The Benign True Positive Challenge

David Lavinder

Recently, we posted an example of something we see a lot at Morphick; we have come to call them “benign true positives,” simply because the name “true-positives-but-without-any-associated-risk-so-kind-of-a-false-positive” seemed too long.  While the previous blog post discusses a microcosm example of this, let’s give some other examples (this list is certainly not all-inclusive, but hopefully you’ll get the idea):

  • A phish to an inbox that doesn’t exist
  • An exploit kit against a service you don’t have running
  • An exploit against an operating system that isn’t running
  • A loader-trojan with a dead command and control node

It’s an actual threat, but for whatever reason “missed the mark,” thereby not posing any real risk.

All too often I see security practitioners mark these discoveries as “false positives,” which is what this discussion is all about.  I want to provide some insights for security practitioners and their managers in hopes that they might avoid a dangerous pitfall of marking these benign true positives as false positives.  

Metrics, Metrics, Metrics

If you are like 99% of other security teams out there, you have metrics.  Metrics that are used to justify your spend, justify your existence, and justify your projects.  Whether those metrics are external (for your C-suite) or internal (for your security leadership) they are a very real, painful necessity.

A standard security organization metric is that of tracking false positives and true positives and the ratio between the two.  Commonly acceptable ratios range from 10 to 1, all the way to 100 to 1.  Security leadership then uses this metric to make high-level decisions on matters such as personnel and tools.

Incorrectly classifying these benign true positives as false positives can cause a not-insignificant swing.  At Morphick, these account for about 10% of all detections, meaning these threats would receive no further attention if marked as false positives and drive down the overall ratio.  That’s valuable intel that would fall on the floor.
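As an added illustration (not Morphick's code), the triage logic below keeps a separate disposition for the "missed the mark" cases listed above and shows how folding them into the false-positive bucket moves the ratio; the alert fields, the asset inventory and the sample alerts are all constructed, and the ratio is read as false positives per true positive.

```python
# Added example (not Morphick's code): alert triage with a separate BTP disposition.
# Alert fields, the inventory and the sample alerts are constructed for illustration.
from collections import Counter
from dataclasses import dataclass

TP, BTP, FP = "true_positive", "benign_true_positive", "false_positive"
INVENTORY = {  # what this environment actually exposes (constructed)
    "mailboxes": {"alice@example.com", "bob@example.com"},
    "services": {"http", "ssh"}, "os": {"linux"}}

@dataclass
class Alert:
    kind: str                 # "phish", "exploit" or "loader"
    target: str = ""          # mailbox, service or OS the threat needs
    c2_alive: bool = True     # loaders: did the C2 node answer?
    real_threat: bool = True  # False = analyst found no malicious content

def disposition(alert: Alert) -> str:
    """FP only when nothing malicious was there; a real threat that missed
    the environment is a BTP and keeps its intel value."""
    if not alert.real_threat:
        return FP
    if alert.kind == "phish" and alert.target not in INVENTORY["mailboxes"]:
        return BTP
    if alert.kind == "exploit" and alert.target not in INVENTORY["services"] | INVENTORY["os"]:
        return BTP
    if alert.kind == "loader" and not alert.c2_alive:
        return BTP
    return TP

def triage_counts(alerts, btp_as: str = BTP) -> Counter:
    """Count dispositions; btp_as=FP reproduces the mislabelling the post warns about."""
    counts = Counter(disposition(a) for a in alerts)
    if btp_as != BTP:
        counts[btp_as] += counts.pop(BTP, 0)
    return counts

def fp_per_tp(counts: Counter) -> float:
    """False positives per true positive (assumed reading of the '10 to 1' figure)."""
    return counts[FP] / max(counts[TP], 1)

SAMPLE_ALERTS = [  # constructed
    Alert("phish", "alice@example.com"),                   # live inbox: TP
    Alert("phish", "ghost@example.com"),                   # no such inbox: BTP
    Alert("exploit", "smb"),                               # service not running: BTP
    Alert("exploit", "windows"),                           # OS not in use: BTP
    Alert("loader", c2_alive=False),                       # dead C2 node: BTP
    Alert("loader", c2_alive=True),                        # live C2 node: TP
    Alert("phish", "bob@example.com", real_threat=False),  # nothing malicious: FP
]
```

Running `triage_counts(SAMPLE_ALERTS, btp_as=FP)` against `btp_as=TP` on the same seven alerts moves the figure from 2.5 to about 0.17 false positives per true positive, which is the swing the post describes.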

Missed Opportunity

Despite what the sales teams of security vendors will tell you, the best source of threat intelligence (read: threat data) is your organization’s network.  It is your tactical ground truth, your best source of knowledge, and your only view of your security reality.  

When presented with a threat, whether or not that threat carries any associated risk, you have an opportunity.  An opportunity to analyze a threat deployed against your environment; not some threat published by a security vendor that you may or may not ever see.

The fact that this threat carried no risk means you were lucky.  This was a misfire by an attacker.  Maybe it’s part of a larger campaign that isn’t very targeted, but maybe it’s the symptom of a lazy attacker targeting you and not doing their research.  Either way, analysis of the threat needs to be taken seriously.  Next time you may not be so lucky.

Seize this opportunity to learn about the threat, the infrastructure behind it, and any unique Tactics, Techniques, and Procedures (TTPs) used.  Build this back into your defenses.  Maybe there’s little to learn from a phish to an inbox that doesn’t exist, but maybe the attacker just accidentally gave you insight into their world.