Presenter:
Transcript:
Morning everybody, HOU.SEC.CON. Hi. Welcome to ballroom C, track five. Just to, you know, get your grounding: you're here for this talk before lunch, by someone who has 28 years of experience across industry markets, including oil and gas, chemical, automotive, power, water and DoD, with full-cycle expertise from sales and R&D to hands-on engineering, installation and support.
Skilled in IT/OT systems, PLC programming, motion control, networking and industrial protocols. GICSP certified, ISA/IEC 62443 certified instructor, with certifications from Armis, Fortinet and Nozomi Networks. I wish I didn't mess anything up. Here to present to you, Mr. Patric Dove, on Unlocking the Power of Deception Technology: A Proactive Approach to Defending Oil and Gas Networks.
Mr. Dove, the floor is yours. No. Okay. Is the mic working now? All right. Great. Thank you, everyone, for coming in. All right. An introduction to deception technology. So why this topic? Right. Risk and safety in oil and gas is paramount, and we can tie them together, right? So there are high-consequence operations.
We've got cyber risks that directly tie to our safety, air and environmental, and continuity. So, you know, we're all used to hearing HSE, right? Health, safety and environmental, and cyber directly ties to that. You know, our recent reality is people have talked about these things a lot, but it's still good to mention them.
Colonial Pipeline, right, was forced to shut down back in 2021. End of 2024, in December, the Turks and Caicos Islands government was the victim of a ransomware attack, resulting in major disruption to services. We've seen Volt Typhoon and its long-term pre-positioning in US critical infrastructure, based on CISA reporting from '23 and '24, as well as ICS-capable toolkits like Pipedream and Incontroller from 2022.
We also saw Triton/Trisis targeting safety systems in 2017. Now we've got more standards and mandates coming out, right? So based on Colonial Pipeline, TSA security directives: they've enhanced them every year, made them stronger, more stringent. 62443 is becoming more widely adopted. We now have, you know, NIST version two, and so we're trying to align with these standards.
We're trying to be in compliance. We're trying to make sure that bad things don't happen, to keep our names out of the headlines. So traditional controls: we've got perimeter and remote access that are porous, right? We find ourselves falling victim to phishing attacks. A lot of things in oil and gas have third-party access, whether that's, you know, remote service providers, or service providers out on our rigs, or we're getting information back from our pipelines, or in our downstream we've got our DCS vendors that have a constant connection, right?
Our Honeywells, our Schneider Electrics, our Siemens. Right. So again, we've got that perimeter remote access stuff where we're letting people in, in a lot of cases intentionally, and poor endpoint monitoring, application gaps, legacy systems. Right. There are still Windows 98, Windows XP, Windows 7 things out there that can no longer be updated, but that are still being run.
And we can't really deploy EDR or agents on those. We also have east-west blind spots. In a lot of cases, we have partial segmentation. We have unmanaged assets. Maybe some traffic is being encrypted and we're not able to see it. Okay. We also have signal and noise problems, meaning alert fatigue. I had a call with a company a few weeks ago where they were talking about their Nozomi Networks implementation, and they were getting 10,000 alerts a day.
They had finally whittled that down after a couple of years to 400 alerts per day. Who can manage that? Right. Are those valid alerts? Are they right? And so alert fatigue is clearly a very real thing. Right. And then early-stage lateral movement is often very subtle and easy to miss, especially if there's some living off the land going on.
So why deception? Why now? And potentially, where does it fit? So the big advantage is that it's low noise, right? It's sitting there, it's quiet. It's waiting for somebody to come in and do something that they shouldn't be doing. So you're not going to get the alert fatigue, because false positives are extremely rare.
You also get early insight, and you also get misdirection, which buys you time. If anybody sat in this morning on the keynote, what did he say when they were doing White Hat? "I called my customers. I was going to pay the ransom, and I called my customers to buy them time." Time is what's important to us.
Time to react. Time to put defenses up, right? So effectively, we can slow and study adversaries, and we can do it safely. It also is meant to complement our stack. This is not a replacement for the things that you haven't done. Okay. We can feed high-confidence events into our SIEM, into our SOAR, into our XDR, and it allows us to make better decisions.
