{"id":3187,"date":"2018-06-01T16:43:07","date_gmt":"2018-06-01T23:43:07","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=3187"},"modified":"2018-06-01T16:43:07","modified_gmt":"2018-06-01T23:43:07","slug":"deception-deployment-strategies-threat-agnostic-vs-service-agnostic","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2018\/06\/01\/deception-deployment-strategies-threat-agnostic-vs-service-agnostic\/","title":{"rendered":"Deception Deployment Strategies: Threat Agnostic vs. Service Agnostic"},"content":{"rendered":"<p><span style=\"font-weight: 400\">In our previous blogs [1][2], we shared details of detecting breach campaigns and worms by using Deception. A Distributed Deception Platform (DDP) consists of breadcrumbs and lures at the endpoint pointing to honey services in the network. The DDP can be deployed in the network in a variety of ways. In this blog, I will share some of the techniques by which honey services can be projected into the network. <\/span><br \/>\n<b><i>Threat Agnostic Deployment:<\/i><\/b><span style=\"font-weight: 400\"> In a “Threat Agnostic” approach to deploying breadcrumbs, the network is enumerated to identify the existing services, such as SMB and databases. Static breadcrumbs and lures are then added to the endpoints and web servers, pointing to deception services modelled on those existing services.<\/span> In this manner of deploying honey services, the honey services closely mimic the real services in the network. 
There is a probability that the real services will be accessed by the threat actor; however, by increasing the density of honey services, breadcrumbs &amp; lures, one can ensure that the chance of a real service being accessed by a threat actor in the network remains low.<br \/>\n<i><span style=\"font-weight: 400\">If there are “m” legitimate services and “n” honey services, then, treating each service as equally likely to be accessed, ensuring { [ m \/ (n + m) ] &lt;= 0.001 } keeps the probability of accessing a legitimate service at or below 0.1%.<\/span><\/i><br \/>\n<span style=\"font-weight: 400\">Since the threat agnostic approach to projecting deceptions depends on the existing services in the network, it works well when the primary aim of using deception is to protect those existing services from a threat actor. <\/span><br \/>\n<span style=\"font-weight: 400\">For example, in the blog “<\/span><a href=\"https:\/\/www.acalvio.com\/deception-centric-architecture-to-prevent-breaches-involving-webserver\/\"><span style=\"font-weight: 400\">Deception Centric Architecture to Prevent Breaches involving Web Server<\/span><\/a>,” the main aim of the threat actor is to compromise the databases. In such a scenario, it is recommended to deploy the deception services in a threat agnostic manner. This ensures that, in the case of a breach, the probability of the threat actor accessing a honey database is high, leading to detection of the breach. 
For further details on detection of the breach, I would encourage readers to refer to our blog<a href=\"https:\/\/www.acalvio.com\/deception-centric-architecture-to-prevent-breaches-involving-webserver\/\"><span style=\"font-weight: 400\">.<\/span><\/a><br \/>\n<b><i>Services Agnostic Deployment:<\/i><\/b><span style=\"font-weight: 400\"> In this model of deployment, the deceptions on the network, and the breadcrumbs &amp; lures on the endpoint, are spawned or deployed based upon events from a single endpoint or across many endpoints. The events that lead to the invocation and deployment of deceptions are referred to as trigger events (also discussed in our previous blog [3]). <\/span><span style=\"font-weight: 400\">Some of the conditions that can be used to identify trigger events are as follows:<\/span><br \/>\n<span style=\"font-weight: 400\">* The probability of a trigger event occurring should be higher in malicious files than in clean files. If E denotes an event captured during the execution of a file, then it should be ensured that { 50% &lt; Probability [E in malicious files] &lt; 100% }. <\/span><br \/>\n<span style=\"font-weight: 400\">* Trigger events may fall under the Initial Access, Execution, Persistence, Privilege Escalation, or Defense Evasion phases as defined in the MITRE ATT&amp;CK model.<\/span><br \/>\n<span style=\"font-weight: 400\">Once these trigger events are reported, specialized decoys, manufactured based on an understanding of attacks and breaches, need to be deployed.<\/span><br \/>\n<span style=\"font-weight: 400\">I will explain the above concept by taking ransomware as an example. Ransomware deletes shadow backups by making a call to “<\/span><i><span style=\"font-weight: 400\">vssadmin delete shadows \/all \/quiet<\/span><\/i><span style=\"font-weight: 400\">” and drops an executable copy of itself in the %APPDATA% folder. 
The probability of these two events occurring in malicious files is higher than in clean files. So if these two events occur, the DDP will raise an alert, project a honey mapped drive at the end host, and project SMB deceptions on the network. If the honey mapped drive or the SMB deceptions are touched, the alert is validated, by proprietary algorithms or by an analyst, as a possible breach.<\/span><br \/>\n<span style=\"font-weight: 400\">The Service Agnostic manner of projecting deceptions works in real time and is based upon trigger events. It provides the inherent advantage of being independent of the services in the network and more focused on the threats. So, assuming there is a breach that infects mapped drives, and there are no mapped drives in the environment, the DDP will spawn mapped drives and the breach will get detected. Projecting deceptions in real time does, however, require a detailed understanding of past breaches and attacks. This understanding aids in identifying the trigger events for projecting the appropriate deceptions on the network and on the end host.<\/span><br \/>\n<b>Conclusion:<\/b><br \/>\n<span style=\"font-weight: 400\">Deception is a compelling technology capable of preventing breaches and the spread of worms. In this blog, we have shared two models of deploying deceptions on the network. Threat agnostic deployment provides the inherent advantage that, since the deployed deceptions mimic the services of the assets being protected, it is independent of the threats. Service agnostic deployment provides the inherent advantage that, since deceptions are spawned independent of the services, it is capable of detecting threats irrespective of the services in the network. 
<\/span><br \/>\n<b>References:<\/b><br \/>\n<span style=\"font-weight: 400\">[1] Detection of Breach Campaigns by using Distributed Deception, <\/span><a href=\"https:\/\/www.acalvio.com\/detection-of-breach-campaigns-by-using-distributed-deception\/\"><span style=\"font-weight: 400\">https:\/\/www.acalvio.com\/detection-of-breach-campaigns-by-using-distributed-deception\/<\/span><\/a><br \/>\n<span style=\"font-weight: 400\">[2] Detection of Prevalent Threats by using Distributed Deception, <\/span><br \/>\n<a href=\"https:\/\/www.acalvio.com\/detection-of-prevalent-threats-by-distributed-deception\/\"><span style=\"font-weight: 400\">https:\/\/www.acalvio.com\/detection-of-prevalent-threats-by-distributed-deception\/<\/span><\/a><br \/>\n<span style=\"font-weight: 400\">[3] Don’t Be a Sitting Duck, Make Your Breadcrumbs &amp; Lures Dynamic, <\/span><br \/>\n<a href=\"https:\/\/www.acalvio.com\/dont-be-a-sitting-duck-make-your-breadcrumbs-lures-dynamic\/\"><span style=\"font-weight: 400\">https:\/\/www.acalvio.com\/dont-be-a-sitting-duck-make-your-breadcrumbs-lures-dynamic\/<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In our previous blogs [1][2], we shared details of detecting breach campaigns and worms by using Deception. A Distributed Deception Platform (DDP) consists of breadcrumbs and lures at the endpoint pointing to honey services in the network. 
The DDP can be deployed in the network in a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4524,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/3187"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=3187"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/3187\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media\/4524"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=3187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=3187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=3187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}