How 4 deception tools deliver truer network security

Modern deception platforms lay traps that point attackers to fake assets that are created by the deception product. Here's what we discovered about how deception works and the unique features that deception tools from TrapX Security, Cymmetria, illusive Networks, and TopSpin Security bring to network defenses.

The use of deception as a weapon has been around since the dawn of warfare, and certainly since Sun Tzu helped to define it in about 500 BC in his famous book The Art of War. In terms of modern cybersecurity, deception has also always been an option, though it was a bit clumsy when used to trick attackers into expending time and resources against bogus network assets. The original device deployed as bait in a deception defense was the honeypot, a single server or client machine loaded with seemingly tempting information like fake credit card numbers that admins hoped hackers would bite on, leaving real assets alone.

Honeypots take their name from the vessel in which children's book character Winnie the Pooh famously got his head stuck, and the problem with network honeypots is that they are an extremely passive defense, relying on attackers to somehow find them and give them preference over actual production systems. The other problem with honeypots is that unless they are closely monitored by defense teams ready to quickly react to attacks, they don't do much more than buy a little time.

Because honeypots generally have no interaction with real network assets, there is no activity trail for attackers to follow. By contrast, authorized users interacting with actual resources leave a large trail of activity behind in areas like browser histories and log files. Smart attackers know how to find and follow those trails back to actual assets, and ignore honeypots.

In fact, attackers must find those trails left behind by authorized users in order to move undetected through a network. Even if they use a phishing attack or similar technique to compromise a lone endpoint, they are still blind to the topography of the overall network. The old technique of doing a port scan to locate nearby assets will be flagged almost immediately by even the most modest of defenses. Instead, they must search their compromised local asset to figure out where to go next and how to blend in with real traffic when they make their move. It’s stealthy and very hard to detect, but also puts them at an incredible disadvantage if defenders can poison the well of data they are trying to mine.

That is what a modern deception platform does. It lays traps, sometimes called lures or breadcrumbs depending on the company, that point attackers to fake assets that are created by the deception product. Attackers think they are looking at the credentials left behind when an administrator took control of the local machine to troubleshoot an issue, or a record of the nightly interaction with a backup server, but they are really seeing a deception lure pointing to a fake asset. The best deception vendors mix in lots of diverse types of lures to confuse attackers even more, and they keep their breadcrumbs refreshed and constantly updated.

The goal is to get an attacker to quietly move to a deception asset instead of a real one. At that point, alerts can be triggered that an attack is underway. Because no valid user makes use of network resources by searching for hidden triggers, there is nearly a 100 percent certainty of an attack whenever any asset in the deception network is touched. The false positive rate when using deception technology to unmask attackers is practically zero.

Once an attacker has been lured to interact with a deception system, different vendors do different things. Some capture the forensic data from the attacker, some alert a SIEM, some try to keep the attackers engaged with the fake asset as long as possible and some make moves to immediately boot them. But all know with near certainty that an attack is taking place, and alert defenders about the breach. Given that a deception-based alert means that an attacker is already past perimeter security and moving within a network, it should be treated as a very significant issue, though it also means that they have not moved far enough along to reach a core asset or their target data. As such, deception can become a last, best line of defense when everything else has failed or been bypassed.

We dove into the world of deception technology, talking with experts and testing their deception platforms. We included four major companies working in this space, TrapX Security, Cymmetria, illusive Networks, and TopSpin Security. This is what we discovered about how deception works, why its popularity as a defensive tool is increasing, and the unique features that each product brings to network defenses.

TopSpin Security DECOYnet

The TopSpin DECOYnet deception product was one of the most mature we looked at, and goes beyond simply deploying and monitoring decoys, though that remains its core function.

When first installed, the appliance driving DECOYnet begins passively scanning all internal network communications as well as outbound traffic. It runs all traffic through an analyzer, something it will continue to do from that point forward. On a moderately sized network, DECOYnet should be allowed to listen in for at least a few hours, though it didn't need nearly that much time for our small testbed. Using traffic data combined with other sources like DNS records, it builds a good picture of not only the network topography, but also all the common interactions between devices, like clients accessing servers, or remote users working with a VPN.

[Image: TopSpin Security DECOYnet main dashboard. Credit: John Breeden II]

Armed with that information, it devises a suggested deception network made up of clients, servers and devices that will completely blanket a network. And because it knows what and who is accessing different resources, it knows exactly where to place deception lures that attackers will follow back to a fake asset. These breadcrumbs are kept up to date and refreshed by DECOYnet at regular intervals, so that they never get stale and remain both tempting to attackers and indistinguishable from actual traffic indicators.

Both the deception assets and the breadcrumbs are designed to mirror the type of traffic and interactions regularly happening on the network. They are invisible to normal users, but seem like actual network resources and traces of activity to attackers and advanced threats trying to get their footing.

It only takes a couple of clicks to confirm the DECOYnet plan and deploy it. But once the deception net is in place, TopSpin continues monitoring traffic. This way the program knows whenever a new asset, like a client or server, or even something small like an IoT device, gets added to the network and begins accepting and sending traffic. DECOYnet can then, with permission, automatically deploy more deception assets as needed to keep the grid up to date and fully covering the network.

DECOYnet provides a very easy-to-use graphical interface that shows every device in the network overlaid with a map showing recommended deception coverage. New decoys can be installed automatically (or manually by administrators who want to go beyond the recommended coverage for certain areas like core assets). Given how precise DECOYnet is at analyzing and monitoring network assets, most users are probably going to want to let the program do its job, but the option is there to deploy as many extra decoys as desired.

Finding a robust traffic scanning tool inside a deception platform is unusual, but given how the product taps into traffic streams to help plan the decoy network, there is no reason not to use it as an extra layer of security. The passive traffic monitoring was accurate in our testing and on par with dedicated traffic monitoring programs. For example, it could easily distinguish between a human using a browser and machine-generated processes. It could even flag a machine trying to use Chrome to mimic human activity. For the most part, it leaves human activity alone, unless that human manually navigates to a deception asset, in which case it gets flagged just like everything else, since no real user has any business interacting with a decoy and the user could have become an insider threat. It could monitor any network protocol including DNS, TCP/IP, HTTP, SSL, FTP, SSH and others.

Traffic scanning gives DECOYnet the ability to see attacks as they happen, even before they hit a deception point. These types of threats are generally given medium-level priority assignments by the program. However, as soon as they touch a deception asset, they immediately go to high alert status, with a near certainty that an attacker is inside the network.

All interactions with a deception asset are fully logged, down to the application level, providing full forensics about the tools and tactics used by the attacker. Users can examine the forensic data within the program itself or integrate DECOYnet with any popular SIEM platform using Syslog, CEF or STIX/TAXII.
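The alerting model described in the preceding paragraphs (any contact with a decoy is a near-certain intrusion and rates a high-priority alert, while suspicious traffic seen by the analyzer before it reaches a decoy only rates medium priority, with results forwarded to a SIEM as CEF) can be illustrated with a small detector. This is an added example, not TopSpin's or any vendor's code; the decoy inventory, the log line format, the sweep threshold and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (assumed values): decoy host addresses and the planted
# "breadcrumb" credentials that no legitimate user or scheduled job should ever use.
DECOY_HOSTS = {"10.0.5.23", "10.0.5.24"}
DECOY_USERS = {"svc_backup_old", "helpdesk_tmp"}
SWEEP_THRESHOLD = 4  # distinct destinations from one source before it looks like a sweep

# Constructed connection-log format, one record per line (assumption for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) proto=(?P<proto>\S+)$"
)

def to_cef(signature, severity, f):
    """Render an alert as a CEF line so it can be shipped to a SIEM over syslog."""
    return (f"CEF:0|Example|DecoyWatch|1.0|{signature}|{signature}|{severity}|"
            f"src={f['src']} dst={f['dst']} suser={f['user']} proto={f['proto']}")

def analyze(lines):
    """Return CEF alerts for a batch of log lines.
    Decoy contact is severity 9 (near-certain intrusion, no legitimate cause);
    a scan-like fan-out seen only in traffic rates severity 5 (medium priority)."""
    alerts = []
    fanout = defaultdict(set)  # source address -> distinct real destinations seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a connection record; ignore
        f = m.groupdict()
        if f["dst"] in DECOY_HOSTS or f["user"] in DECOY_USERS:
            alerts.append(to_cef("decoy-touch", 9, f))
            continue
        fanout[f["src"]].add(f["dst"])
        if len(fanout[f["src"]]) == SWEEP_THRESHOLD:  # alert once per source
            alerts.append(to_cef("host-sweep", 5, f))
    return alerts

SAMPLE_LOGS = [  # constructed sample input
    "2024-01-01T09:00:01 src=10.0.1.10 dst=10.0.2.5 user=alice proto=smb",
    "2024-01-01T09:00:02 src=10.0.1.10 dst=10.0.2.6 user=alice proto=http",
    "2024-01-01T09:05:00 src=10.0.1.77 dst=10.0.2.1 user=bob proto=ssh",
    "2024-01-01T09:05:01 src=10.0.1.77 dst=10.0.2.2 user=bob proto=ssh",
    "2024-01-01T09:05:02 src=10.0.1.77 dst=10.0.2.3 user=bob proto=ssh",
    "2024-01-01T09:05:03 src=10.0.1.77 dst=10.0.2.4 user=bob proto=ssh",
    "2024-01-01T09:05:04 src=10.0.1.77 dst=10.0.5.23 user=svc_backup_old proto=ssh",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Alice's ordinary two-host activity produces nothing; Bob's host reaches the sweep threshold at a medium-severity alert and then touches a decoy with a planted credential, which produces the high-severity one.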

[Image: TopSpin DECOYnet full forensic data. Credit: John Breeden II]

Of every program examined here, the TopSpin DECOYnet came the closest to being truly fire-and-forget. Administrators could deploy deception assets automatically as recommended by the program, with the whole net being monitored and automatically updated with new decoy assets as needed. Any interaction with a decoy can then either be dealt with using the DECOYnet interface, or all forensic data can be sent to a preferred SIEM for analysis. And if that data is sent to a SIEM, it is done with a near 100 percent certainty that an attack is taking place.

TrapX DeceptionGrid

The heart of the TrapX DeceptionGrid is the TrapX Appliance. Besides being the brains of the deception operation, it also provides a TrapX TSOC module that can analyze and capture files related to specific attacks made against the grid. It also includes a unique sandboxing ability that can detonate files in a secure area and report on the targets, techniques and files used by attackers. TrapX can work with other sandbox tools if an organization already has one, but provides its own as well to ensure that everyone has access to this vital tool.

In addition to the main appliance, there is also a TrapX Automated Incident Response (AIR) server. It does all the heavy lifting in terms of file capture and network forensics, freeing up the appliance to run the deception program.

[Image: TrapX DeceptionGrid main dashboard. Credit: John Breeden II]

When first installed, users have TrapX scan their network to get a clear picture of actual assets and the relationships between them. It then suggests a deception network that is mixed with the same type of assets, and large enough to practically ensure that attackers will hit one of the traps. If you agree with the assessment, it only takes one click to put the deception network in place.

The traps created by TrapX are some of the most realistic we experienced while working on this feature. They also take a lot of different forms. They can become servers or clients, run multiple operating systems, and even take the form of network switches or other communication devices. Even point of sale terminals, medical devices and industrial control consoles are represented, and can become part of an industry-specific deception network if needed.

All TrapX traps provide basic functionality to further trick attackers, keeping them engaged for prolonged periods of time. When we navigated over to a fake Cisco Catalyst 2960-X switch in the deception network, we were presented with the same graphical interface you would get from a real device. We could even click on different ports to get status updates and traffic reports. All of it was completely fake of course, but was presented as if it were actual data. Clients and servers were also highly realistic. Deceptive TrapX Linux boxes, for example, allowed us to run Linux commands and returned the proper responses.

[Image: TrapX DeceptionGrid perfect Cisco fake. Credit: John Breeden II]

Although every device in the deception network seems real, at least down to about a medium level of interactivity, none of them exist. Everything is emulated and hosted on the TrapX appliance. Because each emulation program takes up very few resources, you can install about 1,200 of them on the TrapX appliance.

In addition to the suggested traps, users can work with a very nice GUI to create more traps by hand. We pretended we wanted to protect a group of users in one of our divisions a bit more, so we decided to deploy extra deception boxes. To do that, we simply selected a Windows operating system radio button menu and then designated what kinds of services and programs were running on that computer. We could also name it, and give it whatever credentials we wanted. Once we deployed the box, it looked like we had added another Windows 7 computer to the group.

TrapX also does a great job of protecting its traps from being unmasked by attackers. Besides integrating into groups of similar devices, each decoy is given a unique IP address, its own name based on the naming structure of real devices in the network, and is populated with different types of deception host data. No two traps are exactly alike, which prevents attackers from devising some kind of litmus test to figure out what is real and what's not.
