This is a new category this year and it may, over time, prove to one of our most interesting. The idea of deception networks began sometime ago with the Honeynet project. The idea then was that with a honey pot – or honeynet – you could gather a lot of information about how the adversary attacked by monitoring his actions and analyzing them after the fact.
Today's deception networks are a lot more than really smart honeynets. They are crafted to entice a criminal to perform his actions on a network that looks – and sometimes is – the real enterprise. Deception vendors have several ways of accomplishing this. In some cases, the deception network is an overlay on the real enterprise. This lets the adversary interact with the network in a real way but without endangering the network, network devices, applications or data. Interspersed with the real targets are deception targets which may include applications, devices such as servers and data. The adversary cannot discern the real assets from the deception targets.
When the deception network is completely separate from the real network, it behaves more like a honeynet. In this case the adversary is lured to a network that looks like part of the real network but isn't. In either case the deception network is heavily instrumented and gathers logging data in sufficient detail to useful forensically. Those data are protected from compromise to make them forensically useful.
The paradigm shift from honeynets as research tools to deception networks as part of the security stack has not taken place overnight. Until fairly recently, deception networks and honeynets were considered little more than research toys, to be deployed in universities and as learning/research tools. Today, we see these networks as viable security tools as well as research tools. Here in the labs we have a home-brew deception network that we use for intelligence gathering. It is not configured to provide protection. Rather it is a rather old-school honeynet with one exception: The level of instrumentation and the types of lures are more typical of today's deception nets.
We have two deception networks this year in our innovator's group. They do their tasks somewhat differently but they certainly are at the top of the deception game.
Company Name |
Illusive networks |
Flagship Product in this Category: |
Illusive Core Solution |
Flagship Product cost |
$60 per user per year tiered volume pricing. |
Web |
https://www.illusivenetworks.com |
Innovation |
Pioneered the “deceptions everywhere” concept. |
Greatest Strength |
Continues to be transparent to the adversary with forensic-level monitoring, data capture and analysis through an increasingly sophisticated deception layer over the entire enterprise. |
Last year we introduced this innovator and over that time we have watched them carefully. As we pointed out last year, Illusive takes the perspective of the attacker. As we have written before, the use of honeynets as something more than research tools was not common nor did most security pros believe that they made good security defense tools. However, the evolution of the honeypot to the honeynet and, finally, to the deception net has changed all of that. Illusive has been instrumental in moving that evolution along.
Last year we pointed out that the company takes approach of an agentless network overlay. There are some real benefits to that. Without agents the adversary has a harder time discovering that he is in a deception net instead of the real enterprise. This year Illusive continues to innovate. It launched a completely automated deception fabric. In a large – or, even, moderately large – it nearly is impossible to populate a full-scale deception network manually. To automate the process, Illusive uses such things as its Deception Management System (DMS). DMS learns such things as naming conventions, what kind of user data are on the network, and predicts attack vectors.
Network traffic deceptions add reality to the network. These sniff enterprise data and create deceptions that are consistent with the applications in use by users. So, for example, an accountant will not have the keys to the database administrator's castle. Over the past year Illusive has partnered with Intel to extend deceptions to the hardware layer, adding deception services on servers. Illusive terms this “fake on real.” This term could be extended to the entire deception network. It is nearly impossible for an attacker to discern that he is in a deception net and if he suspects it, escaping from the net into the real enterprise is, likewise, nearly impossible. And if he did, he would be able to have no confidence that he actually is in the real enterprise. Of course this opens up all sorts of forensic analysis possibilities and this innovator is solid in that regard.
TrapX Security DeceptionGrid
Company Name |
TrapX Security |
Flagship Product in this Category: |
DeceptionGrid |
Flagship Product cost |
Price is per VLAN on a tiered basis (the more you buy the less you pay per VLAN). Average price is $1000 per VLAN. |
Web |
https://www.trapx.com |
Innovation |
Migration of honeynet research to a new breed of deception network. |
Greatest Strength |
Extending the concept of lures and forcing attackers to engage with an increasingly high interaction deception environment while collecting detailed forensics on the adversary. |
|
TrapX does deception a bit differently than one might expect. In some regards they are a bit closer to honeynets than some other similar tools. But at the same time, they've added some elements that simply don't exist in honeynets. With smart automation and sophisticated machine learning algorithms they have done a nice job of extending the deception net paradigm to wat they call a deception grid.
What is unique about DeceptionGrid is that it starts out fairly inconspicuous and apparently benign. But, under the covers is a sophisticated low interaction set of traps. These traps can never be touched without triggering an alarm. The theory is that nothing ever should touch one of the traps. If an attacker begins to engage with a trap, he is caught like a fly in a spiderweb. DeceptionGrid then goes into action to create ever more-tempting – and high interaction – traps, enticing the attacker to delve deeper into the grid and away from the real enterprise while, at the same time, it is collecting detailed forensics on the attacker and the attack.
This innovator was founded in 2011 and went to market in 2012. Now, five years later they have over 300 customers and 60 employees. @012 was not a good year to introduce deception. It was a very new technology and its promise was far from being realized. TrapX spent its first 3 years educating its public and, over the past two years, the company feels that the market “gets it.”
The founders have a mix of background from hacking to security. They realize that it is easier to hack than to defend. They use the same tactics against the adversary that it uses against the defenders. So, they don't try to cover the entire attack surface. They wait to see how the bad guys attack, mess with their decision process and change the economics of cybercrime to make it less cost-effective to hack.
How does a company with a relatively new entry into a relatively new market space plan for survival and, perhaps, dominance? Their philosophy is, don't just fight the battle today. Be ready for tomorrow. In that regard they are extending into two new battlegrounds: cloud and IoT. They actively are extending the DeceptionGrid into these environments and are starting to add vulnerable IoT devices already.