Traditional defensive controls are failing us. The time it takes for an attacker to go from initial compromise to lateral movement is rapidly decreasing while the time it takes to detect and effectively respond to breaches is measured in weeks or even months. Making the situation worse, studies such as the 2020 Cost of a Data Breach Report by the Ponemon Institute show a direct correlation between the time it takes to detect and respond to a breach and the cost of that breach to an organization; the longer it takes, the more a breach costs. To reduce risk, defenders need better ways to quickly detect adversary activity while also collecting information to facilitate faster and more effective response.
Cyber deception is the solution to reduce this response time and minimize cost. SEC550: Cyber Deception, Active Defense, and Offensive Countermeasures will give you an understanding of the core principles of cyber deception, allowing you to plan and implement cyber deception campaigns to fit virtually any environment.
Most detective controls in use today focus on looking for "evil", but attackers do a great job at appearing harmless or even invisible. Technologies such as anti-virus, application whitelisting, DLP, and firewalls can be circumvented with relative ease. A common solution is to change the detective strategy from looking for "evil" to looking for "abnormal." However, attempting to "normalize" even fairly small computing environments can be both challenging and time-consuming.
Fortunately, there are alternatives. Instead of attempting to normalize a production environment, what if we placed resources in that environment that have no production value or use? These resources could be user accounts, credentials, services, open ports, computers, or even complete networks. Because these resources are not part of normal production operations, "normal" can be defined as no interaction or no use. In other words, since there is no reason for legitimate interaction with these deceptive resources, any interaction is abnormal and there are very few "false positive" alerts. This creates a high-fidelity, low-noise detection solution. Furthermore, because the deceptive resources can be monitored and/or configured to generate logs, defenders can collect significant amounts of actionable threat intelligence and attack attribution information, facilitating faster and more effective response. Better yet, this all occurs while attackers are busy attempting to hack deceptive systems, distracting them from actual production resources.
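As an added illustration that is not part of the course material, the following Python script shows the detection logic this paragraph describes in working form. A small set of decoy accounts and one decoy service name are declared (the names, addresses and the one-JSON-object-per-line log format are assumptions made for the example), a few constructed authentication events are parsed, and every interaction with a decoy is rolled up into a per-source alert. The one caveat a practitioner will want is handled explicitly: the host that periodically verifies the decoys still exist is allow-listed, so it does not generate alerts, while failed logons against a decoy account are kept, because a sprayed honey credential is exactly the signal being sought.

```python
"""Honey-account / honey-service detector (added example).

Any event that names a decoy account or a decoy service is treated as an
alert, because no legitimate workflow has a reason to touch them."""
import json
from collections import defaultdict

# Decoy identities planted purely for detection (hypothetical names).
DECOY_ACCOUNTS = {"svc_backup_legacy", "helpdesk_admin"}
# Decoy service/host name (hypothetical); a share nobody should ever open.
DECOY_SERVICES = {"fileshare-old.corp.example"}
# The only source allowed to touch decoys: the job that checks they still
# exist. Everything else is abnormal by definition.
MAINTENANCE_HOSTS = {"10.0.0.5"}

# Constructed sample log: one simplified auth event per line, JSON encoded.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:01Z","event":"logon","user":"alice","src":"10.0.1.10","dst":"fs01","result":"success"}
{"ts":"2024-05-01T08:00:07Z","event":"logon","user":"svc_backup_legacy","src":"10.0.1.44","dst":"fs01","result":"failure"}
{"ts":"2024-05-01T08:00:09Z","event":"logon","user":"svc_backup_legacy","src":"10.0.1.44","dst":"dc01","result":"success"}
{"ts":"2024-05-01T08:05:00Z","event":"logon","user":"helpdesk_admin","src":"10.0.0.5","dst":"dc01","result":"success"}
{"ts":"2024-05-01T08:07:12Z","event":"connect","user":"bob","src":"10.0.1.44","dst":"fileshare-old.corp.example","result":"success"}
"""


def parse_events(text):
    """Parse JSON-per-line events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def touched_decoy(ev):
    """Return the decoy this event touches, or None if it touches none."""
    if ev.get("user") in DECOY_ACCOUNTS:
        return ev["user"]
    if ev.get("dst") in DECOY_SERVICES:
        return ev["dst"]
    return None


def detect(events):
    """Return one high-severity alert per source host that touched a decoy.

    Failed logons are deliberately kept: an attacker trying a stolen honey
    credential is the signal we planted the decoy to catch."""
    by_src = defaultdict(lambda: {"decoys": set(), "events": []})
    for ev in events:
        decoy = touched_decoy(ev)
        if decoy is None or ev.get("src") in MAINTENANCE_HOSTS:
            continue
        rec = by_src[ev["src"]]
        rec["decoys"].add(decoy)
        rec["events"].append(ev)

    alerts = []
    for src, rec in sorted(by_src.items()):
        alerts.append({
            "severity": "high",
            "src": src,
            "decoys": sorted(rec["decoys"]),
            "first_seen": min(e["ts"] for e in rec["events"]),
            "count": len(rec["events"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the script produces a single alert for 10.0.1.44, the host that both guessed the decoy service account and browsed to the decoy share; alice's and the maintenance host's activity produce nothing, which is the low-noise property the paragraph describes.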
In this hands-on course, you will not only learn cyber deception theory and concepts, you will play an active role working with deception technology during more than 15 hours of guided exercises. By the end of the course, you will understand the value of cyber deception and have practical experience you can immediately draw on to protect your own computing environment.
You Will Learn:
- Why cyber deception completely changes the information security game
- How to use cyber deception to detect attackers on your network as much as 90% faster than through the use of traditional detection technologies
- How to collect actionable threat intelligence and attack attribution information through the use of deception technologies
- How to create an environment where attackers need to be perfect to avoid detection, while you need to be right only once to catch them
- How to actively engage attackers in real time
- How to thwart attacks before attackers send a single packet towards your network
- How to take back the advantage from attackers
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
- Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or a Linux distribution that can install and run the VMware virtualization products described below.
- Windows Credential Guard must be DISABLED (if running Windows as your host OS)
- Apple computers with the M1 processor (Apple Silicon) are NOT supported for use in class. Apple does not provide support for x86-based virtual machines under its Rosetta 2 x86 translation capability. Apple computers that use Intel processors are not affected by this issue and are still supported for use in-class.
- 64-bit Intel i5/i7 2.0+ GHz processor
- Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
- Enabled "Intel-VT"
- Intel's VT (VT-x) hardware virtualization technology must be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.
- 8 GB RAM (or more) is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
Hard Drive Free Space
- 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install VMware virtualization software and meet the additional software requirements as described below.
VMware Player Install
- VMware Workstation Player 15.5+, VMware Workstation Pro 15.5+, or VMware Fusion 11.5+.
- If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation Pro. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
- You must have administrator access to the host OS and to all installed security software.
- You must have the ability to reboot the laptop and log in (i.e., you must have valid credentials for any drive encryption or other security software installed).
Your course media will be delivered via download. The media files for class can be large, some in the 20 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads when you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using electronic workbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
"When I first started exploring the world of cyber deception, I was confused, to say the least. I didn't really understand what the fuss was all about. I viewed cyber deception as something akin to a next-gen honeypot. Honeypots? Really? Then one day it clicked. As I was looking at different ways honeypots could be deployed, I had a thought: What if I was trying to conduct a penetration test against an environment using these techniques? What would that be like? My short answer was that it would be terrible, and with that realization I finally understood. Unfortunately, that understanding generated more confusion for me. As I began to see how effective cyber deception could be, I began to have doubts. It can't be this good, can it? There has to be something I'm missing! After months of continued research, experimentation, and discussions with other deception practitioners I finally realized that I'd found what has been missing from the security industry: a way for defenders to take back the advantage! I've been passionate about the topic ever since. I also came to see that each and every person who truly understood cyber deception was every bit as passionate as I was, and that I needed to share this with as many people as I could." - Kevin Fiscus