
Deception in action.
How to detect APT and break the kill chain

Alex Lozikoff, CISSP
BDM, Softprom
2018 Statistics
• New CVEs: 14 760
• High score CVEs: 3 782 (23%)
• Average cost of a single breach: 4 860 000 USD
• 24 000 malicious apps are blocked every day
• IoT attack growth rate: 600%
• Ransomware growth rate: 350%
• Average TTD (dwell time) in EMEA: 109 days
• 230 000 new malware samples are produced every day

81% of victims had no detective controls in place



Detection problems

Traditional NIDS
• High false positives
• High false negatives
• Resource intensive
• Unable to handle encrypted traffic
• Relies on timely updates

HIDS
• Relies on timely updates
• Can be disabled
• Limited usability in non-PC environments

SIEM/UEBA
• Complex, expensive
• High false positives
• Data overload
TrapX Deception Grid
Deception based IDS - reduces TTD (dwell time) to minutes.

- Rapid detection of threats no matter which vulnerabilities/exploits are used
- Slowing down attacks using low interaction deception elements (tokens)
- Automatic mitigation using integration with other IS tools (NAC/FW/EDR)
TrapX Security Overview
Founded in 2012. Backed by Intel, BRM, Opus, Liberty and Strategic Cyber Ventures. Branches in US, Mexico, UK and Israel.

Best APT Solution

TRUSTED BY OVER 300 CUSTOMERS AND PARTNERS GLOBALLY


Discover
Automatically collect information on the network

Deploy a Shadow Network In Minutes
• Deploy Traps: automatically deploy traps camouflaged to match real assets
• Deploy Baits: automatically deploy bait to lure attackers from real assets to traps

Trigger Mitigation
Visibility - Analysis - Mitigate
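As an added example (not TrapX code), the trigger step above expressed as detection logic: a small Python checker that flags any event touching a trap host or using a bait credential, maps each hit to the mitigation a NAC/FW/EDR integration would perform, and reports the time from the first observed event to the first alert. The trap addresses, bait account names and log lines are constructed for the example.

```python
from datetime import datetime

# Constructed deception inventory (hypothetical hosts and account names).
# Neither a trap host nor a bait account has any legitimate consumer, so a
# single reference to one is enough to alert: no signature, no threshold.
TRAP_HOSTS = {"10.0.5.21": "decoy-fileserver", "10.0.5.22": "decoy-plc"}
BAIT_ACCOUNTS = {"svc_backup_old", "adm_legacy"}

# Constructed log lines in a simplified "<ts> <type> k=v ..." format.
SAMPLE_LOGS = [
    "2018-11-05T09:00:00 logon src=10.0.1.7 dst=10.0.1.50 user=jdoe",
    "2018-11-05T09:02:10 smb src=10.0.1.7 dst=10.0.5.21 user=jdoe",
    "2018-11-05T09:03:40 logon src=10.0.1.7 dst=10.0.1.60 user=svc_backup_old",
    "2018-11-05T09:04:00 logon src=10.0.1.9 dst=10.0.1.50 user=asmith",
]

def parse(line):
    """Split one constructed log line into a dict of fields."""
    ts, kind, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["kind"] = kind
    return ev

def classify(ev):
    """Return (severity, reason, action) for a deception hit, else None."""
    if ev["dst"] in TRAP_HOSTS:
        return ("high", f"trap touched: {TRAP_HOSTS[ev['dst']]}",
                f"isolate {ev['src']} (NAC)")
    if ev["user"] in BAIT_ACCOUNTS:
        return ("critical", f"bait credential used: {ev['user']}",
                f"block {ev['src']} (FW) and quarantine host (EDR)")
    return None

def analyse(lines):
    """Return (alerts, ttd_seconds): alerts as (ts, src, severity, reason,
    action) tuples, and the seconds from the first event to the first alert."""
    events = [parse(l) for l in lines]
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append((ev["ts"].isoformat(), ev["src"]) + hit)
    ttd = None
    if alerts:
        ttd = (datetime.fromisoformat(alerts[0][0]) - events[0]["ts"]).total_seconds()
    return alerts, ttd

if __name__ == "__main__":
    alerts, ttd = analyse(SAMPLE_LOGS)
    for a in alerts:
        print(*a)
    print("time to detect (s):", ttd)
```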


TrapX Deception Grid Multi Tier Architecture
• Agentless, injected credentials, SMB shares, deceptive files…
• Central distribution: SCCM, GPO…
• Windows, Linux, MAC, FTP, SMB, SSH, HTTP, SWIFT…
• SCADA, network devices, VoIP, printers, PoS, ATM, cameras, medical devices…
• MSSQL, RDP, broadcast
• Gold image and any application
• AWS, ESX, Hyper-V, KVM, IS hardware, MSSP

DeceptionGrid: highly credible deception
TrapX Deception Grid Advantages
• Active way of defense
• Vulnerability agnostic, no signatures
• Ability to detect 0-day attacks
• Small data sets – “right data” vs “big data”
• Visibility of “horizontal” traffic
• Near “zero” false positives
• Software solution, fast and low friction deployment
• No network changes needed
• No agent = no risk for availability
• SCADA/IoT/non-PC ready
• TrapX + partner ecosystem (McAfee, Palo Alto, Cisco, CheckPoint, CB, Portnox, etc) = deception based IPS
What does Gartner say?

• Security and risk management leaders …should include deception tools in their stack. These tools are enterprise-ready and fully capable of delivering on five key use cases:
  • Basic threat detection
  • Detection and response
  • Production of local IoC and MRTI
  • Integrated proactive threat hunting
  • Active attacker engagement

• By 2022, 25% of all threat detection products will embed deception features and functionality (Gartner, 2019)
Deception Adoption

• Ponemon Institute survey in the USA, November 2018: 17 000 CISOs involved, 45% are going to use deception in the next 12 months (Ponemon)

• “The FMI should seek to continuously explore new technologies and techniques inhibiting lateral movement (e.g. deception mechanisms) which trigger alerts and inform the FMI of potential malicious activity when accessed...”
(Cyber resilience oversight expectations for financial market infrastructures, by European Central Bank, 2018)
Trap creation
Dashboard
Event information - infection
Event information - intrusion
Event information – RDP bruteforce
SWIFT Web Platform attack
Attack map
Thank You
Alex Lozikoff
itsecurity@softprom.com