Overview of Distributed Deception Platforms (DDP)


The use of infrastructure deception predates modern IT systems by a long time. During World War II, the belligerent parties regularly resorted to such techniques. The famous landing of the Allied forces in Normandy was successful largely owing to an extensive disinformation campaign code-named Bodyguard, in which Operation Fortitude played a significant role. As part of Operation Fortitude, the Allied forces created a simulation of two armies: in the vicinity of Edinburgh in the north and near the Dover Strait in the south. These armies consisted of inflatable tanks, wooden planes, and replicas of assault landing ships, as well as many non-existent units and divisions of the Allied armies. The main objective of the operation was to divert the attention of the enemy’s command from the actual landing point of the Allied forces in Normandy.

Operation of modern IT systems is virtually no different from the battlefield: destructive mass attacks and sophisticated targeted attacks have become commonplace in the modern global IT landscape. Information security and IT professionals all over the world face two major tasks on a daily basis: to implement the most effective proactive defense to fend off the destructive impact of attacks on the infrastructure, and to respond to a successful attack by investigating it, restoring the infrastructure, and preventing it from recurring in the future. Nowadays, each of these tasks is addressed by a tremendous number of different systems, including NGFW (Next Generation Firewall), SIEM (Security Information and Event Management), EPP (Endpoint Protection Platform), EDR (Endpoint Detection and Response), etc.

Each one of these systems is designed to protect the organization’s existing IT assets through direct placement between the targeted system and the attacker. However obvious this may sound, the main assumption underlying the defense philosophy is the absolute certainty that the attack is targeting a real IT asset. History shows, however, that in any classical defense tactic there is always room for a non-standard approach, which is often just as (if not more) effective than the classical methods of combating the intruders. Sometimes it can effectively complement them, making IT systems maximally impervious to attacks. One such technology is the Distributed Deception Platform (DDP).

The Distributed Deception Platform concept is uniquely simple. In addition to existing infrastructure protection systems, it proposes building another parallel or, on the contrary, integrated infrastructure. From the viewpoint of an attacker, this infrastructure is no different from the real one. Yet it does not contain any valuable information and assets. This system also helps to proactively prevent attacks by calculating the attack vector on the test infrastructure long before the attacker gains access to the real system. It also helps to respond to an information security incident that has already happened using extensive analysis of the test infrastructure attack scenario.

The earliest precursors of the Distributed Deception Platform are honeypots: decoy hosts that imitate real servers and help information security researchers detect vulnerabilities in existing systems. One early mention of the honeypot concept appears in the book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll, published back in 1989. Nowadays, every self-respecting vendor of information security tools (be that IPS / IDS or EPP) operates tens of thousands of honeypots all over the world in order to respond more efficiently and quickly to emerging threats and vulnerabilities.

The evolution of the honeypot concept led to the emergence of modern Distributed Deception Platforms. Their distinctive feature is the simulation of the maximum number of IT systems: not just servers and endpoints, but also network infrastructure, applications, and data.

In architectural terms, modern DDPs are based on the so-called Deception Stack, which includes the following simulation elements: network, endpoint, application, and data. The order in which they are listed is not accidental. All elements of the stack are sorted by the level of complexity of deception: from the simplest component (network) to the most complex one (realistic data in the target systems). There is no need to roll out all elements with each DDP deployment. Depending on the tasks at hand and the organization's overall threat model, these elements can be implemented in the deception infrastructure individually.

Fig. 1. Deception Stack. (From the Gartner report titled “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities”, July 2015)

DDP is positioned in the overall information security landscape based on its main purpose, which is to deceive a potential intruder and detect unauthorized attempts to access IT assets. From a functional viewpoint, DDP can be categorized as a class of systems that detect (but do not prevent) malicious activity. This essentially makes them similar to such classes of information security systems as EDR (Endpoint Detection and Response), IDS (Intrusion Detection System), and NAC (Network Access Control). Despite its specialized nature, this class of systems can be employed to fight modern-day attacks at every step of the Cyber Kill Chain. This is a chain of seven steps that virtually any modern-day targeted attack has to pass through. Let us consider every stage of the Cyber Kill Chain and attempt to determine how DDPs help to fight the attack at each step.

Fig. 2. Use of DDP at every step of the Cyber Kill Chain. (From the Gartner report titled “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities”, July 2015)

Reconnaissance

The first stage of most targeted attacks is reconnaissance, when the attacker tries to discern the internal structure of the target's IT systems. In this case, the DDP misleads the attacker at the earliest stage, thereby greatly complicating the reconnaissance process and making it possible to conceal the real IT assets.

Weaponization

At the weaponization stage, the attacker can be misled through simulation of application responses and emulation of services, thereby significantly slowing down the entire attack. For example, if the attacker was misled into forming a false idea about internal services at the previous step, the attacker will proceed to develop the attack tools and the general attack strategy using false input data. This greatly slows down any further progression of the attack or completely derails it.

Deliver

At the delivery stage, the attacker's main goal is to inject malicious executable code into the IT infrastructure being targeted. In this case, all unknown or suspicious files can be sent directly to the deception infrastructure to further investigate their behavior and decide whether to block them or, yet again, mislead the attacker by creating an illusion that the delivery stage was successful. This approach is used by widely popular network sandboxes, which send all unknown files for emulation to dedicated virtual machines.

Exploit

At this stage, the vulnerability is exploited to deliver the payload to the target system. At the exploitation stage, the deception infrastructure can also be a source of false information for the attacker. For example, on detecting suspicious traffic, the perimeter IPS may, instead of resetting the suspicious connection (as is the usual practice), dynamically redirect it to the deception infrastructure. If the malicious request from the attacker is processed as expected, the deception infrastructure can report successful exploitation of the vulnerability back to the attacker.

Install

At the installation stage, the malicious code is launched after being delivered to the target system through exploitation of vulnerabilities at the previous step. Here the malicious code can be misled into thinking that it runs in a sandbox, after which many malicious applications abort their operation. Or, on the contrary, the malicious application can be misled into thinking that it has been installed successfully (for example, by confirming the creation of files that are not actually created), thereby preventing another installation attempt.

Command

At the command stage, the malicious application attempts to communicate with command-and-control servers to receive further instructions. At this stage, the deception infrastructure can emulate responses from command servers while simultaneously determining the type of malicious communication and the sources of these requests, i.e. the compromised workstations and servers. Notably, some information security systems that fight botnets have similar functionality.

Act

At the action stage, the malicious code examines the infected system in order to exfiltrate data or crash the target system. In this case, the deception infrastructure can provide false data for the leak or simulate a false critical infrastructure that the malware has been specifically designed to crash. For example, you can greatly slow down the attack by supplying the attacker with fake credentials that the attacker will then use for multiple authentication attempts, thereby further exposing themselves.

Comparison of some Distributed Deception Platforms (arranged alphabetically)
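The fake-credential tactic described above only pays off if the defender actually watches for the decoy accounts being used. The following Python is an added example, not code from the original article or from any of the vendors discussed: it plants a constructed set of decoy account names, parses constructed sshd-style authentication log lines, and reports every source address that attempted to authenticate with a decoy account. The log format, decoy names and addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed decoy (honeytoken) accounts planted as breadcrumbs. No legitimate
# user or process ever authenticates with them, so any attempt is an alert.
DECOY_ACCOUNTS = {"svc_backup_old", "adm-finance"}

# Constructed sample lines in an sshd-like syslog format (not real log data).
SAMPLE_LOG = """\
Mar 01 10:02:11 srv1 sshd[2101]: Failed password for invalid user svc_backup_old from 10.0.5.23 port 51022 ssh2
Mar 01 10:02:13 srv1 sshd[2101]: Failed password for invalid user svc_backup_old from 10.0.5.23 port 51024 ssh2
Mar 01 10:02:15 srv1 sshd[2101]: Failed password for invalid user adm-finance from 10.0.5.23 port 51025 ssh2
Mar 01 10:03:40 srv1 sshd[2109]: Accepted password for alice from 10.0.1.10 port 40112 ssh2
Mar 01 10:04:02 srv2 sshd[3310]: Failed password for bob from 10.0.1.11 port 40500 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return the fields of one sshd auth line, or None if the line is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Map each source IP that touched a decoy account to the number of
    attempts, the decoy accounts it tried and the hosts it tried them on."""
    hits = defaultdict(lambda: {"attempts": 0, "accounts": set(), "hosts": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in decoys:
            continue  # real users, or a line this parser does not understand
        h = hits[ev["src"]]
        h["attempts"] += 1
        h["accounts"].add(ev["user"])
        h["hosts"].add(ev["host"])
    # Sorted lists make the result deterministic for alerting and testing.
    return {src: {"attempts": h["attempts"],
                  "accounts": sorted(h["accounts"]),
                  "hosts": sorted(h["hosts"])} for src, h in hits.items()}


if __name__ == "__main__":
    for src, h in detect_decoy_use(SAMPLE_LOG).items():
        print(f"ALERT decoy credential use from {src}: {h}")
```

Because the decoy names carry no legitimate traffic, a single hit is enough to raise an alert; the attempt count and host list then tell the responder how far the source has already probed.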

The comparison is based on the Deception Techniques and Honeypots comparison table at ROI4CIO, where it can be viewed in greater detail across all parameters.

Acalvio - ShadowPlex

  • User OS deception: Windows
  • Industrial systems deception: IoT
  • Integration with endpoints: yes
  • Cloud platform support (SaaS): AWS, Azure, OpenStack

Acalvio was established in 2005 and is headquartered in Santa Clara, USA. The company's flagship product is the ShadowPlex Autonomous Deception platform. The core of the platform is the Acalvio Deception Center (ADC), which controls the entire process of deployment and operation of the deception infrastructure.

The Acalvio engine places great emphasis on so-called breadcrumbs: elements that simulate critical information (addresses of target systems, credentials, databases, etc.) and lead the attacker along the path intended by the platform. The system administrator selects from a list only those threats and attack techniques they consider the most relevant (ransomware, laterally spreading threats, data leaks, etc.), and the system automatically scatters the necessary breadcrumbs throughout the simulated infrastructure.

Attivo Networks - ThreatDefend Platform

  • User OS deception: Windows, Linux, MacOS
  • Industrial systems deception: POS, SCADA, IoT
  • Integration with endpoints: no
  • Cloud platform support (SaaS): AWS, Azure, OpenStack

Attivo Networks was established in 2011 and is headquartered in Fremont, USA. The company's flagship product is the ThreatDefend Detection and Response Platform.

Attivo ThreatDefend can simulate the infrastructure at the platform level, including dynamic decoys that imitate network devices, IoT devices, POS terminals, and cloud applications. The platform also offers common deception elements such as endpoints seeded with false credentials and files, as well as tools for tracing the most likely routes of potential attacks.

Illusive Networks - Illusive Platform

  • User OS deception: Windows
  • Industrial systems deception: no
  • Integration with endpoints: no
  • Cloud platform support (SaaS): no

Illusive Networks was established in 2014 and is headquartered in Tel Aviv, Israel, and New York, USA. In 2015, the company was included in Gartner's Cool Vendors list in the Security and Intelligence category.

A distinctive feature of the Illusive Networks platform is that it focuses specifically on endpoints (user PCs or servers) instead of simulating the entire infrastructure. It has its own patented management system, the Deception Management System, which uses machine learning algorithms to evaluate the company's current (real) infrastructure and then builds a unique deception network, populating it with fake data that leads the attacker further along the path chosen by the system.

SmokeScreen - IllusionBLACK

  • User OS deception: Windows
  • Industrial systems deception: SCADA
  • Integration with endpoints: yes
  • Cloud platform support (SaaS): no

SmokeScreen was established in 2015 and is headquartered in Mumbai, India. The company's flagship product is the IllusionBLACK deception platform.

The core of the IllusionBLACK deception platform is a BSD Unix operating system designed to provide a secure hypervisor for the deception infrastructure. IllusionBLACK also uses machine learning algorithms that take information about the real infrastructure as input, which allows the platform to automatically create a unique deception IT environment. Another distinctive feature of the SmokeScreen deception platform is the company's proprietary Mirage Maker technology. It allows not only creating deception IT infrastructure nodes but also generating fake email messages and even phone calls, making it possible to combat more complex attacks that include elements of social engineering.

TrapX Security – DeceptionGrid

  • User OS deception: Windows, Linux
  • Industrial systems deception: POS, ATM, SCADA, IoT
  • Integration with endpoints: yes
  • Cloud platform support (SaaS): AWS, Azure, OpenStack

TrapX Security was founded in 2011 and is headquartered in San Jose, USA. The company's flagship product is the DeceptionGrid platform. The company brands itself as the world leader in deception technologies and has more than 2,000 customers worldwide.

DeceptionGrid by TrapX can rightfully be considered an industry leader. The platform supports a large number of deception devices and offers many integration capabilities, both with security event management systems and with authentication systems (e.g., Cisco ISE). In addition to simulating classical user systems such as Windows or Linux, TrapX can create deception versions of Cisco switches, SCADA systems, specialized medical equipment, POS terminals, and other industrial devices.

Conclusions

The Distributed Deception Platform is a fairly advanced class of information security systems that, alongside classical NGFW, EPP, DLP, WAF, etc., can significantly raise a company's level of security. An important point to consider before deploying a Distributed Deception Platform is that these systems primarily play an auxiliary role to other classes of information security systems. A DDP can supply extensive information about attacks on the IT infrastructure of an enterprise and identify bottlenecks in the security system.

However, in and of themselves they are not designed to actively prevent attacks. The extensive analytical functions of deception platforms presuppose a high level of information security processes in the organization. In other words, deploying a DDP places very high demands on the maturity of a company's information security processes.

Meanwhile, the benefits of a DDP deployment are likely to significantly outweigh all the procedural difficulties associated with integrating it into the corporate information security ecosystem.
--
Author: Alexey Matveev for ROI4CIO