Given enough time and resources, advanced adversaries will bypass modern
intrusion detection solutions. SIEMs are often configured to gather as much
information as possible from an environment, and the value of the resulting
alerts and responses relies on attempts to lower the number of false positives.
The goal of The Aerospace Corporation was to conduct an experiment in achieving
higher fidelity true positive alerts by utilizing cyber deception concepts. Our
research concluded that through a mix of low- and medium-interactivity
honeypots deployed on a production system, it is possible to gather not only
true positive alerts but also threat intelligence on adversaries.
The talk will cover a brief overview of current FOSS deception solutions and
will pivot to the research showcasing our own FOSS cyber deception experiment
that detects and monitors cyber adversaries.
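To make the "true positive by construction" idea concrete, here is an added example of a low-interaction TCP decoy (not code from The Aerospace Corporation's talk or their FOSS project). A decoy port serves no real workload, so a single connection to it needs no thresholding: every touch becomes a high-severity event, and the client's first bytes double as threat intelligence about the tool that touched it. The service name, banner string, event schema and port usage are assumptions made for this example; the probe client is a constructed stand-in for an unexpected connection so the whole thing runs offline on localhost.

```python
import json
import socket
import threading
import time


def build_alert(service, peer, payload, ts=None):
    """Turn one decoy touch into a SIEM-ready event (JSON-serialisable dict).

    The schema is assumed for this example; map it to your SIEM's fields.
    """
    return {
        "ts": time.time() if ts is None else ts,
        "event": "deception.decoy_touch",
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes_received": len(payload),
        # The first bytes are intelligence: they show which protocol the
        # client assumed and frequently carry its identification string.
        "first_bytes_hex": payload[:32].hex(),
        # No benign client has a reason to reach a decoy, so severity is
        # fixed rather than derived from a false-positive-tuned threshold.
        "severity": "high",
    }


class DecoyListener:
    """One low-interaction TCP decoy running in a background thread.

    Low interaction means: send a fixed banner, record what the client sends
    next, then disconnect. Nothing the client sends is ever executed.
    """

    def __init__(self, service, banner, sink, host="127.0.0.1", port=0):
        self.service, self.banner, self.sink = service, banner, sink
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # poll the stop flag between accepts
        self.port = self.sock.getsockname()[1]  # port 0 -> OS picks a free one
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=5)  # after join, every alert has reached the sink
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(1024)
                except OSError:
                    data = b""  # client vanished; the touch is still reportable
            self.sink(build_alert(self.service, peer, data))


def probe_decoy(port, payload, host="127.0.0.1"):
    """Constructed stand-in for an unexpected client; returns the banner it saw."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def run_demo():
    """Start one decoy, touch it once, and return (banner seen, alerts raised)."""
    alerts = []
    # Assumed banner text for the example; any fixed greeting works.
    decoy = DecoyListener("ssh-decoy", b"SSH-2.0-OpenSSH_8.9\r\n", alerts.append)
    decoy.start()
    banner = probe_decoy(decoy.port, b"SSH-2.0-scanner-client\r\n")  # constructed client hello
    decoy.stop()
    return banner, alerts


if __name__ == "__main__":
    seen_banner, events = run_demo()
    print("client saw banner:", seen_banner)
    for event in events:
        print(json.dumps(event))
```

The `sink` callback is where a real deployment would forward the event to the SIEM; because the decoy's alert volume is the number of touches rather than the number of log lines, the false-positive tuning the abstract describes for conventional SIEM feeds is not needed on this channel.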