Acalvio weaves a web of deception on demand
Acalvio ShadowPlex offers clients unlimited deception assets without constant overhead or maintenance.
Deception is one of a handful of hot, innovative technologies in cybersecurity that might be able to turn the tables on attackers, putting the advantage squarely back in the realm of beleaguered defenders. CSO recently reviewed deception products from four major companies spearheading the development of this new technology. But in a field like cybersecurity, nothing remains static for very long, and already new contenders are emerging with completely different takes on how deception technology should be successfully deployed. We took ShadowPlex from Acalvio for a spin to see how the product adds artificial intelligence, wizards and the concept of deception on demand into the mix.
How deception technology works
Deception is a great way to protect a network, luring attackers to fake systems, which both unmasks their activities and sets up defenders to take action. Valid users working the way they always do, through the tools, mapped drives and shortcuts IT set up for them, have no reason ever to encounter a deceptive client. Attackers don't have those shortcuts; they have to discover the network for themselves, and if they tried to use the legitimate paths they would quickly be caught. What attackers do have is a wealth of clues about how to move laterally once inside. Valid users leave large trails in their wake in places like browser histories and log files, and smart attackers know how to find and follow those trails to new assets.
Most deception platforms involve at least two parts. First, fake assets are set up around a real network. Valid users don't know they are there and have no reason to try to connect to phantom servers, printers, switches, file shares and clients. But just expecting an attacker to stumble on one at random isn't realistic. Instead, fake clues are placed on real machines. Sometimes called breadcrumbs or lures, these are indicators that suggest the fake assets are in use. From an attacker's view, it looks like a user is connecting to, for example, a file share where they have admin privileges, so they follow that trail to a fake asset. Because no valid user ever touches one, any interaction with a deceptive client is a nearly certain indicator of compromise. The one caveat is that anything else that sweeps a subnet, such as vulnerability scanners, asset-discovery tools and monitoring agents, will touch the decoys too, so those sources need to be allow-listed or their hits will bury the real alerts.
Current deception platforms, however, have some limitations. Products generally fall into one of two groups. Either they deploy a sparse number of deceptive assets that are highly realistic, practically full versions of whatever machines they are mimicking, or they deploy massive numbers of deception points, but with very limited functionality.
The problem with the sparse-but-realistic approach is that maintaining deceptive assets with practically full functionality is almost as difficult as maintaining a real network asset. There are even licensing fees to consider if you are spinning up an actual Windows or Linux server, for example, plus the costs in real money and bandwidth, which keep going up as you deploy more assets. And unless you have very attractive lures, there is a good chance that an attacker will miss the deceptive assets based solely on the ratio of real to fake clients.
The other common approach of deploying massive numbers of machines that are little more than facades isn’t perfect either, because it won’t take an attacker long to discover that they have been tricked. As soon as they start trying to do anything more than a simple network ping, the fake asset will be unmasked. The attacker will still have been spotted at that point, but without being able to record detailed interactions, defenders gain little threat intelligence and may not discover other places in their network that the attacker has found to hide.
A different kind of deception
The Acalvio ShadowPlex product is designed to provide the best of both worlds, providing massive numbers of fake assets with very little functionality, which can suddenly spin up and become full clients in response to an attack or probe. In this way, networks get lots of deception points, but only spend resources on those that have captured an attacker’s interest.
As a different kind of deception, ShadowPlex needs to be deployed differently. Almost every network is divided into VLANs, whether by geography (a California office, a Church Street branch), by function (Finance, Public Relations) or by whatever scheme keeps a large network manageable. ShadowPlex requires a small sensor in every one of those segments. The sensor is the endpoint of a software tunnel that connects whatever deceptive assets get spawned on that VLAN back to the main console, so it does not need to be powerful: a $50 network appliance works fine as hardware, or a tiny application if deployed as software.
The brains of ShadowPlex can be deployed either on premises or through the cloud, with no difference in pricing. In fact, the pricing model is reasonable for a deception product. Users only pay based on the number of real assets they are protecting, calculated monthly. They can use as much bandwidth spinning up deceptive assets as needed, and can deploy an unlimited number of deception clients in their environment.
Testing Acalvio ShadowPlex
Our test network for this review consisted of a moderately sized enterprise filled with clients and servers, divided into three logical VLANs. Acalvio had already deployed a sensor on each one before we got started.
The first thing that users will notice is that they don’t need to be experts to begin deploying the deception clients. ShadowPlex has a wizard-like interface that asks multiple questions, which basically boil down to “what kind of threats do you want to protect against?” Given how terrible the threat of ransomware is right now, that is what we chose. You are not limited to one choice either, and can go through multiple deployments as desired.
Administrators don’t need to learn a new interface to deploy a decoy net. They simply tell the program what type of malware they want to be protected from and the ShadowPlex program will spawn a network of decoys that match the naming conventions of those around it. We deployed these in minutes, time spent mostly deciding what type of protection we wanted.
Once selected, ShadowPlex checked with the sensor in our Research and Design group and began proposing deceptive clients to help mask the real assets. ShadowPlex did an impressive job of finding the naming scheme on that VLAN and making sure the new deceptive clients followed suit. Beyond that, it read the MAC addresses of the real clients and used the vendor prefix (the OUI, the first three octets of the address) to work out who made their network cards. The decoys were given MAC addresses under the same vendor prefixes, a tiny detail, but one a careful attacker might check when trying to avoid touching a deception point.
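One way to reproduce that blending step, as an added example rather than Acalvio's implementation: infer the naming counter for each hostname prefix, fill gaps inside the observed range first (a missing rd-ws-013 looks more natural than rd-ws-999), and give each decoy a MAC address under the OUI most common among real hosts that share its prefix. The host list, addresses and the regex for the naming scheme are assumptions constructed for this example; 00:50:56 is VMware's OUI, and the workstation OUI is a placeholder.

```python
import random
import re
from collections import Counter

NAME_RE = re.compile(r"^(?P<prefix>.*?)(?P<num>\d+)$")

# Constructed sample of real assets on one VLAN (hypothetical, not the review's
# network): workstations under one NIC vendor, VMs under VMware's 00:50:56 OUI.
REAL_ASSETS = [
    ("rd-ws-011", "3c:52:82:1a:2b:3c"),   # placeholder workstation OUI
    ("rd-ws-012", "3c:52:82:4d:5e:6f"),
    ("rd-ws-015", "3c:52:82:7a:8b:9c"),
    ("rd-srv-02", "00:50:56:aa:bb:cc"),
    ("rd-srv-03", "00:50:56:dd:ee:ff"),
]


def split_name(name):
    """'rd-ws-011' -> ('rd-ws-', '011'); None for names with no trailing counter."""
    m = NAME_RE.match(name)
    return (m.group("prefix"), m.group("num")) if m else None


def infer_schemes(assets):
    """Per naming prefix: (counter width, numbers in use, most common vendor OUI)."""
    schemes = {}
    for name, mac in assets:
        parts = split_name(name)
        if parts is None:
            continue
        prefix, num = parts
        s = schemes.setdefault(prefix, {"width": 0, "used": set(), "ouis": Counter()})
        s["width"] = max(s["width"], len(num))
        s["used"].add(int(num))
        s["ouis"][mac.lower()[:8]] += 1          # first three octets = OUI
    return {p: (s["width"], s["used"], s["ouis"].most_common(1)[0][0])
            for p, s in schemes.items()}


def decoy_numbers(used, count):
    """Unused counters, starting at the lowest observed number, so gaps in the
    real range are filled before the sequence is extended upward."""
    out, n = [], min(used)
    while len(out) < count:
        if n not in used:
            out.append(n)
        n += 1
    return out


def random_mac(oui, taken, rng):
    """Random host portion under the real vendor's OUI, avoiding collisions."""
    while True:
        mac = oui + ":" + ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        if mac not in taken:
            taken.add(mac)
            return mac


def plan_decoys(assets, per_prefix=2, seed=0):
    """Return (hostname, mac) pairs that blend into each naming group."""
    rng = random.Random(seed)                  # seeded so runs are repeatable
    taken = {mac.lower() for _, mac in assets}
    decoys = []
    for prefix, (width, used, oui) in sorted(infer_schemes(assets).items()):
        for n in decoy_numbers(used, per_prefix):
            decoys.append((f"{prefix}{n:0{width}d}", random_mac(oui, taken, rng)))
    return decoys


if __name__ == "__main__":
    for host, mac in plan_decoys(REAL_ASSETS):
        print(host, mac)
```

Run against the sample above it proposes rd-srv-04 and rd-srv-05 under the VMware prefix and rd-ws-013 and rd-ws-014 under the workstation prefix. Note that a matching OUI only helps on the segment where the decoy's layer-2 address is actually visible; an attacker reading ARP tables from a compromised host on that VLAN is the case it addresses.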
This is a glimpse at one group of deceptive clients populated by ShadowPlex. The dark ones currently exist in a minimal state. Orange have slightly more functionality. The red one is currently being probed as part of our test and has mutated into a full client ready to completely fool an adversary.
Once approved, the clients were deployed and we could seed them, and the actual network clients, with the proper breadcrumbs to make them look like functional assets. ShadowPlex also let us select the type of data to seed, including credentials, URLs, app data and other points, all generated to match existing information in the network, but completely fake. We could also seed specific deception lures like access to company handbook intranets and other things unique to our network that real clients would access.
After all the assets were deployed, we could look at them in the ShadowPlex console. All of them were sitting in their low-end state, basically set to answer network pings but not much else. Switching roles to an attacker, we infiltrated a real workstation and found a breadcrumb that looked like the user logged into a file server using credentials that were saved in the log. Following that trail, we arrived at a deceptive asset. We worked with the asset quite a bit, diving fairly deep into it and finding some of the fake data we had previously seeded. At no point did it seem like the asset was deceptive. In fact, we found new breadcrumbs on it that pointed to other fake assets. Had we followed that trail, we would have been going down a deep rabbit hole to nowhere.
Back on the main console, our activity had generated alerts. The façade of the asset we touched had automatically bloomed into a full client, keeping our alter ego hacker engaged. Nearby assets went to a medium level of activity as a precaution, in case the attacker took the new bait and jumped to one of them next. We collected information about the attacker’s tools and tactics, useful data that could be used to look for other instances of them inside our network.
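The sequence described above, a decoy hit raising an alert, the touched decoy blooming into a full client and its VLAN neighbours warming up, can be modelled as detection logic over flow records. The following Python is an added illustration, not ShadowPlex code; the decoy inventory, VLAN labels, state names and firewall-style log format are all constructed for the example. It goes one step beyond the paragraph by also flagging later connections from the same source to real hosts, which is the pivot the captured intelligence is meant to support.

```python
import copy
import re

# Hypothetical decoy inventory keyed by address, with the VLAN each one sits on
# and the level it is currently running at ("minimal", "medium" or "full").
DECOYS = {
    "10.1.3.41": {"vlan": "rd", "state": "minimal"},
    "10.1.3.42": {"vlan": "rd", "state": "minimal"},
    "10.1.3.43": {"vlan": "rd", "state": "minimal"},
    "10.1.7.41": {"vlan": "fin", "state": "minimal"},
}

# Constructed flow records in a generic firewall-log style (not from any real
# product). 10.1.3.10 and 10.1.3.12 are real servers; .41 and .42 are decoys.
SAMPLE_LOG = """\
2017-11-02T09:14:01 src=10.1.3.25 dst=10.1.3.10 dport=445
2017-11-02T09:14:07 src=10.1.3.25 dst=10.1.3.41 dport=445
2017-11-02T09:14:09 src=10.1.3.99 dst=10.1.3.12 dport=3389
2017-11-02T09:15:30 src=10.1.3.25 dst=10.1.3.12 dport=3389
2017-11-02T09:16:02 src=10.1.3.25 dst=10.1.3.42 dport=22
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Neighbours of a touched decoy move one step up; a full decoy stays full.
ESCALATE = {"minimal": "medium", "medium": "medium", "full": "full"}


def process_flows(log_text, inventory):
    """Return (alerts, final decoy states) for a batch of flow records."""
    decoys = copy.deepcopy(inventory)     # never mutate the caller's inventory
    flagged = set()                       # sources that have touched a decoy
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dport"))
        if dst in decoys:
            # No legitimate user has a reason to reach a decoy, so this is a
            # high-confidence indicator regardless of port or payload.
            alerts.append({"kind": "decoy_touch", "src": src, "dst": dst, "dport": dport})
            flagged.add(src)
            decoys[dst]["state"] = "full"                 # bloom into a full client
            for addr, d in decoys.items():
                if addr != dst and d["vlan"] == decoys[dst]["vlan"]:
                    d["state"] = ESCALATE[d["state"]]     # warm up same-VLAN neighbours
        elif src in flagged:
            # The same source reaching real assets is where the captured
            # intelligence pays off: those are the hosts to triage next.
            alerts.append({"kind": "attacker_pivot", "src": src, "dst": dst, "dport": dport})
    return alerts, {addr: d["state"] for addr, d in decoys.items()}


if __name__ == "__main__":
    found, states = process_flows(SAMPLE_LOG, DECOYS)
    for a in found:
        print(a)
    print(states)
```

On the sample log the first decoy touch from 10.1.3.25 turns 10.1.3.41 into a full client and moves its two VLAN neighbours to medium, the Finance decoy is untouched, and the later RDP connection from the same source to the real server 10.1.3.12 is surfaced as a pivot even though nothing about that flow alone is suspicious. The allow-listing caveat from earlier applies here too: scanner and monitoring sources must be excluded before they are fed to this logic.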
We loved working with the ShadowPlex console, but wanted to see how it interfaced with a SIEM, since many organizations have standardized on a specific tool and don't want to change. In this case, we used Splunk Enterprise with the Acalvio ransomware module installed. Once it was set up, we ran WannaCry on a network client and watched as files began to get encrypted. The Acalvio detector recognized what was happening and acted through Splunk to take immediate action, in this case disconnecting the machine from the rest of the network. Although slightly outside the scope of a deception test, it was good to see how easily ShadowPlex and Splunk worked together.
Here Acalvio ShadowPlex has completely integrated with Splunk for remediation of events. We ran the WannaCry ransomware on a protected client, and the Acalvio app was able to automatically remove the compromised PC from the network, plus take other actions as programmed without human intervention.
Deception is an emerging field, and some of the drawbacks preventing easy, useful deployments are still being worked out. Acalvio ShadowPlex addresses some of those problems, offering clients unlimited deception assets without constant overhead or maintenance. And then those same, façade-like deception points can instantly spring to life when needed, unmasking attackers, keeping them engaged, recording valuable threat intelligence and then acting alone or with a SIEM like Splunk to eliminate them from a protected network.
Copyright © 2017 IDG Communications, Inc.