Page 24 - Cyber Warnings
P. 24
Simplifying Incident Response with Deception
By Carolyn Crandall, CMO
Computer security incident response teams (CSIRTs) continue to struggle to deploy effective
incident response. A combination of more data to sift through to detect malicious activity; limited
time, manpower and expertise resources; and the more severe consequences of data breaches
all contribute to the challenges of effective incident response.
Integrating deception into incident response solutions has caught the attention of industry
experts. KPMG highlighted many of the common mistakes teams make in deploying,
maintaining and enhancing incidence response solutions in a 2016 report. In addition, in
another 2016 report, "Best Practices for Detecting and Mitigating Advanced Threats, 2016
Update," Gartner analysts note, “When possible, consider your IR investigation and triage
efforts with integration between forensic analysis tools and other security monitoring software to
more rapidly respond to potential suspicious security events when they occur.” They also noted
as a best practice to consider, “Utilizing deceptions across endpoint, application, data, identity
(fake credentials) and network infrastructure to enhance your advanced-threat and insider-threat
detection goals.”
A new generation of innovative technologies has emerged to address these challenges. At the
forefront of these is deception. These new solutions accelerate incident response by not only
providing early attack detection, but also by automatically taking disparate attack information,
correlating and displaying it on one dashboard where the solution can score it based on the type
of attack activity, and creating playbooks CSIRTs can use to create repeatable processes,
simplifying future incident responses. New incident response solutions based on deception
platforms integrate with third party prevention systems, such as firewalls, SIEMs, NAC, and end-
point (EDR) to automatically block and quarantine attacks. This expedites response actions,
prevents the attack from continuing to spread through the network, and empowers threat
hunting for forensic artifacts in other parts of the network to confirm they have eradicated the
attack. To integrate and automate incident response using deception, CSIRTs should have an
understanding of how these solutions work and key capabilities requirements.
Gaining a Complete Picture
Incident response solutions should be able to ingest information from threats detected by
deception engagement servers, SIEMs and other devices, correlating attack data, logs,
endpoint memory forensics, and use of deception credentials by tracking failed log-ins. This
approach provides a more complete picture of the attack and ultimately reduces false positives
and investigation time, thereby simplifying overall incident response.
Additional Attack Insight via Adaptive Deception
Solutions should apply advanced analytics to correlate the multi-source attack information and
be able to open communications to Command and Control Centers (C2C) in order to
understand the attacker’s lateral movement and any polymorphic activity. With advanced
24 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide