Lateral Movement Threat Detection to Enhance Security Consolidation
Illusive Networks and Microsoft 365 E5 Integration
What If You Could Operate in a ‘000’ World?
• Zero privileged accounts accessible to attackers
• Zero false positive alerts to distract defenders
• Zero wasted investigation time to slow responders
Illusive Can Help Build a ‘000’ World
• Create the illusion of an expanded attack surface
• Shrink the true attack surface
• Deliver analytics and actionable insights
100% Agentless
[Diagram: Cloud ‘A’, Cloud ‘Z’ and Data Center, showing three kinds of attacker movement]
• Cloud movement: across/within clouds
• Vertical movement: to/from cloud
• Lateral movement: across endpoints, data centers, networks
The Goal: Stop Attacker Lateral Movement
Credentials and Host-to-Host Connections Are the Attacker’s “Fuel”
Excess credentials and connections:
• Enable attack movement no matter where the attacker lands
• Allow for evasion of other tools
• Disguise attackers in a veil of normalcy or false positive alerts
Shrink the True Attack Surface
Attack Surface Manager
• View the attack surface through the lens of the attacker
• Identify and remove errant credentials, connections and attack pathways
Verizon reports 80% of attacks use stolen credentials
Illusive has assessed ~500K endpoints and found:
• 19% contained accessible privileged credentials
• Many environments were much worse
Create the Illusion of an Expanded Attack Surface
Attack Detection System
• Deploy agentless, highly authentic data, device, and decoy deceptions
• Across Data Center, IIoT/IoT, Cloud
• Force attackers to reveal themselves without generating false positives
• Undefeated vs. 110+ red teams (Mandiant, Cisco, Microsoft, DOD)
“Organizations seeking to enhance their security posture with highly realistic, efficient, easy-to-deploy deception technology should take a close look at Illusive’s real-time, automated platform.”
Enterprise Strategy Group
Analytics and Actionable Insights Speed Response
Attack Intelligence System
• Cut research time with on-detection and on-demand source forensics
• Build threat intelligence with rich interactive target forensics
Customers report 60-90% reduction of SOC analyst investigation time, increasing SOC capacity at least 2X
Illusive Is Critical for an Enterprise Abiding by MITRE Shield ‘Active Defense’
MITRE Shield is a security knowledge base designed to capture and organize what MITRE is learning about “active defense” and adversary engagement, and it is of great importance to security customers.
“Active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations”
MITRE sees deception as a must-have in the modern security stack
Shield includes 8 active defense tactics and 33 defensive techniques
Illusive and MITRE Shield: Enabling ‘Active Defense’ – Deception Is Essential
[MITRE Shield matrix: the columns are the eight active defense tactics (Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test) and each column lists the defensive techniques that apply to that tactic. The 33 techniques across the matrix are: Admin Access, API Monitoring, Application Diversity, Backup and Recovery, Baseline, Behavioral Analytics, Burn-In, Decoy Account, Decoy Content, Decoy Credentials, Decoy Diversity, Decoy Network, Decoy Persona, Decoy Process, Decoy System, Detonate Malware, Email Manipulation, Hardware Manipulation, Hunting, Isolation, Migrate Attack Vector, Network Diversity, Network Manipulation, Network Monitoring, PCAP Collection, Peripheral Management, Pocket Litter, Protocol Decoder, Security Controls, Software Manipulation, Standard Operating Procedure, System Activity Monitoring, User Training. The per-tactic mapping did not survive extraction; see the source matrix.]
shield.mitre.org/matrix
Microsoft 365 E5 and Illusive
Why Target Additional Security for the Consolidating Enterprise?
