Automatic investigation

Cyber deception can be used to automate decision-making in incident response, lowering SOC costs. ActiveSOC enables analysts to deterministically validate below-the-threshold events and determine whether an alert is a false positive. Once an event trips a trigger, a deception intervention is deployed. ActiveSOC deploys deception only when and where it is needed.

Using ActiveSOC, we can treat a suspicious login attempt as a trigger and respond with a deception intervention, in this case adding a breadcrumb (a credential) to memory. If the attacker steals the breadcrumb and uses it, the use is detected immediately and the event can be marked with high fidelity as a real alert.

Other deception interventions could include creating a decoy when someone connects to an IP address that is not in use, or creating a decoy web application. With ActiveSOC, you deploy deception only when and where you need it, on demand.
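The trigger, breadcrumb, and validation loop described above, as an added illustration (hypothetical model code, not ActiveSOC's own implementation); the host names, event ids, and the `svc_` decoy naming are constructed for the example:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Breadcrumb:
    username: str    # decoy credential planted in memory on `host`
    host: str        # host where the below-the-threshold event was seen
    trigger_id: str  # id of the suspicious event that caused the deployment


@dataclass
class DeceptionEngine:
    """Hypothetical trigger -> deception -> validation loop (not ActiveSOC's code)."""
    planted: dict = field(default_factory=dict)  # decoy username -> Breadcrumb
    alerts: list = field(default_factory=list)   # validated, high-fidelity alerts

    def on_suspicious_login(self, host: str, event_id: str) -> str:
        """Below-the-threshold trigger: plant one unique decoy credential on the
        affected host instead of paging an analyst. Uniqueness lets any later
        use be traced back to exactly this trigger and host."""
        user = f"svc_{secrets.token_hex(4)}"
        self.planted[user] = Breadcrumb(user, host, event_id)
        return user

    def on_auth_attempt(self, username: str, src: str, dst: str):
        """Every authentication is checked against the decoy set. No legitimate
        user or service knows the decoy, so its use deterministically confirms
        the earlier trigger; anything else stays below the threshold."""
        crumb = self.planted.get(username)
        if crumb is None:
            return None
        alert = {"trigger_id": crumb.trigger_id, "planted_on": crumb.host,
                 "used_from": src, "target": dst, "fidelity": "high"}
        self.alerts.append(alert)
        return alert


def run_scenario() -> list:
    """Constructed sample sequence: one low-confidence login on ws-17, a normal
    login by a real user, then the decoy credential replayed against fs-01."""
    engine = DeceptionEngine()
    decoy = engine.on_suspicious_login(host="ws-17", event_id="EVT-1001")
    assert engine.on_auth_attempt("alice", "ws-17", "fs-01") is None  # real user
    engine.on_auth_attempt(decoy, "ws-17", "fs-01")  # stolen breadcrumb in use
    return engine.alerts
```

Only the one authentication that presents a planted breadcrumb produces an alert, and that alert already carries the originating trigger and host, so the analyst gets a validated event rather than a low-confidence one.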
