
Deception Technology... A Maturing Threat Intelligence Solution That Adds Real Value - TrapX

BSides Liverpool · 2019 · 27:26 · Published 2019-07
About this talk
Shaun Lord explores deception technology as a mature threat intelligence and detection solution. The talk examines how organizations deploy fake assets and honeypots across networks to identify attackers during reconnaissance and lateral movement, generating high-fidelity alerts while minimizing analyst workload. Case studies from manufacturing and critical infrastructure demonstrate practical value in early breach detection and ransomware response.
Transcript [en]

That's better, there you go. Hello, listen, I'm Shaun Lord. I work for a firm called TrapX, an Israeli-American deception technology company, and I thought I would dispense with any sort of product placement or any promotion of my firm and talk about deception technology. So that's the purpose of this talk today: to be able to give you a better understanding of what deception tech actually does, what it means and what its implications are. So one starts with the premise that deception has been applied, certainly in warfare, from thousands of years ago, and the idea that to deceive one's enemy in order to be able to win a battle without fighting the battle is the ultimate definition of war success

was founded by Sun Tzu in The Art of War. Of course we used it; this is an illustration of how the British and the Americans, just before D-Day, were able to establish fake armies. Of course Patton was believed to be mounting an attack, I believe, on Cherbourg, and by the use of fake assets, which is what this illustration is trying to show, by the use of fake assets they convinced German reconnaissance, they misled them on what the intended target was. Okay, so let's get into it. I scraped quite a bit of information from what Gartner have been saying. Gartner have decided that this particular sector is of keen interest to

them; they've released four separate reports in 2019 and I take a lot of their definitions. There is a definition up on the screen. I always work on the principle that any person presenting that reads from the screen is not doing the audience any favors, so if I can, I'm just going to summarize briefly what deception technology really means. So deception technology is when an entity, the legitimate entity, establishes a shadow network on which fake assets are placed, with there being no legitimate reason for those fake assets to be touched. A hacker comes into the network, or is already there, and then performs a scan, i.e. a lateral movement, and it is through that lateral movement that

they will touch one of these fake emulations, which leads to an alert. Actually, what it leads to is a very high fidelity alert. So the premise is that by establishing fake legitimate, or rather highly authentic fake, assets on a network, if said asset is touched there's no legitimate reason to do that, and that considerably helps the SOC teams in order to be able to identify which alerts they should look for. So I have another slide later and I'm getting ahead of myself, but what it really is, what Gartner described it as, is a low friction, high fidelity alert system, and that's really what deception is all about. So I'm going to now look into some

more detail about what a multi-layered deception strategy, or deployment strategy, might look like. This is generic; it's not explicit to us at all. Okay, so here in a nutshell is what an architecture looks like when one is deploying a deception network, and you see that there are inherently four component parts of a deception strategy. At the top you'll see, in fact, a pointer, there you go, at the top you will see that there is a management console. This could be virtual or it could be hardware based, particularly relevant for example when one has, we have a number of, one of our largest customers is Unilever and they have 300 factories globally, so if you need to be able to protect a

particular location you can either centralize it in the cloud environment or you can place a hardware management console on-site in order to be able to aggregate the data. Secondly, you'll see these different types of sensitive assets, so we'll start with deception tokens, which I'm gonna show you in a few moments how these are deployed and what they are used for; emulated traps, which is the foundation, so the spine of deception is the creation of traps, and there's probably quite a few people in this room that are reflecting on what is the difference between deception tech and honeypots, and the fundamental difference is the degree of sophistication of the trap itself, and that's what we're looking

towards when we look at an emulated trap. So these emulated traps could be, and these different use cases could be, for example: an intellectual property lawyer has particular assets, written and other patents and other, that it wants to protect; that could be one of the individual traps deployed. A manufacturing firm could have particular SCADA-related emulations that they wish to create, and a hospital could have, for example, MRI scanners or IoT devices that they want to create. So it really is customer dependent what type of trap you create, and the more mature the vendor, the wider the range of individual decoy or trap deployment options that you have. And lastly, the highest

degree of sophistication is to be able to provide a full operating system trap, so it will literally work with, it will respond back to queries from the hacker in order to be able to maintain its supposed legitimacy. And this is another advantage of deception, inasmuch as traditionally when you are on a network and you are protecting the network, you see malicious activity, you want to keep them off as soon as possible; you can't afford to wait, you can't afford to linger, you have to get rid of them as soon as possible. But on a deception, a fake network or shadow network, you can let them linger because it's not actually touching any of your critical

assets, and the advantage of that is that you learn more about their MO, about what their particular objectives are, and as such you can, one, acquire better threat intelligence and, two, you can make a more effective response. So as a generic architecture these are the component parts of what a deception technology solution would look like. You'll see how they communicate via proxy to the full OS, and the deception tokens are essentially breadcrumbs, and they lure a particular malicious actor in to touch the trap. Okay, so let's have a look at what that actually means. This is the workflow of a malicious activity, and you see obviously

that this is the reconnaissance stage. This is quite interesting; we had, and I don't mean this to be some sort of product placement or push, but it's quite interesting how certain firms have been able to see, for example, a large manufacturing company said they were able to identify a ransomware attack using deception at the reconnaissance stage, which was literally one week before the actual attack took place. So they described it as: they were able to identify a malicious actor one week before the actual attack took place. So the fundamental premise with deception is that it really relies upon, or rather it uses, an actor performing lateral movement across a network, and in that lateral movement they will interact

with a trap. And the last one is the hacker will see that they have the ability, they will have an objective, they will look for high-value targets, and I've given these illustrations of intellectual property, SCADA-related; it could be mission-critical from an APT or malicious nation-state perspective. They will have particular targets in mind that they will be aiming for, and then one goes into this idea about how one can deploy a deception strategy. So you could, for example, ring-fence the crown jewels with deceptive traps in order to be able to protect the crown jewels; that could be one. So there are many ways that you can actually respond according to this workflow, so

let's have a look at how you match activity against a deployment strategy. So at the reconnaissance stage you will attempt to be able to entice them in, again using these lures as bait in order to be able to entice them in. I come back to this point because, interestingly, it's been highlighted that within this space essentially there are some lures that can be identified, but the basic principle is that if you can identify a form of deception, it ain't deception anymore. It relies upon lateral movements; it can lead to early breach detection. This comes back to this idea of the high fidelity alert; sometimes it's almost too high fidelity, inasmuch as we had one

very large manufacturing firm call up our CEO and say, you are the only firm that is generating an alert, none of our other solutions are generating an alert, why is that, is this a false positive? Because Mac has checked and says no, it's a legitimate alert. And it turned out that a pen tester had briefly, less than a second, touched one of the individual traps and then left the whole network, and none of the other solutions actually picked this up except deception tech. So deception has its role, but explicitly when the buying organization can extract the value. I'll go into that, and maybe that's a commercial statement, but it's as ever with security solutions: it is the

extraction of value that leads to an organization getting the most out of it and being able to secure the budget, and the ability to be able to actively engage, for example, with a ransomware attack. My vendor, but also multiple others, have the ability to be able to offer up assets for encryption, which itself, the ransomware will consume those assets, delaying moving on to legitimate ones, giving the SOC teams time in order to be able to respond to the ransomware attack. So you'll see here, as I've previously mentioned, what we use: so at the reconnaissance stage we're using baits, lures and breadcrumbs; at the lateral movement stage we're using these traps; and at the identification of

the high-value target we're actively engaging them, for example with the real OS here, which leads to the ability to be able to, as mentioned, generate high fidelity alerts. So what does deception tech need in order to be effective? Well, first of all it has to be non-intrusive, inasmuch as the idea, for example, it's best used therefore when it's protecting assets that you can't touch, as we mentioned, SCADA devices, medical devices and other. It should have, from the trap perspective, it should be able to support a variety of both virtual and physical devices, and be able to be deployed at scale. You see here we've gone through it; it is particularly

interesting and useful from an OT, IoT perspective. Highly realistic, to be able to avoid fingerprinting; we'll come back to that. And the ability to be able to actively engage with the malicious actor in order to be able to generate as much information as possible. Here's how it looks. This is my only slide that mentions how we're brilliant, but you'll see it's a repetition of what we already mentioned. It has nothing to do with my nerves that I'm going from one particular point to another, nothing at all. And you'll see here on the side, so we've got again its basic principle; the idea is essentially that deception technology is fundamentally non-complex, and personally, as a person that's been

promoting cyber products for quite a few years, I am delighted that it is non-complex, that people can grasp it very quickly. So we have all of these different traps, and if one's evaluating a deception vendor one should look at the range of different traps, emulations, tools that are available. For example, my firm has the ability, offers the customer the ability, to be able to build your own trap, which is particularly significant if, for example, you're in oil and gas and you're saying to me, I have a custom workflow that touches SCADA-related infrastructure that nobody else is using and I need you to emulate, to copy that; we can do it. So the ability to be able

to customize and create your own traps is a definite asset, but takes a relative degree of security maturity. I'll come to that in a moment. Actually, here's how it looks. So you'll see at the reconnaissance stage we're using endpoint tokens, Active Directory tokens and such. These lures all come down into the ability, for example, to be able to, again, these would be emulations, to be able to touch VoIP or printers or those particular assets that you would recognize run on the network but are vulnerable, together with medical devices, SCADA, point of sale and other. Here we have again the ability to be able to identify high-value targets using these particular assets. It's quite interesting,

for example, that one lure might be an Active Directory server that has administration credentials from an individual that is no longer with the company, but the credentials are still live, so that would be a lure to bring in a malicious actor in order to be able to activate a trap. So this is an illustration of generic malware, as it were: using an SMB token it's able to attack, to lure in and to be identified as an alert, as malicious activity. Depending again upon one's deployment strategy, there's no commercial difference, certainly within my firm, and I think generically there's no commercial difference, between deploying 20 traps and 400, and you are

therefore, as an architect, free to be able to deploy as many as you see fit, as you see is appropriate, in order to be able to protect your assets. So this is exactly what you do: using proxy, you have the ability to be able to again protect the high-value target. And going further, from an APT, from an advanced persistent threat, perspective, again this is where deception technology comes into play. We as an organization, we're on these sort of geopolitical fault lines between certain nation-states where, quite frankly, the weaker one wants a degree of protection against the stronger, for example for its critical infrastructure assets, and we're doing this. So at a number of different flashpoints

globally we are deployed by the weaker nation-states to protect their critical infrastructure, because this is a cost-effective, resource-effective solution. So I'll just come to that. Procter & Gamble, another one of our customers, talked about the explicit value they gain from deploying deception, and they mentioned two things. The first thing is that they mentioned the fact that, because it's a high fidelity alert, the amount of analyst time required in order to be able to go from a situation where you believe that there is an alert to you have analyzed it and you have responded is dramatically shortened, because you know it to be high fidelity and there are a few of them, so you're

not getting this SIEM flood: few alerts, of high fidelity. The second thing is, and this might appeal to individuals that are working in SOCs and such, is that they went from a 12-hour day, where they had to be constantly physically monitoring, to an eight-hour day, because they literally gained sufficient confidence in what these alerts were providing them, sufficient that they could just literally respond to said alerts. So the explicit values of deploying deception are that you can literally reduce the amount of analytical time required by a SOC team, and you can therefore reduce the number of working hours in a day for this team, hopefully leading to more efficient retention of staff. So Gartner have a number of individual

comments to make about this. This was, I've just scraped this from a slide that an analyst gave at Gartner SEC USA, Maryland I believe, just last week. What the analyst was attempting to be able to do is to illustrate that deception can be deployed in varying degrees at different firms, depending upon what your particular need is, and we in our organization, I have active customers that are of varying degrees of team size. For example, on this particular side I have a group, a team, they run, they manage and run 160 ships globally, and they have one centralized security team, but it's more like an IT team than a CERT, than a SOC,

and they rely upon deception technology around their particular infrastructure explicitly to give them a legitimate alert. So they don't have a SOC; they trust the alerts, they respond to the alerts. There is where everyone takes the alert, there has to be a degree of analysis, and by implication there has to be a degree of security maturity in order to be able to extract the most value from the solution. So this leads actually to the next one; they described it as the lean forward enterprise, which in my mind is just progressive, i.e. to be proactive rather than reactive. It sounds like a new phrase again, but so we have organizations that have globally follow-the-sun centralized

SOCs that have deception feeding into them, through to one individual SOC, limited number of staff, limited number of man-hours in the day, to organizations that don't even have a SOC. So I think what Gartner is actually trying to say, and I paraphrase, is that the sector has matured to the point at which it should be seriously considered by organizations, and that's certainly what we're seeing. For example, since the Bangladeshi bank SWIFT hack there have been, first of all, SWIFT as an organization have encouraged banks to be able to think out of the box, and secondly a number of these institutions have literally deployed SWIFT emulations on their networks. So we just deployed

one, we're actively going through it now actually, for a European bank that is explicitly deploying SWIFT emulations. So they see, again, this is the wide range of individual types of traps that you can deploy; that is a value. How do you get the budget? So I've got two slides basically to be able to illustrate use cases that security professionals can quote in their budgetary requests. Hmm, so I mean in fact I'm just gonna put these two slides up rather than go into great detail, because I appreciate, one, you can read it and, two, use cases, how interesting are they? But it's an illustration of, again, how mature; this comes explicitly from a specific Gartner report. If you

would like the full range of use cases, just give me a shout; my email's at the end and I'm happy to share them with you. An obligatory scary use case: a security presentation without one? With it, okay. So there's an article in The Washington Post that basically stated how malware was infected onto an MRI scan, sufficient that cancerous nodes were either placed onto a patient's records or removed from a patient's records, and the radiographers, the cardiology team, were unable to differentiate between malware-displayed cancerous nodes and legitimate ones. Then the Washington Post article went a step further and it suggested that if there was a presidential election in XYZ country and said presidential nominee received a

stage four cancer diagnosis from his trusted medical adviser, that individual may not participate in the presidential election; they may back off, think they were in their final days, figure homeless in a rocking chair. The challenge is that the radiography team could not identify malware-infused imagery, so definitely MRI scanning, medical devices are open to both fake news and very significant impact against individuals. So here's an illustration as it relates to a medical environment; this is explicitly as it relates to an MRI scanner. So there's the network. We actually did quite a bit of research; it's free to download off our site, a report that's called the MEDJACK report, that basically illustrates: we set up a network, a

complete network, in effect a fake hospital, with this network to see what type of malware would attempt to be able to penetrate it, to be able to see exactly what their MOs were. In the search it was injected within the MRI system, an old operating system; you'll see here that it explicitly targeted the PACS system. This is significant from a medical infrastructure perspective because that is the point where both the information coming in and the ability to react upon it are combined, and as you can imagine their particular ransomware will target older software in order to be able to make the most impact, least likely to be patched, etc. etc. So

this basically follows the same tenets that one is either seeing in our own hospitals and globally. We're seeing this pretty much continuously, where devices, MRI, IoT and other, are being explicitly targeted. I've given earlier an illustration about how that could be malicious, but of course the individual ransomware attacks that were impacting the NHS are another illustration of that. So this is quite interesting. So Gartner again, I keep talking about them, but one of the things they did, they did this test of all of the different vendors and they asked us to do a particular number of network admin related exposes, and we asked why, and they said, well, because when we went through the same task with

other vendors we were literally able to identify the lures on the network. Which is quite interesting, because if you can identify a lure, if you can identify a deception, it ain't deception no more. So this is the tool that they used and this is the comment they made. In true sales fashion, of course my firm did not suffer from this particular discrepancy, but what does that mean? I think that means that gives us a six-month window, but you'll see that the tools on either side are developing and one is attempting to go further ahead, but it is certainly still significant as it relates to deception. Cool, on time, how about that.

Just to let you know, we have a stand out in the foyer if you'd like some further information, and if some people have been asking career advice and other, please grab my email and welcome to share later. Any questions at this point? Ah, yes sir.

So I would answer by saying that there should be no legitimate reason to be able to trip the network. So for example, if it's a shadow network, then a legitimate patcher of MRI scans would be only working on the legitimate network and not on the shadow network. Yes? No, inasmuch as one can also deploy dynamic trap deployment, which means that that individual list is constantly changing. So, yes? Yes, no, I think that you would just open that up and allow that legitimate patcher to be able to interact with the traps in such a way that you would recognize that an alert was generated there; you would examine it, but at the same time you would allow it; you

would know, you wouldn't whitelist it, because of course that could be another route in, for example. Cool, I'll get off the stage. Thank you very much.
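The alerting premise of the talk (a decoy has no legitimate consumer, so any contact is a high-fidelity alert, even the sub-second touch by the pen tester, and even a failed logon with the departed employee's Active Directory token) as an added example, not code from the talk or from TrapX. The decoy inventory, the shadow subnet and the log lines are all constructed for illustration; the key=value log format is hypothetical.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical addresses and account name).
# Nothing legitimate ever touches these, so any contact is an alert, however brief.
DECOY_HOSTS = {
    "10.0.9.20": "mri-scanner-emulation",
    "10.0.9.21": "smb-fileshare-trap",
    "10.0.9.22": "swift-gateway-emulation",
}
DECOY_ACCOUNTS = {"svc_legacy_admin"}   # AD token: a departed employee's still-live credentials
SHADOW_PREFIX = "10.0.9."               # the shadow network the traps live on

@dataclass(frozen=True)
class Alert:
    kind: str      # trap_touched | shadow_probe | token_used
    source: str    # where the contact came from
    target: str    # decoy host or decoy account
    detail: str

KV = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    """Parse a constructed 'TIMESTAMP EVENT k=v k=v ...' log line into a dict."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields.update(ts=ts, event=event)
    return fields

def detect(lines) -> list[Alert]:
    """Raise an alert for every contact with a decoy, regardless of duration or outcome."""
    alerts = []
    for line in lines:
        f = parse(line)
        if f["event"] == "conn":
            dst = f["dst"]
            if dst in DECOY_HOSTS:
                alerts.append(Alert("trap_touched", f["src"], dst,
                    f"{DECOY_HOSTS[dst]} port {f['dport']} for {f['dur_ms']} ms"))
            elif dst.startswith(SHADOW_PREFIX):
                # Not an inventoried trap, but nothing legitimate lives on the shadow net:
                # a connection attempt there is scanning, i.e. lateral movement.
                alerts.append(Alert("shadow_probe", f["src"], dst, f"port {f['dport']}"))
        elif f["event"] == "auth" and f["user"] in DECOY_ACCOUNTS:
            # A failed logon is still a hit: only someone who harvested the token would try it.
            alerts.append(Alert("token_used", f["src"], f["user"], f"result={f['result']}"))
    return alerts

def lateral_breadth(alerts) -> dict:
    """Distinct decoys touched per source host: how widely each actor has moved."""
    seen: dict = {}
    for a in alerts:
        seen.setdefault(a.source, set()).add(a.target)
    return {src: len(targets) for src, targets in seen.items()}

# Constructed sample log: two legitimate events, then contacts with decoys.
SAMPLE_LOG = [
    "2019-07-01T10:00:01Z conn src=10.0.5.11 dst=10.0.5.30 dport=443 dur_ms=1200",
    "2019-07-01T10:00:02Z auth user=jsmith src=10.0.5.11 result=ok",
    "2019-07-01T10:00:03Z conn src=10.0.5.11 dst=10.0.9.20 dport=104 dur_ms=310",
    "2019-07-01T10:00:04Z conn src=10.0.5.11 dst=10.0.9.55 dport=445 dur_ms=20",
    "2019-07-01T10:00:05Z auth user=svc_legacy_admin src=10.0.5.11 result=fail",
    "2019-07-01T10:00:06Z conn src=10.0.5.40 dst=10.0.9.21 dport=445 dur_ms=5000",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(lateral_breadth(detect(SAMPLE_LOG)))
```

The two legitimate lines produce nothing, which is the whole point: the alert volume is the number of decoy contacts, not the number of events, so there is no SIEM flood to triage.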
