ITSPmagazine Podcast Network

Deception Is on the Rise, But Is It Time to Unleash Engagement Operations? | An RSA Conference 2024 Conversation With Ondrej Nekovar and Jan Pohl | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Immerse yourself in the world of cybersecurity with industry leaders Ondrej and Jan as they unravel the strategic nuances of cyber deception and active defense, offering valuable insights for fortifying digital defenses. Join Sean Martin and Marco Ciappelli in a captivating exploration of cybersecurity tactics, bridging ancient techniques with modern cybersecurity challenges to stay ahead of evolving threats.

Episode Notes

Guests:

Ondrej Nekovar, Director of Cyber Security, Board Member, SPCSS s.p. [@csirtspcss]

On LinkedIn | https://www.linkedin.com/in/onekovar/

At RSAC | https://www.rsaconference.com/experts/Ondrej%20Nekovar

Jan Pohl, Analyst, SPCSS s.p. [@csirtspcss]

On LinkedIn | https://www.linkedin.com/in/jan-pohl-89231a264/

At RSAC | https://www.rsaconference.com/experts/Jan%20Pohl

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

On this new On Location episode, Sean Martin and Marco Ciappelli dive into the intricate world of cyber deception and engagement operations with guests Ondrej Nekovar and Jan Pohl. The conversation kicks off with an intriguing discussion about the art of deception, drawing parallels between magician tricks and psychological manipulation in cybersecurity. Sean and Marco navigate through the complexities of cyber deception, shedding light on its historical roots and modern applications.

Ondrej and Jan, experts in the field of cybersecurity strategy and active defense, share their expertise on the evolving landscape of cyber threats and the role of deception in defense mechanisms. Their journey into cyber deception unfolds as they highlight the necessity of incorporating false assets to mislead adversaries in the digital realm. The duo emphasizes the importance of leveraging cyber threat intelligence and modern defense techniques to stay ahead of malicious actors.

Furthermore, the discussion pivots towards the strategic implementation of deception in security programs. Ondrej and Jan elaborate on the significance of creating a cohesive narrative to anticipate and thwart potential cyberattacks. They underscore the meticulous planning required to craft deceptive scenarios that outsmart adversaries and bolster organizational defenses.

As the conversation progresses, the guests delve into the nuanced world of cyber counterintelligence and the utilization of frameworks like MITRE ATT&CK to enhance defense strategies. Ondrej and Jan's insightful case study during their upcoming RSA Conference talk promises to offer profound insights into the practical application of cyber deception and active defense mechanisms.

____________________________

Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS-B9eaPcHUVmy_lGrbIw9J

____________________________

Resources

Deception Is on the Rise, But Is It Time to Unleash Engagement Operations?: https://www.rsaconference.com/USA/agenda/session/Deception%20Is%20on%20the%20Rise%20But%20Is%20It%20Time%20to%20Unleash%20Engagement%20Operations

Time to Talk About Cyber Counterintelligence: https://www.rsaconference.com/USA/agenda/session/Time%20to%20Talk%20About%20Cyber%20Counterintelligence

Learn more about RSA Conference USA 2024: https://itspm.ag/rsa-cordbw

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco.  
 

Marco Ciappelli: Sean.  
 

Sean Martin: There's something behind you.  
 

Marco Ciappelli: No falling for that.  
 

Sean Martin: No, really. I think there is,  
 

Marco Ciappelli: there is something. Yeah. Honestly, there's gotta be something. That's right.  
 

Sean Martin: They're trying to deceive me. I'm trying to, uh, trying to get you to look at something else. Oh, yeah. Yeah.  
 

Marco Ciappelli: Funny story. Magicians do that.  
 

Sean Martin: They do. 
 

Yeah, just underrated. 
 

Marco Ciappelli: I got my my watch. I didn't even realize that.  
 

Sean Martin: Yeah, until you looked at the time and said,  
 

Marco Ciappelli: so they asked me and I look like a fool. That's that's that's what happened.  
 

Sean Martin: Yep. Sleight of hand. A little bump here. A little Hey, look over there. So it's a tried and true. Technique to, uh, to get people to do something that then you can use against them somehow, some way. 
 

