Bridging the Gap: Deception Engineering as the New Frontier in Detection Engineering
Introduction
Modern Security Operations Centers (SOCs) face a significant challenge in dealing with alert fatigue and the high volume of security alerts generated by various security tools.
With the increasing sophistication of threats, SOCs are inundated with alerts on a daily basis, making it difficult for analysts to identify and prioritize the most critical threats. This can lead to missed threats, increased response times, and a higher risk of security breaches.
To address these challenges, organizations are doubling down on detection engineering.
However, a few questions remain: should we collect all data, and does garbage data lead to garbage outcomes? While we discuss the importance of detection engineering, we will also explore how cyber deception engineering can complement and enhance detection engineering capabilities and provide a "beacon of light" in an ocean of garbage data.
The Issue of Alert Fatigue in SOCs
With the increasing volume and complexity of security alerts generated by various security tools, SOC analysts are often overwhelmed and unable to effectively triage and investigate all alerts.
The Importance of Detection Engineering
Detection engineering is a critical component of modern cybersecurity strategies. It involves the creation and implementation of detection rules and algorithms to identify and prioritize security threats. Effective detection engineering can help organizations quickly identify and respond to security threats, reducing the risk of security breaches and minimizing the impact of any successful attacks.
However, the current state of detection engineering in many organizations is far from ideal. Many organizations rely on static detection rules and signatures, which can result in a high number of false positives and negatives. In addition, many organizations struggle to keep up with the ever-evolving threat landscape, resulting in outdated detection rules and a lack of visibility into new and emerging threats.
In order to avoid missing a signal in a sea of alerts, the SOC team must focus on crafting excellent detections rather than endlessly patching bad ones.
Which ultimately means that a good detection tactic generates a manageable volume of alerts and makes extensive use of automation in order to increase the capacity of the analysts.
To my knowledge, the reality is often very different: SOCs often have a high number of custom detection rules, but a high number of rules does not translate into a high number of high-fidelity alerts. In fact, it is often the opposite.
Poor Detection Leads to Poor Alerts
Alex Teixeira frames this as: before a poor alert, you usually have a poor detection.
He also compares this phenomenon to the realm of project management, where managing the influx of demands for new features or changes without compromising delivery quality is a formidable challenge. This struggle often manifests as scope creep, where the expansion of project boundaries leads to a discernible decline in quality.
Indeed, a similar situation unfolds within enterprise Security Operations Centers (SOCs) as they scale, particularly when the number of data sources and detection rules multiplies. Alex calls this the "creepiness" of detection rules.
In many ways, scope creep can seem inevitable in a SOC environment, particularly as the volume and variety of data ingested continue to grow. This growth is driven by the expanding digital footprint of organizations, the proliferation of cloud services, IoT devices, and the constant evolution of threat vectors and new security services adopted.
However, while the challenges associated with scope creep are real, its impact can be managed and mitigated through strategic planning, robust processes, and the adoption of advanced technologies.
Deception Engineering and Alert Fatigue
Traditional approaches to threat detection, such as manual triage and investigation of security alerts, are no longer sufficient to address the issue of alert fatigue. Manual triage and investigation are time-consuming and labor-intensive, and can delay the identification of and response to critical threats. In addition, the alerts being triaged are often produced by static rules and signatures, which result in a high number of false positives and negatives.
Alex, in a great post focused on the concept of using AI and ML, ended with the question "Can we use AI to generate context-rich, high-fidelity security alerts with super intuitive triage and investigation interfaces the SOC is engaged with?" as a way to ultimately reduce alert fatigue.
While I agree this is a good approach, having also spent a decade developing cybersecurity tools using AI and ML, I also know that AI more often than not generates its own set of challenges, and false positives.
So, here is another approach to reduce alert fatigue: cyber deception engineering.
It involves the use of decoys, lures, and other deceptive techniques to mislead and detect attackers. Cyber deception engineering can help SOCs identify and respond to threats more quickly and effectively, while also reducing the volume of false positives and negatives, and produce beacons of light in a sea of garbage data.
While cyber deception can help you craft better detection rules, the alerts you obtain from deception are high-fidelity by construction: no legitimate user or process should ever interact with your decoys (provided they are excluded from legitimate automation such as vulnerability scanners and backup jobs), so every interaction is worth investigating, and that signal can be correlated with your other telemetry to improve existing detections.
What is Cyber Deception Engineering?
Cyber deception engineering is an emerging field that involves crafting deception techniques to detect threats based on a doctrine.
It is a strategic approach to cybersecurity that involves understanding the adversary and the state of one's own estate to build effective deception plays.
As Sun Tzu's "Art of War" teaches us, deception can be a powerful tool in warfare, and the same principles can be applied to cybersecurity.
Cyber deception engineering involves deploying deceptive strategies to mislead and detect attackers across all tactics of the MITRE ATT&CK framework.
One example of a cyber deception engineering framework is MITRE Engage, which provides a systematic approach to creating and deploying deception techniques.
MITRE Engage includes a range of deception techniques that can be used to detect and respond to threats. However, MITRE Engage also emphasizes the importance of understanding the adversary and the state of one's own estate in order to build effective deception plays.
Integrating Cyber Deception Engineering with Detection Engineering
Traditional approaches, while powerful, may still miss sophisticated, novel attacks or generate false positives that contribute to alert fatigue. Cyber deception engineering, by creating environments specifically designed to produce high-fidelity alerts when attackers interact with them, offers a proactive defense mechanism that can detect adversaries who have evaded the initial detection layers.
Integrating cyber deception with these methods adds depth to the defense strategy and enhances the overall security posture.
Deception techniques serve as a high-fidelity alert system that catches threats which have bypassed other measures; combined with the broad coverage of AI-driven analytics and the reliability of traditional rules, they form a comprehensive, multi-layered defense.
When integrated with detection engineering, cyber deception engineering provides high-fidelity alerts that reduce false positives and improve threat detection and response through threat intelligence and correlation.
For example, when an attacker interacts with a deception system, the resulting alert carries valuable context about the attacker's tactics, techniques, and procedures: the source address, the account used, the decoy touched, and what was done with it.
This information can be used to create new detection rules, to correlate with existing ones (for example, escalating an otherwise low-priority authentication alert when the same source later touches a decoy), or to improve existing rules, resulting in more effective threat detection and response.
Integrating cyber deception techniques with various security tools can significantly enhance an organization's detection and response capabilities.
1. Deception and Endpoint Detection and Response : Deception technologies can complement EDR tools by creating decoy files, systems, or credentials that, when accessed, indicate a breach. For example, a decoy document placed on an endpoint might trigger an alert when opened, suggesting unauthorized access. This alert, along with detailed information about the access attempt (such as time, IP address, and process executed), is sent to the EDR system. The EDR can then use this context to launch an investigation, isolate the compromised endpoint, and prevent the attacker from advancing further.
2. Deception and Security Information and Event Management : Cyber deception can enhance SIEM effectiveness by feeding it high-fidelity alerts. Consider a scenario where an attacker interacts with a decoy thinking it's a valuable asset. This interaction generates an alert that is immediately forwarded to the SIEM, which then correlates this information with other logs and events. For instance, if the SIEM observes login failures followed by a decoy interaction from the same IP address, it can escalate the priority of this alert, allowing security analysts to quickly identify and respond to potential threats.
3. Deception and User and Entity Behavior Analytics : Deception strategies can be designed to attract insider threats or compromised users. By deploying decoys that mimic sensitive internal resources, any interaction with these resources can be flagged as suspicious. For instance, if a seemingly legitimate user accesses a decoy financial document, this interaction generates an alert that is analyzed by the UEBA tool. The UEBA tool assesses this behavior against the user's normal activity pattern and, if it deviates significantly, raises an alert indicating a potential insider threat or compromised account.
4. Deception and Security Orchestration, Automation, and Response : When a deception tool detects an interaction with a decoy, it can trigger a predefined response workflow in the SOAR system. For example, if an attacker engages with a decoy service, the alert generated can instruct the SOAR platform to automatically collect relevant forensic data, block the attacking IP address, and alert the incident response team. This seamless integration allows for rapid containment and investigation, significantly reducing the time to respond to incidents.
5. Deception and Threat Intelligence: Cyber deception provides a unique source of threat intelligence by capturing the tactics, techniques, and procedures (TTPs) of attackers in real time. This information is then shared with the threat intelligence platform, enriching the organization's threat intelligence database with new indicators of compromise (IOCs) and helping to preemptively block similar attacks across the network.
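The SIEM correlation, SOAR hand-off and IOC extraction described in the list above (and the "create new or correlate with existing detection rules" point earlier in this section) can be expressed as a small detection routine. The following is an added example written for this page, not code from the original post or from any product: the log format, the decoy host `fs-backup-02`, the honey credential `svc_legacy_sql`, the IP addresses and the playbook actions are all constructed. It treats any interaction with a decoy asset as an alert, escalates it to critical when the same source produced several authentication failures in the preceding window, attaches the SOAR actions for that severity, and returns the source addresses as IOCs for the threat intelligence platform.

```python
from datetime import datetime, timedelta

# Hypothetical deception assets: a decoy file server and a honey credential.
# Nothing legitimate should ever reference either of them.
DECOY_ASSETS = {"fs-backup-02", "svc_legacy_sql"}

# Hypothetical SOAR playbook keyed by alert severity.
SOAR_PLAYBOOK = {
    "high": ["notify_ir_team", "collect_forensics"],
    "critical": ["notify_ir_team", "collect_forensics", "block_src", "isolate_host"],
}

# Constructed sample events in a simple "timestamp type key=value ..." format.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z auth_failure src=10.0.4.23 user=jdoe host=dc-01",
    "2024-05-01T10:00:05Z auth_failure src=10.0.4.23 user=jdoe host=dc-01",
    "2024-05-01T10:00:09Z auth_failure src=10.0.4.23 user=admin host=dc-01",
    "2024-05-01T10:02:30Z decoy_access src=10.0.4.23 user=svc_legacy_sql host=fs-backup-02",
    "2024-05-01T10:03:00Z auth_failure src=10.0.7.5 user=msmith host=dc-01",
    "2024-05-01T11:30:00Z decoy_access src=10.0.9.77 user=bob host=fs-backup-02",
]


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime 'ts' and 'type'."""
    ts, event_type, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["type"] = event_type
    return fields


def is_decoy_interaction(event: dict) -> bool:
    """A decoy interaction is any event that touches a decoy host or honey credential."""
    return event.get("host") in DECOY_ASSETS or event.get("user") in DECOY_ASSETS


def correlate(events: list, window: timedelta = timedelta(minutes=10),
              min_failures: int = 3) -> list:
    """Emit one alert per decoy interaction; escalate to 'critical' when the same
    source had at least min_failures auth failures inside the preceding window."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for event in events:
        if not is_decoy_interaction(event):
            continue
        prior_failures = [
            e for e in events
            if e["type"] == "auth_failure"
            and e["src"] == event["src"]
            and event["ts"] - window <= e["ts"] < event["ts"]
        ]
        severity = "critical" if len(prior_failures) >= min_failures else "high"
        alerts.append({
            "ts": event["ts"].isoformat(),
            "src": event["src"],
            "user": event.get("user"),
            "decoy": event.get("host"),
            "prior_failures": len(prior_failures),
            "severity": severity,
            "actions": SOAR_PLAYBOOK[severity],
        })
    return alerts


def extract_iocs(alerts: list) -> list:
    """Source addresses that touched a decoy, for the TI platform or a blocklist."""
    return sorted({a["src"] for a in alerts})


def run_sample() -> list:
    """Run the pipeline over the constructed sample and return the alerts."""
    return correlate([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    print("IOCs:", extract_iocs(run_sample()))
```

On the sample data the first decoy interaction from 10.0.4.23 follows three failed logons from the same source within ten minutes and is escalated to critical with the full containment playbook, whereas the later interaction from 10.0.9.77 has no prior failures and stays a high-severity alert; both sources are returned as IOCs, because a decoy touch alone is already a high-fidelity signal.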
By generating high-fidelity alerts and providing a "beacon of light" in the ocean of data, cyber deception engineering can help organizations improve their threat detection and response capabilities.
Shifting Left
By shifting left and incorporating cyber deception engineering into the early stages of the security maturity lifecycle, organizations can build a comprehensive security strategy in which deception complements the tools they already have early on, and in turn improves their detections.
To effectively integrate cyber deception engineering with detection engineering, organizations should adopt a strategic approach to deception. By deploying deception around a doctrine, organizations can create a deceptive environment that is tailored to their specific needs and requirements.
Deception doctrines vary from an SME to a Fortune 500 company, but I am confident in saying that there is a play for every organisation.
The great thing is that there are now deception-as-a-service solutions that will help with such deployments.
Closing
By generating high-fidelity alerts and providing a "beacon of light" in the ocean of garbage data, cyber deception and deception engineering can help organizations improve the quality of their detection and alerts.
By pairing deception with other security tools, organizations can create a comprehensive security strategy that provides high-fidelity data and improves threat detection and response capabilities.
To effectively integrate cyber deception engineering with detection engineering, organizations should adopt a strategic approach to deception that is based on a thorough understanding of the adversary and the state of their own estate. By deploying deception around a doctrine, organizations can create a deceptive environment that is tailored to their specific needs and requirements.
Organizations looking to adopt cyber deception engineering as part of their cybersecurity strategies should consider the following recommendations:
Start with an assessment of the current state of their security posture and identify areas where deception can be used to improve threat detection and response.
Develop a strategic approach to deception that is based on a thorough understanding of the adversary and the state of their own estate.
Choose deception solutions that are easy to deploy, manage, and integrate with existing security tools.
Continuously monitor and adjust deception strategies to ensure they remain effective against evolving threats.