It also nicely aligns with 62443, the detection and response practices, as well as TSA expectations. Right? Again, mentioning it's an enhancement, not a replacement. So, understanding what I mean by deception. Okay. We're putting in deliberate decoys, lures, honey tokens that are designed to be found, silent until touched. Right. This is why they're silent. This is why they're not causing false alerts.
And we get high-value alerts when they are touched, because they're meant to be sitting there dormant until somebody goes after them. Generally, deception, decoy, honey token, honeypot: these things are all used interchangeably. We've talked about honeypots for years. There have been studies out on the net, you know, that have deployed honeypots.
And I remember seeing one study where they had deployed, like, 80 honeypots, and over 75% of them were hacked by China within, like, the first, you know, few hours that they were deployed. So there's some effectiveness to doing deception or honeypotting. We talked about high-fidelity alerts in places you can't safely run agents or generate rich logs.
Right. OT-first value as well: expose identity abuse and reconnaissance before any risk is escalating. How does deception differ? So EDR: it needs agents. It needs deep OS hooks. And it's often limited in our control environments, whereas deception is agentless for production assets. So I was deployed to a rig,
I don't know, probably a year ago now. We wanted to do a risk assessment on a specific box. We were told absolutely not: the last time anybody touched this box, the company had to come back out and rebuild the box from scratch. And it was old technology. It was running Windows 7. Right. And the cost to them was $70,000 plus downtime.
Okay. So we can't go out and we can't be touching things. Our uptime is paramount. SIEMs and SOAR aggregate and react to existing telemetry. Deception creates new, intentional signals in blind spots. So our identity, our DMZ, our plant subnets.
Can't touch the box. All right. What is it going to cost to rebuild this? All right. OT IDS monitoring, right, observes real traffic. Deception adds proactive tripwire targets. So we can now monitor, we can capture, we can analyze some reconnaissance and lateral movement early. Again, not a replacement. It's an additive control.
So the core deception types, to be able to protect OT pathways. Active Directory, right. We see that our first entry generally is identity, right? It's some sort of a stolen credential, or a credential that hasn't been fully secured. Okay. Network decoys, right, DMZ and plant-adjacent. So isolated Windows, Linux hosts, jump servers, historians and databases that look and feel real. OT protocol emulation.
Right. And we're doing it safe by design, so we can emulate PLCs, HMIs, historians that are speaking Modbus, EtherNet/IP, DNP3, S7. Okay. But we have no ties to real processes, so we don't want to actually give them an entry point.
And then, of course, remote access deception. Talked about this: contractors, ops. Right. Decoy VPN portals, jump boxes and seeded third-party credentials. Okay. Use cases in context.
Again, early identity abuse on the OT Active Directory: probing, decoy credential testing. Third-party remote access abuse: we have decoy VPNs, contractor credentials, things that look 100% real but are not. And then also ICS reconnaissance, so we get interactions with emulated PLC and HMI services.
And then our threat context for the United States: Triton and Trisis showed safety system targeting. Pipedream and Incontroller showed an ICS-capable toolkit. US infrastructure faces sustained interest in pre-positioning. Okay. We know that we're being attacked. We know that our way of life is being attacked.
So what is the relevance here in oil and gas? Well, our reality, and why detection is hard: we've got hybrid, distributed operations. We've got offshore platforms. We've got offshore vessels, we've got onshore platforms, onshore rigs. We've got concrete trucks. We've got fracking trucks. We've got midstream, where we're, you know, separating gas from oil.
We've got downstream, where we're doing refining. Right. And we've got a bunch of operations centers. We've got pipelines that we still need to monitor. Okay. Insider mistakes and third-party remote access are a primary risk to OT. Things are getting better, we're doing better things, but there are still a lot of risks. And I mentioned before, legacy and patch constraints on our servers, our on-premise services.
Right. We can't run heavy agents and we can't patch. And sometimes patches are gone because we're running old assets, right? We also have remote and low-bandwidth sites.
Right. VSAT is extremely slow. Things are improving with Starlink, but it's not everywhere, at least not deployed everywhere, right? Some rigs are fortunate enough to actually have, you know, cables run, so they've got some better throughput, but still we have constraints. Right. And then interdependencies: we've got our shared services. Identity often bleeds across IT and OT unless deliberately separated.
