
The presentation is titled "Using Free and Open Source Deception Technologies and Tools to Monitor Your Enterprise." Before I begin, I have a question for you. Please, before you answer, think carefully. Who has ever used deception in their organization before as a detection tool? Raise your hand. If anyone ever uses deception in their organization, rule number one: never tell anybody about it. Keep it a secret. My name is Abdulrahman Al-Nimari. I have been in IT and information security for more than 25 years. I started back in 1984 on a Commodore 64 and have played different roles ever since, from programming to system and network administration, and finally cyber security across the last 15 years. You can find me almost every day on LinkedIn and Twitter, my two favorite social networks.
This will be the agenda of our talk today. We will talk about deception in history, what deception is, why we use it, deception tools and types, cyber kill chain mapping, implementation best practices, sample decoys and breadcrumbs, resources, and Q&A.

Deception in history. Who knows this guy? Raise your hand. Have you ever read the book "The Art of War"? I recommend that everyone working in cyber security read this book by Sun Tzu. Everything this well-known Chinese military strategist wrote in "The Art of War" is applicable to cyber security today. He is well known for saying, "All warfare is based on deception." This is a fake tank built by the Allies in World War 1.
And this is a dummy airbase with mock aircraft, also used during the war.

What do we mean when we say deception in cyber security? Here is a very simple definition. Deception is the process of generating traps or decoys that mimic and blend in with legitimate technology assets throughout the infrastructure. These decoys can run on virtual or real operating system environments and are designed to trick cyber criminals into thinking they have discovered a way in.

Why do we use deception? What is the purpose of it? Improving detection capabilities; decreasing dwell time, that is, improving MTTD and MTTR; decreasing false positives; learning adversaries' TTPs; delaying and misleading attackers; detecting zero-day vulnerabilities; and enriching CTI. Looking at the biggest data breaches of the 21st century, Yahoo, Marriott, Equifax, Adobe, RSA, they have all been hacked and data was exfiltrated outside their perimeter.
This is the Verizon Data Breach Investigations Report of 2018. 87% of attacks needed seconds or minutes to finish. On the other hand, 68% of enterprises needed months to detect these attacks. Protection is ideal, but detection is a must. If you happen to be compromised, detect it early. If you're not detecting, you're not doing anything.

Open-source deception tools can be categorized as low interaction versus high interaction, static versus dynamic, internal versus external, and server versus client deception tools.

A sample breadcrumb implementation: place attractive files in a folder on a website. In robots.txt, tell search bots never to index that "secret" folder. Then use Windows audit rules so that anyone who opens a file in that folder triggers a log entry or alert.
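The robots.txt breadcrumb described above, as an added example that is not from the talk: it writes the Disallow line for an assumed decoy folder name (/secret-backup/) and then runs the detection over constructed web-server access log lines, flagging any client that requests the decoy folder and noting whether that client fetched robots.txt first. The talk's Windows file-access rule is the server-side equivalent; here the check is done on the web access log instead.

```python
import re
from collections import defaultdict

DECOY_PATH = "/secret-backup/"   # assumed decoy folder name, served by the web server

def build_robots_txt(decoy_path: str = DECOY_PATH) -> str:
    """robots.txt that tells crawlers to stay out of the decoy folder; no legitimate
    visitor has a reason to go there, so any request under it is the signal."""
    return f"User-agent: *\nDisallow: {decoy_path}\n"

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_line(line: str):
    m = LOG_RE.match(line)
    return None if m is None else dict(zip(("ip", "time", "method", "path", "status"), m.groups()))

def detect_decoy_access(log_lines, decoy_path: str = DECOY_PATH):
    """One alert per client that requested anything under the decoy folder.
    'followed_robots_txt' records whether that client fetched robots.txt first,
    i.e. it learned the folder name from the Disallow line and ignored it."""
    read_robots, hits = set(), defaultdict(list)
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # malformed line: skip, do not crash the detector
        if ev["path"] == "/robots.txt":
            read_robots.add(ev["ip"])
        elif ev["path"].startswith(decoy_path):
            hits[ev["ip"]].append(ev)
    return [{"ip": ip, "first_seen": evs[0]["time"],
             "paths": [e["path"] for e in evs],
             "followed_robots_txt": ip in read_robots} for ip, evs in hits.items()]

# Constructed sample log: a normal visitor, a crawler that honours robots.txt,
# and a client that reads robots.txt and then walks straight into the decoy folder.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /robots.txt HTTP/1.1" 200 48',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 900',
    '192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /robots.txt HTTP/1.1" 200 48',
    '192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /secret-backup/ HTTP/1.1" 200 300',
    '192.0.2.44 - - [10/Oct/2023:13:57:15 +0000] "GET /secret-backup/passwords.xlsx HTTP/1.1" 200 4096',
    'not a log line',
]

if __name__ == "__main__":
    for alert in detect_decoy_access(SAMPLE_LOG):
        print("ALERT: decoy folder accessed", alert)
```

Because the folder is advertised only through robots.txt, a well-behaved crawler never shows up in the alerts, which keeps the false-positive rate of this breadcrumb close to zero.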
Detecting pass-the-hash (PTH) attacks. There are many tools, Mimikatz, Responder, etc. You can detect PTH very easily using deception. Empire on GitHub is a great open-source tool for this. DejaVu is an open-source deception framework. It is a complete framework that helps create virtual machines, fake servers, and hosts inside your enterprise.

Cyber kill chain mapping. Any adversary takes seven steps to compromise you, from reconnaissance to weaponization, to delivery, exploitation, installation, and command and control. In every stage, we can map deception tools to thwart the attacker. In reconnaissance, for example, we can use fake social media profiles to deceive and track the attacker.

Implementation best practices: have visibility of your enterprise, have a security program in place, build objectives, map the kill chain, keep it a secret, make it look real, and log, alert, and respond.
Some open-source deception solutions. Full OS: ADHD, DejaVu, T-POT. Breadcrumbs: HoneyPy, Cowrie, Honeybits. Client: Thug.