Deception as a Security Discipline: Going on the Offensive in the Cybersecurity Battlefield

  • July 2016 •
  • 10 pages •
  • Report ID: 4090186 •
  • Format: PDF
Is there a way to consistently produce high-fidelity alerts that are unmistakably tied to attackers and malicious insiders, that carry a complete record of the attacker's movements through the system, and that fire in real time? That, in a nutshell, is the objective of deception, and it is the focus of this week's insight. The insight also includes a brief description of one deception solution provider that has been making headway in this new security category, Attivo Networks.

Introduction
Security analysts tasked with alert investigation and incident response are inundated with security alerts. Those alerts have more than one origin: they arise both from internal operations and from cyber attackers. On the operations side, the combination of IT hybridization (on-premises and cloud), end users with multiple devices, the Internet of Things, and partner and supplier integrations produces a complex and broadening system of assets, connected devices, and interrelationships. Moreover, this sprawl is dynamic. It changes constantly, for a number of legitimate reasons such as revised business requirements, altered circumstances, and the introduction of new applications and technologies. Because any change is a deviation from the norm, even anticipated change adds to the alert pile.

The user community represents its own slice of uncertainty and non-conformity. In the course of getting work done, users veer from their normal routines, and they also cross the boundaries of acceptable practice (e.g., sharing and reusing credentials, and sharing other sensitive information with individuals who have no need to know). They also, unintentionally but nevertheless directly, put the business at risk by giving malware a toehold in internal systems or by divulging their credentials when, for example, they are tricked into opening dubious email attachments or interacting with questionable Web sites. Together, operations and user activity drive up alert volume.

Cyber-attacks, the core focus of security analysts, are the ever-present wild card and a prominent cause of alert generation. Professional attackers, however, know that deviation-triggered alerts call attention to their activities and can put a stop to them. They therefore pattern their activities to minimize detection (e.g., by proceeding slowly) and to resemble routine operational behavior.

Even when their activities do generate alerts, those alerts look the same as the crowd of operationally and user-triggered alerts, and attackers gain time in the pursuit of their ultimate goal, exfiltrating valuable data.
For security analysts, the high volume of alerts, attacker activity spread over a lengthy period, and the lack of any differentiation among alerts all challenge their effectiveness and speed in detecting and responding.
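To make the contrast in this introduction concrete, the following is an added illustration (not code from the report or from Attivo Networks) that runs two detectors over the same constructed authentication log. A baseline-deviation detector flags everything outside a learned set of routine (user, host) pairs, which catches the intruder but also fires on bob helping a colleague, dave's first day and carol's new project share. A decoy monitor fires only when a planted decoy share or decoy credential is touched; no legitimate workflow references those, so each hit is attributable to a hostile source, it triggers the instant the event arrives, and the monitor hands back everything that source did up to that point. All host names, user names, events, baseline entries and decoy names are assumptions constructed for the example.

```python
"""Added example: decoy-hit alerting versus baseline-deviation alerting.

Every name and event below is constructed for illustration; none comes from
the report or from any vendor product.
"""
from collections import defaultdict

# Constructed auth log: (seq, src_host, user, dst_host, action)
EVENTS = [
    (1, "ws-12", "alice", "fs-01", "smb_login"),
    (2, "ws-12", "alice", "fs-01", "file_read"),
    (3, "ws-07", "bob", "fs-01", "smb_login"),               # novel but legitimate
    (4, "ws-07", "bob", "fs-02", "file_read"),
    (5, "ws-33", "svc-backup", "db-01", "sql_login"),        # intruder on a stolen service account
    (6, "ws-19", "carol", "mail-01", "imap_login"),
    (7, "ws-44", "dave", "fs-01", "smb_login"),              # new hire, novel but legitimate
    (8, "ws-33", "svc-backup", "fs-decoy-01", "smb_login"),  # intruder touches a decoy share
    (9, "ws-33", "svc-backup", "fs-decoy-01", "file_read"),
    (10, "ws-19", "carol", "fs-03", "file_read"),            # new project share, legitimate
    (11, "ws-33", "it-admin-old", "db-01", "sql_login"),     # intruder tries a planted credential
    (12, "ws-19", "carol", "mail-01", "imap_login"),
]

# Learned routine (user, dst_host) pairs; anything else counts as a deviation.
BASELINE = {("alice", "fs-01"), ("bob", "fs-02"), ("carol", "mail-01"), ("svc-backup", "db-01")}

# Decoys: an asset and a credential that no legitimate workflow ever uses.
DECOY_HOSTS = {"fs-decoy-01"}
DECOY_USERS = {"it-admin-old"}


def deviation_alerts(events, baseline=BASELINE):
    """Baseline-deviation detector: seq numbers of every non-routine event."""
    return [seq for seq, _src, user, dst, _act in events if (user, dst) not in baseline]


class DecoyMonitor:
    """Real-time decoy detector: observe() is called once per event as it arrives."""

    def __init__(self, decoy_hosts=DECOY_HOSTS, decoy_users=DECOY_USERS):
        self.decoy_hosts = decoy_hosts
        self.decoy_users = decoy_users
        self.history = defaultdict(list)  # src_host -> every event seen from it
        self.alerts = []

    def observe(self, event):
        """Record the event; return an alert dict if it touched a decoy, else None."""
        seq, src, user, dst, action = event
        self.history[src].append(event)  # keep a catalog for every source, attacker or not
        if dst in self.decoy_hosts or user in self.decoy_users:
            alert = {
                "seq": seq,
                "source": src,
                "trigger": f"{user}@{dst}:{action}",
                # Everything this source did up to and including the decoy touch.
                "timeline": list(self.history[src]),
            }
            self.alerts.append(alert)
            return alert
        return None


def run_decoy_monitor(events):
    """Feed the log through the monitor in order and return the alerts raised."""
    mon = DecoyMonitor()
    for ev in events:
        mon.observe(ev)
    return mon.alerts


def compare(events=EVENTS):
    """Summarise both detectors: which events fired and which sources they implicate."""
    dev = deviation_alerts(events)
    decoy = run_decoy_monitor(events)
    return {
        "deviation_alerts": dev,
        "deviation_sources": sorted({src for seq, src, *_ in events if seq in dev}),
        "decoy_alerts": [a["seq"] for a in decoy],
        "decoy_sources": sorted({a["source"] for a in decoy}),
    }


if __name__ == "__main__":
    summary = compare()
    print("deviation detector:", summary["deviation_alerts"], summary["deviation_sources"])
    print("decoy monitor:     ", summary["decoy_alerts"], summary["decoy_sources"])
    for a in run_decoy_monitor(EVENTS):
        print(f"alert seq={a['seq']} src={a['source']} trigger={a['trigger']}")
        for ev in a["timeline"]:
            print("   ", ev)
```

On this log the deviation detector raises six alerts spread across four workstations, three of which are benign novelty, while the decoy monitor raises three alerts that all name the same source, and its first alert already carries the earlier service-account login from that host. That is the property the question above is after: the decoy hit needs no baseline to be believed, and the catalogued history gives the analyst the attacker's prior moves at the moment the alert fires.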