2023-10-15, Westin - Munich
Breaches keep happening at unprecedented levels, with huge financial impact on the global economy year after year.
Our traditional approach to breach detection that is focused on triaging alerts generated by massive amounts of data from disparate sources is not working. Adversaries know this fact and regularly benefit from it.
The average breach goes unnoticed for 212 days. That’s an ample amount of time for anyone to surreptitiously run off with the crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage.
We need a new approach if we’re ever going to stop the madness. Hackers also deserve a better opponent.
This talk discusses a different way of thinking about breach detection that is intended to reduce the number of false positives, improve alert fidelity, reduce time-to-detection, and prevent the massive level of burnout affecting our industry.
We will cover the history of breach detection, the current state of affairs, the paradigm shift to new ways of thinking about the problem, and many practical examples of how to deploy effective breach detection technology.
Detailed Talk Outline
- Intro
  a. A little background about myself and why I’m here
  b. A brief overview of the topic, why it’s important, and what I hope you (the hackers) will get out of it
- Why Are Breaches So Common?
  a. Brief history of breach detection
  b. Why the conventional method for detection doesn’t work
  c. The cost and impact of continuing down the same path
- How we can detect breaches and prevent catastrophes
  a. Past, present, and future of deception technology
  b. Why deception technology is designed for real-time breach detection
  c. Real-world examples of disasters that have been averted using deception technology
  d. An important note on being so good at deception that your adversaries will question their reality
- Getting started with breach detection technology
  a. The difference between honeypots and honeytraps and where each thrives
  b. Honeypot deep dive - guidance on how to deploy them for maximum benefit
  c. Honeytoken deep dive - guidance on how to deploy these digital tripwires for maximum benefit
  d. Honeytoken types and deployment examples
     1. Credentials (AWS API Keys, Slack tokens)
     2. Cloud storage buckets (AWS S3)
     3. Documents (Google Docs, Microsoft Word, PDFs)
     4. Binaries, processes, and DLLs
     5. Cloned websites
     6. VPNs
     7. QR codes
     8. Kubernetes
     9. Web bugs and redirects
     10. DNS
     11. Log4Shell
     12. Databases
     13. Emails
- Putting it all together
  a. Configuring high-fidelity, low-volume alerts and effectively triaging them
  b. How to not let bad guys know that you’re trying to dupe them
  c. Integrating deception tech with existing systems like a SIEM for better DFIR
  d. Creating a complex minefield of deception inception using multiple layers and levels of trickery
  e. Final notes and Q&A
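As an added illustration of the credential-honeytoken and high-fidelity-alert items in the outline above (this is example code written for this page, not material from the talk), the snippet below keeps a registry of planted, permission-less access key IDs and scans constructed CloudTrail-style log lines for any use of them; the key IDs, file locations and log records are all made-up placeholders. Because a decoy key is never used legitimately, a single match is an incident, and repeated calls from one source are collapsed into one alert that names the decoy the intruder read.

```python
import json

# Constructed honeytoken registry: the key IDs are fabricated placeholders
# (not real AWS keys); each maps to where it was planted so an alert can say
# exactly which decoy the intruder touched.
HONEYTOKENS = {
    "AKIAEXAMPLEHONEY00001": "ops-wiki:/runbooks/backup-restore.md",
    "AKIAEXAMPLEHONEY00002": "jump-host:/home/deploy/.aws/credentials",
}

# Constructed CloudTrail-style records, one JSON object per line, standing in
# for the feed a SIEM would forward. The third line is deliberately malformed.
SAMPLE_LOG = """\
{"eventTime":"2023-10-15T09:12:44Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAREALPRODKEY000001"},"sourceIPAddress":"10.0.4.12"}
{"eventTime":"2023-10-15T09:13:02Z","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAEXAMPLEHONEY00001"},"sourceIPAddress":"203.0.113.7","errorCode":"AccessDenied"}
this line is not JSON
{"eventTime":"2023-10-15T09:13:05Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLEHONEY00001"},"sourceIPAddress":"203.0.113.7","errorCode":"AccessDenied"}
{"eventTime":"2023-10-15T09:20:00Z","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLEHONEY00002"},"sourceIPAddress":"198.51.100.9"}
"""


def detect_honeytoken_use(log_text, registry=HONEYTOKENS):
    """Return one alert per (key, source IP) pair that used a planted key.
    Success or AccessDenied makes no difference: the key has no real
    permissions, so reaching an API call at all means the decoy was read."""
    alerts = {}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the pipeline
        if not isinstance(event, dict):
            continue
        key = (event.get("userIdentity") or {}).get("accessKeyId")
        if key not in registry:
            continue  # legitimate key: this rule never fires on normal traffic
        src = event.get("sourceIPAddress")
        # Collapse repeated calls from one source into a single alert so the
        # analyst gets a short, high-fidelity queue, not one row per API call.
        alert = alerts.setdefault((key, src), {
            "severity": "critical", "key_id": key, "planted_in": registry[key],
            "source_ip": src, "first_seen": event.get("eventTime"), "calls": [],
        })
        alert["calls"].append(event.get("eventName"))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_honeytoken_use(SAMPLE_LOG):
        print(json.dumps(alert))
```

Each returned alert is a plain dict, so it can be forwarded to a SIEM as JSON, with `planted_in` telling the responder which host or document to examine first.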
breach, detection, deception
I’m a passionate and seasoned security professional with over 17 years of experience in the industry across a variety of security domains and disciplines.
My career started as a cryptographer at NASA working on the secure messaging system used by the International Space Station. During a focused and driven career, I’ve had the opportunity to work across a multitude of different industries and roles ranging from security architecture to offensive security to DevSecOps and everything in between.
My most recent endeavors have been focused on helping others improve their ability to rapidly detect breaches and generally bolster their overall security posture with simple and pragmatic means and methods.
I embrace any opportunity to teach fundamental security concepts to those who need help but have no idea where to look, and I pride myself on being able to break down and articulate complex topics in a fun, interesting, and engaging manner that appeals to people from all backgrounds.