And of course, I'm not even coming close to providing a proper definition of what our topic is today. So this is part of our chats on the road, obviously [00:01:00] Marco to RSA Conference. And, uh, our two guests have quite the journey to get to San Francisco for their talk, which is called Deception Is on the Rise, But Is It Time to Unleash Engagement Operations? And I'm thrilled to have Ondrej and Jan on. How are you guys? Good to see you.  
 

Jan Pohl: Hey, how you doing?  
 

Sean Martin: Very good. And, uh, first off, congratulations on, uh, Getting accepted, uh, as, uh, speakers at the, at the conference, so many submissions, it's not an easy task, so, so well done on that, and it's an interesting topic as well, and I think, uh, certainly plays heavily in, in the cyber world, but, uh, as we were kind of joking at the beginning, it's part of everyday life, right? 
 

Right. Uh, so there's a lot we can, a lot we can learn from just being human. Uh, as we, as we look at what, uh, we can do with technology. So before we get into the topic of deception, uh, don't deceive us now. Give us the full [00:02:00] true story, a little bit about, uh, Ondrej and Jan and, uh, what, uh, what you guys are up to. 
 

Ondrej, I'll start with you.  
 

Ondrej Nekovar: Yeah. Yeah. Um, as far as, uh, cyber deception and our, our, uh, speech at RSA, what to say, I guess that now the people, uh, people know about cyber deception, everything they need. Yeah. Uh, but I can, I can say that it's all about trying to make false assets or things. to be believed that are true. 
 

Yeah. And it comes from ancient history and it's nothing new, but some guys bring us theory that it's can be, it's possible to use it in cyber. And they create a lot of interesting books and methodologies, how to use it. And then we [00:03:00] came and tried it, simply.  
 

Jan Pohl: So when I go, when I go back to Ondrej, right, uh, because always when we are giving the talk, like we are starting, like we introduce each other. 
 

And so when you, when you say Sean, like Ondrej start, He was like, Oh, what should I do?  
 

Sean Martin: So go for it. It gives us each other.  
 

Jan Pohl: Yeah, because I had to always say that he's the greatest and smartest and, uh, and so on, because he is my boss. Uh, but Ondrej, he's like, uh, he sees all in our company and, uh, he's taking the care of us, the small guys. 
 

Uh, and, uh, and he's also, uh, uh, What he called like, uh, Chief Deception Officer, uh, and it's, it's actually didn't start with the, with the cyber security, but with his, uh, character. He is lying all the time. . [00:04:00]  
 

Ondrej Nekovar: Yeah. We,  
 

Jan Pohl: I'm just receiving,  
 

Ondrej Nekovar: we started with deception. Yeah. Yeah. Not introduce ourself. Just tell what are we talking about? 
 

And you have to find us. Yeah. Just kidding. Yeah, no, uh, Jan is, is getting it all. Uh, yeah. Um, I'm, we, we were, we are. Our job is at a state company which offers, offers, uh, cybersecurity and data centers for the state. And we are a state cloud provider. And that's, this is the main reason why we're trying to use any, uh, any, any advanced techniques in defense. 
 

Yeah, and I'm his boss and he's my greatest colleague and right hand. Yeah, he's technical guy. I am, you know, see, so  
 

Sean Martin: you get to wear all the all the weight [00:05:00] on your shoulders.  
 

Marco Ciappelli: I like the idea that you get on and start confusing people. So, you know, so that that's a good start. The other good start, if we can, as you start going there, like, what is the definition of deception? 
 

Um, and, and then we can go into how we apply that. I mean, we're joking about the magician. We, we can joke about a lot of things. Like it can be applied and used to a lot of different things, but at the core.  
 

Jan Pohl: I will say like the shortest one is the, the deception is act of, uh, causing, uh, causing someone to accept us true or valid. 
 

Something what is false or invalid. So anything, anything food is actually not true. It's, it's actually deception. But we are that, that, uh, deception or concept of deception in cyber security is much wider than, uh, than this. I will say, this is the short end. Very, very good, uh, [00:06:00] very good line or how to say or how to describe that. 
 

Ondrej Nekovar: Yeah. Nowadays you can find a lot of definitions in, uh, in, uh, studies and in the, in the websites and in the vendors websites about their products. Yeah. Which starts our solution best for deception because. Yeah. And, uh, the, the, the, the short one is great one, as Jan said. 
 

