Blue Team Blunders: Alert Fatigue

AMBER

Alert fatigue, sometimes known as alarm fatigue, happens when a person tasked with responding to alerts is overwhelmed by their volume and starts responding to them improperly.

If you’d like to see an example of this happening, look no further than AMBER Alert, a system implemented in North America meant to inform nearby residents of a potential child abduction happening in their neighbourhood. The idea is simple -

  1. if a child is confirmed to have been abducted
  2. the child is believed to be at serious risk of harm
  3. there is sufficient information to issue an alert

all phones in the area where the child and the kidnapper are presumed to be display an alert carrying information meant to help the general public locate the missing child.

The system is great and its alerts are clearly a decent solution to a horrible problem. However, if you look up some keywords like “Amber alert disable”, you will find hundreds of pages of forum posters clearly wanting to disable them! Why would a person want to do that? It’s simple - people are overwhelmed with the volume of the alerts they receive and often find them not very useful. You’re likely to find page after page of people complaining about receiving irrelevant alerts which seem to turn themselves back on when disabled.

Imagine every day you receive an alert that is completely useless. Dismissing the alerts becomes a habit for you - you don’t even take time to process the alert, you just look for the “close” button ASAP so you can get on with your business. Do you think you’re likely to be of much help when an actual alert of a child abducted in your neighbourhood comes around?

Alert fatigue and you

As a SOC analyst, you are bound to have experienced alert fatigue. A vendor flooding you with alerts, a clearly non-malicious IOC making its way into your threat intel feed, or an overzealous colleague crying wolf every couple of minutes are all common occurrences in the cybersecurity field. A good way to tell when you’re experiencing alert fatigue is when your first instinct when looking at a new alert is to look for reasons to dismiss it as a false positive rather than reasons to investigate deeper.

How do you fix it?

Focus on detection quality over quantity.

Detection logic should be tuned and constantly improved. If a certain alert is getting too bothersome, you should see if it is possible to fix it. If not, you shouldn’t be scared of just tossing it out of your detection stack! Make sure that everyone in your team has the time to do this.

As a manager, avoid giving tasks like “create 10 rules meant to detect Active Directory attacks”. This KPI-based approach encourages your employees to write many mediocre rules. Instead, give your employees a list of techniques you’d like to see covered and ask them to research high-fidelity, low-false-positive rules for those techniques.

The people writing the detection logic should be close to the people reviewing the results. Information between the reviewers and the detection writers should flow freely. Nobody should be afraid to walk up to a colleague and tell them their rule needs some work.

Smug red teamers will often scoff at you: detect the attack, not the tool! While they may have a point, don’t make their jobs any easier by not writing detections for hacking tools popular with attackers. Never be ashamed to pursue “easy wins”. Not every detection needs to be an impossible-to-bypass masterpiece. A rule looking for names of known hacking tools in the names of newly created files will be crude, but extremely effective. Attackers get lazy too.
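As an added illustration of the “easy win” rule described above (example code written for this post, not part of the original), here is the crude file-name rule run over a handful of constructed file-creation events, together with the kind of exclusion you end up adding once the rule has been tuned against real false positives. The event fields, tool list and quarantine path are all assumptions made for the example.

```python
import re

# Constructed sample of file-creation events (Sysmon Event ID 11 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\alice\\Downloads\\mimikatz.exe"},
    {"host": "ws02", "user": "bob", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "target": "C:\\temp\\Rubeus.exe"},
    {"host": "ws03", "user": "carol", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\carol\\Documents\\quarterly-report.docx"},
    {"host": "av01", "user": "SYSTEM", "image": "C:\\Program Files\\AV\\scanner.exe",
     "target": "C:\\ProgramData\\AV\\quarantine\\mimikatz.exe.quarantined"},
]

# Crude indicator list: file names of tools commonly abused by attackers (illustrative subset).
TOOL_NAME_PATTERN = re.compile(r"(mimikatz|rubeus|sharphound|procdump)", re.IGNORECASE)

# Tuning step: exclusions added after reviewing false positives. The AV quarantine folder
# (hypothetical path) legitimately writes files carrying these names, so it is excluded
# rather than tossing the whole rule.
EXCLUDED_PATH_PREFIXES = ("C:\\ProgramData\\AV\\quarantine\\",)


def match_event(event):
    """Return an alert dict if the created file's name matches a known tool, else None."""
    target = event["target"]
    if target.startswith(EXCLUDED_PATH_PREFIXES):
        return None
    file_name = target.rsplit("\\", 1)[-1]  # compare only the file name, not the path
    m = TOOL_NAME_PATTERN.search(file_name)
    if not m:
        return None
    return {"host": event["host"], "user": event["user"],
            "tool": m.group(1).lower(), "path": target}


def run_rule(events):
    """Evaluate the rule over a batch of events and return only the alerts it raises."""
    return [alert for alert in (match_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Each exclusion you add should come from a reviewed false positive, and the list is exactly the kind of thing the reviewers and rule writers should be discussing together.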

Remember that as a defender, you only need to catch the attacker once. One good detection is enough to bring in an incident response team or start an incident response process.

Utilize deception techniques. Set traps and honeypots for attackers. Look into HoneySPNs in particular - they are great at catching actual attackers!

When tuning and creating rules, don’t be afraid to dive deep. Great rules often come from great understanding of the thing you are trying to detect or avoid detecting.

If you’re looking for detection logic inspiration, make sure to keep up with public reports of attacker TTPs. The DFIR Report is a great resource worth spending hours of your time reading!