Right. I'm a huge advocate for 100% separation of IT and OT Active Directory. I don't think they should touch at all. I don't think there should be any trust. But not everybody does that. Sorry, I forgot to hit the clicker. All right. So how can deception address these challenges? Right. Identity deception: you put it at the IT/OT boundary.
So I do decoy users. I do decoy service accounts and SPNs, so that I can catch the enumeration and the credential testing. I want remote access deception for contractors and operations, so I have decoy VPN tunnels, portals. I have decoy jump servers. I have decoy engineering workstations. Right. So even when people think that they've gained a foothold and they're doing living off the land, hopefully they're still just contained within my deception, right?
I also do that emulation. I talked about this before. Right. We're deploying the PMA, the PLC, the HMI, the historians, so that we can run our services. We can run Modbus. I've got a device that responds to Modbus queries. I've got something that says, hey, if I see a 40,000 register, I'm going to try to query it.
That immediately triggers an issue, right? Or we do it with DNP3 or EtherNet/IP or S7 or, you know, our Honeywells or our Emersons. Okay. They need to look real, but they're isolated, with no connection to our live processes. Okay. And then again, network decoys that look like our offshore assets or our onshore assets. Right. Believable hostnames, services, shares mirrored from your environment.
All fake, of course.
And it needs to be discoverable by Active Directory and DNS, but again strictly subnet-segmented, so that you are not tying it to anything that is real. High operational fit, some benefits: no active scanning. I heard in one of the presentations yesterday that the tools are getting better.
They are getting better. They're still not 100% there yet, though. I can 100% say I've kicked over some asset. I've gone out, I've scanned with manufacturers' tools, and I broke an asset. I kicked it over. Had to be rebooted. Fortunately, we were in a commissioning phase, so we weren't running production. But I've done it.
I've been there. Okay. Again, to assess: a disruptive action? It is passive until touched. No changes to our control loops. We're not actually touching anything that we're using for production. So we'll have negligible operational impact when it's properly isolated, and then tolerant of intermittent links. Right. And then this aligns to our safety, our standards, and what benefits we get.
Early, high-signal detection reduces the dwell time. Again, it's buying us time. It gives us the ability to have some time to throw up some defenses. So again, the standards in US context: we've got 62443, which aligns with risk-based defense in depth. This is one more kind of feather in our cap, or one more defense that we can put in place. It also strengthens our detect and respond where our instrumentation is limited.
TSA pipeline directives: it helps us get there. Deception helps surface credential abuse. It gives us the ability to notice safety system targeting. And again, our benefits for oil and gas then are high-fidelity alerts. We can be confident that the alerts that we see are not going to be false positives. We should never get alert fatigue from these.
These should be real threats and real issues, real TTPs that we can take action on, and we can gather intelligence on that, and we can then start to take advantage of those things that we learn and start to close those holes and patch those things, or at least take appropriate compensating controls in our real systems. So the real question is, does it make sense?
What is the feasibility? Right. What's the value? Well, early high-signal path detection. So again, it gives us that ability to have some insight as to what people are doing, how they're coming after me, how they're attacking. It mirrors our ICS, our identity and our remote access. So it fits. It fits well. We have all those things right now.
The cost is going to be cross-functional people time, integrations, which of course leads back to people and time. So our value here, right: our early high-signal alerts on our pathways, where we see credentials trying to be exploited. We see third-party remote access trying to be exploited. We see ICS recon, right? If we talk and think about some of these things that we've seen in the past, particularly the living off the land.
Right. Engineering workstations used to scan: it's expected. We certainly don't expect it in our deception area. OPC being used to enumerate: we certainly don't expect that to be seen in our deception area. So these things that have been done in the past that are sometimes expected, because they're living off the land in, you know, our actual networks, would be noticed and floated to the top in our deception.
So actionable TTPs, so that we can harden that remote access, harden that identity, do our segmentation, upskill our jump hosts so that we've got better protection. It also provides us with the ability to do training and exercises without having to touch real production. So I believe that there's some value there. Right. We can do essentially tabletop exercises through our deceptions.
Our capability and fit. Right. We need to make sure that we've got our ICS and our OT stack coverage. We've got to make sure that if we have DeltaV at our site, if we've got Emerson or Siemens, Rockwell, Honeywell, whoever it is, we need to make sure that we are 100% emulating what we've got there.