Sean Martin: So how, help me understand how and where this fits into a security program. So we have presumably a team either in sourced or outsourced looking at activities, and we're looking for signs that, uh, somebody has come through. Our external defenses or whatever, what does it fit into the monitoring or is it, does it go beyond that? 
 

Maybe describe that for me. I don't know, Jan, [00:07:00] Ondrej. Yeah.  
 

Jan Pohl: Well, you see, that's, uh, that's, uh, uh, we are going much deeper in our talk in this, uh, in especially this, this, this question, but, uh, uh, deception was perceived like, uh, honey pots, honey, something, honey, something. Uh, and we think like. Employing just these parts of defense. 
 

We are going to where we are right now. So we are still going to the reactive part. We're still waiting for the honeypot to somebody visit the honeypot. Okay, we get something and we want to be more active. And this is about like we are more than that and that's the already the engagement, but, but, uh, when I go to the deception, we, we first thought when we first find that deception in 2018 or something like that, we thought it will solve all our problems. 
 

So like, yeah, we just set up some honeypot here, some shadow account there, and we are set. But it's not [00:08:00] like that. It's not easy like that. It's have to be always part of that layered security, uh, like defense, and then it can work. And we see that, uh, big help with deception is like in, uh, uh, cyber threat intelligence. 
 

Uh, to get the data information you need for the, for the next, uh, next process stuff in the cyber security or in detection engineering, like where you have high false positive ratios, you can use the deception to, uh, to fit that gap or stuff like that. So it's like, uh, we are seeing the deception as part of some process, which is already in cyber security widely used. 
 

Ondrej Nekovar: Yeah, I hope, I hope to say anything more. Yeah, just, uh, maybe, maybe some advice when to start using these things. Yeah. Jan mentioned the honeypots. It's about 20, 30 years old, uh, old technology, which is, uh, which helps us to [00:09:00] collecting data. But. You have, you, you, you need, you need some process how to, how to use it, even it's just simple, simple, uh, honeypot, which shows us any vulnerabilities, especially for special, for some, some attack vector or something like that. 
 

You, you need the story. My first advice is start with deception and or maybe we can move to active cyber defense at all because Jan started with it. Uh, when you are ready with your, with your, uh, SOC, at least at some maturity. You have implemented some processes for detection engineering, you gaining, you have a good visibility and gaining data from all log sources almost or what you need. 
 

Yeah, this is the [00:10:00] sometime you need to consider. Can I do something more?  
 

Marco Ciappelli: So here's a question. We started with a joke of the. I mean, the joke is true. I mean, that's how magician get people to fall into into tricks. So it's very much psychology. And I'm wondering, like, when people think about the honeypot, you think about in cyber security, think about the technology part of it. 
 

But then I started thinking about social engineering, and how you reverse that probably. And that's part of the program. It's part of preparing Way ahead of the game before the technology maybe even come into play. So what what is the balance there and and how early It's early enough.  
 

Jan Pohl: That's very hard to say. 
 

This is like, when we, uh, when we, like, you need that, uh, some kind of maturity. It's not for, like, uh, [00:11:00] for some start, uh, start teams. But, uh, you need a good scenario. You know, like, when you come, uh, come home from the pub, and you will say, I had only one beer. Uh, it have to look like you had, uh, you had only one beer. 
 

Okay. You can just like, you know, uh, be totally like smashed. And, uh, so it's, it's about that. And you said it right. It's like, it's about the psychology. It's not. Uh, actually the deception and active cyber defense is no more about technical stuff. Uh, you always can get some technical stuff. You always can program some things. 
 

You always can make application, but it was about psychology and about the state of your mind. So you need a scenario and to have somewhere honeypot, it's, it's cool thing. You can get some information probably, but it's not something what it, what will work against some. Advanced, [00:12:00] uh, uh, adversary  
 

Ondrej Nekovar: and it's still just the part of the story. 
 

Yeah, you, you, you had to start with why or what is coming soon. Yeah, you need some CTI, yeah, to evaluate what is important for you. What is happening? What, what techniques or tactics or, or, uh, APTs are around? Yeah, and who, who trying to get to your, to your infrastructure, if I make it simpler, yeah, to explain. 
 