• Ensuring Active Defense as advanced threats continue to evolve
• The massive global shift to working from home increases insider threat risk, while existing incumbent anomaly detection tools are rendered ineffective by the WFH shift
• The current recession demands tools that are efficient, effective, and low in overall TCO
• Well-funded nation-state attackers, or insider threats, demand an advanced, efficient, and high-fidelity response from an innovative tool with a proven record of being undefeated against red teams
Illusive Brings Critical Security Capabilities to a Customer Consolidating Security Tools around Microsoft
Use Cases – Illusive Networks and Microsoft 365 E5
Find & Fix Identity Risk Conditions in Microsoft Environments
1. USER CREDENTIALS: Finds Microsoft Active Directory creds & hosts with stored credentials that could allow attackers to expand their foothold
2. CROWN JEWELS CONNECTIONS: Finds connections to the organization’s critical assets
3. LOCAL ADMINS: Finds hosts with local admin credentials that could be used to execute admin-level actions
4. WINDOWS SHADOW ADMINS: Finds high-privilege users & groups that are not members of known groups (domain admins, etc.)
5. MICROSOFT AZURE PRIVILEGED IDENTITIES: Microsoft Azure AD configuration and integration
Deception Strategy Based on Microsoft Environment & Tools
Leverage Active Directory objects, Azure cloud-to-cloud deceptions, and MS Office files to create authentic-looking deceptions to stop attacker movement on-prem and in the cloud
• Customize the deceptive strategy with a “story” for each endpoint
• Use a gradient of believability to further complicate the problem for the attacker
• Automatically update the deception strategy based on changes in the environment so that the deceptions are continuously relevant
Deceptive Microsoft Office Beacon Files
• Detect and stop malicious insiders
• Turn real or deceptive Word and Excel files into a beacon for early attack detection
• Easy, customized deployment of deceptions at scale
[Workflow diagram with four numbered steps across the Illusive Mgmt Server, Office Deceptions, Illusive Console and SOC IR]
1. MS deceptions deployed (Illusive Mgmt Server to Office deceptions)
2. Deception / beacon tripped
3. Real-time forensics (beaconized intel from the Illusive Console to SOC IR)
4. Isolate & contain
Protect IoT, OT, and Network Devices
• Eliminate threat detection blind spots. Capture rich forensics for attacker tactics & methods
• Flood network with authentic looking, deceptive OT infrastructure, IoT devices, switches, routers, printers, more…
• Frictionless deployment. No infrastructure interruption
[Workflow diagram with four numbered steps across the Illusive Mgmt Server, OT Emulation, Illusive Console and SOC IR]
1. Select & deploy device emulations (Illusive Mgmt Server to OT emulation)
2. Emulation tripped
3. Real-time forensics (Illusive Console to SOC IR)
4. Isolate & contain
Illusive Forensics on Demand for Microsoft 365 E5
[Diagram: forensics answer Who, What, Where]
• Automated forensics collection for any system-generated security event - even from other cybersecurity solutions deployed
• Leverage E5 components (like MD ATP) to respond to Illusive alerts
• Agentless retrieval from target system in <1s
• Rich artifact timeline for correlation against other Microsoft security tools (like Microsoft Sentinel or MD ATP)
• Increases SOC efficiency, speeds incident response
Instant forensic intelligence for ANY alert
• Collected automatically
  › REST API call
  › User request
  › Tripping a deception
• Volatile and non-volatile data
• Screenshots
• PowerShell and command line history
• Attack path to domain admins and crown jewels
Who benefits from real-time forensics collection?
• No EDR
• EDR
• Every organization
Illusive Forensics on Demand – At a Glance
Democratized Forensic Data Enables Shift Left
Triage Time per Incident With Illusive Precision Forensics*
Empower Tier 1 and 2, free up Tier 3 for what truly matters

Tier     Triage time before   Triage time after   Avg incidents/day before   Incidents/day after   Time saved
Tier 1   20min                1 to 5min           20                         80 to 400             ~5hrs per day/per analyst
Tier 2   60min                <10min              6                          >36                   ~5hrs per day/per analyst
Tier 3   180min               <30min              2                          >10                   ~5hrs per day/per analyst

*Times can vary depending on uniqueness of incident, triage path and technical expertise of staff
SHIFT LEFT
Illusive and Microsoft 365 E5 Together
• Deceptions based on Azure AD, Office and more
• Attack surface management in Microsoft environments
• Agentless protection ideal for environments beyond Microsoft
• Illusive forensics reduce triage and investigation time
Triple zero within reach – no exposed connections, false positives or wasted investigation time
THANK YOU
www.illusivenetworks.com