Deception technologies are gaining traction in the enterprise as a means of detecting and responding to incidents more rapidly and effectively. While vendor and open source options differ widely in depth and breadth of coverage as well as features offered, there are some universally applicable ways that deception tech tools can help improve defensive tactics. Here are five actions you can take to immediately improve detection and response capabilities using deception technology:
- Prioritize and tune correlation and alerting in the security operations center (SOC). One of the most valuable benefits of deception technology is the highly accurate results and alerts that it generates. In essence, deception tech is only in place to lure attackers and those with malicious or suspicious intent. As a result, only legitimate alerts should be generated, with no or minimal false positives. Some false positives may occur when a user accidentally accesses the wrong IP address, for example, but otherwise, no legitimate use should exist for accessing honeypot systems, using false credentials or trying to access or open documents that are lures for attackers. In many cases, SOC teams can prioritize alerts from deception technologies and spend less time validating whether they are legitimate or not, and this can speed up investigations and case resolution.
- Build insider threat use cases and playbooks. Along with detecting stealthy attackers that may have gained access into the environment, deception tech is adept at ferreting out insider threats. Most insiders are looking for access to interesting or valuable information, and the process of searching alone will likely lead to discovery of certain deception files and credentials, which can help security teams detect and stop these threats. Security teams can build playbooks focused on this kind of detection and response, which has been notoriously difficult for many due to privacy or entrapment concerns.
- Consider new automated response tactics. One of the most powerful features of deception tech is the ability to perform automated actions and responses, either directly with the tools themselves or through integration with other vendor solutions like incident response automation and orchestration platforms. Examples of automated response actions might be generating new "breadcrumbs" to lure attackers to another decoy or fake system, or automated capture of forensic evidence or indicators from the attacker's actions.
- Develop highly tactical threat intel. Many in the threat intelligence community will tell you that the best intel is often generated from within your own environment, and deception technology can greatly ease and facilitate the generation of this data. Critical information like file indicators for malware and attacker toolkits, processes running, ports opened, patterns of network traffic and many more can be captured within decoy environments easily and used to look elsewhere in the environment for those same indicators and tactics.
- Minimize (or enhance) attacker dwell time and enhance defense response time. Finally, deception tech, with its rapid detection of bad behavior, can create a more granular level of control in how long attackers actually retain access into the environment. Dwell time -- the amount of time an attacker actually lurks in the environment while performing malicious activities or planning them -- is something all security teams want to reduce overall unless their goal is to observe the attacker in action. With deception technology, you can shift dwell time in either direction as desired, perhaps depending on specific attacks or use cases.
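
The alert prioritization described in the first action above, as an added example that is not from the original article or from any vendor's product: every touch of a deception asset raises an alert, and only the one benign case the article names (a single connection to one decoy, such as a mistyped IP address) is ranked lower. The decoy inventory, event fields, sample events and priority labels are all constructed assumptions.

```python
from collections import defaultdict

# Constructed deception inventory (assumed names, not from any product).
DECOY_IPS = {"10.20.0.50", "10.20.0.51"}
HONEY_ACCOUNTS = {"svc_backup_adm"}
LURE_DOC = r"\\fs01\finance\payroll_passwords.xlsx"
LURE_DOCS = {LURE_DOC}

# Constructed sample events, in the shape a SIEM might normalize them to.
EVENTS = [
    {"src": "10.1.4.17", "type": "conn", "dst": "10.20.0.50"},
    {"src": "10.1.9.33", "type": "conn", "dst": "10.20.0.50"},
    {"src": "10.1.9.33", "type": "conn", "dst": "10.20.0.51"},
    {"src": "10.1.9.33", "type": "auth", "user": "svc_backup_adm"},
    {"src": "10.1.7.80", "type": "file_open", "path": LURE_DOC},
    {"src": "10.1.2.5", "type": "conn", "dst": "10.1.0.10"},  # normal traffic
]

def deception_hit(event):
    """Return (kind, asset) if the event touches a deception asset, else None."""
    if event["type"] == "conn" and event.get("dst") in DECOY_IPS:
        return ("decoy_host", event["dst"])
    if event["type"] == "auth" and event.get("user") in HONEY_ACCOUNTS:
        return ("honey_credential", event["user"])
    if event["type"] == "file_open" and event.get("path") in LURE_DOCS:
        return ("lure_document", event["path"])
    return None

def triage(events):
    """Group deception hits per source host and assign a SOC priority."""
    hits = defaultdict(list)
    for ev in events:
        hit = deception_hit(ev)
        if hit:
            hits[ev["src"]].append(hit)
    alerts = {}
    for src, touched in hits.items():
        # One lone connection to one decoy host may be a mistyped address:
        # keep the alert, but rank it below everything else.
        lone_conn = len(touched) == 1 and touched[0][0] == "decoy_host"
        alerts[src] = {
            "priority": "review" if lone_conn else "critical",
            "assets": sorted(set(touched)),
        }
    return alerts

if __name__ == "__main__":
    for src, alert in sorted(triage(EVENTS).items()):
        print(src, alert["priority"], alert["assets"])
```
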
As we can see, deception technology holds enormous promise in helping refine and perhaps even reinvent many core defensive security processes.