Yeah, and then you have to create the story. And maybe the PsyOps might be the part of it, yeah, of course. And once you know what, what is happening around, and then you know what you have in your, it in your armory. What is your trade craft? You can start to, to, uh, you [00:13:00] know, to prepare for home alone evening. 
 

Yeah. And setting the traps. Yeah.  
 

Jan Pohl: And that's, that's basically what we are talking about in our talk. Like, because we were battling always with these, uh, with these talks about just one thing. Okay. So we watched the talk, which was about how to import. About shadow accounts, about influence operations, about, uh, on always, it was only one topic and in our talk, we are trying to put that in the process from the start to the end. 
 

Like you're starting with the threat intelligence with the use of the session in the threat intelligence and you end up with some validation of your steps you make on the, on the road to that, uh, to the perfection. Those steps are filled with the use of active cyber defense elements like deception, like, uh, using honeypots, shadow [00:14:00] accounts, et cetera. 
 

Ondrej Nekovar: Yeah, we will show in our speech. Yeah, what's, what's, what are the parts of, of the things we can do? Because, uh, we, we have to understand that there are things we can do because we are not state agency, like, uh, you know, FBI, uh, and, or Kurds, who can, who can order just. Take this botnet down. Yeah, and please use these, these forces for, for, for this. 
 

So there is a group of things we can do. Yeah. And you can do it separately and you're doing good. But if you think about it and you will connect it in the process. Yeah, where, where are inputs and outputs of each step, you'll get, you know, something which is, which brings you some value and [00:15:00] helps you to, to, to, to have a numbers you have, you know, for management, you have numbers. 
 

Yeah. About efficiency, about money, of course. Yeah. So, That's why our basic, basic, basic, uh, stone or is, is, uh, the process and we created it after two years or three years ago, but it, but we started seven years ago. Yeah. It took three, four years to, to create it.  
 

Sean Martin: Nice. And you're going to do a whole case study during your talk and, um, yeah, that's great. 
 

You mentioned creating the story, and uh, don't give away any secrets, but how, how does that work? Is it, I guess you, to your point, Jan, if, if, if a police officer is asking you, Are you drunk? And you say, I only had one beer. And [00:16:00] they ask you, well, can you touch your nose? And you say, I only had one beer. And they say, can you repeat the alphabet? 
 

And you say, I only had one beer. It's the same response over and over and over. They're going to realize. You're not doing very well engaging in that conversation. Um, so one can predict what that exchange might be with the police officer. Similarly, one might expect what the exchange might be in, in our tech stack, right? 
 

If somebody reaches this point, then they might want to use something from that and move here or do some reconnaissance too. And so I don't know, do you use tools like, like MITRE or. Or other things like that to kind of help paint the story of how the, how the attackers might move and, and, and to your point, Ondrej, that with. 
 

It's the cyber threat intelligence data to say, we know they move this way and this is how our organization looks. So I don't know, don't, don't give too much away, but, uh, how, how does that work?  
 

Ondrej Nekovar: You, you will [00:17:00] understand once you will see our speech, of course. Yeah, but we can say, yeah, we can, we can say we use, uh, we use all known methodologies, frameworks. 
 

around. Yeah, MITRE is very good and very far. Their, their things are, you know, it took three or four, four years to be, to, to, to, to get to the, to, to, to public or to be accepted by public for MITRE ATT&CK. Yeah. And now they have some things like Engage, which exists for two years, but I, I don't know how the people works with it. 
 

They started with different, but it's step before in engage. Yeah. Yeah. So we will, we will see how it will goes and we can say that we use it. [00:18:00] Yeah, we are.  
 

Jan Pohl: We, we love things from MITRE.  
 

Sean Martin: Yep. I just picked that one out of there. It wasn't yeah,  
 

Jan Pohl: but there's, there's like, there is much, much, there is much more like, uh, Much more open, open source tools and stuff we are using like in that, in that process. 
 

But, uh, but MITRE is pretty good example of the, of, of complex, uh, complex framework or complex, uh, thing we are like to use because they are, they look visually good. You know, like you can, you can see that you can, you can connect the points.  
 

