Posted by: Nick Palmer, Sales Engineer
A recent study by the Ponemon Institute found that an organization can receive an average of 17,000 malware alerts in a week, and that the investigative time wasted on them costs up to $1.3 million annually [1]. Worse, only about 4% of alerts were investigated at all, because of unreliable detections and the sheer number of false positives. Attackers know this. Kaspersky suggests that advanced threat actors may even use diversionary tactics such as Distributed Denial of Service (DDoS) attacks deliberately to generate alert overload [2]. Any security professional operating in a real-world Security Operations Centre (SOC) will tell you the same thing: most of the effort goes into separating the uninteresting from the interesting.

Visualize the following scenario. Your Intrusion Detection and Intrusion Prevention Systems (IDS / IPS) are well tuned, and you have accommodated the quirks of your internal applications to minimize false positives. Similarly, your Security Information and Event Management (SIEM) solution has top-quality correlation rules configured and can comfortably differentiate between routine administrative tasks on a server and non-whitelisted processes spinning up or down on the same box. The problem is that both platforms are probably still generating tens, if not hundreds of thousands of events per day. Security analysts spend the lion's share of their time acknowledging legitimate or non-suspicious events on the network. Quite apart from what that activity costs, it is a risky misuse of scarce resources.
Deception Solutions are different. They are designed to entice attackers out of their hiding places on the infrastructure and into interactions with controlled, managed decoy assets. Because the decoys are isolated from production systems and hold nothing real, they present minimal risk of being used as a pivot to attack the organization, yet they create convincing engagement points: an attacker who believes the decoy holds monetisable data will interact with it and, in doing so, reveal their Tactics, Techniques and Procedures (TTPs).
Imagine you're a juror serving on a trial. The prosecution is trying to convince you of the accused's guilt while the defense tries to convince you of their innocence, and you must presume innocence until guilt is proven. You obviously cannot afford that presumption in cyber security, and a Deception Solution lets you drop it. If your installed Deception Solution is generating events, the prioritization landscape changes and those events demand immediate, urgent attention. A good Deception Solution is a device on your network with which NOTHING should be communicating. It initiates no connections to anything other than sandboxes or other fictional real estate, and there is no legitimate reason for client machines, or the vast majority of servers, to talk to it. No DNS traffic, no WSUS, no SSH. Nothing.

In practice a handful of known sources will touch it anyway (an authorized vulnerability scanner, asset discovery, a misconfigured monitoring host), and those should be identified and explicitly exempted rather than left to generate noise. Beyond that short list, anything that speaks to the deception technology can be presumed to be a threat actor, or a machine operating under the control of one. An optimized installation pushes the alerts and intelligence from the Deception tool into your SIEM or other centralized security console. As long as you treat anything talking to the Deception tool as an immediate and very tangible risk, and raise the severity of those events accordingly, your security staff's productivity improves automatically: these are the few alerts that genuinely warrant investigation first. More importantly, you move significantly closer to minimizing the material losses and reputational damage that result from breaches. In legal terms we are used to presuming innocence until guilt is proven. A Deception Solution reverses that presumption: anything speaking to it can be treated as guilty until proven innocent, with a confidence no other sensor on the network can offer. What's that worth to YOUR organization?
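To make the "exempt the known sources, escalate everything else" rule concrete, here is an added example of the triage logic a SIEM integration might apply to a decoy's connection log. It is illustrative code written for this post, not part of any vendor product; the log format, the decoy address 10.0.9.9, the exempt scanner range 10.0.200.0/24 and the sample log lines are all constructed for the example.

```python
"""Triage connections observed by a deception host (constructed example).

Any source that talks to a decoy is escalated to a critical alert unless it
is on an explicit exemption list (e.g. an authorised vulnerability scanner).
Log format, addresses and port labels below are assumptions for this example.
"""
import ipaddress
import json
from collections import defaultdict

# Assumed decoy log format: "<ts> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
# Constructed sample: one host probing several services, one touching SSH,
# and one authorised scanner that should be exempted.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=10.0.5.20 dst=10.0.9.9 dport=53 proto=udp
2024-03-01T09:00:02Z src=10.0.5.20 dst=10.0.9.9 dport=22 proto=tcp
2024-03-01T09:00:03Z src=10.0.5.20 dst=10.0.9.9 dport=445 proto=tcp
2024-03-01T09:00:04Z src=10.0.5.20 dst=10.0.9.9 dport=8530 proto=tcp
2024-03-01T09:05:00Z src=10.0.1.7 dst=10.0.9.9 dport=22 proto=tcp
2024-03-01T09:10:00Z src=10.0.200.4 dst=10.0.9.9 dport=3389 proto=tcp
"""

# Exemptions: sources that are *expected* to touch the decoy. Assumption:
# 10.0.200.0/24 hosts the authorised vulnerability scanner.
EXEMPT_SOURCES = [ipaddress.ip_network("10.0.200.0/24")]

# Port to the service the decoy impersonates; used only to enrich the alert.
PORT_LABELS = {22: "ssh", 53: "dns", 445: "smb", 3389: "rdp", 8530: "wsus"}


def parse_line(line):
    """Parse one decoy log line into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {
            "ts": parts[0],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "proto": fields["proto"],
        }
    except (ValueError, KeyError):
        return None


def is_exempt(src):
    """True if the source address falls inside an exempted network."""
    return any(src in net for net in EXEMPT_SOURCES)


def triage(log_text):
    """Group decoy contacts by source and build SIEM-ready alerts.

    Returns (alerts, exempted): one critical alert per non-exempt source,
    plus the set of exempted sources that were skipped.
    """
    by_src = defaultdict(list)
    exempted = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_exempt(ev["src"]):
            exempted.add(str(ev["src"]))
            continue
        by_src[str(ev["src"])].append(ev)

    alerts = []
    for src, events in by_src.items():
        ports = sorted({e["dport"] for e in events})
        alerts.append({
            "severity": "critical",  # anything non-exempt touching the decoy
            "rule": "deception_host_contact",
            "src": src,
            "decoy": str(events[0]["dst"]),
            "first_seen": events[0]["ts"],
            "last_seen": events[-1]["ts"],
            "services": [PORT_LABELS.get(p, str(p)) for p in ports],
            "event_count": len(events),
            # several distinct services from one source looks like enumeration
            "tags": ["scan"] if len(ports) >= 3 else [],
        })
    return alerts, exempted


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for alert in found:
        print(json.dumps(alert))
    print("exempted:", sorted(skipped))
```

Run against the sample log, this emits two critical alerts (10.0.5.20 tagged as a scan because it touched four different services, and 10.0.1.7 for a single SSH contact) and silently drops the scanner at 10.0.200.4. The point of the exemption list is that it is short, explicit and reviewed: every address on it is a known reason for contact, so anything not on it needs no further correlation before it lands at the top of the analyst's queue.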