Modbus, DNP3, EtherNet/IP, OPC. Believable HMIs. We need to have historian banners. Okay. So things that we would expect to see when we query these devices also need to be in place. Identity deception in a separate OT Active Directory. So decoy users, groups, SPNs; our honey tokens are realistic. Kerberos. Remote access: match our VPNs, our RDP, SSH, anything.
Citrix, contractor workflows, zero trust: those things should and could also be deployed in our deception area. Right. Also plant-like network decoys. So I want my naming, my services and my shares that blend in. I shouldn't have anything that says, you know, "deception" or "honeypot." It should be almost identical to our typical naming conventions. Active Directory and DNS visible, and strictly isolated. Resources and some guardrails.
People and time is going to be our biggest resource, right? We're going to need it. We're going to need a SOC deception engineer. Those are the people that understand our Active Directory. We're going to need OT engineers brought in. These are the people that understand our PLCs, our DCS, our HMIs, right? Our control networks. We're going to need an identity team.
And then we're going to need a network and security architecture. This needs to be realistic, as realistic as possible. And we're going to want to integrate these back then into our SIEM, into our SOAR, right, case management,
our identity and our XDR. We also have an operations overhead in this. This is not a set-and-forget. This needs to look like what we do in our OT environments as well, right, or our IT environments or Active Directory. We have to upgrade these things. We have to have a decoy lifecycle. We have to pull things out.
We need to have gaps where it looks like we've upgraded a piece of equipment. Right. So the realism needs to match what you're doing in your actual OT environment. Right. The other thing that we do have the ability to do then is remote and offshore logistics. So we can do store and forward. This can be minimal on site.
Very low overhead. Right. Again, guardrails: isolation from our control loops. We should never have this attached to, or a pass-through, or in any way be able to get from our decoy into our real operations. No active scanning. And then avoid a parallel, deception-only decision. Deploy now versus wait: this is for mature groups, right?
This is, if you don't have a separate Active Directory or a separate OT domain, I would not recommend doing this. If you've got high-risk OT remote access you haven't secured, you don't have good segmentation with a 3.5 DMZ and well-controlled jump hosts, don't do it, right? Your time can be well spent elsewhere.
Hardening things. If you don't have, you know, a baseline for hardening your switches and your PLCs and your HMIs, if you're not practicing good coding practices in your PLCs, don't do this. Wait. But if you've done all these things and you're mature and you're going on to that next phase of the journey: what else can I do?
Because I've done all those other things, and my guys have alert fatigue.
Consider this, right? So if you have things where you're doing tabletop exercises, this again is a natural kind of transition to that, because now I can utilize it not only as a training exercise, but also for gathering intel on who's trying to attack me.
Options to evaluate. So there are ICS-aware platforms out there, as well as some open-source platforms. Okay. CounterCraft claims to have ICS-aware OT. ShadowPlex. Fortinet FortiDeceptor: they definitely have an OT one; I've seen that one run. TrapX Security. SentinelOne has ThreatDefend; they also do ICS as well. Thinkst Canary: they have industrial modules. Conpot is an open-source version. GasPot is as well. And T-Pot, which is done by basically the T-Mobile folks, Telekom. They have it bundled through Conpot. It supports Modbus, S7, EtherNet/IP. You can deploy it for free. You can spin those up. It's not that resource intensive.
Right. So try it. It's good. It's akin to Malcolm. If anybody is aware of Malcolm, it's got the Elasticsearch and Kibana front end, so it's familiar if you've ever dealt with Malcolm. Implementation strategies: it's a risk-based rollout, right? Everything you should be doing should be approached as risk-based.
So I would recommend the priority in descending kind of order. I already mentioned identity and remote access. Those are the big deals, and those are the things that tend to get hacked first. Okay. Then go with your network decoys, right, plant and DMZ-adjacent, and then roll into your own protocol emulation. Goals. I've mentioned this already, but it's worth saying again.
Early high-signal detection on our paths to OT. Figure out what those steps are. Understand them so that we can then do better at defending them. And of course, do no harm. I mentioned it before; I'll mention it again. Zero interaction with our control loops. Do not have anything that touches one another in your deception versus your real world.
