we identify the systems that are linked to this data, the systems that store or transmit this data; we make a bundle of those, the devices, the processing devices, such as servers, workstations, mobile devices, tablets, whatever, and then the applications that use this data. Finally, we deploy the Illithium agents, an easy process, with no interfaces, to all the assets that are involved in handling that data. Now our network is deception-ready. Now we can make our network deceptive.

First of all, we create a simulation of our environment, of all of these environments that we know, and so on. The simulated environment is composed of two kinds of systems: simulators and phantoms. Simulators are actually full-interaction honeypots. And phantoms are systems that look real but are not. They will be, they will be governed. Then we add baits. What kind of baits can we add? Anything that we know as deception, such as honeypots, from no-interaction to high-interaction honeypots. Decoy files, files that can interact, that can be tracked. Decoy data, fake hashes, as in the example that Manos described earlier. Information trackers, information inside documents, inside our valuable data, that can help us later on identify who was the one that took all that information outside of the company, and "call it", which means that a compromised system can become a honeypot itself.

Now, in implementing baits we have a fundamental problem, the unknown attack. And what is that? That the attack is unknown. And when the attacks are unknown, we don't know what to do in order to design something that will catch the attacker. But there is a solution. We know that at some point the attacker will interact with our assets, either at the beginning of his attack, in the middle or at the end. There will be a point where the attacker interacts with our assets. So our objective is to make him interact with something that is fake, something that we created for him, and make that thing look really, really real.

So, how do we deploy the baits that we design after this? First of all, we have automatic deployment inside the Illithium platform. So Illithium proposes some baits that you can install on your network, based on the layout it can identify. But then there is the bait deployment guide for the baits that you see fit for your network. There is of course a service from Neurosoft, where we can help you design and develop. There is the bait feed, which is a service that is based on all the security knowledge base of Neurosoft. We design based on attacks that we know, based on techniques, and then you can decide if you want to add... And of course you have the ability to create, in which case we propose that you go for a general scenario strategy, because we said earlier that we don't know what strategy the attacker will follow. We must always have this in mind when designing traps.

So Illithium has some distinct features, some functionality features and some architectural features. Its functionality features include full-stack deception, as noted earlier. We can analyze the attack, fully analyze the steps of the attacker. We can track the attacker, we can delay him, we can detect attacks with very high confidence, because if someone touches something that is fake, it's 99% sure that this someone is an attacker or is some kind of threat to our environment. And then there are some architectural features. For example, baits are fully integrated into real systems. The whole architecture allows it to be light; it does not operate in the architecture. Though it uses agents, they're so light that you won't know that they're there. And there is full simulation: it does not emulate systems, it simulates systems, which means that there is no actual difference from the side of the attacker between the simulated system, the fake system, and a real one. If he attacks an Oracle database, for example, he will get responses using the Oracle protocols and he will get valid Oracle data. There is isolation, the ability to isolate the attacker in that fake environment. Of course, the ability to create our own custom baits, which is actually pretty good, because maybe you have in mind something that we haven't thought of and you would like to deceive in a group.

There are also some features through its user interface which I would like to point out: the rules. We can create rules to detect attacks, rules for emergency response, rules that do things in our network in order to cut him out of our network, and alerting, reporting, statistics and so on. These are the enterprise features I put in my area, and I would like to point out the API, which allows you to integrate the product with your own products and integrate the functionality of the product into your own products, and of course connectivity with SIEM, so that you still have one console to see your SIEM and not 2, 3, 4 consoles for your security.

So, that's all about how we can get it. The truth is that it's still under development. Its current status is beta. We have really low functionality and we've tested it. We are still working on some usability features, mostly. We expect the first public release to be at the end of this year. It will be available through a perpetual license and software. There will also be some services around the product, such as the POC service, so you can try the product in your network and see if it works for you. There is also the design and deployment service, the tutorial, the bait feed. Of course there is monitoring and deployment, which is a service where we are there for you. We deploy new traps, new baits every time we see fit. So that's all. Any questions?

Yes, there is an option. If you already have some honeypots in your network, yes, you can integrate with these honeypots. You can make it manage these honeypots too. Actually, it has the ability to add your own scripts and your own code in the product. So you can make it do whatever you wish. Thank you very much.
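The fake-credential scenario described in the first half of the talk (decoy credentials planted in memory so that a credential dump yields fake accounts, with any later use of those accounts raising an alert) has a defender-side counterpart: watching Windows Security logon events for the decoy account names. The Python below is an added example, not code from the talk or from Neurosoft's product. Everything in it is constructed: the decoy account names, host names, IP addresses and the simplified key=value log lines. It assumes the agent plants decoys with LOGON_NETCREDENTIALS_ONLY, which leaves a 4624 event with LogonType 9 (NewCredentials) on the planting host itself; that one expected event is whitelisted, and every other 4624 or 4625 naming a decoy account becomes an alert, matching the talk's point that a touch on something fake is a very high-confidence signal.

```python
"""Honeytoken credential monitor: flag any logon attempt that names a
planted decoy account. Added example, not from the talk or the product."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed decoy inventory: decoy account (lower-cased) -> host where
# the deception agent planted it. Assumption for this example.
DECOY_ACCOUNTS: Dict[str, str] = {
    "corp\\svc_backup_dcy": "WKS-017",
    "corp\\adm_sql_dcy": "WKS-042",
}

# Constructed, simplified Windows Security events, one key=value line each.
# 4624 = logon succeeded, 4625 = logon failed. LogonType 9 = NewCredentials,
# which is what CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY leaves
# on the host where the decoy was planted.
SAMPLE_EVENTS = [
    "Host=WKS-017 EventID=4624 LogonType=9 TargetUserName=CORP\\svc_backup_dcy IpAddress=-",
    "Host=WKS-017 EventID=4624 LogonType=2 TargetUserName=CORP\\jsmith IpAddress=-",
    "Host=FS-01 EventID=4625 LogonType=3 TargetUserName=CORP\\svc_backup_dcy IpAddress=10.20.30.45",
    "Host=DC-01 EventID=4624 LogonType=3 TargetUserName=CORP\\adm_sql_dcy IpAddress=10.20.30.45",
    "Host=FS-01 EventID=4624 LogonType=3 TargetUserName=CORP\\jsmith IpAddress=10.20.30.7",
]


@dataclass(frozen=True)
class Alert:
    account: str
    target_host: str
    source_ip: str
    event_id: int
    logon_type: int


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict with typed fields."""
    f = dict(_KV.findall(line))
    return {
        "host": f.get("Host", ""),
        "event_id": int(f.get("EventID", 0)),
        "logon_type": int(f.get("LogonType", 0)),
        "user": f.get("TargetUserName", "").lower(),
        "ip": f.get("IpAddress", "-"),
    }


def is_planting_event(ev: dict, decoys: Dict[str, str] = DECOY_ACCOUNTS) -> bool:
    """The agent's own NewCredentials logon on the planting host is expected noise."""
    return (ev["event_id"] == 4624 and ev["logon_type"] == 9
            and decoys.get(ev["user"]) == ev["host"])


def detect_decoy_use(lines: Iterable[str], decoys: Dict[str, str] = DECOY_ACCOUNTS) -> List[Alert]:
    """Return one Alert per logon success/failure that names a decoy account,
    excluding the planting event itself."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] not in (4624, 4625):
            continue  # only logon success/failure events matter here
        if ev["user"] not in decoys:
            continue  # real account: no deception signal
        if is_planting_event(ev):
            continue  # our own planting, not an attacker
        alerts.append(Alert(ev["user"], ev["host"], ev["ip"], ev["event_id"], ev["logon_type"]))
    return alerts


def attacker_sources(alerts: Iterable[Alert]) -> List[str]:
    """Distinct network sources that tried a decoy account (local '-' excluded)."""
    return sorted({a.source_ip for a in alerts if a.source_ip != "-"})


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT decoy {a.account} used against {a.target_host} from {a.source_ip} "
              f"(event {a.event_id}, logon type {a.logon_type})")
    print("attacker sources:", attacker_sources(found))
```

On the constructed input the monitor stays quiet for the planting event and for the real user, and raises two alerts: the failed network logon against FS-01 and the successful one against DC-01, both from the same source address, which is the pivot the talk describes (dumped decoy, then reuse against another machine). In a real deployment the same logic would sit on the SIEM side, fed by forwarded 4624/4625 events, with the decoy inventory maintained by whatever plants the credentials.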