
Lateral Movement Threat Detection to Enhance Security Consolidation

Illusive Networks and Microsoft 365 E5 Integration

What If You Could Operate in a ‘000’ World?

• Zero privileged accounts accessible to attackers
• Zero false positive alerts to distract defenders
• Zero wasted investigation time to slow responders

Illusive Can Help Build a ‘000’ World

• Shrink the True Attack Surface
• Create the Illusion of an Expanded Attack Surface
• Deliver Analytics and Actionable Insights

100% Agentless

The Goal: Stop Attacker Lateral Movement

Diagram: Cloud ‘A’, Cloud ‘Z’ and the Data Center, with three kinds of attacker movement:
• Cloud movement – across/within clouds
• Vertical movement – to/from cloud
• Lateral movement – across endpoints, datacenters, networks

Credentials and Host-to-Host Connections Are the Attacker’s “Fuel”

Excess credentials and connections:
• Enable attack movement no matter where the attacker lands
• Allow for evasion of other tools
• Disguise attackers amid normal-looking activity or false positive alerts

Shrink the True Attack Surface

Attack Surface Manager
• View the attack surface through the lens of the attacker
• Identify and remove errant credentials, connections and attack pathways

Verizon reports 80% of attacks use stolen credentials.

Illusive has assessed ~500K endpoints and found:
• 19% contained accessible privileged credentials
• Many environments were much worse

Create the Illusion of an Expanded Attack Surface

Attack Detection System
• Deploy agentless, highly authentic data, device, and decoy deceptions
• Across Data Center, IIoT/IoT, Cloud
• Force attackers to reveal themselves without generating false positives
• Undefeated vs. 110+ red teams (Mandiant, Cisco, Microsoft, DOD)

“Organizations seeking to enhance their security posture with highly realistic, efficient, easy-to-deploy deception technology should take a close look at Illusive’s real-time, automated platform.” – Enterprise Strategy Group

Analytics and Actionable Insights Speed Response

Attack Intelligence System
• Cut research time with on-detection and on-demand source forensics
• Build threat intelligence with rich interactive target forensics

Customers report a 60-90% reduction of SOC analyst investigation time, increasing SOC capacity at least 2X.

Illusive Is Critical for an Enterprise Abiding by Shield ‘Active Defense’

MITRE Shield is a security knowledge base designed to capture and organize what MITRE is learning about “active defense” and adversary engagement, and it is of great importance to security customers. In MITRE’s words: “Active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations.”

MITRE sees deception as a must-have in the modern security stack.

Shield includes 8 active defense tactics and 33 defensive techniques.

Illusive and MITRE Shield: Enabling ‘Active Defense’ – Deception Is Essential

Slide: the Shield matrix (shield.mitre.org/matrix), one column per tactic (Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test), listing the techniques under each. The 33 techniques shown are: Admin Access, API Monitoring, Application Diversity, Backup and Recovery, Baseline, Behavioral Analytics, Burn-In, Decoy Account, Decoy Content, Decoy Credentials, Decoy Diversity, Decoy Network, Decoy Persona, Decoy Process, Decoy System, Detonate Malware, Email Manipulation, Hardware Manipulation, Hunting, Isolation, Migrate Attack Vector, Network Diversity, Network Manipulation, Network Monitoring, PCAP Collection, Peripheral Management, Pocket Litter, Protocol Decoder, Security Controls, Software Manipulation, Standard Operating Procedure, System Activity Monitoring, User Training.

Microsoft 365 E5 and Illusive: Why Target Additional Security for the Consolidating Enterprise?

Illusive brings critical security capabilities to a customer consolidating security tools around Microsoft:
• Ensuring Active Defense as advanced threats continue to evolve
• The massive global shift to working from home increases insider-threat risk, while existing incumbent anomaly detection tools are rendered ineffective by the WFH shift
• The current recession calls for tools that are efficient, effective, and low in overall TCO
• Well-funded nation-state attackers, or insider threats, demand an advanced, efficient, and high-fidelity response from an innovative tool with a proven record of being undefeated against red teams

Use Cases – Illusive Networks and Microsoft 365 E5

Find & Fix Identity Risk Conditions in Microsoft Environments

1. USER CREDENTIALS – Finds Microsoft Active Directory creds & hosts with stored credentials that could allow attackers to expand their foothold
2. CROWN JEWELS CONNECTIONS – Finds connections to the organization’s critical assets
3. LOCAL ADMINS – Finds hosts with local admin credentials that could be used to execute admin-level actions
4. WINDOWS SHADOW ADMINS – Finds high-privilege users & groups that are not members of known groups (domain admins, etc.)
5. MICROSOFT AZURE PRIVILEGED IDENTITIES – Microsoft Azure AD configuration and integration

Deception Strategy Based on Microsoft Environment & Tools

Leverage Active Directory objects, Azure cloud-to-cloud deceptions, and MS Office files to create authentic-looking deceptions to stop attacker movement on-prem and in the cloud.
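As an added illustration of what the “Shrink the True Attack Surface” slide and the use cases above describe (stored credentials, connections to crown jewels, attack pathways), the following Python is example code written for this page, not Illusive’s product code. It models a constructed inventory of hosts, cached credentials and admin rights as a graph, finds the shortest credential-hop path from each endpoint to a crown jewel, reports the share of exposed endpoints, and lets you re-run the analysis on a cleaned inventory to see which removals actually cut the path.

```python
from collections import deque

# Constructed sample inventory (not real data): privileged credentials found cached
# on each host, the hosts each credential has admin rights on, and the crown jewels.
CACHED_CREDS = {
    "WS-101": {"jsmith", "svc-backup"},
    "WS-102": {"jsmith"},
    "WS-103": set(),
    "SRV-FILE01": {"svc-backup", "da-admin"},
    "SRV-DB01": {"da-admin"},
}
ADMIN_ON = {
    "jsmith": {"WS-102", "SRV-FILE01"},
    "svc-backup": {"SRV-FILE01", "SRV-DB01"},
    "da-admin": {"SRV-DB01", "DC01"},
}
CROWN_JEWELS = {"DC01", "SRV-DB01"}


def shortest_path(start, cached=CACHED_CREDS, admin_on=ADMIN_ON, jewels=CROWN_JEWELS):
    """Breadth-first search over host-to-host hops. A hop A -> B exists when a
    credential cached on A has admin rights on B. Returns the shortest list of
    (from_host, credential, to_host) hops that reaches a crown jewel, or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        host, path = queue.popleft()
        if host in jewels:
            return path
        for cred in sorted(cached.get(host, ())):
            for nxt in sorted(admin_on.get(cred, ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(host, cred, nxt)]))
    return None


def exposure_report(cached=CACHED_CREDS, admin_on=ADMIN_ON, jewels=CROWN_JEWELS):
    """Shortest path to a crown jewel for every non-jewel host; None means the
    host offers no credential-hop path and is not part of the true attack surface."""
    return {h: shortest_path(h, cached, admin_on, jewels)
            for h in sorted(cached) if h not in jewels}


def exposure_rate(cached=CACHED_CREDS, admin_on=ADMIN_ON, jewels=CROWN_JEWELS):
    """Share of non-jewel hosts from which a crown jewel is reachable."""
    report = exposure_report(cached, admin_on, jewels)
    return sum(p is not None for p in report.values()) / len(report)
```

Passing a modified copy of CACHED_CREDS to exposure_report shows that removing the two cached credentials on SRV-FILE01 cuts WS-102 off from the crown jewels while WS-101 stays exposed through svc-backup, which is the kind of prioritised clean-up the attack surface manager is meant to drive.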

• Customize the deceptive strategy with a “story” for each endpoint
• Use a gradient of believability to further complicate the problem for the attacker
• Automatically update the deception strategy based on changes in the environment so that the deceptions are continuously relevant

Deceptive Microsoft Office Beacon Files

• Turn real or deceptive Word and Excel files into a beacon for early attack detection
• Easy, customized deployment of deceptions at scale
• Detect and stop malicious insiders

Flow: 1 MS deceptions deployed › 2 Deception / beacon tripped › 3 Real-time forensics › 4 Isolate & contain
Diagram components: Illusive Management Server, Office deceptions, beaconized intel, Illusive Console, SOC, IR

Protect IoT, OT, and Network Devices

• Flood the network with authentic-looking, deceptive OT infrastructure, IoT devices, switches, routers, printers, more…
• Eliminate threat detection blind spots. Capture rich forensics for attacker tactics & methods
• Frictionless deployment. No infrastructure interruption

Flow: 1 Select & deploy device emulations › 2 Emulation tripped › 3 Real-time forensics (who, what, where) › 4 Isolate & contain
Diagram components: Illusive Management Server, OT emulation, Illusive Console, SOC, IR

Illusive Forensics on Demand for Microsoft 365 E5

Instant forensic intelligence for ANY alert

• Automated forensics collection for any system-generated security event, even from other cybersecurity solutions deployed
• Leverage E5 components (like MD ATP) to respond to Illusive alerts
• Agentless retrieval from the target system in <1s
• Rich artifact timeline for correlation against other Microsoft security tools (like Microsoft Sentinel or MD ATP)
• Increases SOC efficiency, speeds incident response

Illusive Forensics on Demand – At a Glance
• Collected automatically
  › REST API call
  › User request
  › Tripping a deception
• Volatile and non-volatile data
• Screenshots
• PowerShell and command line history
• Attack path to domain admins and crown jewels

Who benefits from real-time forensics collection?
• No EDR
• EDR
• Every organization

Democratized Forensic Data Enables Shift Left

Triage Time per Incident With Illusive Precision Forensics

SHIFT LEFT

                    Tier 1               Tier 2               Tier 3
                    Before    After      Before    After      Before    After
Triage time         20min     1 to 5min  60min     <10min     180min    <30min
Incidents per day   Avg 20    80 to 400  Avg 6     >36        Avg 2     >10
Time saved          ~5hrs per day/per analyst, in each tier

Empower Tier 1 and 2, free up Tier 3 for what truly matters.
*Times can vary depending on uniqueness of incident, triage path and technical expertise of staff.

Illusive and Microsoft 365 E5 Together

• Attack surface management in Microsoft environments
• Deceptions based on Azure AD, Office and more
• Agentless protection ideal for environments beyond Microsoft
• Illusive forensics reduce triage and investigation time

Triple zero within reach – no exposed connections, false positives or wasted investigation time.

THANK YOU

www.illusivenetworks.com