Behavioral and Deception-Driven Cyber Defense Management in SOCs Using Digital Decoys, MITRE ATT&CK, and SOAR
DOI:
https://doi.org/10.24312/ucp-jeit.03.02.784
Keywords:
Cybersecurity, Big data, SOC, Detection, Response, Threat Intelligence, Security, Artificial Intelligence, Robotics
Abstract
Organizations are increasingly enhancing their cyber defense capabilities in response to the growing threat and risk of cybercrime. These strategies are frequently built around log management to meet detection and investigation requirements, and are then extended with ad-hoc additions of so-called "best of breed" specialized solutions for specific, potentially complex perimeters. Such additions tend to address the flaws of the log-centric approach, but can also introduce new ones. A first example is integrating the SIEM with an orchestration solution such as SOAR to industrialize or even fully automate investigation and incident response processes, or with EDR to address technical detection use cases, particularly at the system level, and to facilitate endpoint response. Log management nonetheless remains a critical component of many organizations' cyber defense strategies. This approach has flaws, including the quantity and quality of logs, scalability, and the quality of the detection strategy, all of which affect the false-positive rate.

Digital deception, delivered by so-called "deception tools", can bolster or even wholly replace the log management approach. This technology entails placing traps or decoys within an information system; because no legitimate activity should ever touch a decoy, any interaction with one lets an organization detect specific cyberattacks, eliminate doubts about whether the activity is malicious, and even initiate response processes. Although the digital decoy is not a new idea (the concept first appeared on the Internet several decades ago), it benefits today from a thriving market. The subject of this study is the benefits and limitations of various market solutions for enhancing the detection and response capabilities of today's businesses.
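The abstract's central claim is that a decoy trips only on attacker activity, so a hit needs no threshold tuning, can be tagged with an ATT&CK technique and handed straight to a SOAR playbook. The following is an added illustration of that pipeline, not code from the paper or from any product it evaluates. The decoy inventory, the key=value log format, the sample log lines, the mapping of decoy types to ATT&CK technique IDs and the playbook actions are all assumptions made for this example (the technique IDs themselves are real ATT&CK identifiers). A conventional failed-login threshold rule is included for contrast.

```python
"""Decoy-driven detection with ATT&CK tagging and SOAR-style playbook actions.

Added illustration, not code from the paper. The decoy inventory, log format,
technique mapping and playbook actions below are assumptions for this example.
"""
import re
from collections import defaultdict

# Decoy inventory (constructed). Each item is deployed so that no legitimate
# process ever touches it: any observation is attacker activity, not noise.
DECOY_ACCOUNTS = {"svc_backup_legacy"}               # honeytoken credential
DECOY_HOSTS = {"10.10.5.250"}                        # decoy server
DECOY_FILES = {r"\\fs01\finance\payroll_2024.xlsx"}  # canary document

# Assumed mapping of decoy type to ATT&CK technique (IDs are real ATT&CK IDs;
# which decoy maps to which technique is this example's choice).
ATTACK_MAP = {
    "decoy_account_login": ("T1078", "Valid Accounts"),
    "decoy_host_connect": ("T1021", "Remote Services"),
    "decoy_file_read": ("T1039", "Data from Network Shared Drive"),
}

# Constructed sample telemetry: '<timestamp> key=value ...' per line.
SAMPLE_LOGS = r"""
2025-01-10T08:01:12Z type=auth host=ws-042 user=jdoe result=success src=10.10.1.20
2025-01-10T08:03:45Z type=auth host=dc01 user=svc_backup_legacy result=success src=10.10.1.20
2025-01-10T08:04:10Z type=netconn host=ws-042 dst=10.10.5.250 dport=445 src=10.10.1.20
2025-01-10T08:05:30Z type=fileaccess host=fs01 user=jdoe path=\\fs01\finance\payroll_2024.xlsx action=read src=10.10.1.20
2025-01-10T08:06:00Z type=auth host=ws-017 user=asmith result=failure src=10.10.1.33
""".strip()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for malformed input."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    event = dict(KV_RE.findall(parts[1]))
    if "type" not in event or "src" not in event:
        return None
    event["ts"] = parts[0]
    return event


def match_decoy(event):
    """Return the decoy rule an event trips, or None. Exact matches only: a decoy
    is a fixed artefact, so there is no threshold to tune and nothing to guess."""
    t = event["type"]
    if t == "auth" and event.get("user") in DECOY_ACCOUNTS:
        return "decoy_account_login"
    if t == "netconn" and event.get("dst") in DECOY_HOSTS:
        return "decoy_host_connect"
    if t == "fileaccess" and event.get("path") in DECOY_FILES:
        return "decoy_file_read"
    return None


def playbook_actions(rule, event):
    """SOAR-style response steps (assumed playbook). A decoy hit is high
    fidelity, so containment can run without an analyst confirming first."""
    actions = [f"isolate_host:{event['src']}"]
    if rule == "decoy_account_login":
        actions.append(f"disable_account:{event['user']}")
    if rule == "decoy_file_read":
        actions.append(f"snapshot_share:{event['host']}")
    return actions


def detect(log_text):
    """Run every line through the decoy rules and emit ATT&CK-tagged alerts."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        rule = match_decoy(event) if event else None
        if rule is None:
            continue
        tid, tname = ATTACK_MAP[rule]
        alerts.append({"ts": event["ts"], "rule": rule, "src": event["src"],
                       "technique": tid, "technique_name": tname,
                       "actions": playbook_actions(rule, event)})
    return alerts


def build_incidents(alerts):
    """Correlate alerts by source: one attacker touching several decoys becomes
    a single incident with an ordered technique chain and deduplicated actions."""
    incidents = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        inc = incidents.setdefault(a["src"], {"techniques": [], "actions": []})
        if a["technique"] not in inc["techniques"]:
            inc["techniques"].append(a["technique"])
        for act in a["actions"]:
            if act not in inc["actions"]:
                inc["actions"].append(act)
    return incidents


def failed_login_alerts(log_text, threshold=5):
    """Conventional log-volume rule for contrast: it fires only after N failures
    per source, so it lags and its threshold must be tuned against false positives."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["type"] == "auth" and e.get("result") == "failure":
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for h in hits:
        print(h["ts"], h["rule"], h["technique"], h["actions"])
    print(build_incidents(hits))
    print("threshold rule fired for:", failed_login_alerts(SAMPLE_LOGS))
```

On the constructed sample, the three decoy rules fire on the first interaction with each decoy and correlate into one incident for 10.10.1.20 with the chain T1078, T1021, T1039, while the failed-login rule never reaches its threshold. The design point is that the decoy rules have no parameter to tune; their fidelity comes entirely from the guarantee that the decoy has no legitimate users, which is also why the decoy inventory must be kept out of any system that real users or jobs might consult.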
License
Copyright (c) 2026 UCP Journal of Engineering & Information Technology

This work is licensed under a Creative Commons Attribution 4.0 International License.