Review: Fidelis Deception breathes life into fake assets

Today's skilled hackers know, or at least suspect, that deception is in place and won't blindly follow breadcrumbs to fake assets. To combat this, Fidelis Deception creates realistic, living deception assets.

[Image: mousetrap and cheese, seen floor-level from the mouse's perspective. KTSimage / Getty Images]

Deception as a defensive technology has come a long way in a short time. Many enterprise networks now run some form of deception to trick and trap unauthorized users. That success is also becoming a problem: attackers have started to expect, and in some cases spot, deceptive assets.

What has not changed is the basic concept. Fake assets are deployed throughout a real network. Legitimate users have no easy way of reaching them, and usually no idea that they exist, but breadcrumbs and other clues pointing to them are left on real assets. Because attackers must explore a network they do not know, those clues can lead them astray and onto a deceptive asset. And because no legitimate user ever should touch one, any user or program interacting with a fake asset is almost always cause for alarm, and evidence that an intruder has bypassed the other network defenses.

Early deception platforms helped users deploy fake assets and drop breadcrumbs pointing towards them, but did little else to improve the deception. When the technology was new, many attackers took the bait. Today, however, skilled hackers know, or at least suspect, that deception is in place and won't blindly follow breadcrumbs. Dormant assets that exist only for deception purposes will probably not be touched by attackers who suspect a trap, and some advanced malware can sniff out the deceptive paths.

Fidelis Deception was created to make deception an effective defense again, even when an attacker knows that it is protecting the network they are trying to breach. It does this by creating living deception assets that interact with one another and perform tasks that make them seem alive. It can also create fake users that interact with the deceptive assets on a regular yet randomized schedule, as a real person would. And it has a few nasty surprises in store for unauthorized users to make sure they waste their time, giving security teams a large window in which to catch them in the act.

The Fidelis Deception platform can be deployed on premises, in the cloud, or as a service, and as either hardware or software. Performance is the same across these deployments with one exception: the traffic monitoring sensors, which are used to bring deceptive assets alive automatically and to track possible attackers. The hardware sensors from Fidelis can handle up to 10 Gbps of traffic, while the virtual sensors top out at around 2 Gbps. Pricing, regardless of deployment method, is based on the number of real users being protected. There is no limit to the number of deceptive assets or deceptive users the platform can create and deploy, and deploying more of them does not change the price.

[Screenshot 1: Fidelis Deception. Credit: John Breeden II]

From the Assets screen, users can see exactly how many and what kind of assets have been deployed. There is no limit to how many deception assets can be created.

Setup and testing

Deploying deceptive assets is extremely easy with Fidelis Deception. Users can go into specific user groups or asset categories and deploy deception assets through a series of drop-down menus, or they can let Fidelis automate the process. Because traffic monitoring through the sensors is part of the Deception platform, the program watches network traffic and learns how it flows. Clicking the “Suggest for Me” button makes Fidelis Deception propose a list of deceptive assets that would naturally sit within the existing workflow, anything from mail servers to printers. It then records those assets so that it can interact with them later and make them all seem alive.

This deployment process is also ongoing. Because Fidelis Deception monitors traffic and network assets, it will notice when, for example, a company adds a batch of new IP security cameras, and it will suggest that deceptive cameras be added to the network as well. The same happens if an organization is migrating from Windows to Linux or making any other transition or addition: the deceptive assets mirror the change.

Fidelis Deception is one of the few deception tools that supports both emulated decoys, such as internet of things (IoT) devices, and full operating-system decoys, which can carry unique system content, on the same decoy server. In the course of our evaluation, we were able to add many IoT devices to the deception net, including specific printer and router models found in office settings. For operational technology (OT), human-machine interfaces (HMIs) and custom golden OS images are supported as decoys.

When deploying a deceptive desktop or server, Fidelis Deception offers a good selection of images to load onto the decoy. Organizations can also upload the golden image they use on their real systems, and Fidelis will deploy that instead so the decoys mirror the real environment exactly. Decoy accounts can be seeded with common passwords, including known vendor defaults and strings like “password” and “12345.” An intruder who tries one of those and gets in will think they scored, not realizing that they have just walked into a trap.

Setting up breadcrumbs and lures is likewise straightforward. Because Fidelis Deception monitors traffic through its network sensors, it knows what kinds of traces real user activity leaves behind. It suggests similar but fake breadcrumbs to plant on real assets and keeps them refreshed so they do not go stale. It even goes so far as to poison Address Resolution Protocol (ARP) tables in the defender's favor, planting entries for decoy hosts so that deceptive assets look as active as comparable real assets on the protected network.

The icing on the deception cake is the platform’s ability to create fake users. These are real accounts in the environment, but ones driven by the platform rather than by a person. You set their preferences and permissions when they are created: perhaps one works mornings, or belongs to a specific department. Fake users act within those parameters but with enough randomness that they do not look like machines working to a schedule. They interact with the deceptive assets and actually use them, making the decoys seem alive, without triggering an alert.

Any time a malicious user or program touches a deceptive asset, an alert is generated, but not every alert is a priority. Deception platforms generally have few false positives; Fidelis Deception goes a step further by examining every alert for evidence of related activity. Perhaps the user who touched a deceptive asset has also been interacting with real assets. Fidelis gathers that evidence, where it exists, and presents it as a conclusion that lays out everything found. Conclusions are the equivalent of alerts on other platforms, the items IT teams should concentrate on, except that they carry both the warning and a lot of context.

[Screenshot 2: Fidelis Deception. Credit: John Breeden II]

The Decoy Activity tab shows if any of the deceptive assets have been interacted with and what the attacker attempted to do with them.

[Screenshot 3: Fidelis Deception. Credit: John Breeden II]

An alert triggers whenever any activity occurs at a deception point, other than the interactions the platform itself makes to keep the asset believable.
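To make the two rules above concrete, here is an added example that is not Fidelis code and does not describe the product's internals. It applies them to a handful of constructed log lines: any touch of a decoy host by someone other than the platform's own fake users becomes an alert, and each alerting source's activity against real assets is folded in to form a conclusion. The log format, host names, user names and the medium/high severity rule are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the product): "<ts> <src_ip> <user> <dst_host> <action>"
SAMPLE_LOG = """\
2019-05-01T08:02:11 10.0.5.21 jsmith fs01 smb_read
2019-05-01T08:05:43 10.0.9.7 svc-deception dc-fake-02 ldap_bind
2019-05-01T08:06:02 10.0.5.40 bwhite prn-lobby-01 lpd_print
2019-05-01T08:07:19 10.0.5.88 tmorris fs01 smb_read
2019-05-01T08:07:55 10.0.5.88 tmorris fs-backup-07 smb_list
2019-05-01T08:08:10 10.0.5.88 tmorris fs-backup-07 smb_read
2019-05-01T08:09:30 10.0.5.88 tmorris hr-db-03 sql_login
2019-05-01T08:11:02 10.0.9.7 svc-deception fs-backup-07 smb_read
2019-05-01T08:12:40 10.0.7.3 - cam-fake-11 http_get
"""

# Assumed decoy inventory and the accounts the platform uses to keep decoys looking alive.
DECOY_HOSTS = {"dc-fake-02", "fs-backup-07", "cam-fake-11"}
DECOY_USERS = {"svc-deception"}  # platform-driven fake users; their touches are expected

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<dst>\S+) (?P<action>\S+)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def decoy_alerts(events):
    """Rule 1: any touch of a decoy host by anyone but the platform's own fake users is an alert."""
    return [e for e in events if e["dst"] in DECOY_HOSTS and e["user"] not in DECOY_USERS]


def build_conclusions(events):
    """Rule 2: group alerts by source and attach that source's activity against real assets.

    The severity labels are an assumption for the example: a source that has also been
    touching real assets is rated 'high', one seen only on decoys 'medium'.
    """
    by_src = defaultdict(list)
    for alert in decoy_alerts(events):
        by_src[alert["src"]].append(alert)

    conclusions = []
    for src, src_alerts in by_src.items():
        real_activity = [e for e in events if e["src"] == src and e["dst"] not in DECOY_HOSTS]
        conclusions.append({
            "src": src,
            "users": sorted({a["user"] for a in src_alerts}),
            "decoys_touched": sorted({a["dst"] for a in src_alerts}),
            "decoy_actions": [(a["ts"], a["dst"], a["action"]) for a in src_alerts],
            "real_assets_touched": sorted({e["dst"] for e in real_activity}),
            "severity": "high" if real_activity else "medium",
        })
    return conclusions


if __name__ == "__main__":
    for c in build_conclusions(parse_log(SAMPLE_LOG)):
        print(f"[{c['severity']}] {c['src']} as {c['users']} touched decoys {c['decoys_touched']}; "
              f"also seen on real assets {c['real_assets_touched']}")
```

Note that the platform's own fake-user traffic to dc-fake-02 and fs-backup-07 produces no alert, while the same two decoy hosts touched from 10.0.5.88 do, and the conclusion for that source carries its fs01 and hr-db-03 activity as context. The unauthenticated probe of cam-fake-11 still surfaces, just with less context.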

Fidelis Deception has a few other advantages over similar offerings. One is that any file uploaded to a deceptive asset is detonated in a sandbox. That gives a better read on an attacker’s motives, and what the sandbox collects can be used to improve or validate other network defenses.

[Screenshot 4: Fidelis Deception. Credit: John Breeden II]

Alerts are not always critical, so they do not automatically demand a response. Instead, the Fidelis platform compiles the related traffic and alerts and attempts to draw a conclusion about the potential attack. Those conclusions are listed under the Conclusions tab.

[Screenshot 5: Fidelis Deception. Credit: John Breeden II]

Whereas most deception platforms stop at the alert phase, Fidelis compiles all relevant information, including data from other network traffic, and when warranted produces a full report of related attacker activity. That is a ready-made asset for threat hunting, and it also helps when remediating the problem.

Another advantage is that deceptive assets can carry their own layer of defense meant to delay and stymie attackers. Fidelis has built a tool into Deception whereby certain highly attractive files on decoys are listed as very small, a few kilobytes. When an intruder tries to download one, it turns out to be enormous, growing into the gigabyte or terabyte range. That can hold a human attacker up for hours and give IT teams ample time to respond. And if the attacker is an automated tool or piece of malware, it may be held up indefinitely, since it has no way of knowing that it is being fed a file that never ends.
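The mechanism described above is a tarpit: the listing advertises a tiny file, the download never finishes. The following added example models it in a few lines; it is not Fidelis code and says nothing about how the product implements the feature. The file name, advertised size and chunk size are assumptions, and the bounded reader shows what an attacker tool would need in order to escape the trap (and, from the defender's side, why a tool without such a limit stalls forever).

```python
import os
import time

# Constructed decoy listing entry: what an intruder sees in the directory view.
DECOY_FILE = {"name": "salaries_2019.xlsx", "advertised_size": 4 * 1024}  # 4 KiB


def decoy_stream(chunk_size=64 * 1024):
    """Serve the decoy file as an endless sequence of chunks.

    Each chunk carries a sequence number plus fresh random filler, so a downloader
    cannot shortcut the stream by noticing repeated data or compressing it away.
    """
    counter = 0
    while True:
        yield counter.to_bytes(8, "big") + os.urandom(chunk_size - 8)
        counter += 1


def naive_download(stream):
    """What a tool with no size or time limit does with the stream: this never returns."""
    data = bytearray()
    for chunk in stream:  # no exit condition, so the loop runs until the process is killed
        data += chunk
    return bytes(data)


def bounded_download(stream, max_bytes, max_seconds):
    """A reader that gives up once the payload exceeds a byte budget or a time budget.

    Returns how much was received and whether the file ever completed. Against the
    decoy stream the answer is always 'no', which is itself a useful signal: a file
    far larger than its advertised size is a strong hint that one has hit a decoy.
    """
    received = 0
    deadline = time.monotonic() + max_seconds
    for chunk in stream:
        received += len(chunk)
        if received > max_bytes or time.monotonic() > deadline:
            return {"bytes": received, "complete": False}
    return {"bytes": received, "complete": True}


if __name__ == "__main__":
    # Allow four times the advertised size before concluding the listing lied.
    budget = DECOY_FILE["advertised_size"] * 4
    result = bounded_download(decoy_stream(), budget, max_seconds=5.0)
    print(f"{DECOY_FILE['name']}: advertised {DECOY_FILE['advertised_size']} bytes, "
          f"received {result['bytes']} bytes, complete={result['complete']}")
```

Do not call naive_download on the decoy stream except to watch it hang; that hang is the delay the paragraph describes. A reasonable defensive test of your own downloaders and scanners is exactly bounded_download: give them a byte and time budget and check that a file many times larger than its advertised size makes them stop rather than fill the disk.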

The last word

Fidelis Deception is one of the most advanced and mature deception platforms CSO has evaluated. Its deceptive assets are highly believable, blend into the real environment and are used by equally believable deceptive users. Extra features such as sandboxing, deep traffic analysis and defensive layers on the deceptive assets add even more value. In a world where hackers have learned to expect decoys around every corner, Fidelis has still found a way to deploy a tempting network of deceptive assets that stand ready to protect the real thing.

Copyright © 2019 IDG Communications, Inc.
