Threat hunting

Deception technologies: 4 tools to help you identify threats and mitigate risks

February 15, 2021 by Dan Virgillito

Introduction

Deception technologies have come a long way from the days when honeypots were used to analyze attacker behavior. Today’s deception tools contain advanced features like automation and machine learning to mitigate increasingly advanced threats. 

When it comes to choosing a deception tool for your business, here are four of the most innovative and advanced options:

1. Fidelis Deception 

Dead ends and false positives waste critical resources and time in network analysis. Fortunately, tools like the Fidelis Deception platform offer a breath of fresh air. The tool works by creating deception decoys and breadcrumbs that misdirect hackers to a deception environment. 

What’s different about these deception assets is that they adapt to the changes in the enterprise network. They all have their own IPs and appear as if they’re an integral element of the network. 

You can deploy the fake assets using the drop-down menus and wizards or leave it to Fidelis to automate the process. If you do it the manual way, the tool will make recommendations on how to mirror the network as it grows and evolves. It even supports IoT devices and various systems present in OT networks. So, for instance, if your organization adds a couple of smart door locks, Fidelis will identify them on the network and offer to deploy locks with similar traits. 

Another standout characteristic of this deception tool is that it generates fake users that engage with deception decoys in legitimate ways. Hackers see this as evidence that the asset they intend to interact with is real, which often convinces them to keep engaging with the network. The outcome? You get details of attack paths and initially compromised foothold systems. 

2. Acalvio ShadowPlex

Security firm Acalvio introduced its Acalvio ShadowPlex deception technology back in 2017. Since then, the platform has evolved to cover a range of enterprise endpoints, including IoT sensors and devices and industrial control systems that play a critical role in the operational technology environment (OTE). This also makes it a viable security tool for industries like manufacturing, where it can replicate both desktop and smart manufacturing systems to keep attackers busy.

How does ShadowPlex work? It deploys deceptive assets in the networks it’s configured to secure. You can instruct the tool to deploy these assets automatically, based on the host environment. Once done, the tool will select an appropriate combination of IoT, OT and desktop devices. 

As soon as a threat actor communicates with one of the devices, ShadowPlex’s AI-driven control (present in its deception farm) powers the asset, enabling it to function like a cybercriminal would expect. This allows the platform to engage the attacker while it collects critical insights for the security team. ShadowPlex can create and spin up many assets that can become proper clients in response to an attack.

ShadowPlex comes with a patented technology called “Fluid Deception” that uses just-in-time decoy creation to deliver resource efficiency, minimizing costs for the organization. Acalvio has linked it with its seminal innovation called “deception farms,” which could be present in a virtual server farm on-premises or inside the cloud. All deception assets live inside these farms and are projected onto the physical network through a series of sensors.

These sensors are rather inexpensive, so organizations can get one for each network they wish to secure without draining their security budget.

What’s more, you don’t need to be a deception specialist to get around ShadowPlex. The tool’s handy wizards will help deploy the right assets based on the type of threats you want to protect against. Nice!

3. Rapid7 InsightIDR Deception

Monitoring tools that analyze log files often miss the attacker’s traces, which means an intrusion can go unnoticed until much later. Rapid7’s InsightIDR addresses this by offering easy-to-deploy intruder traps. These include honey files, honeypots, honey credentials and honey users, all devised to detect malicious behavior in the initial phase of an attack. Additionally, InsightIDR offers endpoint and UBA (user behavior analytics) detection tools to detect compromise early.

The intruder traps are the centerpiece of InsightIDR’s deception technology. They are quick to configure and built using continuous attacker research from Rapid7’s pentesters, its 24/7 Security Operations Center and the Metasploit project.

When an adversary first lands in the enterprise network, the first trap, honeypots, consists of decoy servers or machines set up to monitor the intruder’s activity, such as the use of Nmap and other scanning tools, and to inform the security team of the threat actor’s presence. You can then define a honey user (like PatchAdmin) to identify password-guessing attempts.

Moreover, InsightIDR plants fake honey credentials on different endpoints to deceive attackers. If these credentials are used anywhere inside the network, for example in a pass-the-hash attempt, you’ll be alerted automatically. This extends to identifying privilege escalation and other attacks that involve extracting cleartext passwords or password hashes.
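To make the honey-user and honey-credential traps concrete, here is an added example (not code from the article or from Rapid7 InsightIDR) that runs a small honeytoken rule set over constructed Windows-style logon events: any authentication attempt against a bait account is alerted on, and a successful network logon with one is treated as a replayed, stolen credential. The `key=value` line format, the event ids used, the bait account names and the source address are all assumptions for this example.

```python
"""Honeytoken alerting over constructed Windows-style audit events.
Added example, not code from the article or Rapid7 InsightIDR: it models the
honey-user and honey-credential traps described above. Field names, event
ids and the bait account names are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed bait inventory: accounts that exist only to be stolen.
HONEY_USERS = {"patchadmin", "svc_backup_legacy"}
# Logon types for network (3) and RDP (10): a bait account should never
# authenticate this way, since no legitimate process knows its password.
NETWORK_LOGON_TYPES = {"3", "10"}

@dataclass(frozen=True)
class Alert:
    severity: str
    account: str
    src_ip: str
    reason: str

def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value' audit line (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event touches a honey user, else None."""
    account = event.get("account", "").lower()
    if account not in HONEY_USERS:
        return None
    src, eid = event.get("src_ip", "unknown"), event.get("event_id")
    if eid == "4625":  # failed logon: password guessing against the bait
        return Alert("high", account, src, "failed logon against honey user")
    if eid != "4624":  # other event ids are out of scope for this rule set
        return None
    if event.get("logon_type") in NETWORK_LOGON_TYPES:
        # Network success means the planted secret was harvested and replayed.
        return Alert("critical", account, src, "honey credential replayed")
    return Alert("high", account, src, "logon with honey user")

def hunt(lines: Iterable[str]) -> List[Alert]:
    """Run every audit line through the honeytoken rules; keep the hits."""
    return [a for a in (evaluate(parse_event(l)) for l in lines) if a]

# Constructed sample log: normal activity plus an intruder at 10.0.0.77.
SAMPLE_LOG = [
    "event_id=4624 account=jsmith logon_type=2 src_ip=10.0.0.5",
    "event_id=4625 account=PatchAdmin logon_type=3 src_ip=10.0.0.77",
    "event_id=4624 account=svc_backup_legacy logon_type=3 src_ip=10.0.0.77",
    "event_id=4624 account=jsmith logon_type=3 src_ip=10.0.0.5",
]
```

Because no legitimate workflow ever uses a bait account, every hit from `hunt()` is worth an analyst's time, which is the low-false-positive property the article attributes to these traps.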

Further, InsightIDR deception tech enables you to specify a honey file in a critical system directory. If an attacker tries to get confidential materials off the network by copying files to a cloud storage account or an external drop server, their actions will be monitored, giving you “file-level visibility” without requiring you to invest in File Integrity Monitoring. Combined with endpoint detection and UBA analytics, you can be sure that the tool will help you identify threat actors across the entire attack chain.

4. Attivo Networks ThreatDefend Platform

Attivo Networks is considered to be a leader in the deception technology space. It was one of the first vendors to package attack response capability into its offering. ThreatDefend, the company’s deception tool, allows users to deploy unique deceptions for new and exclusive devices that appear to be real assets. This helps to identify adversaries moving laterally through a network to escalate their privileges or reach sensitive data. ThreatDefend has a modular design that gives organizations the flexibility to add detection coverage for cloud, Active Directory, network and endpoint.

The platform also goes beyond high-fidelity alerts. Once an adversary interacts with one of the deception decoys, ThreatDefend sends them the type of communications they might expect. It does so while opening a sandbox, so that any backdoors and malware code are injected into the sandboxed environment. This allows users to safely analyze the hacking attempt and determine the attacker’s objective.

Additionally, the tool offers the option to use third-party integrations that automate blocking and share threat intelligence, threat hunting and quarantining to accelerate incident response. Plus, controlled access management keeps hackers from escalating privileges or discovering the critical information they seek.

Conclusion

These are some of the best deception technologies available today. All of them add an offensive element to defense by tricking attackers into revealing themselves. Organizations that integrate one of these tools into their security stack should experience lower operational overheads and gain the capability to protect different devices, including IoT systems, embedded devices and even legacy devices.



Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.