But do integrate with your existing detection and response workflows. So again, tie this to your SIEMs. Tie this to your SOARs. All right. And sites, domains. Has anybody watched The Rig TV show? Right. So the Kinloch Bravo and the Kinloch Charlie, those are the rig names in the TV show. Make them realistic. So make your site domains
kinbra, kinchar, right? Your bravo.offshore.… Nothing with "deception" in those names. Nothing should point to, hey, this is obvious, right? If you can come up with it, somebody else can figure out that it was fake. So they need to be real. Placement and isolation, must-do's: place in your level 3.5 DMZ and plant-adjacent segments only.
Okay. Enforce strict ACLs. No traffic goes from one to another. One-way telemetry, one-way logging. No inbound management from OT. Even though I believe that OT should own this, you should never be able to access this from OT, even for management. Don't make that mistake. Make sure you've got unique names and IP addresses, but also those subnets need to correspond with whatever your subnetting scheme is, whatever that template is that you use. It should be consistent.
It has to look real. Make sure you're checking for collisions, right? No duplicate IP addresses, no duplicate names. We also don't want to give anything away. Hey, document these things in change control. Treat it like it's another control system. Separate OT Active Directory again, per site: bravo.offshore.ot, whatever you call them. I avoid any decoy or emulator on a control loop or a safety network.
Again, never let them touch. Never reuse credentials as a lure. Again, we don't want to give anything away. No free information. No pass-through proxy to real PLCs, HMIs, historians. No active scanning. Right. Upkeep and realism profile, again: come up with a pattern. Follow that pattern, with occasional gaps to imply decommissioned.
Gotta look real. Our organizational units inherit our normal GPOs, our sites. They go to our jump hosts, to our workstations, to our servers, to our service accounts. No decoy OU, nothing that gives away that this isn't real. Okay. No inter-domain trusts. 100% separate, 100% segmented. We need to do our TLS and our hygiene.
So if we're using certificates out in the field, we need to use certificates on these. They need to be the same as what we would use on our assets. Patch uptime, right? Our SCADA is very aged. If you're only able to patch your SCADA every two years or four years or whatever it is, our decoys should look the same.
Our engineering workstations, maybe they have semi-recent patches. We patch those more frequently, because generally they're running a Windows 10 or a Windows 11, right, a more recent one. I know there are instances where we've got programming software out there that has to be older and we can't patch. Make those look real. Our jump hosts, monthly reports: do the things that you're doing on your OT as part of your deception.
Okay. Our DNS, MACs, our shares: these things should all look realistic. If I've got Stratix in the field, I should emulate some Stratix in what, a digital twin, right? We can bring our digital twins into this from our companies like Rockwell or Siemens or Honeywell.
Any shares: engineering drawings, historian exports, patch staging, OEM drops. These things should also look real. Okay. Our density prefers sparse, right? We don't want to do too much of this, because then it looks unrealistic. If I've got 5,000 PLCs in my deception area and I've got ten on my rig, that's unrealistic. It'll throw a flag.
Somebody will notice, somebody will get it. Okay. Services and protocols, again: the jump hosts. I need to make sure that those things that I would normally have on my jump hosts (RDP, SMB, SSH) are Active Directory visible. My engineering workstation may have, I may also have, RDP and SMB outbound, engineering tools only. My HMI and my PLC emulation panel.
Right? I set up EtherNet/IP to run on port 44818, Modbus on 502, right, my S7 on 102, my OPC. Also maybe I run a simulated or emulated Ignition software, if that's what I've got in my facility, in my control network, right, with those ports open. DCS on 443, with a believable Experion or DeltaV-style banner, something that gives me some sort of information so that I can do my own reconnaissance on what's being hacked.
Then my PLCs, my VFDs, right? Maybe I'm running UDP on port 2222 for some EtherNet/IP. Okay. And then I need to mimic my network devices, and maybe I even throw a telnet in there on port 23 so that it looks like legacy stuff.
Okay. So implementation steps. Identity and remote access: do our decoy users, do our service accounts, do our SPNs in our Active Directory, decoy VPN, route alerts into existing queues, our pre-approved actions, right: disable accounts, block remote access. Our network decoys: Windows, Linux, right? Out on a rig, they're now deploying Linux in the cyberterrorism.
