Author: Satnam Singh, Chief Data Scientist at Acalvio Technologies
How do we detect and profile the adversaries who have already infiltrated and are hiding in the network? To answer this question, we need an approach that can improve the detection and provide more visibility. At Acalvio, we have developed a system that leverages the deception and SIEM (Splunk) to detect and profile hidden threats. The deception offers a way to identify the hidden adversaries by confusing, diverting, and trapping them. When an adversary interacts with deception, the deception platform raises an alert containing information about the adversary, e.g., source IP address, OS, services, username, file activity, registry activity, packet capture, etc. By correlating the deception alert data with other data sources in SIEM, the incident responders can profile the threats and generate internal threat intelligence. We provided the architecture and technical details in a Tech Talk at Splunk .conf 2018 on Oct. 2nd. In this session, we also provided an introduction to deception and shared details on how to triage deception alerts with other alerts in SIEM.