Picture this horror story: An adversary has targeted your organization and commenced a campaign to breach your defenses, establish a foothold and begin to either gather up your proprietary information or encrypt it and hold you hostage until you pay the ransom demand.
If your present security solutions provide any warnings, they will be sent along to the front pane of glass of your Security Operations Center (SOC). Here, it is up to your team of analysts performing triage of the alerts to separate the wheat from the chaff, look at the alert details, and determine whether the alert is telling them something impactful is occurring, or decide it can be ignored.
What could possibly go wrong? Plenty.
Race to the bottom (of the alert pile)
Most organizations utilize a Security Information Event Management (SIEM) solution in their SOC to aggregate, correlate and prioritize alerts presented to the frontline SOC analyst. Initial triage of alerts is generally handled by a Level I analyst -- often the newest, and least experienced members of the team. With network-based IDS often spitting out 40 events per second along with a myriad of other security solutions and operating/application logs feeding into the SIEM, it is a daunting task to keep up with the alerts on the screen.
To further increase the pressure, SOC analysts are usually expected to triage an alert in three minutes or less. Get it right, you live to triage another day; get it wrong, your stock price tumbles, people lose jobs and your company gets a ton of negative press.
If you knew an alert was a true positive every time it fired, how would that impact your workflows and decision process in handling that particular incident? High-fidelity alerts essentially mean you can trust and act on the information contained within the alert. They also tend to be very low in volume (unless you're having a really bad day).
There are not many solutions out there that can claim zero false positives (and I would be wary of any vendor that does make that claim!); however, let's consider how deception solutions rate when looking at fidelity and alert volume.
Deception and high fidelity
Deception-based solutions utilize decoys and misinformation to divert and delay an adversary giving the SOC / IR teams sufficient time to perform remediation before the adversary can complete his mission. Deception objects are not known to normal end-users and are white-listed against allowed vulnerability and IT Asset Discovery scanning systems in the organization -- so no one should ever touch a deception decoy. Let's consider the possible ways a decoy could be touched:
- Network misconfiguration -- a scanner was missed in the whitelist or some other misconfiguration causes a system to attempt communications with a decoy
- Curious insider -- an end-user or system administrator pokes around outside of their normal duties, comes across a decoy and reaches out to see what the system is all about
- Malicious insider -- an end-user or system administrator is looking to steal information or cause disruption and stumbles across a decoy while looking for the crown jewels
- External adversary -- an adversary of varying skill level and resources has evaded your prevention layers and is now poking around inside your network
In all four cases, some type of action is required that demands immediate attention. The first two are not malicious in nature and will most likely involve different groups resolving the issue other than the security teams (most likely network operations for the first and human resources for the second). The last two are malicious and require immediate escalation and gathering of additional information to learn the full nature of the attack.
Deception and low volume
Deception is a breach detection solution. By that, I mean that deception is not generally used to detect intrusion attempts or even breach attempts. Deception is a great prevention failure detection solution because it focuses detection capabilities on adversaries and malware that have already successfully bypassed your prevention capabilities.
If we take a typical breach scenario, an adversary will spear-phish an end-user, get them to click on the malicious attachment or link, a payload gets downloaded and/or detonated on the end-user's system and command and control is established between the adversary and the compromised system.
Breach accomplished. The Doomsday Clock starts ticking.
Many security solutions had to fail for this to happen. This first beachhead is not the mission of the adversary, they want your data or to disrupt your operations. They must establish additional beachheads, reach out to application and database servers, map out your organization's assets and determine what are likely targets.
Most intrusion/breach attempts will be blocked by your prevention technologies, you aren't losing sleep over those. It's the ones that get through you need to lose sleep over.
For those, you need endpoint user session, processes and network connections to be correlated and presented completely and quickly so SOC analysts can make the right triage determination. This is where deception solutions step in and present the adversary with inviting targets -- targets that only an adversary should be touching. Working with your SIEM, these high-fidelity alerts can assist in correlation and necessary forensics.
For this reason, deception alerts are few and far between... unless you're having your own Nightmare on Elm Street!
&emdash; John Bradshaw, senior director, solutions engineering at Acalvio Technologies, has more than 25 years of experience in the IT industry focusing on network and system security.