We should probably emulate that, right? Joined to an OT Active Directory as per the norm. If it's attached in your control network, attach it in your decoy. Any expected services, make them discoverable. Strict ACLs. Okay. OT emulation: DMZ-adjacent only. Enable our protocols, and then vendor flavor by rig. If you've got one rig that is heavily DeltaV, lean that way in your deception. Lean Experion on another rig.
If that's what you've got, make sure they are realistic, okay? An example flow, our chain, right: so we're noticing password spray on decoy accounts on VPNs, RDP probes and share enumeration on a decoy jump server, Modbus or S7 probes on an emulated PLC. And then a minimal runbook where we're trying to triage or correlate events.
We're trying to contain. This is why we're doing that analysis. This is why we're noticing the TTPs. We're doing reconnaissance on it so that I can contain it, I can disable, I can block and I can isolate, and I can do that in the real world after I've seen what's happening in my decoy. Coordinate with OT operations, preserve our logs and artifacts so that we can scour through them, and then that allows us to improve our controls and detections.
Okay. So some case studies. So say we've got an offshore operator decoy VPN. The scenario is decoy contractor credentials are seeded, right? We've got an isolated decoy VPN portal and a jump host in our DMZ. What do we see? We see passwords sprayed against the decoy account on the VPN. We see an SSL attempt on that decoy portal.
All right. Then an RDP scan and share enumeration on the decoy jump host. What can we do? We can disable the account, block source ranges in our real world, because we already know they're in our system, right? We can tighten remote access. We can increase our MFA, we can increase the Aetna.
We can narrow our vendor access windows, times of day. Maybe we do data diodes now instead, so that we're just pushing information to them to collect, instead of them needing full access. It gives us that ability to see what's happening and improve on it. Right. Route alerts into our existing queues. Outcome: detected before any reach into OT.
So it's allowed us to put up our defenses faster. Again, like we said this morning, buy time. Improved contractor onboarding and offboarding. Maybe also improved training for our contractors or our third parties that are monitoring. Right. It also allows us to harden things and do session controls. All right. Recording, protocol breaks. So lessons learned: place decoy credentials at VPN and choke points. Ensure SOC has a clear response path.
So maybe if we're talking about a refinery emulated PLC in a DMZ, signals observed: we're seeing some unfamiliar Modbus reads, or S7 block lists, or a CIP List Identity, OPC UA browse from an IT subnet. Right. Action taken: we can isolate the source host. We can tighten our firewall rules. We can add detections for ICS probe patterns.
Okay. We can also validate the realism and response steps in the digital twin. Our outcome: exposed segmentation gaps when maybe we noticed some lateral traversal. Right. Added allow-list monitoring around historian and jump host conduits. Lesson learned: validate decoy realism in a twin first. I'm going to say that all of your vendors have digital twins
now. All right. Fortiphyd is also an open-source digital twin that's out there on GitHub. You can emulate PLCs, HMIs, you can emulate Modbus, you can have those ports open, S7 ports.
Pipeline. So insider and contractor misuse. Things that we may observe there: LDAP and Active Directory enumeration. Okay. Kerberos, a decoy SPN login attempt. Some actions taken: disable contractor account, revoke third-party access. Our outcome: stop misuse before lateral movement, improve identity hygiene. And the lesson learned: identity deception, decoy users and SPNs.
It pays off quickly when contractors have broad access. All right, lessons learned. Start where the attackers start. Do no harm, right? Deploy only in DMZ or adjacent. Never on control loops. Keep our signals actionable, routed to our existing queues. Attach a short containment guide rehearsed with the digital twin. Make decoys look native. Use findings to harden.
Right. So refine our MFA, our hygiene, right. Guide, best practices. And I was notified I'm running a little bit long, so I'm going to speed this up a bit. I believe, as with everything that is out in control networks, who should own this program? Right. That's where things fall. Things fall to the people that are ultimately responsible.
If we are not building things, if we are not making widgets, if we are not doing production, we have no need for IT. Right? That being said, OT needs to lean on IT, because there are a lot of things that generally people don't understand. I don't understand Active Directory well. Have I ever stood up an Active Directory? No, I'm an old guy.
