Doron held executive and management roles in cyber security and software development for over 25 years. He serves now as the CTO for the Deception in Fidelis Cybersecurity. Doron founded TopSpin Security... Read More
April 11, 2019
Examining Different Approaches to Architecting Deception Technology
Deception is an emerging technology that gives the good guys a way to literally change the game. How deception is architected and deployed can vary greatly and it’s important for customers to understand the optional Deception Architectures, their advantages and any issues that might be encountered.
The Deception architecture should deal with the following aspects of deception among others:
Collecting pertinent information on your cyber terrain
In order to build an effective deception layer, you must know your terrain. This information can be gathered using the following methods:
Scanners: Run a scanner and use its output to understand the terrain. The information is limited according to the scanners’ ability to drill into assets and applications, and to the responding devices, as well as the scanned subnets.
Active Directory and asset databases: Learn from the Active Directory and the asset database the information about the assets known to IT. No devices connected to the network which are not listed in Active Directory or the database will be covered.
Analyze multicast and broadcast packets: By analyzing multicast and broadcast packets the solution can collect some information about the assets, providing a very partial knowledge of the terrain, the assets and the applications.
Profiling and classification: Sniff the traffic of the organization to profile and classify the network, assets, applications and any active device on the network. This provides complete knowledge of the protected terrain.
Generally, there are two types of decoys that are offered: Emulated decoys and Real Operating System decoys.
Emulated decoys provide a high-fidelity alarm system for detecting adversaries operating inside the organization. The emulated decoys scale easily and won’t require a lot of resources to deploy thousands of them. Emulated decoys serve for the initial connections with the adversaries and communicate with the attackers up to a certain point. For example, when an attacker connects with an emulated FTP server, the attacker goes through a login into the server, then can move around the file system, read files and write files. While they are easier to reveal by the attacker than Real OS decoys, by the time the attacker recognizes this the organization already knows which assets are infected and communicating with the emulated decoys.
Real OS decoys are a great option to contain the adversaries, however they are costly to scale and resources should be invested in order to make sure that the attackers do not compromise these systems.
There can be significant overhead for building, deploying and maintaining the deception layer. A good solution embeds automation that is derived from complete knowledge of the terrain and the changes occurring in the protected environment to ensure the deception layer is always up-to-date and looks real to the attacker.
The deception layer should adapt to changes that occur in the environment like additional subnets, applications and type of devices. This goes along with the “terrain to be protected”. The more accurate knowledge the solution has on the environment, the better it can adapt the deception layers to match the changes.
Fidelis Deception – Know what you are protecting
Fidelis Deception is unique in that it constantly profiles and classifies assets within the organization. It learns the environment and automatically builds an accurate view with respect to:
The networks and subnets in use
The different assets including the IoT and any assets with presence on the network
The applications used in the organization – The communication patterns of the organization
The networking servers being used (DNS, Proxy, etc.)
In order to achieve this level of knowledge of the organization’s terrain, the platform continuously and passively inspects the traffic.
Note that a huge advantage of this approach over others is that all devices communicating on the network are profiled and classified and will have a relevant deception layer deployed. This approach does not rely on scanners, on any active presence on the network or just on broadcast and multicast packets or any incomplete or partial asset databases.
There is no way for attackers to conclude that this Traffic Monitoring is taking place because it is done out of line without any activities on the network and without responding to any queries or protocols exchanged packets on the network.
Building and Adapting the Deception Layer
When you know the terrain, you can protect it by altering the environment. Fidelis does this through profiling and classification and it is easy to build the deception layers including decoys, applications, breadcrumbs and Active Directory integration. The detailed knowledge of the organization provides the means to automatically build the deception layer and to constantly adapt it to the changes occurring in the environment. Fidelis Deception provides emulated decoys and Real OS decoys on the same systems to address different use cases.
Integrate Deception into Your Broader Network Visibility
Fidelis Deception is a stand-alone product that provides visibility of lateral movement, as well as visibility of systems where you cannot deploy an endpoint agent – i.e. legacy systems, enterprise IoT devices and Shadow IT. Fidelis Deception is also fully integrated into the Fidelis Elevate platform and when used in conjunction with Fidelis Network gives consolidated visibility traffic at multiple points throughout the network and cloud environment.
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.