Lie To Me: Mitigating Intrusions with Deception
MITRE Team: Kristin Heckman, Benjamin Scott (Schmoker), Frank Stech, Alex Tsow
Approved for Public Release; Distribution Unlimited. 13-0863, 13-2656; 14-2275; 14-3617
Deception Goals
▪ Influence perception
▪ Benefit from decisions
Deception Benefits
▪ Flexible
– Can be applied in multiple places
– Integrates into diverse software
▪ Effective
– Tripwire for intruders on your network
– Detect intrusions early
What is Deception?
▪ Disrupt your opponent's perception of the environment
▪ Tactics
– Conceal facts
– Prevent accurate interpretation of facts
– Present false information
[Diagram: Opponent, Environment, Defender]
Applying Deception to the "Cyber Kill Chain"
[Diagram: attacker kill-chain phases paired with defender deception actions]
Attacker phases: Reconnaissance, Weaponization, Delivery, Exploit, Control, Persist, Mission Execution
Defender actions:
– Monitor fake mailboxes
– Deploy honeypot
– Sinkhole and re-route traffic
– Gather data on tools and methods
– Create fake accounts
– Reveal false system configuration
– Create false sense of success
What is Cyber-Deception?
(Source: Adapted from Bennett & Waltz, 2007)

              Deception                                        Denial
Facts         Reveal Facts: Show real system configuration    Conceal Facts: Deny access to systems
Fictions      Reveal Fictions: Create fake systems            Conceal Fictions: Hide your deception operation
Case of the "Smash and Grab" Intruder
▪ Syrian Electronic Army (SEA)
– Phish an employee to compromise an account
– Phish other internal users to escalate privileges
– Modify content to insert propaganda
▪ Intrusion goals
– Prioritize speed over subtlety
– Avoid using malware / exploits
– No interest in long-term access
Deception Goals
▪ Collect intel on intruders
– Prevent them from achieving their goals
▪ Plan in advance
– Build tripwires into the live network
▪ Integrate with the existing security team
– Practice responding to honeypot alerts
Mitigating SEA with Deception
Offense (attacker phases: Recon, Deliver, Control)
– Find public-facing employees
– Phish user credentials
– Access valuable accounts and resources
Defense (defender phases: Plan, Monitor, Collect Intelligence)
– Create fake email addresses
– Set up fake accounts and content
– Alert on honeypot activity
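As an added illustration of the Plan / Monitor / Collect Intelligence steps on the two slides above (example code written for this page, not from the MITRE deck or the book): a small Python detector that treats decoy accounts and decoy mailboxes as tripwires, scans log lines for any touch of them, and tallies hits per source for the intelligence-collection step. The account names, addresses, IPs and the key=value log format are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed decoy identities (tripwires): never used by real staff,
# so any login attempt or inbound mail touching them is worth an alert.
HONEY_ACCOUNTS = {"press.office2", "hr.archive", "it-helpdesk-backup"}
HONEY_MAILBOXES = {"press.office2@example.org", "hr.archive@example.org"}

# Constructed sample log lines in a hypothetical key=value auth/mail format.
SAMPLE_LOG = """\
2014-03-02T08:12:01Z auth user=jsmith result=success src=203.0.113.5
2014-03-02T08:13:44Z mail to=hr.archive@example.org from=helpdesk@mail-reset.example subject="Reset your password"
2014-03-02T08:15:09Z auth user=hr.archive result=failure src=198.51.100.23
2014-03-02T08:15:31Z auth user=hr.archive result=success src=198.51.100.23
2014-03-02T08:20:12Z auth user=mlee result=failure src=203.0.113.7
"""
AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) result=(\S+) src=(\S+)")
MAIL_RE = re.compile(r"^(\S+) mail to=(\S+) from=(\S+)")

@dataclass(frozen=True)
class Alert:
    when: str
    kind: str    # "decoy_login" or "decoy_mail"
    target: str  # decoy account or mailbox that was touched
    source: str  # client IP for logins, sender address for mail

def scan(log_text):
    """Return one Alert per event that touches a decoy; real users never trigger."""
    alerts = []
    for line in log_text.splitlines():
        if m := AUTH_RE.match(line):
            when, user, _result, src = m.groups()
            # Failed logins count too: the attempt itself shows the bait was taken.
            if user in HONEY_ACCOUNTS:
                alerts.append(Alert(when, "decoy_login", user, src))
        elif m := MAIL_RE.match(line):
            when, rcpt, sender = m.groups()
            if rcpt in HONEY_MAILBOXES:
                alerts.append(Alert(when, "decoy_mail", rcpt, sender))
    return alerts

def intel_summary(alerts):
    """Count decoy touches per source: the 'Collect Intelligence' step."""
    counts = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.when} {a.kind} target={a.target} source={a.source}")
    print(intel_summary(scan(SAMPLE_LOG)))
```

Because the decoys have no legitimate users, the detector needs no baseline or threshold: every hit is a high-confidence alert, which is what makes such tripwires cheap to operate.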
Overall Strategy
[Diagram of the deception lifecycle]
– Train and Setup
– Plan and Deploy
– Refine and Report
– Verify Outcome
Read all about it!
Contents:
• Deception Chain model
• Operational advice
• Lifecycle development
• Cyber-Deception glossary
deceptionbook.com