Generally my AD guy has never programmed a PLC or an HMI, right? So I need them. They need me, right? Again, I've talked already about strict isolation. I've talked about starting with a risk-based approach where risk is highest, validated in a lab or a digital twin. Pre-approved response steps. Again, this allows us also to do our tabletop exercises, and then our refreshers, context driven.
So as we refresh our own stuff, we refresh our decoys. Right. It's slow. It's not going to be immediate all the time. I've already talked about the OPSEC realism, okay. Make sure that our hosts and our patterns are viable. Make sure they look right. Make sure our services are there. Texture matters: plausible shares, right?
Engineering drawings, historian. Okay. And our density is correct. Avoid things like carpet bombing subnets with decoys. Don't do too many. Make sure we're doing high-signal successes. Whoops. I forgot to advance this. My apologies.
Okay. Future trends. What do I see? At some point, we're going to have AI-driven adaptive deception. Right. We're going to be tying in Active Directory. We'll also have digital twin powered deception, and zero trust and deception. What does AI look like? Well, it will be able to start auto-seeding honey tokens in decoy accounts. We'll be able to have adaptive banners and services that look realistic.
Also, we'll take from TTPs and be able to go to playbook selection. So now we can train up on what we expect those TTPs to look like. And we'll also have noise discipline.
Some emerging things. We'll have closed-loop campaigns. As we do more, I will be able to have, corporate AI is what I might say, as we have more corporate AI we'll be able to do more closed loops, or even offline AI, things like private with Llama. Okay. Digital twin and zero trust.
I think we should be utilizing our digital twins highly. Right. We also need to do zero trust alignment and have a forward outlook.
Okay, so in conclusion, deception provides low-noise, high-confidence visibility to on or on past to what we should implement, with strict isolation. Align our scope to our current maturity. If you're not ready, don't do it, right. This is an enhancement, not a cool "I want to do this," because it's a lot of work, right? Safety first, do no harm.
DMZ and adjacent zones only. Never touch control loops. Start where the risk is highest: remote access, identity. And keep it real. Right. Realism is key. So those first steps: maturity-aligned, map our paths into VPN, jump host, historians, small set of plan adjacent. Start small and grow high. Validate in the digital twin. Leverage that digital twin for learning our TTPs as well as for tabletop exercises.
Okay. All right, that's it. This is me. Sorry for the quick run at the end.
Thank you. Thank you, Mr. Dove. Sir. Yeah. Any questions?
We have time for one.
How do you communicate the value of the program? What metrics do you keep track of and show? One of the things I've struggled with on our deception is it's easy to say, well, look how many we put out. Right? But for the most part, I should have zero hits on them. Right? So I don't have a lot of traction to be able to say, yeah, look, I put out ten and we got ten.
We got ten hits. It's generally I put out ten, I put out 20, I put out 30. Right? I still have zero, zero. How do you communicate metrics and value in your programs? I think the best way to do that is, again, I mentioned doing tabletop exercises, and I think the fact that you can leverage it not only in a response to an attack, by utilizing the system.
Right. Here's: yes, we've caught nobody. So our defenses are working great. But we can also dual-purpose this. So if we do see an issue, our guys in our SOC know what to do, we're able to better tune our source so that we can have tickets created appropriately, so that we know the right things to do.
All right. So I don't know that you're ever going to have the ability to justify it, if you're already doing a good job, from the standpoint of, yeah, we've caught nobody, and that's what we would hope. But justify it from the standpoint of, look, we can use this to train our people in a real-world digital twin honeypot type scenario: if this attack occurs, this is the alert they're going to get.
And this is the ticket that's going to be generated, and so on and so forth.
Is that how? Awesome. Thank you. Thank you for the question. And if there are any more questions, I think he will gladly answer them. Absolutely. Yeah. Thank you so much. And yeah, right now I have three little points that I want to mention. After this talk, lunch will be served in Hall A3, which is by the exhibition, from 12 to 1 p.m. And remember to take these few moments also during your lunch to take one last lap at the exhibition hall to finish your passport and drop it off at the registration desk to enter and win one of the prizes during the closing ceremony.
The exhibition hall will be closing at 2:30 p.m. this year. So. And with that, thank you all for attending this talk. Yep.