One of the oldest techniques for identifying, mapping, and attributing attack methods is deploying honeypots to lure attackers by creating strategically placed fake computing resources. Patterned after the age-old police sting operation, this technique involves deploying traps that appear to be a legitimate part of the infrastructure and contain information valuable for hackers. They contain no valuable resources, and security researchers monitor these fake resources closely. Analysts can consider attempts to access them to be malicious activities because there is no legitimate reason for users to access them.
Distributed Deception Platforms (DDPs) are the evolution of honeypots, and modern DDPs are becoming affordable and easy to deploy and manage for both SMBs and enterprises.
DDPs can enhance a security program by working alongside Network Detection & Response (NDR) and Endpoint Detection and Response (EDR) tools to simulate a variety of computing assets and environments. They can draw in would-be attackers and alert security teams to the presence of attackers. This deception draws attackers away from real assets and allows teams to study the TTP (tactics, techniques, and procedures) of attackers to better defend against current and future attacks.
Industry analysts and government think tanks have widely recognized deception technology as valuable for active defense, which counters current attacks and engages and learns about an adversary’s TTP.
Deception techniques are designed to use access credentials cashed on enterprise hosts to attract attackers. Attackers can potentially, however, also bring zero-day exploits to compromise decoys and gain privileged access.
Once an attacker compromises a decoy, the attacker may use the decoy as a base to launch pivot-back attacks into the enterprise network. Further, if the deception solution requires that decoys have multiple network interfaces, attackers can bridge over to other subnets, magnifying the problem. This security risk is a known drawback of legacy DDPs.
One solution to this drawback of legacy DDPs is available in a solution offered by Acalvio Technologies. Acalvio states that their solution, ShadowPlex, provides a novel and secure approach to attacker containment and provides early detection of advanced threats with precision and speed using SDN (Software Defined Network)-based policy enforcement. The unbreakable containment resides outside the decoy in the SDN switch; therefore, attackers cannot override it. In addition, ShadowPlex is agentless. The patented innovations make ShadowPlex the most secure and scalable distributed deception product.
Only today, ShadowPlex was named a leader in the KuppingerCole Leadership Compass report for Distributed Deception Platforms. It received the highest Security rating among all five deception products evaluated in the report. Acalvio says ShadowPlex delivers distributed deception at enterprise scale, across on-premises and cloud workloads, for both IT and OT environments.
“One of the core tenets of any security system is to not add additional vulnerabilities. This is especially relevant to Cyber Deception solutions, which provide decoys to engage with attackers. Acalvio has built-in protections to contain hackers within the decoys,” said Bruce Schneier, an internationally renowned security technologist, and Acalvio advisor. “In fact, this should be a litmus test for this type of product. Customers should reject simpler solutions that inadvertently increase the attack surface to adversaries.”
An essential defensive weapon in the arsenal of modern security teams, DDPs can provide invaluable information about a threat actor’s attack methods. This information can help provide an effective defense. Just be sure containment resides outside the decoy in the SDN switch where attackers cannot override it, expand the attack surface, and increase the enterprise’s risk.
Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.