Many articles have been written about Deception. It is not surprising as deceptive technologies have been taking over the cyber security world in recent years. In the recent Gartner report Deception was named as one of the most effective information security technologies: according to experts, it is almost at its peak and is expected to reach the plateau in the horizon of 5-10 years. We decided to fantasize about what it would be like if there was some “ideal solution” in the market that combines all the features of modern cyber deception technologies.
In this series of articles, we have compiled a summary list of Deception’s features present in these or those solutions. And here we will not go into technical details, our goal is to help readers take a broader look at cyber deception technologies and their possibilities, especially in terms of a defensive strategy, and choose their own “golden standard” for themselves.
Let us start with the basics: the architecture and possible product delivery options. Architecturally, Deception solutions traditionally fall into several classes:
Most of the SOC analysts’ time was spent daily for manual prioritizing security alerts from the SIEM and then for manually generating IT tickets in SD. Between these two big processes were chaotic enquiries for colleagues to find out what equipment was involved in incidents and numerous attempts to reactively respond to these incidents.
There literally was no time for something else in terms of cybersecurity needs of the Organization.
When a new organization wanted to use SOC services, all the generated data during this process was stored in different shared folders and electronic documents. It was a great challenge to combine the whole picture of how the interaction with this specific organization was handled. Plus, there was a demand to keep the control not only of IT assets, but also cameras, physical control points, USB tokens and fetch them with the IT asset model.
There is a structure of playbooks designed for every type of registered incidents and implemented in SOAR. All the correlation rules of the SIEM alert to the SOAR, where everything is instantly mapped and labeled with MITRE ATT&ACK tactics and technics.
There is a main playbook that contains subplaybooks that are launched depending on the conditions that are gathered during the playbook execution.
Our colleagues from the Center of expertise at Defensys use MITRE quite often during our PoC and implementation projects. And we would like to share our thoughts about these very MITRE matrices and their application in this article.
Recently, we hear more and more often that developers actively use MITRE methodology when developing various cyber security products. In MITRE terms, these databases are called matrices, and the number of projects where they are used is constantly growing.
At the same time, we have been wondering for quite a long time now: what does MITRE support give to vendors and end users in the end? Why do we need it all, if we already have, say, some kind of “smart” SIEM or a specialist who constantly works with it?
Our article is designed to get to the bottom of these questions. And to begin with, we suggest to remember what MITREs are.
MITRE is an American non-profit organization that manages systems engineering research and development centers at the U.S. federal government and local government levels.
And then there’s MITRE, a manufacturer of sports equipment.
What is MITRE famous for?