What You Will Learn
Traditional defensive controls are failing us. The time it takes for an attacker to go from initial compromise to lateral movement is rapidly decreasing while the time it takes to detect and effectively respond to breaches is measured in weeks or even months. Making the situation worse, studies such as the 2020 Ponemon Institute Cost of a Data Breach Report show a direct correlation between the time it takes to detect and respond to a breach and the cost of that breach to an organization; the longer it takes, the more a breach costs. To reduce risk, defenders need better ways to quickly detect adversary activity while also collecting information to facilitate faster and more effective response. Cyber deception is the solution for reducing this response time and minimizing cost.
The majority of detective controls in use today focus on looking for evil, while attackers do a great job of appearing harmless or even invisible. Technologies such as anti-virus, application whitelisting, DLP, and firewalls can be circumvented with relative ease. A common solution is to change the detective strategy from looking for evil to looking for abnormal; however, attempting to normalize even fairly small computing environments can be both challenging and time-consuming. Fortunately, there are alternatives.
Instead of attempting to normalize a production environment, what if we placed resources in that environment that have no production value or use? These resources could be user accounts, credentials, services, open ports, computers, or even complete networks. Because these resources are not part of normal production operations, normal can be defined as no interaction or no use. Because there is no reason for legitimate interaction with these deceptive resources, any interaction is abnormal and there are very few false positive alerts, creating a high-fidelity, low-noise detection solution. Furthermore, because the deceptive resources can be monitored and/or configured to generate logs, defenders can collect significant amounts of actionable threat intelligence and attack attribution information, facilitating faster and more effective response. Better yet, this all occurs while the attacker is busy attempting to hack deceptive systems, distracting them from actual production resources.
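The detection logic described above reduces to a simple rule: keep an inventory of resources that have no production purpose, and treat any event that references one of them as an alert carrying attribution data. The following Python script is an added illustration of that rule and is not course material or code from SANS. The decoy account names, the decoy host address, the decoy file path, and the `<timestamp> <type> key=value` log format are all constructed for the example; a real deployment would feed events from its own log pipeline.

```python
"""Decoy-resource detection: any interaction with a deceptive asset is an alert.

Added example (not from the course). Inventory, log format and sample
events are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory of deceptive resources. None of these exist in
# production, so "normal" use of them is defined as zero interaction.
DECOY_ACCOUNTS = {"svc_backup_admin", "jsmith_finance"}
DECOY_HOSTS = {"10.10.50.77"}
DECOY_FILES = {"/srv/finance/Q3_payroll_FINAL.xlsx"}

# Constructed log format: "<ts> <auth|conn|file> key=value ..." (hypothetical,
# not a real product's format).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>auth|conn|file)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str        # when the decoy was touched
    kind: str      # which class of decoy (account, host, file)
    resource: str  # the decoy that was touched
    src: str       # attribution: where the interaction came from
    user: str      # attribution: which identity was used
    detail: str    # extra context from the event


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into a field dict; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["ts"] = m.group("ts")
    fields["kind"] = m.group("kind")
    return fields


def check_event(ev: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event references a decoy resource, else None.

    Ordinary production activity never matches, which is why the rule yields
    almost no false positives.
    """
    kind, src, user = ev["kind"], ev.get("src", "?"), ev.get("user", "?")
    if kind == "auth" and user in DECOY_ACCOUNTS:
        return Alert(ev["ts"], "decoy-account", user, src, user,
                     f"result={ev.get('result', '?')}")
    if kind == "conn" and ev.get("dst") in DECOY_HOSTS:
        return Alert(ev["ts"], "decoy-host", ev["dst"], src, user,
                     f"dport={ev.get('dport', '?')}")
    if kind == "file" and ev.get("path") in DECOY_FILES:
        return Alert(ev["ts"], "decoy-file", ev["path"], src, user,
                     f"op={ev.get('op', '?')}")
    return None


def detect(lines: List[str]) -> List[Alert]:
    """Run the decoy rule over a batch of log lines, skipping malformed ones."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def attribution(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Group alerts by source so responders see one origin's full sequence."""
    by_src: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a)
    return by_src


# Constructed sample events: legitimate activity from 10.10.20.15 and a
# sequence of decoy interactions from 10.10.20.99.
SAMPLE_LOGS = [
    "2021-03-04T09:12:01Z auth host=dc01 user=alice src=10.10.20.15 result=success",
    "2021-03-04T09:13:44Z file host=fs01 user=alice src=10.10.20.15 path=/srv/finance/budget.xlsx op=read",
    "2021-03-04T09:20:07Z auth host=dc01 user=svc_backup_admin src=10.10.20.99 result=failure",
    "2021-03-04T09:20:09Z conn src=10.10.20.99 dst=10.10.50.77 dport=445",
    "2021-03-04T09:21:30Z file host=fs01 user=bob src=10.10.20.99 path=/srv/finance/Q3_payroll_FINAL.xlsx op=read",
    "2021-03-04T09:25:00Z conn src=10.10.20.15 dst=10.10.50.10 dport=443",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"[ALERT] {a.ts} {a.kind} resource={a.resource} src={a.src} user={a.user} {a.detail}")
    for src, items in attribution(found).items():
        print(f"{src}: {len(items)} decoy interaction(s)")
```

Running the script flags only the three events from 10.10.20.99; the legitimate activity produces nothing, and the attribution grouping shows the whole sequence (failed decoy logon, connection to the decoy host, read of the decoy file) from a single source, which is the kind of context a responder needs before the attacker reaches production systems.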
SEC550: Cyber Deception - Attack Detection, Disruption and Active Defense will give you an understanding of the core principles of cyber deception, allowing you to plan and implement cyber deception campaigns to fit virtually any environment. During this hands-on class, you will not only learn deception theory and concepts but will also play an active role working with deception technology through over 15 hours of guided exercises. By the end of the class, you will not only understand the value of cyber deception but will also have practical experience you can immediately implement in your own computing environment.
You Will Learn:
- Why cyber deception completely changes the information security game
- How to use cyber deception to detect attackers on your network as much as 90% faster than traditional detection technologies
- How to collect actionable threat intelligence and attack attribution information through the use of deception
- How to create an environment where attackers need to be perfect to avoid detection, while you need to be right only once to catch them
- How to actively engage attackers in real time
- How to thwart attacks before attackers send a single packet towards your network
- How to take back the advantage from attackers
Syllabus (36 CPEs)
During the first section of class, we will focus on understanding the core problems associated with attack detection and response and how deception technology can solve those problems. We will look at how common attacker tactics and techniques can evade traditional protective and detective controls. We will see how even badly implemented deception provides benefits and what an ideal deception program looks like.
- Offensive techniques and tactics
- Evaluating obvious deception
- Deception done right
Understanding the Problem
- Problems with traditional protective and detective controls
- Why failures in detection significantly increase risk
Describing the Solution
- Understanding the OODA loop and how it can help your security program
- Introducing cyber deception: key benefits, elements, and components
Offensive Techniques and Controls Evasion
- See how attackers circumvent traditional security controls
- Introducing attack mapping frameworks: Lockheed Martin Cyber Kill Chain, Unified Kill Chain, and MITRE ATT&CK
- Learn how attackers can discover deception
- Understand what attackers can do if deception is discovered
Deception Done Right
- Effective deception plan overview
- Current state and future of cyber deception
- Developing an IT asset inventory to facilitate deception planning
- Data classification and business impact analysis to identify deception priorities
- Identifying and locating sensitive data using regular expressions
- Vulnerability identification
- Creating a user and group inventory
- Identifying technology usage patterns
Know Your Enemy
- Discover methods to understand attacker tactics and techniques
- How training in offensive tactics can improve your deception planning
- Using incident response and forensic skills to create better deception
- Using the Lockheed Martin Intrusion Kill Chain, the Unified Kill Chain and MITRE ATT&CK to learn about attacker activities
Deception Goals and Components
- Understanding common deception goals
- Using MITRE Shield to clarify deception and active defense objectives
- Preview deception components/elements
Deception and Virtualization
- Understand how virtualization can be used in deceptive environments
- Differences between full and container virtualization solutions
- The importance of DNS
- Attacks involving DNS
- DNS deception tactics and techniques
- Web deception tactics and techniques
- Web deception tools and honeypots
Port and Service Deception
- Differences between high interaction and low interaction honeypots
- Port and service deception tools, utilities and honeypots
- Port and service deception advantages and disadvantages
High Interaction Honeypots
- High interaction honeypot overview
- Configuration and instrumentation of high interaction honeypots
- Honeypot monitoring solutions
File and Folder Deception
- File and folder deception overview
- File system instrumentation and alerting
- How to generate credible deceptive data
In this section we will continue looking at deception program components. You will learn how to design, implement and use:
- Deceptive accounts and credentials
- Wireless and network deception
- Email and IoT deception
- Honeynets and honeypot distribution
- Creating deceptive accounts in Linux, WordPress, Active Directory, and in memory
- Responder, router, wireless deception plus TCP Tarpit with port redirection
- Conpot ICS honeypot use, testing, and customization
- Active attack response
Deceptive Accounts and Credentials
- Understanding attacks against accounts and credentials
- Deceptive countermeasures to credential attacks
- Deceptive persona creation, management, and use
- Understanding wireless attacks
- Wireless infrastructure deception
- Wireless client deception
- Wireless deception tools and utilities
- Generating and using deceptive network traffic
- Deceptive network devices
- Attacks involving email: phishing, spear phishing, and spam
- Anti-phishing deception strategies
- Anti-spam deception strategies
- IoT/OT/ICS Deception tools and utilities
- Honeynet overview
- Honeynet advantages and disadvantages
- Honeynet control and instrumentation
- Active Defense Harbinger Distribution (ADHD)
- BlackArch Linux
In this section of the class, you will learn fundamental concepts of deception with a focus on how to create a deception story that effectively influences attacker behavior. You will learn deception maxims, core concepts, and foundational ideas. You will then use everything learned throughout the class to develop a comprehensive deception plan. Next, you will learn methods to evaluate the effectiveness of your deception program. Lastly, you will gain an understanding of the legality of deception, how incident response differs in deceptive environments, along with a brief overview of commercial deception solutions.
A Capture the Flag challenge that draws on what you have learned over the previous five sections of the course.
- Capstone Exercise
Know Your Self
- Identifying host information
- Identifying vulnerabilities
- Investigating network traffic
- Identifying users and credentials
Know Your Enemy and Your Goals
- Reviewing MITRE ATT&CK
- Applying MITRE Shield
- Solve deception challenges
- Basic understanding of Windows and Linux
- Basic understanding of network protocols and network traffic analysis
- Basic understanding of offensive hacker techniques
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
- Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
- Windows Credential Guard must be DISABLED (if running Windows as your host OS)
- Apple computers with the M1 processor (Apple Silicon) are NOT supported for use in class. Apple does not provide support for x86-based virtual machines under its Rosetta 2 x86 translation capability. Apple computers that use Intel processors are not affected by this issue and are still supported for use in-class.
- 64-bit Intel i5/i7 2.0+ GHz processor
- Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
- Enabled "Intel-VT"
- Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.
- 8 GB RAM (or more) is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
Hard Drive Free Space
- 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install VMware virtualization software and meet the additional software requirements as described below.
VMware Player Install
- VMware Workstation Player 15.5+, VMware Workstation Pro 15.5+, or VMware Fusion 11.5+.
- If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation Pro. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
- You must have administrator access to the host OS and to all installed security software.
- You must have the ability to reboot the laptop and log in (i.e., you must have valid credentials for any drive encryption or other security software installed).
Your course media will be delivered via download. The media files for class can be large, some in the 20 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads when you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using electronic workbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
"When I first started exploring the world of cyber deception I was confused, to say the least. I did not really understand what the fuss was all about. I viewed cyber deception as something akin to a next-gen honeypot. Honeypots? Really? Then one day, it clicked. As I was looking at different ways honeypots could be deployed, I had a thought. What if I was trying to conduct a penetration test against an environment using these techniques? What would that be like? My short answer was it would be terrible, and with that realization, I finally understood. Unfortunately, that understanding generated more confusion for me. As I began to see how effective cyber deception could be, I began to have doubts. It cannot be this good! There has to be something I am missing. After months of continued research, experimentation, and discussions with other deception practitioners, I finally realized that I had found what has been missing from the security industry. I had finally found a way that defenders can finally take back the advantage! I have been passionate about the topic ever since. I also came to realize that each and every person that truly understood cyber deception was every bit as passionate as I was and that I needed to share this with everyone." - Kevin Fiscus