
Good morning. Looks like we have the early birds here today, that's great, thank you for joining us. So we're going to start off today with, for those of you who have already been at the 8:30 sessions this morning, that's great, but today I'm going to welcome to the stage Adam Pennington, who is the ATT&CK lead at MITRE. So Adam leads ATT&CK at the MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK's initial techniques. He has spent much of those 13 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon's Parallel Data Lab and earned his BS and MS degrees in computer
science and electrical and computer engineering, as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and is published in a number of venues including FIRST CTI, USENIX Security, DEF CON and ACM Transactions on Information and System Security. So please welcome Adam to the stage with "Bringing Intelligence into Cyber Deception with MITRE ATT&CK."
Thank you, and good morning, Cayman. So as Jane just said in my lovely introduction, my name is Adam Pennington. I'm going to be talking about something a little bit different this morning: I'm going to be talking about cyber deception, and I'm going to be talking about using a framework called MITRE ATT&CK to do a lot of the planning around it. If you haven't heard of MITRE, we're a United States not-for-profit working in the public interest, been around about 60 years, and everything I'm going to be talking about today is free and open source. So some of this was just in my introduction, so I'm not going to belabor it. I run the MITRE ATT&CK framework that
I'll be getting into in a little bit. I've been with MITRE for quite a while at this point, with a focus on threat intelligence and deception, so today this talk is bringing two of my favorite topics together. I've been in the trenches in the past; I wasn't always managing a sort of database of adversary activities. I've been in security operations centers as well as doing threat intelligence analysis, and I've been involved with the ATT&CK framework itself since it was first created as an Excel spreadsheet. So my excitement in seeing BSides Cayman Islands come to pass is that I'm also a scuba diver. I've been coming down to Cayman for 16 years to dive; I have over 400 hours of bottom
time in the Cayman Islands. So the journey that I'm planning to take through the rest of this talk: I'm going to talk about classical deception, so what we've known how to do now for thousands of years in warfare and intelligence planning, and how we can bring that into cyber security. I'm going to show how we can use ATT&CK to start building up the intelligence we need to be able to do some of this planning, work through a methodology for doing deception planning in cyber security, and then leave you with some takeaways. So just to get us all on the same page, I want to start with the dictionary definition of deception. Deception is the act of causing somebody
to accept as true or valid what is false or invalid. In short, it's lying to somebody with the intent of them believing it, and so we're going to try to use lying for good, for the purposes of cyber security. Deception is not a new concept, and I promise, despite what's on the slide, I have no Sun Tzu quotes in my talk, but deception's been in warfare for a very long time, written about by Sun Tzu thousands of years ago. It truly came into its own during World War II with things like the British Double-Cross System, events like The Man Who Never Was, where the Brits floated a dead body ashore off of Spain,
or, for people who watch Netflix, Operation Mincemeat. During the Cold War a lot of practices around deception became codified and we learned how to do this a bit better, and so people like Barton Whaley talked about different mechanisms for doing it. It's not that new in cyber security either. So in 1989 a book was published called The Cuckoo's Egg, where Cliff Stoll talked about the actions of a Russian hacker as they worked their way through different computers, mostly in the United States, and one of the things that he did during the course of it was to put the hacker in a fake environment to see what they did. Incidentally, MITRE has a role in the story: we are one of the companies hacked.
The Honeynet Project started in 1999, and they've done a lot of terrific work putting out open source tools, putting out instructions and tales on things that can be done with honeypotting and in the deception space. And it's become a product space too, so people are starting to make money on this as well. I'm not going to be talking about any products today, but it's become an area such that even Gartner is looking at, comparing and stacking different deception solutions. So we don't usually talk about deception; I think I'm the first person to mention the word at BSides, at least. So why use it in cyber security? Well, it
lets us do some things that we can't do with normal defensive mechanisms. So for one, we can increase ambiguity for an adversary. We can cause somebody who has successfully broken into an environment, has access to the crown jewels, all the data, to ask themselves, is this information real? To doubt that the material they've stolen is even what they wanted. Then you can get them to ask things like, am I on the right network, and am I where I intended to actually hack today? Now my focus, and where a lot of the planning I'm going to be talking about today is aimed, is on gathering data on an adversary, so trying to put an adversary in a fake
environment to ask yourself, how does an adversary look when they think that they've hacked us? And finally it can even be used for things like discrediting the adversary. So in 2016 the Russians hacked the US DNC political campaigns and leaked a lot of information related to the 2016 campaign. The French saw this, and in 2017 the Macron campaign inserted a bunch of fake emails into their own email spools, and so when the Russians then hacked and leaked a bunch of the emails from the campaign, the campaign was able to point out: see, a lot of this is fake, it's sort of obviously fake, so why can you trust any of this? And it worked, and so to this day you don't really know
which of those materials were true and which were plants. Some MITRE folks are doing other work in the deception space, and I wanted to give a shout out to some of my colleagues with another free tool that's out there, released in final form a couple of months ago, called MITRE Engage. So this gets into a broader set of options than I'm going to be really covering today, but I just wanted to show some of the scope of work in this space. The way Engage is organized is that it starts with what you're trying to do to the adversary: are you trying to find out they're on a network, expose them; are you trying to change how they operate, affect them; are you trying to gather
intelligence about them, elicit information. It gets into the broad deception categories that you're going to use to actually do that, and then specific techniques that you can put against the adversary. And again, they put out a bunch of free resources at their website; a number of them actually work hand in hand with some of the processes I'm going to be working on today, and these came out just a couple of months ago.
So that's some of the tooling that's out there, some of the things to gather information on options in deception. But what are some of the terms you might have already heard in this space? So most of the work today is not focused on disinformation, trying to discredit the adversary. Most today is focused on either trying to expose the adversary, which I often call deception for detection, so trying to find whether an adversary is actually on your network as they trip over something. And so this could be something like honeypots, many of you are probably familiar with the term already, or honeytokens, so placing fake information around your network and hoping that it gets touched.
There's also a long history, going back to The Cuckoo's Egg, of deception for intelligence gathering, what Engage calls elicitation, and so these are things like honeypots and honeynets, where we're building up bigger systems. A lot of people don't like the term honeypot, so we've started to see "deception environments," but it's really all the same thing. There are a lot of options here, lots of tools. Which of these is appropriate for you? I'm an intelligence person, and a common answer for any intelligence analyst is, it depends. Some types of engagements, some of these types of systems, require a lot more adversary understanding than others. You might need to know who it is that's coming after
you, what they've seen in the past, how they tend to operate. And it's important not to put some of these options in the way of doing basic hygiene. If you don't already have things like multi-factor authentication and patching, maybe it's not time yet to start diving down into deception. Some of these are also much more accessible and lower risk than others. Scattering fake data around your network and watching to see if it gets touched is not very risky. There's some risk that somebody accidentally stumbles over it and thinks they've found some information they shouldn't have, you might have false positives, but there isn't much risk in it. Getting out and doing a full-blown honeypot and putting
an adversary in it, intentionally trying to get them to operate for weeks or months at a time, can have some risk if you haven't taken proper precautions, everything from government agencies thinking that you've been hacked to the press finding out and announcing that you've had a recent breach. But if done correctly the reward can be high: you can gather tons of intelligence about what adversaries are doing in the wild.
So we've been doing this for a while, but we actually still see some fairly common problems in how both products and open source tooling are being used in deception. The primary two that I see are, first, mismatched visibility: the capabilities are not where the adversaries are looking. So if I have an adversary that only targets Active Directory to find other systems, the way they get in is they dump the entire LDAP out of Active Directory and look for systems in there, and I've just bought a product where the only way an adversary can find it is by port scanning, well, the adversary is not deceived, because they can't even find it. And this actually happens fairly
commonly. The other area we see is mismatched expectations, so the capabilities don't look like what an adversary expects to find in that type of environment. So say our capability just has a single local account, because we're spinning up a virtual machine or a system right before we're running an adversary in it, and the password was changed five minutes ago as we built out the virtual machine. Well, if we have an adversary that looks for a lot of well-established accounts, they expect accounts to have been around for weeks or months, then we might be in trouble trying to actually convince them of anything. So we know how to do deception; we've been doing it since the
BC era, we've been doing it in cyberspace for this many years, and so what's still going wrong? A lot of it comes down to mirror imaging. Mirror imaging is a cognitive bias that is common in intelligence analysis. Mirror imaging is the idea that we are naturally wired to assume that our adversary thinks like we do, and so in some spaces the process of saying, well, if I was an adversary, what I would do is..., actually can be really helpful for sort of expanding the options, getting into it, but it can be dangerous in intelligence analysis. So quoting from Richards Heuer here: mirror imaging leads to dangerous assumptions, because people in other cultures do not think the way we do.
And in cyber security it gets beyond that too. Our adversaries may have different constraints than us; they may have rules that are given to them by supervisors that a red team or a pen tester doesn't have; they may have tools that are easily accessible to them; they may or may not have things that are easy for them to do. And so we need to be careful about how we make our assumptions, and this is something we've known how to do, again, for quite a while. We've done formal deception planning in other intelligence areas for decades in order to get around things like our mirror imaging bias. And so up front, before we do deception in the normal, non-cyber space,
we always research the adversary. We want to understand, to the best of our ability, our adversary's preconceptions, expectations and reactions. What do they think they're going to find when they break into a network? What is it they're going to do if they find specific things? And all that comes before we start getting into designing a deception. So there's this tendency to want to put the technology first and then figure out what to do with it, but that can be really dangerous in this space, where you need to actually match your adversary rather than the other way around. So then you get into designing your deception, where you're building out a cover story, what it is that you're supposed
to look like to an adversary; determining what it is you need to hide from them to be successful and what it is you need to actually create and show them; developing your full plan, so figuring out what you need to do in terms of denial and deception (I'll be getting into each of these steps); deploying it; and then finally monitoring and control once you get it out there. So that first step is understanding the adversary, building up a profile of what it is our adversary expects and how they're going to react. And so traditional deception planning is a very intelligence-driven process, so we can apply a similar process to cyber deception. But as defenders we're likely not going to know
preconceptions and expectations directly. We don't get to walk up to the ransomware group that's trying to break into us and say, hey, when you hack me next week, what do you think you're going to find five minutes into the operation? It'd be super nice, but it's just not how the world works. And so we can infer a lot of this based on how they behave and how they behaved in other systems. So we need to build up this intelligence picture, and that's what I'm going to be using ATT&CK for today. And incidentally, that's me taking off from West Bay in 2019, teaching a crab underwater about ATT&CK. So I'm going to spend a couple of
minutes just running down an ATT&CK 101, if you haven't used it before, before I start using it in my talk. What is ATT&CK? At its core it's a knowledge base of adversary behaviors. It's like an encyclopedia of things that adversaries have done in the real world, so it's focused on these real-world observations, things that have been done in real intrusions rather than things that have just been seen from pen testers or red teams, and we think there's some value in the focus that brings into specific behaviors. It's free, open and globally accessible: you can use it, you can fork it, you can put it in commercial products, it's all okay by us. It's a common language, so a lot of
governments and companies these days are putting out their reporting leveraging ATT&CK. It's everything from the US government, UK government, New Zealand, Australia; the Russian FSB uses ATT&CK in some of their reporting. So it's become a common language over time. It's community driven: most of the material we add to ATT&CK comes from people sending us emails saying, hey, you missed this thing over here, and we add it and it becomes part of the knowledge base for everyone else to use. If you've seen ATT&CK before, this is sort of the view that most people are used to; it's what we call the matrix. It's going to be a little bit too small, so I'm just showing the shape here, really.
Across the top we have what we call tactics. These are the adversary's technical goals at a high level, so things like initial access, adversaries trying to get into my network, or exfiltration, the adversary sending data out of my network. Underneath each of these we have the cells that we call techniques. The techniques are how the goals are achieved, so instead of something broad like initial access we might have a technique like phishing. This view hides another layer of techniques called sub-techniques, so underneath a lot of these we have things like, instead of phishing, spearphishing attachment, so an adversary sent a malicious email with a malicious attachment attached to it. And finally, inside each of these
techniques we have procedures, so if you're used to tactics, techniques and procedures, it matches. And so procedures are specific ways that adversaries have accomplished a technique, so instead of spearphishing attachment we have APT12, who sent emails of malicious Office documents with PDFs attached. Behind each technique and each sub-technique there's an English-language description getting into, from an adversary point of view, how the technique is actually accomplished, technical details about it, some of the varieties it's been seen in in the past. There's metadata: this technique ID is what a lot of people use when I refer to that common language, that T1566.001, as well as other information describing the technique. And it also
includes a bunch of defensive information on how to detect or mitigate the technique, which is not the material I'm using today. Some pieces I am using today, though: ATT&CK tracks a number of threat groups in public, over 100 different threat groups. We've tracked open source published intelligence about them and information about the behaviors they've done, so again we have a description of the group, various metadata about them, and something I know a lot of people use ATT&CK for, which is associated group descriptions. So different companies have different visibility over overlapping activity and naturally use different names to describe it, so one person's OilRig is another person's Cobalt Gypsy is another person's Helix Kitten is
Mandiant's APT34, and all of these have citations back to where the linkage is for that group name. We keep track of the techniques used by each of these groups and the software that each of these groups is using in some of the same reporting, and the techniques that those pieces of software use. And finally, we back it all up with references. We show our work; we have over 3,000 references in ATT&CK, so that if you don't trust us you can go in and actually see the same reports and see if you agree with how we brought them in.
I think I just jumped like three ahead. It really does not like that slide; can you advance it? Thank you. Yeah, it's probably because the slide's too large. But so I'm going to be covering deception the rest of this talk. This is not the way that ATT&CK is normally used. The way we see most people use it is for organizing their detections, what sorts of behaviors they're able to see on their own systems. We commonly see it used in threat intelligence, looking at different adversaries and what sorts of activities they're going to be doing; that's what I am going to be using today. People do a lot of work with assessment and engineering, figuring out their overall scope, what they can see. And the reason we created ATT&CK in the
first place was actually for adversary emulation, building up for a red team a profile of what an adversary looks like so that the red team can operate in a similar fashion. Okay, we've got our pieces: we've got classic deception, we've got ATT&CK that I'm going to use for building up the intelligence. Let's get into actually doing some cyber deception planning. So I have an intelligence-driven cyber deception planning process that is based closely on the classic deception process I showed you earlier. So this starts out with a step zero that we don't have in classic deception planning, which is determining who your priority adversaries are. So this is a space where cyber's a bit different.
In classical deception planning we tend to know who it is we want to deceive right off the bat, so if we're at war with somebody, it's whoever we're at war with; we might know which specific foreign countries. We often don't know who's hacking us, or we might have a lot of people hacking us that we need to think about at the same time, so it's a little bit of added work that we have in the cyber space. We're going to build an adversary profile based on cyber threat intelligence: what do we know about an adversary, what do we know about how they operate? We're going to develop a cover story. We're going to determine what
information needs to be hidden from the adversary and what false information needs to be revealed to them to match this cover story. We're going to design and build the technical capability, deploy it, gather intelligence, and then go back to step zero to start all over again. So step zero: determine who your priority adversaries are. This is actually something important way beyond just doing something like deception planning. If you're looking at intelligence about your adversaries, you need to decide where to start or you're just going to have paralysis. There are a lot of ways to do this, though. Some ideas that you might take away: maybe you want to focus on an adversary who targets you regularly; maybe
there's somebody who spearphishes you on the first Tuesday of every month and you'd really like to know why. Maybe it's an adversary who's targeted other people like you, so I see Foster's here; maybe you've got an adversary that targets Kirk or other supermarkets on the island and you're really curious what it is you might be missing here. Maybe it's the adversary that keeps you up at night: who is it that you're really afraid of, that you think is going to overwhelm your existing defenses? Or maybe it's just who you've got an intelligence gap about; you're really curious about a particular adversary. There's sort of no wrong answer here; it needs to be based on your own priorities.
I'm going to use, for the rest of this talk though, the adversary that keeps you up at night, so I'm going to be using Turla for my examples. Turla is a claimed Russian actor that has been active a long, long time, since at least the '90s, and is often one of the first users of really advanced technical techniques. So you're going to build up an adversary profile based on cyber threat intelligence, and again there are some different ways to do this. I'm going to follow just going through information that ATT&CK has released, and I'm going to do this for building up a profile, but building up ATT&CK techniques for a specific adversary.
And so we've given a lot of information that you can use to do this for free. If you go to ATT&CK's group pages, we've built up profiles for over 100 adversaries based on mapping open source public threat intelligence reports that we've already analyzed. But you can also do your own: there are a lot of open source intelligence reports out there, and there's no way we get to all of them. You can use the intelligence that you've paid for; a lot of you probably have commercial CTI providers, and that's going to be information that you can't just get out on the open network. Put that to use; actually add that into your intelligence picture.
If you have your own threat intelligence, if you have previous encounters with an adversary, absolutely use it. A lot of times we see people using just the information from ATT&CK, or just free information, not using the information they already know, which is probably better; it's what you have that you know about your own space. So I'm talking about mapping from these public threat intelligence reports. This is the process I'm talking about. This is an example report from 2018 done by the NCC Group on APT15. So just getting into it, it's all prose; it's not written in any sort of structured language. And what we're doing behind the scenes, and what you can do with your own threat
intelligence reporting, is we're going through, we're identifying behaviors in here, the highlights in yellow, and then we're figuring out what ATT&CK techniques map to them. So creating batch scripts is Windows Command Shell, T1059.003; creating Windows Run keys is Registry Run Keys / Startup Folder, T1547.001; and we can go through and do this. Now it isn't going to be something that you can just do off the top of your head; you're not just going to sit down and go, I know, it's T1059.003. But there are structured processes for doing this. We've put out training online for free; it's been out for a couple of years through both YouTube and Cybrary, it's free either way, and we worked with the Department of
Homeland Security, CISA, to put out a guide that actually also walks through the process of doing this. So back to that matrix view: I'm taking all the techniques that we have out there in public on the groups page for Turla, so this is the picture we have. Again, not to focus on the specific techniques, it's small, I'll zoom in on some portions in a little bit, but just to show you the shape of it. So some things we can gather just by looking at the field of blue here: we can see there's blue under a lot of different tactics, so maybe we've got an intel picture that's giving us an idea of what an
adversary is doing on multiple parts of an intrusion; that's probably good. And you can see that we've got some breadth as well under a lot of the different tactics here; we know a lot of the different ways they're doing things. You see a lot under discovery, which is absolutely critical for doing deception, and so I'll dive into some of those tactics in just a second. So I said we wanted preconceptions and expectations, but that's behaviors. How are we getting from one to the other? We can do a lot of inference here. Now, there's danger in doing that: we're inserting our own opinions, we're inserting a new risk of bias here, but again we're unlikely to have that direct
intelligence; we can't ask the adversary, what do you think? So say, for example, we see that Turla does browser bookmark discovery. That means that they're going in and dumping a local web browser's bookmarks, stealing them, taking them back home. What can we infer from that? Let's start with the obvious: they assume that there's a browser, at least on some of the systems that they're hacking. The adversary assumes that there's a browser that has bookmarks. Okay, that's pretty obvious, but it's told us something. But something maybe a little bit deeper: the adversary probably expects an interactive user. You don't have browser bookmarks on many servers; you don't have people sitting down and doing that kind of activity. So
maybe they assume an active, interactive user, something we consider as we build for them. Another technique is that the adversary uses virtualization/sandbox evasion; basically, if they see the presence of a virtual machine, they bug out. What does that tell us? Well, they probably expect not to be in a virtual machine if they're in the place they want to be, and this can actually be hard for honeypotting, because the natural thing is to build up a lot of virtual machines. And obviously it also tells us that they have some belief that a virtual machine might be bad. It's probably because they've gotten caught in a sandbox before, and in a lot of cases they're actually
looking specifically for VirtualBox, so you see some of the evidence of a past sandbox interaction. So we can do that across the different techniques we've seen, but it's time to start developing a cover story. A cover story is what the target of the deception should perceive and believe. It's not something we get to tell the adversary; we don't say, hey, so you've broken in today, our cover story is... No, it's what your deception is built in line with, what you're trying to get them to believe on their own. On top of that, generally the most convincing cover stories are based on what the opponent already believes and wants to believe. So the closer your cover story is to
what the adversary thinks they're getting themselves into, the more likely you are to succeed, and that's just basic human psychology. So how do we know what the adversary expects? Well, we're going to leverage the intelligence we've been building. The other thing we are probably doing with a cover story is dealing with limitations in what we can do. So you might want to build a deception environment that is the same size as your real IT network, with as many fake users as you have on your real setup. If you have the same budget as your IT organization, and the same budget to pay for all the people to sit there and type into your system, that's great,
I want to come work for you, but I don't have that budget and nobody else does either, and so we need to account for why there might not be as many systems. So I'm going to look a little bit more at some of the techniques they've used as I develop my cover story, what I might need to fit into. So if we look again at Turla and how they do initial access, how they initially try to get into a network, we see they're doing things like drive-by compromise: they're infecting websites, they're setting them up so that if I visit them with a browser they're getting into our system. They're doing things like spearphishing
attachment, and they're just using valid accounts, logging in from the outside. So from a few of these I can infer that Turla might be assuming that we have an email system, again fairly obvious, but it gives us information on how to build out, and that they're seeing end-user systems, something you need for drive-by compromise or spearphishing attachment to actually succeed. I can go back to those discovery techniques and I can see what sorts of things they're actually digging for in the environment. So I see that they're looking at files, that's basically true of everything; they're looking at processes, looking at the registry. I see that they're doing remote system
discovery and system network connection discovery. So remote system discovery means they're looking for other computers on the network that they've landed on; system network connection discovery, they're looking for connections out to other computers on that network from where they've landed. So we can probably infer from that that Turla is expecting multiple systems; they're doing a lot of digging to try to see what other computers are there. So let's start to build an example cover story, and again I'm only looking at little pieces of this example cover story; a real cover story is going to be much more fleshed out than this. So maybe we build Acme Corp. It's a small subsidiary of an existing
company located in Camana Bay, I'll call it Dart. It has a dozen users, each with their own Windows desktop on a domain; it has its own email and file servers, etc., etc., etc., trying to fit into the picture that we built up from our intelligence while at the same time accounting for a limited budget. We're a subsidiary, we're a smaller project, we're just a lab. Why is it that when the adversary targeted the bigger parent, they found themselves in the smaller space? And so this is our opportunity to explain that away. Our next step is that we need to determine how to actually sell that cover story to an adversary. So a deception environment you can think of like a movie set.
Adversaries have very limited points of view in how they observe the environment they've landed in. All they've got is their command and control channel, probably Cobalt Strike these days, but it could be a lot of different pieces of software out there. And so it's like a movie set: you've got the sets that you can build around where the adversary actually is in the environment, and they've got their camera angles that they work through and perceive, and so they can't tell what's behind it if you've properly built the movie set. So I'm going to introduce another concept that's common in classical deception for how to do this, and that's a denial and deception methods matrix. And again, my friends from the Engage
team recently put out a worksheet for actually doing a denial and deception methods matrix. And so this is broken up into four quadrants. We've first got deception objects: we've got facts, so the true things about our company and our environment, and we've got fictions, the lies that we're telling to an adversary. And we can do one of two things: we can either do deception or denial. Deception is where we are revealing, and choosing to reveal, that fact or fiction to an adversary; denial is where we're concealing a fact or fiction from an adversary. So some of the types of facts that we might reveal to an adversary: maybe we want to use the true network information
about our company, so an adversary knows what our domain is, they know what our IP range is, ARIN tells them, and so maybe we don't have any reason to conceal that in our environment; we just want to show it. It adds to the realism, helps sell the story. Maybe we've got some information that we can add to it, that might already be public, that we can put into the system, let them steal, give them a warm fuzzy about their success without us actually having to lose anything. Another possible option: maybe you want to selectively remediate. We want to show them what it would truly look like if we were cleaning them out of a system, to
see how they react. And then there are the fictions we might want to reveal. So maybe we show them fake systems, and we build out other computers in the environment to make it look bigger. We might give them fake information that fits into our cover story. There are facts that we might need to hide, like whatever software we have on the end system that's watching them; maybe you want to call that something really benign running in the Windows processes. It works for them; we can use it too. And then concealing fictions is sort of the usually forgotten corner; it's things like the OPSEC around the deception, hiding that you're doing all this stuff. And so then we want to fill this out to
actually work with our cover story and the intelligence we have. So again, back to our discovery techniques, I'm going to start by focusing in on one of the two techniques I pointed out before, remote system discovery. This is zoomed in to the actual ATT&CK technique; again, they're looking for other local systems in the network. And so what are some fictions and facts that we can work with on this? Well, we can expose fake systems on the network, we can give them remote systems to discover, and we also don't want them to remotely discover our logging server, whatever is collecting our pcap, whatever is collecting our logs. We want to hide that from them doing this
behavior so system network connection discovery finding out what local connections already exist on the end system so we want to maybe create connections to a target host let them find information to our fiction and again maybe we want to hide our logging system here we've got a long running connection to our logging system we don't want them to find that when they're doing netstat and so find ways to hide that so we can go back and start adding each of these things we find to our denial and deception method matrix we're building up a bigger and bigger picture that tells us exactly what we need to design now it's finally time to build it so i
talked in the beginning about we often see the cart before the horse and deception people have a technical capability and they then try to backfill into it this is where you get to start to play so you're going to be implementing the denial and deception matrix in line with your cover story you're going to design and build the revealed facts and fictions you're going to build concealment around denied facts and fictions and we're going to go a little bit deeper into how our adversary is operating look at the procedures because we want to even farther match adversary expectations in selling the story to them so one of the two techniques i just used remote system discovery what is terla
actually doing well in most cases we see them actually just doing net view and net view domain so they're looking at what systems have been seen in windows browsing behavior okay you know we we can take that into account now we build our system so i said we wanted to expose fake systems on a network or domain we they appear to expect view and net view domain to show them something and said let's make that happen and that that might sound trivial but it turns out if you build a windows network from scratch you know fresh windows domain you're building your brand new honeypot you know your windows 11 your current version of windows server
nephew might not actually do anything it turns out a lot of the browse functionality that causes that to show information tends to come from croft from a network that was built you know decade or decades ago so you actually have to go back and turn some of that on and win a server manually to start making it look like it's got that aged and feel let's look at another that other technique so uh system network connection discovery what are they actually doing here well they're doing netstat and that in itself is a little bit interesting since most adversaries do netstat a o net use net file net session and they've got their own backdoors that are doing
rpc doing api calls with get tcp table so a lot of different things to be able to see persistent connections that are on the end system so we figured out that we wanted to create connections to the target host but not have them see the connections to our logger and they expect to see some a number of these connect tools to actually work so what can we do so if we're able to create connections to some of our fake systems with net use we can create something that actually be seen by several of these tools it shows up in the net use table it shows up as a persistent tcp connection i maybe want to use something like udp
for logging you get out of having that long term persistent tcp connection off the system finally time to have some fun to deploy the deception so if what you were trying to do here is to detect the adversary it's time to put it out there in the wild put it out there for them to find hopefully trip over and set off an alert for you to respond to and deal with them being in your network if your goal is intelligence gathering it's time to wait for an opportunity in most cases sticking a honey pot just out there facing the internet doesn't usually catch the flies you really want and so a lot of cases it's looking for
the right spear fish the right website that's been infected to go visit and bring them into your space
finally this is all wasted effort or might be wasted effort if we're not actually gathering intelligence on our adversary and that's no matter what type of deception you're trying to do here if you're trying to detect the adversary well the main intelligence you probably want is are they here or not yes or no as well as sort of where they're coming from anything else about them and so you need your detection alerting capability you need this going back to your socks setting off the flashing lights and warning bells not just sitting there you know hoping that something's going to happen and not actually watch it we might be gathering what techniques are used by adversaries hopefully you
share those back with attack we'd really appreciate it but you know doing things like host network monitoring setting up maybe an edr similar to what you have on the rest of your network things like sysmon looking at different processes being run you might be getting into command and control decoding maybe you're able to decrypt the adversary's channels and actually watch over their shoulder as they operate any of these options you might be able to gather a ton of information from an adversary i've been focused completely on behaviors today i haven't said a word about indicators a compromise just been talking about how adversaries act but fresh indicators of compromise can be extremely valuable even if they're
not in attack at all so we use often david bianco's pyramid of pain to discuss the value of different types of indicators everything from how and how power how painful they are for an adversary to change starting with things like hash values where an adversary can have a single bit to a file completely change it you'll never see the same hash again ip addresses where they can just switch to a new host domain names they need to buy something up through behaviors which tend to be locked in over long periods of time if you have the ip address of the command and control server that an adversary is using right now though that can save your bacon
it can be really important even though it is a fairly fragile indicator then finally you know we started off with gathering intelligence figuring out who our pro priority adversary is useless intelligence so you saw them take a left you know go through that door that you didn't plan on having the movie set behind well okay maybe that's where we focus our efforts next time make sure it looks better or maybe make sure that door is closed next time we can use that to build back and actually improve our deception each and every time we do this since the process i've just worked through we're going from figuring out who our adversary is building up intelligence on them figuring out our
cover story we want to tell them figuring out what we're going to lie to the adversary about what truths we're going to show them build it out put them in it and gather our intelligence so some takeaways are hopefully coming away from with this we can take historical deception planning and apply it to cyber processes we can use things that we already knew how to do and do cyber security a little bit better by using them i hopefully convinced you that there's some value to cyber threat intelligence some things we can do by actually knowing our adversaries what sorts of things our adversaries do when they're in environment and so for both cyber deception and our
general defense and you know i'm using attack in a really strange way here compared with you know how a lot of companies are putting attack to use and so hopefully demonstration of some attack uses beyond traditional defensive practices as well that's me that's where i am on social media if anyone wants any stickers for attack i've got them on the corner up here on the front table and i've got a couple minutes for questions i believe
dead silence colada i'll repeat the question for the streaming
the college question was what size organization do we see effectively using this it depends so things like honey tokens really simple deceptive practices like putting fake information in systems we see from all sorts of size companies we do see organizations that really have their act together want to take another step and that that's where they're getting into a lot of the more building out large-scale deception environments anyone can technically do it but the intelligence necessary to maintain that the different types of roles you need to actually be able to monitor and build it do tend to come from larger more more resourced organizations and so one of the reasons why i brought up engage at the beginning is engage
actually has a broad set of options broader than sort of the really deep planning i'm doing today that smaller companies may also be able to bring to bear anyone else
okay well thank you very much came in [Applause]
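As an added example (not code from the talk, from MITRE, or from the Engage project), here is a small detector of the kind the talk's monitoring discussion calls for: it tags the discovery commands the speaker attributes to Turla (net view / net view domain; netstat -ao, net use, net file, net session) with their ATT&CK technique IDs and summarises hits per honeypot host. The Sysmon-style event lines, the pipe-delimited field layout, the host names and the command lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Command-line patterns mapped to ATT&CK technique IDs. The commands are the
# ones the talk attributes to Turla; T1018 and T1049 are the real ATT&CK IDs
# for Remote System Discovery and System Network Connections Discovery.
TECHNIQUE_PATTERNS = {
    "T1018": [re.compile(r"^net1?(\.exe)?\s+view\b", re.I)],
    "T1049": [re.compile(r"^netstat(\.exe)?\b", re.I),
              re.compile(r"^net1?(\.exe)?\s+(use|file|session)\b", re.I)],
}

# Constructed Sysmon Event ID 1 (process creation) records, NOT real telemetry.
# Assumed layout: timestamp|host|user|parent image|command line
SAMPLE_EVENTS = """\
2023-11-01T09:14:02|ACME-WS03|ACME\\jdoe|cmd.exe|net view
2023-11-01T09:14:05|ACME-WS03|ACME\\jdoe|cmd.exe|net view /domain
2023-11-01T09:14:40|ACME-WS03|ACME\\jdoe|cmd.exe|netstat -ao
2023-11-01T09:15:01|ACME-WS03|ACME\\jdoe|cmd.exe|net use
2023-11-01T09:15:20|ACME-WS03|ACME\\jdoe|cmd.exe|net session
2023-11-01T09:16:11|ACME-WS03|ACME\\jdoe|explorer.exe|notepad.exe report.txt
2023-11-01T09:20:00|ACME-FS01|NT AUTHORITY\\SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
"""


def parse_event(line):
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def classify(cmdline):
    """Return the ATT&CK technique ID a command line maps to, or None."""
    tokens = cmdline.strip().strip('"').split()
    if not tokens:
        return None
    # Reduce a full image path (quoted or not) to its basename so that
    # "C:\Windows\System32\net.exe" view is treated the same as net view.
    tokens[0] = tokens[0].replace("/", "\\").split("\\")[-1].strip('"')
    normalised = " ".join(tokens)
    for tid, patterns in TECHNIQUE_PATTERNS.items():
        if any(p.search(normalised) for p in patterns):
            return tid
    return None


def discovery_summary(raw_events):
    """Per-host map of technique ID -> command lines seen: on a deception host
    any hit is the 'are they here' alert, and the set of IDs is what you would
    feed back to CTI (or to ATT&CK) as observed behaviour."""
    summary = defaultdict(lambda: defaultdict(list))
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        tid = classify(ev["cmdline"])
        if tid:
            summary[ev["host"]][tid].append(ev["cmdline"])
    return {host: dict(techs) for host, techs in summary.items()}
```

Feeding real Sysmon output into this only needs `parse_event` swapped for your log pipeline's field extraction; the classification is independent of the transport.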