What is ShadowPlex Cyber Deception
Cyber Deception detects threats by overlaying a fabric of pervasive deception across the enterprise network. Deception is not part of the enterprise business processes and systems. Hence any interaction with deception generates a high-fidelity alert. This form of threat detection, which can detect even zero-day exploits, is increasingly acknowledged as an important security layer in the fight against cyber attacks.
Cyber Deception has been around for a couple of decades mostly as honeypots – cleverly crafted fake computing resources, placed as to seem part of the enterprise IT network and containing valuable information. Honeypots, though effective, have been difficult to deploy at scale and to manage by keeping them fresh and relevant.
The state of cyber deception has evolved significantly in the recent years. ShadowPlex is a state-of-the-art Distributed Deception Platform (DDP), which can automatically deploy thousands of deceptions corresponding to any network element, across distributed and hybrid enterprise networks.
Deception is NOT just Honeypots
ShadowPlex Cyber Deception provides a comprehensive deception palette that includes Decoys (also called honeypots), Lures, Breadcrumbs and Baits. The deceptive assets are blended into and deployed throughout the distributed (and hybrid) network, on the enterprise endpoints and in credential stores such as Active Directory. Any attacker access to deception generates a high-fidelity alert.
Start with Decoy Types
Low Interaction Decoys
- Network services and applications
- Attacker cannot login
- Often done via emulation leading to lower quality decoys
- Can deploy many decoys
High Interaction Decoys
- Real VM Hosts, Applications, Database Servers, Shares
- Attacker can login – full interaction higher quality decoys
- Can only deploy Few Decoys
Add Lures to make Decoys Attractive
Deliberately place Lures
- Vulnerabilities in OS, Application, Protocols
- Weak configurations and permissions
- Fake Service Accounts
→ Extensible framework for the customer to add lures as necessary
Lead Attacks to Decoys
Many uses for Breadcrumbs / Baits
- Act as Micro-sensors
- Give (mis)information
- Give booby trapped tools
- Redirect attacks to decoys
- → Completely automated configuration, deployment and management of breadcrumbs and baits
Deception needs to blend into the environment continuously to be effective
- Networks can change
- Adversary behavior will change
- Threats will change
- → Integrated AI keeps track of each network neighborhood and each endpoint settings across the enterprise and automatically blends deception
Keep Deception Dynamic
- Hardly changes
- Easy to fingerprint & avoid
- → Always auto-changing
- → Hard to identify or fingerprint
How does Deception work?
A Spear-phishing Example
- Initial foothold
- Attacker has remote command & control
- Initial recon
Establish Additional Beachheads
- Sacrificial lambs
Lateral move towards Mission Objective(s)
- Initial foothold
- Data exfiltration
- Dense Minefield
- Detect Adversary as Beachheads Established
- Present False Trail
- Deceive Adversary During Recon
- Divert Away from Mission Objective to Decoy
- Tripwires detect and alert when accessed
Cyber Deception provides a completely different way to detect attacks and complements existing security solutions which are based on signatures and behavioral models. Cyber Deception has proven to be very effective, but the first-generation solutions had limitations. Acalvio ShadowPlex provides a modern platform, that is enterprise scale and autonomous.
Please follow the “Read More” link to understand why you need cyber deception when you have other security solutions already deployed in your enterprise network.
Explore our patented technologies to enable Active Defense in your enterprise.