Deception tools and how they ensnare attackers
Featuring TrapX, Fidelis Deception, Attivo and Aclvio Shaddowplex
Deception tools have come a long way in a few years and can now more closely emulate real network activity and help security teams identify and stop attacks.
A few years ago, many deception technology companies were in the process of adding advanced features like cloud integration, artificial intelligence (AI) and automation to their platforms to combat increasingly advanced threats. The upgraded defences were necessary because skilled attackers were starting to unmask and circumvent classic deception tricks like dropping breadcrumbs pointing at fictitious, static assets. Today, deception technology again has the upper hand and can deploy a labyrinth of realistic looking but fake assets that act very much like the real thing.
The upgraded effort to lure and ultimately ensnare even the most advanced hackers is being led by several companies with deception platforms at the forefront of this still-emerging technology. The following are four of the most advanced and innovative deception tools available today.
The Shadowplex platform from Acalvio was designed from the ground up for use in enterprise environments. The company does not just look at typical IT devices like computers, printers and file servers as part of that potential enterprise. Shadowplex can also protect internet of things (IoT) sensors and devices, and even industrial control centers that make up much of the operational technology (OT) landscape.
In the case of both IoT and OT devices, having a layer of deception technology to protect them is critical because many have limited or no native security on their own. This also makes it a good choice for something like a healthcare environment, where it can mimic things like desktop computers alongside medical devices, luring attackers into either one, depending on their interest.
Being able to protect IoT and OT is impressive, but what is remarkable about Shadowplex is how it handles massive deception deployments at scale without using too many resources. The secret is that all the deception assets exist inside what it calls a deception farm, which can be located inside the cloud or on-premises in a virtualized server farm. To connect back to the physical network requires a series of sensors that act as the endpoint for a software tunnel. The sensors don’t need to be powerful or expensive. A £50 network appliance will work just fine, or they can also be software based and virtualized. You need one for every network segment that you are protecting.
How Shadowplex works is that virtual, deceptive assets are deployed in the network that they will be protecting. These assets can be automatically deployed based on the host environment, with Shadowplex picking a good mix of operating systems, IT, OT and IoT devices as appropriate. The deception assets can talk with one another and generate traffic, but are actually interacting only within the deception farm, with those results mimicked in the real environment.
Although they are technically facades, as soon as an adversary interacts with one, the AI-driven control center in the deception farm immediately spins the deception asset up fully, helping it to perform just like an attacker would expect a desktop, printer or industrial control device to act. It will keep the attacker busy for as long as possible, while alerting security teams about the attack. Shadowplex will also present situations to the attacker to learn more about their intentions and tactics, which is great not only for mitigating the current threat but also in keeping them out in the future.
Finally, you don’t need to be a deception expert to work with Shadowplex. Surprisingly helpful wizards in the program will do a user’s bidding in response to simple questions and direction. For such a powerful platform, having such an effortless interface is a real strength.
Attivo ThreatDefend Deception and Response Platform
Attivo was one of the first deception technology developers to add response capability to its product, and the company has pushed that even more with its new Attivo ThreatDefend Deception and Response Platform. It can now be deployed on-premises, in the cloud, in data centers or in hybrid networks. The company is constantly developing deception assets based on new devices and offers to craft unique deceptions if a customer has something exclusive inside their environment. All deployed decoys appear to be real assets that are being used within the network.
The goal of the Attivo platform is the same as other deception toolsets, which is to deploy fake assets that attackers will interact with, but which actual users will either not know about or have no cause to ever touch. Some of the decoys are a little more public than others, which can help to ferret out insider threats or snooping employees. For the most part, deception assets are designed to catch threat actors creeping through a network and trying to map out a path further inside, raise their credentials, move laterally or outright steal data.
Once an attacker interacts with one of Attivo’s deceptive assets, it does more than just generate an alert, though it does that, too. It also interacts with an attacker, sending back the kinds of responses that the invader might expect. It can activate a sandbox, so that any malware or hacking tools uploaded by an attacker go into the sandboxed environment. This not only protects the network, but also allows for examining the malware to determine the attacker’s intent and tactics.
The platform also allows administrators to take various actions, like quarantining a system that is being used as a launch platform by an attacker or expire the credentials of a compromised user. Once users begin to trust the platform, those actions can be set to happen automatically once any important threat intelligence is collected.
The Attivo Deception and Response Platform not only provides good deception technology, but also helps defenders get a jump start on their response capabilities, an important advantage in a world where seconds count.
Managing any enterprise network is hard work. Putting a layer of fake or deceptive assets on top of that makes it even more difficult. Things can get a lot easier if users employ the Fidelis Deception platform, which automates most of the more onerous aspects of defenses based on deception.
You can walk through the process of deception asset deployment with easy-to-use wizards and drop-down menus, or simply have Fidelis automate everything. It does a great job of deploying assets that match whatever else is in the environment. It will keep monitoring a network as it evolves and expands, making suggestions as to how to mirror those changes in the deception network. For example, if a company adds a bunch of new IoT security cameras, Fidelis will detect that and offer to deploy a bunch of fake cameras with similar characteristics. It fully supports almost any IoT device and many found within OT as well.
Beyond easy deployment, Fidelis also controls its fake assets, having them communicate with one another and perform actions that a normal device of the same type would undertake. It even commences some surprisingly advanced tactics like poisoning the Address Resolution Protocol (ARP) table to make it look like deceptive assets are just as active as the real ones they are protecting.
Finally, Fidelis is unique in that it also spawns fake users that interact with deceptive assets in realistic ways. A hacker trying to determine if an asset is real will see evidence of users interacting with it and let their guard down, not knowing that the users themselves are part of the elaborate deception.
TrapX DeceptionGrid 7.0
The DeceptionGrid platform from TrapX continues to be one of the most robust deception defense programs, especially in terms of the number of realistic but fake assets that it can deploy. It’s not unusual for DeceptionGrid to deploy thousands upon thousands of fake assets on a network it is protecting, though that does not necessarily mean that each one is a fully functioning deceptive device.
The deceptive assets deployed by DeceptionGrid include normal network devices, deception tokens and active traps. Starting with the bulk of most deployments, the main deceptive assets are designed to seem like fully functioning computers or devices, and TrapX has several templates designed for specific industries like the financial sector or healthcare. It can mimic everything from an automatic teller machine to a point of sale device to almost any IoT asset. In addition, DeceptionGrid can deploy deceptive assets with complete operating systems. Called FullOS traps, they are designed to allow an attacker to believe that they are working with a real asset, while fully monitoring everything they are doing to gather threat intelligence.
Smaller but just as important are the deception tokens deployed by TrapX. Unlike the fully functional deceptive assets, tokens are simply ordinary files, configuration scripts and other kinds of lures that attackers use to gather information about the systems and networks they are trying to compromise. They won’t interact with an attacker, but will alert security teams whenever they are accessed, copied or viewed.
Active traps round out the volume of deceptive assets deployed by DeceptionGrid. These traps stream volumes of fake network traffic among themselves, with pointers and clues leading back to the rest of the deception network. Any attacker who is quietly monitoring network traffic is likely to be deceived by the bogus network stream, which will lead them right to a deceptive asset even though they probably assume it’s safe since it looks like it’s in regular and full use within the network.
If you want to blanket your network with an army of deceptive assets for total protection, nothing can help achieve that goal better than the TrapX DeceptionGrid. It’s not exactly subtle, but there is almost no way for an attacker to successfully navigate through the complex maze of diverse deception assets that DeceptionGrid can deploy.