Ondrej Nekovar: Yeah, and it makes sense and it's very complex and we guess that it's it needs sometimes Yeah to to to understand all their concept and they will go Out with new and new things which which will make or [00:19:00] show their their story behind Yeah, so it's very very good and it's much more better than that any commercial solutions for this Yeah, you, you will buy any box with their processes, but it's, this is a general and universal to use. 
 

Jan Pohl: But we are like, as Ondrej said, we are using a lot of Engage, which is former Shield, I think, right? And, uh, and the D3FEND is, uh, pretty cool as well. So this is like, this is really like three most used things we have in our armor. Otherwise, there is like some just tools which are need for the, for the reporting documentation and stuff. 
 

Uh, but methodically, uh, we create something our own to get through some, our loop, we call it, uh, a active cyber defense loop. Which are going through, it has, uh, it has six steps and we are going to each, uh, [00:20:00] documenting and stuff and, you know.  
 

Ondrej Nekovar: But, but there is another things which helps us with detection engineering. 
 

Yeah. And it's, uh, open to every, anybody can use it, but, but I guess they, they, they, they doesn't. Yeah. And it's a, uh, ADS from SpecterOps. Oh, Palantir. Oh, Palantir. So, sorry. Yeah. So it's 10 points. We, we maybe enriched it, uh, but, and it has 12 and it works great. And our detection engineering is based on it and we can recommend it to, to, to companies or to get to technical guys to consider it. 
 

Marco Ciappelli: All right. Well, sounds interesting. And I liked the idea of that. You can have a lot of tools, but you know, gotta use the one that are right for you. And, and create your own, your own [00:21:00] system according to what you, you do in term of your business. What you have to defend. You can't just say, yep, I just got the zany part and, uh, I'm good. It doesn't, it doesn't work like that. 
 

Yeah, that makes sense. Well, Sean, I think it's a good, uh, it's a very exciting conversation. I will tell you that I will not go 
 

That's right, but I will, but you'll be there.  
 

Sean Martin: You're not going to go, but you'll be there. Uh, well, if you, if you want to not go and be there still, it's Wednesday, May 8th at 1:15 local time in San Francisco, of course. And, uh, Ondrej and Jan will be there, uh, giving their case study. So, as you probably gleaned from this conversation, these, these guys can get down into the nitty gritty of what's going on there, and, and guess what? 
 

You're in luck. There's, uh, there's Birds of a Feather where you can actually get into some of those details with them. It's called Time to [00:22:00] Talk About Cyber Counterintelligence. That's Thursday, May 9th at 10:50 in the morning. And, uh, so two opportunities. One to hear or speak. Thanks. Maybe catch a few minutes with them after, and then a chance to sit down with them and others interested in this topic and go deeper. 
 

Uh, clearly, you guys know what you're talking about, so it's, uh, as, as you got accepted, I mean, not an easy feat, as I mentioned in the beginning, right? So, congratulations on that, uh, wish you safe travels from, uh, from the Czech Republic, and, uh, look forward to meeting you in person and, and catching the others. 
 

Catching the talk and, uh, maybe grabbing a feather from the birds of a feather.  
 

Marco Ciappelli: Well, you know, I mean, like you said, they come a long way and, uh, and I think it will be a great opportunity to see a presentation that, uh, hasn't happened yet and, uh, and hear different perspectives. So I, again, I would not be there. 
 

So I'm not going to see you  
 

Sean Martin: [00:23:00] there. All right. Thank you, gentlemen and everybody listening. Thank you for, uh, Yeah, for catching this episode of our On Location Chats on the Road to RSA Conference. Lots and lots. I think, I don't know, what we've done thus far, we have as much. More to do in the next two weeks. 
 

So as many conversations as we've had that many again, uh, for the next couple of weeks, we  
 

Marco Ciappelli: will not have  
 

Sean Martin: and many that we won't have, you won't hear them. That's the one I'm going to be my own going thing. I have a feeling you're going to carry it through to the other conversations today too.  
 

All right. 
 

Thanks everybody. Subscribe soon. We'll see you in  
 

San Francisco.  
 

Ondrej Nekovar: Thanks. See ya. See you then.