{"id":2207,"date":"2018-04-02T17:17:32","date_gmt":"2018-04-03T00:17:32","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=2207"},"modified":"2018-04-02T17:17:32","modified_gmt":"2018-04-03T00:17:32","slug":"detection-of-prevalent-threats-by-distributed-deception","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2018\/04\/02\/detection-of-prevalent-threats-by-distributed-deception\/","title":{"rendered":"Detection of Prevalent Threats by Distributed Deception"},"content":{"rendered":"

Todayb\u0000\u0019s breaches are overwhelmingly carried out in a series of sophisticated, multi-stage attacks. <\/span>The stages of such attacks can best be described by a b\u0000\u001cCyber Kill Chain,b\u0000\u001d which as per MITRE ATT&CK Adversary Tactic Model [1] breaks down cyber intrusions into the steps shown in figure 1.0.<\/span>
\n 
\n\"\"<\/p>\n

B B B <\/span>B B B B B B Figure 1.0 MITRE ATT&CK Adversary Tactic Model<\/b><\/p>\n

In the table 1.0, I have discussed six critical multi-stage attacks. I have precisely listed the breadcrumbs and lures that are required at the endpoint and deceptions on the network to detect and divert these threats. The table further lists the conditions which when triggered will raise the alarm for breach and the stage where the threat will get discovered. This stage is as per the ATT&CK Matrix for Enterprise[1].<\/span> B Based on the nature of the threat, once an alert for a breach is raised it can trigger appropriate automated responses. Examples of responses include: isolation of the infected endpoint, B SOC Alert for remediation, etc. <\/span>
\n The six threat families considered in this blog are::<\/span><\/p>\n

    \n
  1. Ransomware[5]<\/span><\/li>\n
  2. Crypto Miner[2]<\/span><\/li>\n
  3. Breaches leveraging Web Servers for entry [4]<\/span><\/li>\n
  4. Destructive malware (such as Shamoon[3] and Petya[6])<\/span><\/li>\n
  5. Information stealers<\/span><\/li>\n
  6. Password stealers <\/span><\/li>\n<\/ol>\n

    In our blogs listed in references, we have discussed the exploitation steps of these threats. These threats also have been covered extensively within the research community.<\/span>
    \n\"\"
    \nBy using a distributed deception platform, two of these threat families (ransomware and password stealers) is detected in the execution phase. The other four are identified during the lateral movement phase when the attacker is attempting to spread to other machines.<\/span>
    \nBased on the analysis shown in the table following is the takeaway:<\/span><\/p>\n