
Gartner Security & Risk Management Summit 2017
12 – 15 June 2017 / National Harbor, MD

Applying Deception for Threat Detection and Response
Augusto Barros

CONFIDENTIAL AND PROPRIETARY


This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain
information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
Deception? What Exactly Are We Talking About?



The Old "Honeypot" Idea

[Diagram labels: Attacker; Firewall; DMZ with Real Servers and Honeypot; Security Monitoring; Corporate Network]
So, a Better Analogy Would Be ...



But What Is Different Now?


Deception Technologies (and Techniques) Have Evolved

• Focus on the corporate network and lateral movement
• Network AND data deceptions
• Virtualization to the rescue

[Diagram labels: Threat Actor; Real Assets; Decoys; Lures and Breadcrumbs; Honeytokens; Traditional Threat Detection and Response; Monitoring Tools (SIEM, IDS, Etc.)]


Distributed Deception Platforms

[Diagram labels: Distributed Deception Platform; Deception Management Server; Decoys; Lures; Decoy Server; Endpoints (Workstations and Servers); SIEM]


Decoys

Low-Interaction Decoys (Emulation) vs. High-Interaction Decoys (Real Systems), compared on:
• Risk of real compromise of the deception environment
• Resource requirements
• Level of deception credibility
• Ability to monitor and register attacker actions, TTPs and IOCs


Lures and Breadcrumbs

• Credentials
• Cached credentials (such as Kerberos tickets)
• Application shortcuts
• Browser favorites
• Browser history
• Browser cookies and credentials
• Data files
• Document/Fax scans
• Event logs
• Installed or running services
• User certificates
• Installed applications
• Local database files and databases
• Connection strings to databases
• Office suite documents (such as .doc and .xls files)
• Network connections
• Network drive maps (SMB/CIFS)
• Telnet and FTP shortcuts
• SSH shortcuts and keys
• Registry entries


Additional Features

• Learning Environment Characteristics
• Lures and Breadcrumbs Management and Deployment

[Screenshots: Source: TopSpin Security; Source: Cymmetria]
Other Deception Options

• Honeytokens
• Free/Open Source
– Honeyd
– Modern Honey Network (MHN)
– Conpot
– HoneyDrive
– MazeRunner Community Edition
– Domain Controller Enticing Password Tripwire (DCEPT)


Deception in Other Tools

• LogRhythm
• Microsoft
• Rapid7
• GuardiCore
• vArmour
• ...

[Screenshots: Source: Microsoft; Source: Rapid7]
But still ... why?
Isn't it just another "nice to have"?



Reasons to Implement Deception

• Low friction:
– Usually lower implementation effort when compared to other threat detection technologies (e.g., UEBA, NTA)
• Technical or economic limitations for other detection methods:
– Internet of Things (IoT) assets, SCADA, medical devices, nontraditional vulnerable devices
– Wide, distributed networks
– Networks with encrypted traffic
• Additional detection capabilities on top of traditional approaches


Deception Use Cases

• Enabling frictionless threat detection with low false positives
• Detecting threats to assets that cannot provide their own telemetry
• Detecting threats moving inside the network
• Targeting detection of APT-grade actors
• Catching malware not detected by other tools
• Using a decoy network as a sandbox
• Providing an additional layer of detection control
• Using honey credentials to trace attack sources
• Learning more about the attacker tools and tactics
• Delaying and deterring the attacker


Is There Anyone Doing It?

• Different Organizations:
– Financial Institutions: First Midwest Bancorp (TopSpin Security), Chicago Trading Company (TopSpin Security)
– Manufacturers: Marvell (Attivo Networks)
– Retail: Home Depot
– Healthcare and Insurance: Aflac (Attivo Networks), John Muir Health (TrapX Security), Delta Dental (Javelin)
– Governments: the Israel National Cyber Security Authority includes deception in its overall cybersecurity strategy


OK, I will do it.
Now what?



Building a Deception Business Case

Business Case | Business Benefits
Improved threat detection | Detect threats faster to reduce incident cost
Higher-quality alerts | Reduce the cost of triaging alerts
Threat detection for purpose-built systems | Improve detection of advanced threats
Lower-cost detection | Reduce the overall cost of detection
Auxiliary detection | Improve overall detection efficiency
Threat detection with less friction or less risk of issues | Reduce overall detection cost
Diversity of detection approaches | Improve overall detection effectiveness


Types of Threats to Detect

Regular Threats | Advanced Threats
Making detection of regular threats easier and less resource-intensive (that is, detecting threats better) | Making detection of advanced threats possible (that is, detecting "better" threats)
More detection for small effort/cost | Requires effort, but may find threats everything else missed

Different needs, different approaches too!


Selecting a Deception Approach

[Diagram: deception layers Network, Endpoint, Application, Data; Deceit Difficulty from Lower to Higher; Threat Type from Basic to Advanced]


Designing and Customizing Deception

Deception Type | Use Case
Generic decoy with no customization | Detect basic activity such as network scanning
Low-interaction decoy customized to match software and versions used on existing systems | Early detection of common threats
High-interaction decoy using the same OS image, services and applications as real systems | Focus on more advanced attackers and intelligence gathering
High-interaction decoy using the same OS image, services and applications and data from real systems | Focus on advanced, targeted attackers and intelligence gathering
Generic endpoint lures | Detect malware and other basic threats, ransomware
Customized endpoint lures, honeytokens | Focus on detecting advanced attackers (humans)


Where to Deploy Deception

Location | Deception Type | Examples | Motivation
Next to assets that cannot be monitored or protected by other technologies | Network decoy | A VLAN with medical devices, SCADA assets or IoT assets | Detecting threats against assets where other monitoring is difficult or impossible
Mixed in with critical assets (such as finance, HR and sensitive intellectual property assets) | Network decoy | A VLAN with CRM or other critical systems | Build an additional layer of detection control focused on critical assets
In remote locations | Network decoy | A tunnel decoy that channels the attacker to a decoy server | Detect the attacker in locations where few detection controls are deployed
On more-threatened production systems | Lures that point to decoy services | A file-share CRM resource that leads to a decoy | Detect when the attacker is touching a critical system
On all production systems | Lures that point to decoy services | A client PC or a server with injected administrator credentials or with decoy system locations | Cast a wide net of traps to direct attackers to decoy services
Selecting Deception Products

1. Perform requirement analysis based on the use cases.
2. Review the vendors that match the requirements and available resources.
3. Develop testing plans based on the use cases and desired capabilities.
4. Conduct a 30-day POC deployment, preferably on the production network, of up to three products:
– Use threat simulation tools, if available or provided by a deception vendor.
– Utilize a red team to check how effective the products are at detecting threats, and at delaying and confusing "the attacker."
5. Review POC findings, but do not make a purchase based on one impressive detection (the "POC Gem").
6. If necessary, purchase a product and conduct an extended production pilot deployment.
Operating Deception — Monitoring

• Alerts from the deception tool should be included in the standard alert response process:
– Some organizations skip standard alert triage and go straight into incident response mode due to the "high confidence" profile of the alerts
• If insider threats from security operations teams are a concern:
– Obfuscate the alert source
– Limit the visibility of the deception deployment to a "need to know" basis


Operating Deception — Response

• Review incidents for any clues that the attackers were aware of decoys. Use that information to improve and tune the deployment.
• If high-interaction decoys are being used:
– Use your deception system as an internal threat intelligence source.
– Integrate it with a process to sweep all the production systems for the same indicators (such as by using EDR tools).


Operating Deception — Maintenance

• Creating and maintaining honeytoken documents or fake custom web applications, for example, will require some human effort.
– Organizations planning to deploy those types of deception must factor in that work as part of their operations.
• Use your threat assessment results to create lures that are both desirable and believable to your attacker.
– Be careful with excessively interesting fake data — it may leak and cause trouble for the business (e.g., fake M&A info).
• When using honeytokens or manually created lures, ensure SIEM and IDS content is always up to date and aligned to existing deceptions.
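The two operating points above, feeding deception alerts into the standard response process with the option to obfuscate their source ("Operating Deception — Monitoring") and keeping SIEM content aligned with the lures actually in place ("Operating Deception — Maintenance"), can be made concrete in a few lines. The following is an added example written for this page; it is not code from the deck or from any deception vendor. It assumes a hypothetical honeytoken inventory (lure values and the hosts they were planted on), a simplified key=value log format, and constructed authentication and file-access log lines; the host names, account names, file name and IP address are all made up.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Honeytoken:
    kind: str       # "credential" or "file"
    value: str      # the lure value exactly as it shows up in telemetry
    placed_on: str  # hypothetical host where the lure was planted


# Hypothetical inventory of deployed lures (constructed sample data, not a real deployment).
INVENTORY: List[Honeytoken] = [
    Honeytoken("credential", "svc_backup_adm", "WS-FIN-017"),
    Honeytoken("credential", "dba_legacy", "SRV-CRM-02"),
    Honeytoken("file", "MA_targets_2017.xlsx", "SRV-FS-01"),
]

# Constructed log lines in a simplified key=value format (not real Windows telemetry).
SAMPLE_LOGS: List[str] = [
    "2017-06-12T09:01:12Z host=DC-01 event=4625 user=jsmith src=10.10.5.23 status=bad_password",
    "2017-06-12T09:01:40Z host=DC-01 event=4624 user=svc_backup_adm src=10.10.5.23 logon_type=3",
    "2017-06-12T09:02:05Z host=SRV-FS-01 event=4663 user=jsmith object=\\\\SRV-FS-01\\share\\MA_targets_2017.xlsx",
    "2017-06-12T09:03:00Z host=DC-01 event=4624 user=jsmith src=10.10.5.23 logon_type=2",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; tokens without '=' (the timestamp) are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def match_honeytokens(lines: Iterable[str], inventory: Iterable[Honeytoken],
                      obfuscate_source: bool = False) -> List[Dict[str, str]]:
    """Return one high-confidence alert per log line that touches a deployed lure.

    A honey credential has no legitimate use, so both successful and failed logons
    with it are alerted. File lures match on the accessed object's basename. With
    obfuscate_source set, the alert is labelled like an ordinary analytics source so
    the existence of the deception deployment is not revealed to every alert consumer.
    """
    creds = {t.value: t for t in inventory if t.kind == "credential"}
    files = {t.value: t for t in inventory if t.kind == "file"}
    source = "authentication-analytics" if obfuscate_source else "deception-platform"
    alerts: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_line(line)
        hit: Optional[Honeytoken] = creds.get(fields.get("user", ""))
        if hit is None and "object" in fields:
            hit = files.get(_basename(fields["object"]))
        if hit is None:
            continue
        alerts.append({
            "severity": "high",          # lures have no legitimate use: high-confidence signal
            "source": source,
            "token": hit.value,
            "kind": hit.kind,
            "placed_on": hit.placed_on,  # where the lure was planted: the host to sweep first
            "observed_on": fields.get("host", "unknown"),
            "actor_src": fields.get("src", "n/a"),
            "raw": line,
        })
    return alerts


def coverage_gaps(inventory: Iterable[Honeytoken], siem_watchlist: Set[str]) -> List[str]:
    """Lure values the SIEM does not yet watch for; run whenever lures are added or rotated."""
    return [t.value for t in inventory if t.value not in siem_watchlist]


if __name__ == "__main__":
    for alert in match_honeytokens(SAMPLE_LOGS, INVENTORY):
        print(alert["severity"], alert["kind"], alert["token"],
              "planted on", alert["placed_on"], "seen on", alert["observed_on"])
    print("not yet in SIEM watchlist:", coverage_gaps(INVENTORY, {"svc_backup_adm"}))
```

Two design points follow the slides. Every match is emitted at a single high severity because a lure is never used legitimately, which is why the deck notes that some teams skip triage for these alerts; and coverage_gaps is the maintenance check, meant to run whenever lures change, so that a freshly planted honeytoken is never left without matching SIEM content.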
Summary

• Deception is a viable option to improve threat detection and response capabilities:
– Can be a different approach to put on top of other detection methods
– Can be the only viable option when there are technology and economic constraints
• Simple network deception and generic endpoint lures can detect simple threats, such as rogue employee behavior and regular malware. More elaborate deception can detect advanced threats, but it also requires more effort to create, deploy and maintain.


Recommendations

• Use deception as a low-friction detection option for lateral movement within the network:
– If you are looking for additional detection tools for threats within the network, such as UEBA and NTA, consider deception as another alternative
• Use customized deception to improve the chances of detecting advanced threats
• Use deception technologies on environments that cannot use other security controls, such as medical devices and OT systems
• Test the effectiveness of deception tools by running a POC or a pilot on a production environment, leveraging threat simulation tools or red team exercises
Recommended Gartner Research

• Applying Deception Technologies and Techniques to Improve Threat Detection and Response
Augusto Barros and Anton Chuvakin (G00314562)
• Competitive Landscape: Distributed Deception Platforms, 2016
Lawrence Pingree (G00310123)

The above research is from the Gartner for Technical Professionals Research Library. For more information, please visit the Gartner Research Zone or visit http://www.gartner.com/technology/research/technical-professionals.jsp
