Advanced Deception Technology Through Behavioral Biometrics presented at DerbyConVIIIEvolution 2018

by Curt Barnard, Dawud Gordon,

Summary : In cybersecurity, the attacker tends to have a significant advantage over the defender. A motivated network defender should look for opportunities to have an asymmetric advantage over the attacker to level the playing field. In this talk, we will apply the concept of Behavioral Biometrics in the realm of deception technologies to obtain such an advantage. There are three common factors used in authentication: something you know (a password), something you have (a token), and something you are (a biometric). Each factor has its own unique strengths and weaknesses. In the case of biometrics, biometric data is, in many cases, easy to steal and spoof. Once biometric data is stolen, it is impossible to change, since it is inherently tied to the user. Behavioral Biometrics is the authentication paradigm of using an individual’s behavior as a biometric, rather than a fingerprint. The technology looks at how how a user interacts with a system, such as how they type or move the mouse, touch the screen, which hand they hold the device in, the characteristics of their gait from the motion sensor, as well as spatial and temporal patterns. The result is a biometric that is not immediately visible to an attacker, and incredibly difficult to spoof. Traditionally, should behavioral components detect an intrusion, access is blocked, authentication escalated, or the user was de-authed completely. However, this does not necessarily have to be the case. Deception technology has emerged as a method to either delay attackers, coax out their TTPs (Tactics, Techniques, and Procedures), or gather clues about their true identities. This strategy typically includes things such as canaries, honeypots, or tainted or tracked data. The challenge with deception technology is often in identifying an attacker in the first place in order to divert them to fake resources. We will demonstrate in this talk that Behavioral Biometrics are uniquely positioned to identify an attacker as unauthorized, independent of credentials, in a way that is invisible and spoof resistant. With that information, deceptive technology can redirect their attack in order to delay it, discover the attackers TTPs, or even learn the identity of the attacker as they attempt to exfiltrate mocked data, transfer funds, or use services. We will conclude by demonstrating this combination live.