Acalvio weaves a web of deception on demand

Acalvio ShadowPlex offers clients unlimited deception assets without constant overhead or maintenance.

Deception is one of a handful of hot, innovative technologies in cybersecurity that might be able to turn the tables on attackers, putting the advantage squarely back with beleaguered defenders. CSO recently reviewed deception products from four major companies spearheading the development of this technology. But in a field like cybersecurity, nothing remains static for long, and new contenders are already emerging with completely different takes on how deception should be deployed. We took ShadowPlex from Acalvio for a spin to see how the product adds artificial intelligence, setup wizards and the concept of deception on demand to the mix.

How deception technology works

Deception is an effective way to protect a network: attackers are lured to fake systems, which both unmasks their activity and gives defenders a clear point at which to act. A decoy is effectively invisible to valid users, who reach the systems they need through the tools and shortcuts IT set up for them and have no reason to go looking for anything else. Attackers don't have those sanctioned paths, usually can't tell a decoy from a real host, and even if they could, using the legitimate tools and shortcuts with stolen access tends to get them caught quickly. What attackers do have is a wealth of clues about how to move laterally once inside a network. Valid users leave large trails in their wake, in browser histories, log files and the like, and smart attackers know how to find and follow those trails to new assets.

Most deception platforms involve at least two parts. First, fake assets (decoys) are placed across the real network. Valid users don't know they are there and have no reason to try to connect to phantom servers, printers, switches, file shares and clients. But simply expecting an attacker to stumble onto one isn't realistic. Instead, fake clues are planted on real machines. Sometimes called breadcrumbs or lures, these are indicators that suggest the fake assets are in use. From an attacker's view, it looks like a user connects to, for example, a file share where they hold admin privileges, so they follow that trail to the decoy. Because no valid user ever touches one, any interaction with a decoy is a near-certain indicator of compromise. In practice the only legitimate sources that do touch decoys are authorized vulnerability scanners and inventory tools, which have to be excluded from alerting so they don't drown out the real signal.
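The detection rule described above, as an added example that is not from the article or from Acalvio's product: every connection to a decoy address from a source other than the sanctioned scanner is raised as an alert, and the alerts are grouped by source so the analyst sees which real host followed the breadcrumbs. The decoy addresses, the scanner address, the firewall-style log format and the log lines themselves are all constructed for the example.

```python
"""Flag traffic to decoy hosts in connection logs (added example, not Acalvio code)."""
import re
from dataclasses import dataclass

# Constructed decoy inventory: addresses that exist only as deception assets.
DECOYS = {
    "10.20.5.77": "fake file share FS-ARCHIVE (SMB/445)",
    "10.20.5.78": "fake print server (IPP/631)",
    "10.20.9.240": "fake Linux host (SSH/22)",
}

# Assumption: the organisation's authorised vulnerability scanner, the one
# legitimate source that probes decoys as part of normal operation.
AUTHORIZED_SCANNERS = {"10.20.1.10"}

# Constructed firewall-style log lines: timestamp, verdict, src:port -> dst:port, proto.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z ALLOW 10.20.5.31:51722 -> 10.20.5.12:445 TCP
2024-03-04T09:12:05Z ALLOW 10.20.5.31:51730 -> 10.20.5.77:445 TCP
2024-03-04T09:12:06Z ALLOW 10.20.5.31:51731 -> 10.20.5.77:445 TCP
2024-03-04T09:13:40Z ALLOW 10.20.1.10:40000 -> 10.20.5.78:631 TCP
2024-03-04T09:15:02Z ALLOW 10.20.5.31:51802 -> 10.20.9.240:22 TCP
2024-03-04T09:16:00Z ALLOW 10.20.7.9:33100 -> 10.20.7.1:53 UDP
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    src: str
    decoy: str
    dport: int
    label: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_decoy_interactions(log_text, decoys=DECOYS, allowlist=AUTHORIZED_SCANNERS):
    """Every connection to a decoy from a non-allowlisted source is an alert.

    No legitimate user has a reason to reach a decoy, so the rule needs no
    thresholds or tuning beyond the allowlist of sanctioned scanners.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in decoys:
            continue
        if rec["src"] in allowlist:
            continue  # sanctioned scanner: expected to touch decoys
        alerts.append(DecoyAlert(rec["ts"], rec["src"], rec["dst"],
                                 rec["dport"], decoys[rec["dst"]]))
    return alerts


def lateral_movement_trail(alerts):
    """Map each attacking source to the ordered list of distinct decoys it touched.

    The trail shows which breadcrumbs the intruder followed, and therefore which
    real host (the source address) is compromised and should be examined first.
    """
    trail = {}
    for a in alerts:
        seen = trail.setdefault(a.src, [])
        if a.decoy not in seen:
            seen.append(a.decoy)
    return trail


if __name__ == "__main__":
    found = detect_decoy_interactions(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} touched {a.decoy} ({a.label}) on port {a.dport}")
    print("trail:", lateral_movement_trail(found))
```

Run against the constructed log, the rule ignores the scanner's probe of the fake print server and the ordinary DNS and file-share traffic, and reports three touches from 10.20.5.31, two on the fake share and one on the fake Linux host. That one source address, not the decoys, is the host to pull for forensics.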

Current deception platforms, however, have some limitations. Products generally fall into one of two groups. Either they deploy a sparse number of highly realistic decoys, practically full versions of whatever machines they mimic, or they deploy massive numbers of deception points with very limited functionality.

The problem with the sparse-but-realistic approach is that maintaining a decoy with practically full functionality is almost as much work as maintaining a real network asset. There are licensing fees to consider if you are spinning up an actual Windows server (or a commercially supported Linux distribution), plus the compute and bandwidth costs, all of which keep growing as you deploy more assets. And unless your lures are very attractive, there is a good chance an attacker will miss the decoys entirely, simply because of the ratio of real to fake machines.

The other common approach, deploying massive numbers of machines that are little more than facades, isn't perfect either, because it won't take an attacker long to discover they have been tricked. As soon as they try anything more than a simple network ping, the fake asset is unmasked. The attacker will still have been spotted at that point, but without a record of detailed interactions, defenders gain little threat intelligence and may never learn where else in the network the attacker has found to hide.

A different kind of deception

The Acalvio ShadowPlex product is designed to provide the best of both worlds: massive numbers of fake assets with very little functionality, any of which can spin up into a full client on demand in response to an attack or probe. In this way, networks get lots of deception points but only spend resources on those that have captured an attacker's interest.

As a different kind of deception, ShadowPlex needs to be deployed differently. Almost every network is segmented into VLANs, whether by geography (the California office, the Church Street office), by function (Finance, Public Relations) or by some other scheme that keeps a large network manageable. ShadowPlex requires that a small sensor be deployed into every one of those segments. The sensor acts as the endpoint of a software tunnel that connects whatever decoys get spawned in that segment back to the main console, so it doesn't need much power: a $50 network appliance works fine as hardware, or a tiny application if it is deployed as software.
