Security-savvy organizations understand that it’s best to assume that their systems are breached. It’s one reason why zero-trust architectures get so much attention nowadays, and it’s why more enterprises have threat hunters who go on the lookout for attackers that are already active on their networks.
This practice has grown popular because threats have become so pervasive, and traditional intrusion detection/prevention systems dispatch too many false positives. They can be too easy to circumvent. Still, threat hunters can’t catch everything, and there are not enough people with these skills to go around. So, where do security teams go to get some relief? More are turning to active defense, or deception technologies, to help identify attacker movement within their systems.
Deception technologies do precisely what they sound like they do: They try to trick attackers into thinking that they are infiltrating actual assets of value or accessing valuable data when they are actually fumbling around within a ruse. That ruse not only wastes their time on harmless systems, it also makes their attack techniques easier to observe. Deception technologies also show security teams the tools, techniques, and procedures their adversaries are employing, and this intelligence can then be used to protect actual systems.
To work, deception technologies essentially create decoys, traps that emulate real systems. These decoys work because of the way most attackers operate. For instance, when attackers penetrate the environment, they typically look for ways to build persistence, which usually means dropping a backdoor. In addition to the backdoor, attackers will attempt to move laterally within the organization, naturally trying to use stolen or guessed access credentials. As attackers find data and systems of value, they will deploy additional malware and exfiltrate data, typically through the backdoor(s) they dropped.
With traditional anomaly detection and intrusion detection/prevention systems, enterprises try to spot these attacks in progress across their entire networks and systems. The problem is that these tools rely on signatures or on machine learning algorithms that can be evaded, and they throw off a tremendous number of false positives. Deception technologies, by contrast, have a higher threshold to trigger events, but the events they do raise tend to be real threat actors conducting real attacks, because no legitimate user has any reason to touch a decoy.
While deception technologies are known for endpoints, servers, traditional IT devices, and networking equipment, they can also work with IoT devices, such as point of sale systems, medical devices, and more. There are several things to consider when purchasing deception technologies for any enterprise:
- Ability to scale: To be effective, deception technologies must be able to be deployed throughout an enterprise’s environment.
- Centralized management: With scale comes thousands of endpoints and the need to manage these deceptive assets, ideally from a centralized console.
- Agility: Deception technologies must also be deployable across multiple form factors: on-premises, cloud, network equipment, endpoints, and IoT devices.
- Integration: The information deception technologies gather is invaluable to the security operations center, incident response teams, and threat hunters. It is also valuable to other security tools, such as security information and event management (SIEM) systems, firewalls, vulnerability managers, and traditional intrusion detection and prevention systems. Look for deception technology that makes it straightforward to share data and that plays well with the existing security toolbox.
Top deception tools
Below is a selection of deception technologies currently available on the market:
Acalvio ShadowPlex
Acalvio’s ShadowPlex platform provides enterprise-capable deception at scale. The company says ShadowPlex is designed to require the least administrative overhead and daily management possible. Its installation framework is flexible and scalable for decoy deployment, with the option to deploy the management dashboard in the cloud or on-premises.
When attackers interact with decoys, the information can be examined in a timeline alongside detailed incident data such as PCAP (packet capture), log capture, and the credentials used in the attack. When “high interaction mode” is engaged, ShadowPlex will record all the keystrokes typed, the networks the attackers connect to, any file modifications, and any system processes and tools used within the decoy. Enterprise environments are constantly changing, and ShadowPlex boasts continuous assessment of the environment, updating decoys appropriately.
ShadowPlex works with the tools threat hunting and security operations teams use. Because it should produce few false positives, these teams will be given data they can use in incident response and active threat hunting. ShadowPlex integrates with SIEM and log management solutions for SOC teams, such as Splunk, ArcSight and QRadar.
ShadowPlex can also protect internet of things (IoT) sensors and devices and even industrial control centers that make up much of the operational technology (OT) landscape. In the case of both IoT and OT devices, having a layer of deception technology to protect them is critical because many have limited or no native security on their own. This also makes it a good choice for a healthcare environment. It can mimic things like desktop computers alongside medical devices, luring attackers into either one, depending on their interest.
Attivo ThreatDefend Deception and Response Platform
In March, 2022, SentinelOne acquired Attivo Networks, and while analysts believe the primary motivation for the acquisition is Attivo’s identity security assessment capabilities to monitor passwords and user anomalies, SentinelOne also gets Attivo’s network and cloud-based deception capabilities. Attivo was one of the first deception technology developers to add response capability to its product, and the company has pushed that even more with its Attivo ThreatDefend Deception and Response Platform. The platform can be deployed on-premises, in the cloud, in data centers or in hybrid environments. All deployed decoys appear to be real assets that are being used within the network.
The goal of the ThreatDefend Deception and Response Platform is the same as that of other deception toolsets: to deploy fake assets that attackers will interact with, but which actual users will either not know about or have no cause to ever touch. Some of the decoys are a little more public than others, which can help to ferret out insider threats or snooping employees. For the most part, deception assets are designed to catch threat actors creeping through a network and trying to map out a path further inside, escalate their privileges, move laterally or outright steal data.
Once an attacker interacts with one of ThreatDefend’s deceptive assets, it does more than just generate an alert. It also interacts with an attacker, sending back the kinds of responses that the invader might expect. It can activate a sandbox, so that any malware or hacking tools uploaded by an attacker go into the sandboxed environment. This not only protects the network, but also allows for examining the malware to determine the attacker’s intent and tactics.
The platform also allows administrators to take actions like quarantining a system that is being used as a launch platform by an attacker or expire the credentials of a compromised user. Once users begin to trust the platform, those actions can be set to happen automatically once any important threat intelligence is collected. The Deception and Response Platform not only provides good deception technology, but also helps defenders get a jump start on their response capabilities, an important advantage in a world where seconds count.
Illusive Networks Illusive Shadow
Illusive Networks aims to make successful lateral movement for attackers illusive. It does so by creating a hostile environment for attackers as they try to move around in an enterprise environment by turning endpoints into deception tools. According to the company, its agentless design prevents hackers from being able to detect the deception, and Illusive claims its deception technology is undefeated in over 140 red team exercises with organizations such as Microsoft, Mandiant, U.S. Department of Defense and Cisco.
Because it’s agentless, Illusive Shadow is straightforward to deploy on-premises, in the cloud or in hybrid clouds. As one would expect, Illusive Shadow decoys come in the form of credentials, network connections, data, and systems, among other items that attackers may be interested in. Illusive Shadow also automatically scales and changes as the enterprise environment changes and will customize endpoint decoys for each machine.
Security analysts and SOC teams will be interested in how Shadow’s management console models how close attackers are to critical assets as they interact with decoys, along with a timeline of the attacker’s actions.
CounterCraft Cyber Deception Platform
CounterCraft’s Cyber Deception Platform catches attackers through ActiveLures, which can be customized or based on templates. These ActiveLure “breadcrumbs” are spread across endpoints, servers, and even online on platforms such as GitHub. The deception doesn’t stop with the lure; it’s the job of the lure to attract the attacker into the ActiveSense Environment.
The ActiveSense Environment is based on data collected by agents and sent back over a secure and segmented environment. The entire system is designed to provide intelligence on attacker activity in real-time. According to CounterCraft, the ActiveSense Environments are deployed quickly and controlled from the CounterCraft Platform.
The entire deception system is designed to work flexibly within existing environments and to integrate with existing security information and event management (SIEM) systems and threat intelligence systems. It also works with formats enterprise security teams are already used to, such as syslog or OpenIOC. The threat information collected can also be sent automatically to other machines to support other security systems.
One effective way to understand attackers is by modeling their activity through visual graphs. CounterCraft’s attack graphs, based on live feeds from the deception platform, help security teams understand the attacker’s tactics, tools and procedures.
Fidelis Deception platform
The Fidelis Deception platform claims to make it easy to deploy deception technology. Deception assets are deployed through drop-down menus and wizards, with the option to have the Fidelis platform look at the environment and automatically deploy deception assets. It does a great job of deploying assets that match whatever else is in the environment. It will monitor a network as it evolves and expands, making suggestions on how to mirror those changes in the deception network. For example, if a company adds a bunch of new IoT security cameras, Fidelis will detect that and offer to deploy fake cameras with similar characteristics. It fully supports almost any IoT device, and many found within OT as well.
Beyond easy deployment, Fidelis also controls its fake assets, having them communicate with one another and perform actions that a normal device of the same type would undertake. It even employs some surprisingly advanced tactics, such as seeding the Address Resolution Protocol (ARP) tables of real hosts with entries for the decoys, to make it look like deceptive assets are just as active as the real ones they are protecting.
Fidelis is unique in that it also spawns fake users that interact with deceptive assets in realistic ways. A hacker trying to determine if an asset is real will see evidence of users interacting with it and let their guard down, not knowing that the users themselves are part of the elaborate deception.
TrapX DeceptionGrid (now CommVault)
In February 2022, data governance and security company CommVault acquired TrapX and DeceptionGrid, one of the most popular deception platforms, because of its fake yet realistic deception assets. With DeceptionGrid, enterprises commonly deploy thousands of fake assets on a protected network.
The deceptive assets deployed by DeceptionGrid include normal network devices, deception tokens and active traps. Starting with the bulk of most deployments, the main deceptive assets are designed to seem like fully functioning computers or devices, and TrapX has several templates designed for industries such as finance or healthcare. It can mimic everything from an automatic teller machine to a point-of-sale device to almost any IoT asset. In addition, DeceptionGrid can deploy deceptive assets with complete operating systems. Called FullOS traps, they are designed to let an attacker believe they are working with a real asset while comprehensively monitoring everything they do to gather threat intelligence.
Smaller but just as important are the deception tokens deployed by TrapX. Unlike the fully functional deceptive assets, tokens are simply ordinary files, configuration scripts, and other kinds of lures of the sort attackers use to gather information about the systems and networks they are trying to compromise. They won’t interact with an attacker but will alert security teams whenever they are accessed, copied or viewed.
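The detection logic behind both the decoy credentials described in the opening section and the file tokens described here is the same: a decoy has no legitimate users, so any touch is a high-confidence event, even a failed one. The following is an added illustration of that pattern, not code from TrapX or any vendor on this page; the decoy names, the log format and the log lines are all constructed for the example.

```python
# Honeytoken matcher: decoy credentials and decoy files vs. a stream of events.
# Hypothetical inventory; no real account, host or path is referenced.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr"}
DECOY_FILES = {"/srv/finance/payroll_2021.xlsx", "/srv/it/vpn_passwords.txt"}

# Constructed sample events in a simple key=value form (not a vendor format).
# Note that jsmith's failed login is ordinary noise a signature IDS might flag,
# while 10.0.7.44 touches two decoys, one of them with a failed login.
SAMPLE_LOG = """\
ts=2022-04-01T09:00:01 kind=auth user=jsmith src=10.0.5.12 result=fail
ts=2022-04-01T09:00:04 kind=auth user=jsmith src=10.0.5.12 result=ok
ts=2022-04-01T09:03:11 kind=auth user=svc_backup_legacy src=10.0.7.44 result=fail
ts=2022-04-01T09:03:15 kind=file path=/srv/finance/payroll_2021.xlsx user=ctemp src=10.0.7.44 action=read
ts=2022-04-01T09:10:00 kind=file path=/srv/finance/q1_report.docx user=amiller src=10.0.5.20 action=read
"""


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values never contain spaces here."""
    return dict(field.split("=", 1) for field in line.split())


def decoy_alerts(log_text):
    """Return (timestamp, source, reason) for every decoy interaction.

    Success or failure is deliberately ignored: a decoy credential that is
    merely *tried* already proves someone harvested it, and a decoy file
    that is merely *read* already proves someone is hunting for data.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["kind"] == "auth" and ev["user"] in DECOY_ACCOUNTS:
            alerts.append((ev["ts"], ev["src"], f"decoy credential {ev['user']} used"))
        elif ev["kind"] == "file" and ev["path"] in DECOY_FILES:
            alerts.append((ev["ts"], ev["src"], f"decoy file {ev['path']} {ev['action']}"))
    return alerts


def decoy_hits_by_source(alerts):
    """Group alerts by source host; several hits from one host outline a
    lateral-movement path and give responders a single system to quarantine."""
    counts = {}
    for _, src, _ in alerts:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, src, reason in decoy_alerts(SAMPLE_LOG):
        print(ts, src, reason)
    print(decoy_hits_by_source(decoy_alerts(SAMPLE_LOG)))
```

Because the inventory is the only "signature", the rule set never needs tuning against legitimate traffic; what it does need is an inventory kept in step with the decoys actually deployed.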
Active traps round out the volume of deceptive assets deployed by DeceptionGrid. These traps stream volumes of fake network traffic among themselves, with pointers and clues leading back to the rest of the deception network. Any attacker who is quietly monitoring network traffic is likely to be deceived by the bogus network stream, which will lead them right to a deceptive asset even though they probably assume it’s safe since it looks like it’s in regular and full use within the network.
TrapX DeceptionGrid recently added deception technologies for container environments across on-premises and cloud infrastructures. By detecting advanced cyberattacks and providing visibility into attempts to exploit application vulnerabilities and move laterally between containers, DeceptionGrid 7.2 delivers comprehensive protection for enhanced incident response and active defense.
Copyright © 2022 IDG Communications, Inc.