![Page 1: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/1.jpg)
THREAT HUNTING WITH DECEPTION
Sahir Hidayatullah, CEO - Smokescreen, @sahirh
![Page 2: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/2.jpg)
“The more you know about the past, the better prepared you are for the future.”
Theodore Roosevelt
![Page 3: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/3.jpg)
“Gauge your opponent’s mind and send it in different directions. Make him think various things, and wonder if you will be slow or quick.”
Miyamoto Musashi, The Book of Five Rings
![Page 4: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/4.jpg)
![Page 5: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/5.jpg)
There are 3 reasons why companies get hacked…
![Page 6: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/6.jpg)
1. Low visibility
INITIAL INTRUSION -> HACKERS UNDETECTED -> DATA BREACH
![Page 7: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/7.jpg)
2. Ever-changing threat landscape
![Page 8: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/8.jpg)
3. Too many false positives
13,726 -> 55,198 -> 72,614 -> 89,452 -> 96,825
• Event fatigue
• Data paralysis
• Missed alerts
• Game Over
![Page 9: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/9.jpg)
Why does deception work?
![Page 10: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/10.jpg)
![Page 11: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/11.jpg)
LEVEL 2 Threat Hunting
![Page 12: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/12.jpg)
?!?!#@!
LEVEL 3 Deception
![Page 13: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/13.jpg)
Next-gen firewall
Sandboxing
Two-factor authentication
DAST / SAST
Network analytics
Endpoint detection and response
Thinking in lists v/s Thinking in graphs
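"Thinking in graphs" is what the red-team vocabulary above (Bloodhound / user hunting, SPN enumeration) boils down to: a low-privilege user is a starting node, Domain Admins is the goal, and group memberships, local admin rights and cached sessions are edges. The same graph tells the defender where a single decoy covers every route. The following is an added example, not code from the talk or from BloodHound; the hosts, users and groups are constructed, and the relation names (MemberOf, AdminTo, HasSession) only mirror the BloodHound model.

```python
from collections import deque

# Constructed toy environment (hypothetical hosts, users, groups).
# Edge semantics follow the BloodHound model but this is not BloodHound's
# code or schema:
#   (user,  "MemberOf",   group)  user is a member of group
#   (group, "AdminTo",    host)   members are local admins on host
#   (host,  "HasSession", user)   user's credentials are in memory on host
EDGES = [
    ("alice",     "MemberOf",   "Helpdesk"),
    ("Helpdesk",  "AdminTo",    "WS01"),
    ("Helpdesk",  "AdminTo",    "WS02"),
    ("Helpdesk",  "AdminTo",    "WS03"),
    ("WS01",      "HasSession", "alice"),
    ("WS02",      "HasSession", "bob"),
    ("WS03",      "HasSession", "dave"),
    ("bob",       "MemberOf",   "ServerOps"),
    ("dave",      "MemberOf",   "ServerOps"),
    ("ServerOps", "AdminTo",    "SRV01"),
    ("SRV01",     "HasSession", "da_carol"),
    ("da_carol",  "MemberOf",   "Domain Admins"),
]

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

GRAPH = build_graph(EDGES)

def shortest_path(graph, start, goal):
    """BFS over the directed graph; returns the node sequence or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for _rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if goal not in prev:
        return None
    path, cur = [], goal
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]

def all_simple_paths(graph, start, goal, _path=()):
    """Every loop-free route from start to goal. Exponential in the worst
    case, so run it on the neighbourhood of one target, not the whole domain."""
    path = _path + (start,)
    if start == goal:
        yield path
        return
    for _rel, nxt in graph[start]:
        if nxt not in path:
            yield from all_simple_paths(graph, nxt, goal, path)

def choke_points(graph, start, goal):
    """Nodes that lie on every attack path: one decoy there covers every route."""
    paths = [set(p) for p in all_simple_paths(graph, start, goal)]
    if not paths:
        return set()
    return set.intersection(*paths) - {start, goal}

def node_kind(graph, node):
    rels = {rel for rel, _ in graph[node]}
    if "HasSession" in rels:
        return "host"
    if "AdminTo" in rels:
        return "group"
    return "user"

# The decoy story per node type (hypothetical wording, one line each)
DECOY_FOR = {
    "host":  "plant a decoy privileged session / cached credential on the host",
    "group": "add a decoy member account (with an SPN) so enumeration or a ticket request fires",
    "user":  "seed decoy credentials that look like this user's where attackers harvest them",
}

def recommend_decoys(graph, start, goal):
    """Map each choke point to the kind of decoy that covers it."""
    return {n: (node_kind(graph, n), DECOY_FOR[node_kind(graph, n)])
            for n in sorted(choke_points(graph, start, goal))}

if __name__ == "__main__":
    print(" -> ".join(shortest_path(GRAPH, "alice", "Domain Admins")))
    for node, (kind, action) in recommend_decoys(GRAPH, "alice", "Domain Admins").items():
        print(f"{node:10} [{kind}] {action}")
```

In this toy domain there are two routes from `alice` to Domain Admins (through WS02/bob or WS03/dave), but both pass through `ServerOps`, `SRV01` and `da_carol`; a single decoy domain-admin session on SRV01 therefore catches either route, which is the "is less more?" placement question in graph form.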
![Page 14: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/14.jpg)
Blue Team Red Team
Differences in colour…
![Page 15: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/15.jpg)
Are apparent through differences in language…
Blue Team talks about:
• SQL injection
• Password cracking
• Phishing
• Port-scanning
• Patch management
Red Team talks about:
• Squiblydoo
• AS-REP roasting
• Hot potato attacks
• SPN enumeration
• LocalAccountTokenFilterPolicy
• Unquoted service paths
• Process hollowing
• OLE embedded phishing
• LLMNR poisoning
• Bloodhound / user hunting
• DLL side loading
• GPP exploitation
• Time-stomping
![Page 16: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/16.jpg)
The adversary’s OODA loop: Observe -> Orient -> Decide -> Act
![Page 17: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/17.jpg)
The Pyramid of Pain
Source: David J. Bianco, personal blog
![Page 18: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/18.jpg)
Who should implement deception?
![Page 19: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/19.jpg)
The 3 V’s
VISIBLE • VALUABLE • VULNERABLE
![Page 20: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/20.jpg)
Good deception blankets the kill chain
Decoy asset classes:
• Internet Assets
• Active Directory Objects
• Application Credentials
• Files
• Network Traffic
• Endpoints
• People
• Servers
• Applications
Kill chain phases covered:
RECONNAISSANCE -> EXPLOITATION -> PRIVILEGE ESCALATION -> LATERAL MOVEMENT -> DATA EXFILTRATION
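What "blanketing the kill chain" looks like in detection logic: one decoy per asset class, each tied to the phase it is meant to catch, matched against the records a SIEM would forward. The following is an added example and not the talk's or Smokescreen's code; the decoy names, IPs, the allow-listed service accounts and the event records are all constructed, and the record field names are simplified (Windows event IDs 4769, 4624/4625 and 4663 are real, the dictionary keys are mine). The allow-list is the caveat a practitioner hits first: the deception platform's own account that rotates decoy passwords and the backup job that reads every share will otherwise trip the decoys themselves.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Decoy:
    kind: str    # "host" | "ad_account" | "credential" | "file"
    value: str   # IP, account/SPN name, planted username, or UNC path
    phase: str   # kill-chain phase this decoy is meant to catch

# Constructed decoy catalog, one decoy per asset class (names are hypothetical).
DECOYS = [
    Decoy("host",       "10.0.5.250",                        "RECONNAISSANCE"),
    Decoy("ad_account", "svc_backup_legacy",                 "PRIVILEGE ESCALATION"),
    Decoy("credential", "fs-admin",                          "LATERAL MOVEMENT"),
    Decoy("file",       r"\\FS01\finance\payroll_2019.xlsx", "DATA EXFILTRATION"),
]

# Identities that legitimately touch decoys and must never alert (hypothetical):
# the deception platform's account that rotates decoy passwords and the backup
# job that reads every share. Without this the decoys alert on themselves.
ALLOWLIST = {"svc_deception", "svc_backup"}

def _norm(value):
    return (value or "").lower()   # AD names and UNC paths are case-insensitive

def matches(decoy, ev):
    """Does this (simplified) SIEM record touch the decoy?"""
    if decoy.kind == "host":         # any flow to a decoy IP: nobody has a reason to talk to it
        return ev.get("type") == "netflow" and ev.get("dst_ip") == decoy.value
    if decoy.kind == "ad_account":   # Kerberos TGS request (4769) for the decoy SPN: Kerberoasting
        return ev.get("event_id") == 4769 and _norm(ev.get("service_name")) == _norm(decoy.value)
    if decoy.kind == "credential":   # any logon attempt (4624/4625) as the planted user
        return ev.get("event_id") in (4624, 4625) and _norm(ev.get("account")) == _norm(decoy.value)
    if decoy.kind == "file":         # object access (4663) on the decoy document
        return ev.get("event_id") == 4663 and _norm(ev.get("object")) == _norm(decoy.value)
    return False

def detect(events):
    """Deterministic alerts: a decoy touched by a non-allow-listed identity."""
    alerts = []
    for ev in events:
        if _norm(ev.get("account")) in ALLOWLIST:
            continue
        for decoy in DECOYS:
            if matches(decoy, ev):
                alerts.append({"phase": decoy.phase, "decoy": decoy.value,
                               "actor": ev.get("account"), "src": ev.get("src_ip"),
                               "evidence": ev.get("event_id", ev.get("type"))})
    return alerts

def pivot(alerts, events):
    """Everything the alerting sources did, decoy-related or not: the attacker
    did not only touch decoys, so these are the records to triage next."""
    sources = {a["src"] for a in alerts}
    return [ev for ev in events if ev.get("src_ip") in sources]

# Constructed records; field names are simplified, not Windows' own.
EVENTS = [
    {"type": "netflow", "src_ip": "10.0.2.17", "dst_ip": "10.0.5.250", "dst_port": 445},
    {"event_id": 4769, "account": "alice", "service_name": "SVC_BACKUP_LEGACY", "src_ip": "10.0.2.17"},
    {"event_id": 4769, "account": "svc_deception", "service_name": "svc_backup_legacy", "src_ip": "10.0.9.9"},
    {"event_id": 4625, "account": "fs-admin", "src_ip": "10.0.2.17", "target_host": "FS01"},
    {"event_id": 4624, "account": "bob", "src_ip": "10.0.3.40"},
    {"event_id": 4663, "account": "alice", "object": r"\\fs01\Finance\payroll_2019.xlsx", "src_ip": "10.0.2.17"},
    {"event_id": 4663, "account": "svc_backup", "object": r"\\FS01\finance\payroll_2019.xlsx", "src_ip": "10.0.1.5"},
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print(len(pivot(found, EVENTS)), "records from the alerting source(s) to triage")
```

Every alert here is a decision, not a score: the decoy exists for no legitimate purpose, so a single matching record is enough, and the only tuning is the allow-list of identities that are supposed to touch it.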
![Page 21: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/21.jpg)
![Page 22: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/22.jpg)
“We’ll do it live!” Bill O’Reilly
![Page 23: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/23.jpg)
Chronology of an Attack - “The Double Cycle Pattern”
1. Initial Intrusion: low-privilege normal user
2. C2 and persist: establish remote control channel
3. Privilege escalation #1: escalate to local administrator
4. Lateral Movement: hunt domain administrators
5. Privilege escalation #2: escalate to domain administrator
6. Breach Complete: compromise targets and effect impact
![Page 24: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/24.jpg)
“That was possibly the most frustrating experience in twelve years of pen-testing.”
![Page 25: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/25.jpg)
HUNT MISSION #1: Hunt initiation with Periscope Events
![Page 26: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/26.jpg)
HUNT MISSION #2: Hunting During Incident Response
![Page 27: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/27.jpg)
Deception Strategy 101
• Threat model -> Deception stories
• Placement and density. Is less more?
• Blend-in v/s Stand-out
• Testing = Blind + Full-knowledge
• Intelligence-driven deception
• Response and negative signalling
![Page 28: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/28.jpg)
The Golden Rules of Deception
The Observer Effect in Deception
The Half-life Of Deception
Kerckhoffs’ Principle in Deception
![Page 29: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/29.jpg)
The Analysis Trifecta
INCIDENT HANDLING
• What happened on the decoy? Deception alerts, decoy telemetry
• How did it happen on the endpoint? DFIR / triage, malware analysis
• Where else did it happen in the network? Netflow / EP telemetry, threat hunting, SIEM correlation
![Page 30: SACON - Deception Technology (Sahir Hidayatullah)](https://reader033.vdocuments.site/reader033/viewer/2022061307/5a64827c7f8b9a27568b559f/html5/thumbnails/30.jpg)
Continuous Response v/s Incident Response
When alerts are:
• Real-time
• Low-false positive
• Deterministic
Response should be:
• Orchestrated
• Automated
• Continuous
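Because a decoy alert is real-time, low-false-positive and deterministic, the response can be wired to it directly instead of waiting for an analyst to confirm. The following is an added example and not the talk's or any vendor's code: a small orchestrator that maps each alert's kill-chain phase to a playbook, keeps actions idempotent, suppresses authorised scanners (the blind-test case from the strategy slide) and trips a circuit breaker when too many hosts hit decoys at once. The action names (`isolate_host`, `disable_account`, `snapshot_memory`, `open_case`) are hypothetical stand-ins for EDR, AD and case-management API calls and are recorded in a ledger rather than executed; the alerts are constructed.

```python
# Constructed playbook: actions per kill-chain phase of the decoy that fired.
# A decoy scan only opens a case: isolating the attacker's host on the first
# probe is negative signalling that tells them the target was a decoy.
PLAYBOOK = {
    "RECONNAISSANCE":       ["open_case"],
    "PRIVILEGE ESCALATION": ["disable_account", "snapshot_memory", "open_case"],
    "LATERAL MOVEMENT":     ["isolate_host", "snapshot_memory", "open_case"],
    "DATA EXFILTRATION":    ["disable_account", "isolate_host", "open_case"],
}

# Which alert field each (hypothetical) action operates on
TARGET_FIELD = {"isolate_host": "src", "snapshot_memory": "src",
                "open_case": "src", "disable_account": "actor"}

class Responder:
    def __init__(self, max_isolations=5, scanner_ips=()):
        self.ledger = []                      # (action, target) in execution order
        self.done = set()                     # idempotency: one action per target
        self.isolations = 0
        self.max_isolations = max_isolations
        self.scanner_ips = set(scanner_ips)   # authorised scanners during blind tests

    def handle(self, alert):
        """Run the playbook for one alert; returns what was done for it."""
        if alert["src"] in self.scanner_ips:
            return ["suppressed:known_scanner"]
        actions = []
        for action in PLAYBOOK.get(alert["phase"], ["open_case"]):
            target = alert.get(TARGET_FIELD[action])
            if target is None:
                continue                      # e.g. a netflow hit has no actor to disable
            key = (action, target)
            if key in self.done:
                continue
            if action == "isolate_host":
                if self.isolations >= self.max_isolations:
                    # Circuit breaker: many hosts hitting decoys at once is more likely
                    # an unannounced scanner or a broken deployment than many intruders.
                    key = ("escalate_to_human", target)
                else:
                    self.isolations += 1
            self.done.add(key)
            self.ledger.append(key)
            actions.append(key)
        return actions

def run(alerts, **kw):
    responder = Responder(**kw)
    for alert in alerts:
        responder.handle(alert)
    return responder

# Constructed alerts in the shape a decoy detector would emit; 10.0.0.3 is the
# (hypothetical) authorised vulnerability scanner.
ALERTS = [
    {"phase": "RECONNAISSANCE",       "decoy": "10.0.5.250",        "actor": None,       "src": "10.0.2.17"},
    {"phase": "PRIVILEGE ESCALATION", "decoy": "svc_backup_legacy", "actor": "alice",    "src": "10.0.2.17"},
    {"phase": "LATERAL MOVEMENT",     "decoy": "fs-admin",          "actor": "fs-admin", "src": "10.0.2.17"},
    {"phase": "DATA EXFILTRATION",    "decoy": "payroll_2019.xlsx", "actor": "alice",    "src": "10.0.2.17"},
    {"phase": "RECONNAISSANCE",       "decoy": "10.0.5.250",        "actor": None,       "src": "10.0.0.3"},
]

if __name__ == "__main__":
    for entry in run(ALERTS, scanner_ips={"10.0.0.3"}).ledger:
        print(*entry)
```

Four alerts from the same source collapse into four distinct actions (one case, one disabled account, one memory snapshot, one isolation) rather than sixteen, and the scanner's probe produces nothing; that is the difference between orchestrated, continuous response and an alert queue.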