Deception is a natural fit with threat hunting and threat intelligence gathering: it allows teams to engage with adversaries earlier in the attack sequence that has been defined by the MITRE ATT&CK framework. Here we explore and explain the benefits of using high-end, full-spectrum deception in the context of today’s threat hunting challenges. Download the full white paper.
Security has always been a game of cat and mouse, in which the defender is always one step behind the enemy. It’s the same with traditional threat hunting tools, where the defender typically tries to detect an already occurring attack. With deception, we strike first, creating custom synthetic environments designed to lure the attacker in, with the added capability to develop deception campaigns tailored to the type of attacker you want to track.
Threat intelligence relevant to your organization
One of the biggest problems when dealing with threat intelligence is distinguishing which information is relevant to your organization and which is not. Deception gives threat hunting teams the capability to deploy deception campaigns that are part of their enterprises attack surface. This ensures that any activity detected, and thus the intelligence gathered from the campaign, is relevant to your organization specifically.
A proactive solution
Traditional threat hunting tools involve looking inside your organization to try to detect anomalies or known behavior. Deception lures attackers into the synthetic environment and builds an attack surface designed to give them access to investigate he attack in the created environment. This is safe for the enterprise as no production IT is at risk. As the threat hunting teams quietly observe the threat actors working, they gather intel, they divert the actors from their real attack, they uncover motives and objectives, they can then thwart further activity on production systems. Threat hunting is in this way threat actor hunting, an altogether more specific operation.
Trusted threat intelligence
You won’t always know where threat intelligence comes from. You’ll have an idea about who provides the intel, but you don’t get any insight into how and where the magic actually happens. Instead, you have to trust that the data you have is rigorous, unbiased and reliable. Now, with a deception solution, you can control the environment and you control what, when, where and how the evidence is obtained.
Avoids alert fatigue
It’s likely that the massive volume of IOC your organization is ingesting is already giving some or lots of false positives, making life more difficult for your SOC analysts, and worse still, forcing them recreate some rules to quieten the noise, and creating more weak points in your defense system. By design, deception generates only information and alerts that are relevant to your organization.
Easy to manage information
There are tons of information to be checked; huge databases of IOCs, lots of reports and white papers to analyze, conferences to attend, new techniques to be aware of, the list goes on. Staying up to date is difficult and time consuming and knowing what could be relevant to your organization is not a trivial task. Deception delivers a vast intelligence knowledgebase, but the analyst will see only the information related to the incident (IOCs and TTPs) and the most detailed insights, saving time and reducing the need to process large amounts of unnecessary data.
Relevant actionable information
Continuous monitoring of thousands of IOCs is not a bad thing, but it is not what you will get with a deception tool. When an incident occurs, you will get IOCs found during the event and other related IOCs that might be relevant, enabling you to narrow your hunt for malicious activity within your organization’s infrastructure using specific, and often unique, intelligence.
Plug the gaps in your defense system
Threat hunting teams can rapidly deploy deception campaigns to cover specific threat areas, such as merger and acquisition activity, that will create specific threat actor interest. They can also cover specific areas of IT systems that are unable to generate logs or provide monitoring such is IOT systems. Also, during long upgrade and roll-out cycles for more traditional cyber security controls where full coverage cannot be provided, deception can be rapidly deployed to mitigate specific system risks while the traditional controls are being upgraded and deployed.
Unleash the Power of Deception for Threat Hunting
Threat hunting is not only about early threat detection. Why not try to completely prevent an attack? If only you could redirect attackers away from your internal network and into a synthetic deception environment, where you can study the attacker with no risk to enterprise systems… With CounterCraft, you can. And shall we dig deeper to reveal concise insights about the attackers who actually want to attack you, and use them against your adversaries? The answer is surely yes, let’s do it!
A synthetic deception environment captures the most accurate and complete information about an attacker’s behavior. You have complete control of the environment and are able to monitor all the movements the attacker makes while they’re engaged with a campaign. It sounds like we’re getting pretty close to the concept above of studying, profiling and controlling threat actors, doesn’t it?
High-end deception is guaranteed to tool-up your threat hunting team. Our cyber deception platform is fully integrated with the MITRE ATT&CK™ classification schema and offers full-spectrum threat hunting, enabling you to detect and identify external pre-attack stealth activities and find evidence of internal or external attackers on enterprise systems. Powerful automation enhances the whole process even further, and makes life simpler for your teams.
Don’t sit back and wait. Engage with the threat actors who are actually attacking you.
Excited to know more? Register for the first in our brand new series of webinars, “How to Hunt Cyber Threat With Deception”, 3pm, 29 April 2019. SIGN UP HERE.