Deception technology may be able to help your organization identify and mitigate external and internal computer security threats faster, finding compromised computers quickly enough to prevent breaches of critical information. With new approaches, commercial deception products emulate existing workstation and server operating system images, log files, activity, and accounts, providing a set of realistic targets for a malicious individual to examine. When the malicious individual attempts any interaction with a deception host, your Security Operations Center (SOC) gets a very high confidence, zero false positive alert: a bad actor is in the network and requires immediate action. This kind of alert is hugely valuable to SOC staff members sifting through what can be terabytes of log data daily.
In a recent survey of 583 U.S. companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their organizations' computers had been breached at least once by hackers over the past 12 months. Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months.
We all face compromises, and for cyber resilience, reacting to these compromises is crucial to avoid operational impacts and expensive breach responses.
How can deception technology help us? For the non-technical reader: attackers will typically compromise a workstation and then start looking around, conducting the reconnaissance stage of the cyber kill chain with tools like ping, nmap, and others. In effect, they are turning on a flashlight in a dark room. With deception technology in your network, this flashlight beam of packets immediately sets off alarms: there is a compromised computer inside the enterprise network. Nobody should be shining a flashlight (a beam of packets) into a room in your home that does not actually exist. Deception tools are configured to ignore known sources of these packets, such as network management hosts and troubleshooting workstations. A scan or login attempt against a host that does not exist can immediately identify both external compromises and internal malicious activity. It could be a malicious insider looking for sensitive information in other departments, something you need to know about but may be blind to without instrumentation. Deception technology is something most large organizations should consider to improve visibility and speed incident response. High confidence emergency alerts significantly improve SOC effectiveness, preventing a highly likely workstation compromise from escalating into a breach of sensitive information on critical servers.
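The detection rule described above, written out as an added example (this is not LP3's code or any vendor's product logic): any scan or login aimed at a decoy address is an alert, unless the source is an allow-listed network management host. The decoy range, the allow-list, the log line format and the sample log are all constructed for illustration.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed values (not a real deployment): the deception range, and scanners whose probes are expected.
DECOY_NETS = [ipaddress.ip_network("10.0.5.0/27")]
ALLOWLISTED_SOURCES = {"10.0.1.5"}   # network management host

# Hypothetical flow/auth log format: "<ts> <kind> src=<ip> dst=<ip> [user=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>scan|conn|login) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: user=(?P<user>\S+))?$"
)
Alert = namedtuple("Alert", "ts src dst kind user")

def is_decoy(addr):
    """True if addr lies in a deception range; non-IP values are never decoys."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in DECOY_NETS)

def detect(lines):
    """One Alert per decoy interaction from a source that is not allow-listed."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:          # malformed line: skip it, never crash the pipeline
            continue
        rec = m.groupdict()
        if not is_decoy(rec["dst"]) or rec["src"] in ALLOWLISTED_SOURCES:
            continue           # real asset, or an authorised scanner: not a signal
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["kind"], rec["user"]))
    return alerts

def hosts_to_isolate(alerts):
    """Collapse alerts to the sources the SOC must act on immediately."""
    return sorted({a.src for a in alerts})

# Constructed sample: an authorised scan, a normal connection, then one workstation probing decoys.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z scan src=10.0.1.5 dst=10.0.5.20
2024-03-01T09:00:02Z conn src=10.0.7.33 dst=10.0.7.40
2024-03-01T09:00:03Z scan src=10.0.7.33 dst=10.0.5.20
2024-03-01T09:00:04Z login src=10.0.7.33 dst=10.0.5.21 user=administrator
not a log line
""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields two alerts, both from 10.0.7.33, while the authorised scanner and the connection to a real asset produce nothing; the allow-list is the one place a misconfiguration can hide a real hit, so keep it short and reviewed.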
If you would like more information, contact LP3. We will be glad to help you make an informed decision on deception technologies in your environment.
Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.