The majority of legacy detective technologies focus on looking for “evil”, either via a signature match, a behavioral match, or some heuristic algorithm. Unfortunately, attackers do a good job of making “evil” appear “not evil”, and therefore our detective technologies fail to capture attacker activity. Making the situation even worse, many enterprises see between 10,000 and 150,000 alerts per day. That is a range of between 7 and 104 alerts per minute, or one alert every 2 to 9 seconds. At this rate, even when our detective controls catch the malicious activity, it can get lost in the “noise”. Fortunately, there is a solution: we can change the paradigm.
Instead of looking for “evil”, we can shift our approach to look for abnormal. When looking for evil, detective technology looks for very specific things: signatures, behaviors, and so on. Only those specific things will generate an alert, so an attacker only needs to look unlike the specific detective criteria. Anything that does not look like “evil” will be ignored, giving the attacker virtually countless options and opportunities. By changing the paradigm to look for abnormal, anything that does not fall into the category of normal results in an alert. With this approach, the attacker can only do the specific things defined as normal. Any other action will be identified as potentially malicious.
You may be thinking that attempting to normalize an entire computing environment is challenging, to say the least. You would be correct; however, this level of normalization is not necessary in the context of cyber deception. With cyber deception, we place non-production resources throughout our computing environment. These resources could be files, directories, user accounts, credentials, open ports, listening services, containerized systems, full computers, or even complete networks of computers. The key is that these resources have no production value. As such, no legitimate user or production technology should be interacting with the planted non-production resources. Thus, any interaction is, by definition, abnormal. We are effectively redefining normal in a very specific context.
How does this help defenders or hurt attackers? First, keep in mind that user behavior is typically very predictable. Users come in, do their jobs, and then go home. They interact with the same systems and applications, day in and day out. An attacker, on the other hand, will not behave like a normal user. Not only do most attackers not understand what they “should” be doing (as a normal user), they also do not want to behave like normal users. They want to explore the network to find resources of value. They want to escalate their permissions and move laterally throughout the environment. Unfortunately for the attacker, the non-production (deceptive) resources placed in the environment are not easily differentiated from production resources. As a result, when the attacker attempts to explore the environment, they are likely to interact with one of the planted deceptive resources. The instant this occurs, an alert is generated that cannot be a false positive. Remember, normal equals no interaction. Any interaction is always abnormal.
It is possible that a non-malicious user was bored and exploring the environment. It is also possible that the security team conducted a port or vulnerability scan that included deceptive resources. In these, or similar, cases, defenders would have the IP address from which the interaction occurred, which makes determining malicious (or not) intent trivially easy. This means that cyber deception creates a high-fidelity, low-noise detection solution, allowing defenders to reduce SOC costs and the costs of a data breach. In fact, according to a study conducted by Enterprise Management Associates, users of deception technology reported a 12x improvement in the average number of days it takes to detect attackers. Similar studies show as much as a 94.5% reduction in average dwell time.
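As an added illustration, not code from the original article, the following Python sketch shows the detection rule the last three paragraphs describe: every touch of a planted resource is an alert, and the source IP is used only to triage it (authorized scanner versus unknown source). The decoy names, scanner address and log lines are all constructed for the example.

```python
import re

# Constructed inventory of planted, non-production resources. No legitimate user or
# production process has a reason to touch these, so any reference to them is abnormal.
DECOY_TARGETS = {
    r"\\fs01\hr_archive",         # decoy file share
    "backup-db-03.corp.example",  # decoy host with a listening service
}
DECOY_ACCOUNTS = {"svc_backup_admin"}  # decoy credential planted in a config file
# Hosts the security team uses for authorized port/vulnerability scans (constructed).
KNOWN_SCANNERS = {"10.9.9.5"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse a constructed key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def classify(event):
    """Return an alert if the event touches a decoy, else None. Every decoy touch is
    abnormal by definition; the source IP only decides how it is triaged."""
    target = event.get("target", "")
    hit = next((d for d in DECOY_TARGETS if target.startswith(d)), None)
    if hit is None and event.get("user") in DECOY_ACCOUNTS:
        hit = event["user"]
    if hit is None:
        return None
    src = event.get("src", "unknown")
    return {
        "src": src,
        "decoy": hit,
        "action": event.get("action"),
        "triage": "known_scanner" if src in KNOWN_SCANNERS else "investigate",
    }

def detect(lines):
    """Run classify() over event lines; ordinary production traffic yields no alerts."""
    return [a for a in (classify(parse_event(l)) for l in lines) if a]

# Constructed sample events: two ordinary user actions, one authorized scan that reaches a
# decoy host, and one workstation opening the decoy share with the planted credential.
SAMPLE_LOG = [
    'ts=2024-05-02T09:01:10Z src=10.1.4.22 user=jdoe action=smb_open target=\\\\fs01\\finance\\budget.xlsx',
    'ts=2024-05-02T09:02:31Z src=10.1.4.22 user=jdoe action=http_get target=intranet.corp.example',
    'ts=2024-05-02T09:05:00Z src=10.9.9.5 user=- action=tcp_connect target=backup-db-03.corp.example:445',
    'ts=2024-05-02T11:47:52Z src=10.1.4.22 user=svc_backup_admin action=smb_open target=\\\\fs01\\hr_archive\\payroll.xlsx',
]
```

Running `detect(SAMPLE_LOG)` yields two alerts and nothing for the ordinary traffic; the scanner hit is labelled for quick dismissal, while the workstation using the planted credential is the one to investigate.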
Cyber deception is proven to reduce detection and response time, and thus will reduce average breach costs. Cyber deception can also reduce SOC operational costs by virtually eliminating false positive alerts. Together, these benefits can significantly reduce overall security costs.
Now that you have the data, what are you going to do about it?
Will you continue accepting weeks or months of attacker activity on your network before you even have the chance to respond?
Will you continue to pay one out of three SOC analysts to do nothing but address unnecessary false positive alerts?
Or will you implement a solution that is proven to work, proven to reduce dwell times, breach costs, and SOC costs, and that can be implemented at a cost that is a fraction of the savings you will see?