Deception has proven itself as a valid form of defense for millennia — a fact to which militaries, nature and attorneys can attest.
However, effective deception takes skill, with many claiming that deception is more of an art than a science.
In the world of IT, the concept of deception proves tricky simply because information systems are designed to record, process and report data accurately. The contradiction of deception in an environment designed for truth has created a conundrum. One that has culminated in InfoSec practitioners creating technological deceptions such as honeypots, which may fool some attackers but rarely lead to catching those attempting to compromise systems.
Therein lies the real challenge: how can IT professionals practice deceptive techniques that can lead to more than just a temporary reprieve from attack?
TopSpin Security, based in Herzliya, Israel, aims to answer that query with their DECOYnet platform, which is designed to deceive and then trap intruders — trap, as in engage an intruder to record their actions and gather intelligence, while also preventing the intruder from obtaining anything of value.
In essence, TopSpin Security has created a paradigm shift around information security, one that works more like a Venus flytrap, as opposed to the traditional firewalls and gateways that once defined a strong defense. That is not to say that DECOYnet replaces those established technologies; it supplements them by reducing the attack surface of a network by redirecting attackers into well-placed traps.
InfoSec Pain Points Addressed
Many IT security professionals have come to rely on perimeter defense technologies, which have fallen short in some situations, leaving attacks undetected and critical data exposed. However, there is an even bigger issue here: attacks have transitioned from drive-by style intrusions to orchestrated and persistent elements that are not prevented by traditional InfoSec measures.
That situation has forced InfoSec professionals to adopt post-breach detection methodologies to investigate the source of attacks and to use the forensic data gathered to create new policies or controls to prevent similar attacks from happing in the future. However, there is a major problem with that approach, one that can be summed up as “an attack has already happened.” What’s more, the damage from that initial attack may be hard to measure and, worse yet, may have gone undetected for a significant amount of time. Most alarming of all, by the time new policies and controls have been put in place, the attack vectors have evolved into something new, which may defy detection.
DECOYnet leverages digital deception, which employs decoys and traps, backed by multiple analysis engines, internal correlation and the obfuscation of an enterprise's digital assets. More simply put, TopSpin’s technology creates the bait, and then primes the trap to catch hackers.
A Closer Look at DECOYnet
The DECOYnet platform is a software appliance that can run on physical or virtual hardware. One of the key elements for setting up DECOYnet comes in the form of properly configuring the network settings. For example, the DECOYnet configuration requires that a static IP address be assigned, management ports (443 and 22) be configured, as well as setting up access to a network SPAN port and a network trunk port.
While deployment and configuration are not complicated, they are best left to those who have network experience and understand the principles of TCP/IP, as well as how to configure routers, switches and VLANs. Administrators also have the option of configuring a cloud connection to TopSpin to receive reputation updates, as well as other information that helps to improve the effectiveness of the platform.
Installation on a physical server follows normal software conventions, meaning that an installation wizard handles most of the chores. For virtual environments, TopSpin provides an OVA file, which can be imported as a virtual appliance onto a virtual server. Either way proves to be straightforward and enables administrators to move on to configuring the management console and options associated with the platform.
Once initial configuration is completed, administrators need only to browse to
https:// to launch the management console. First timers will need to logon with the appropriate credentials (as outlined in the installation documentation), install the appropriate license files and then create users. The platform supports multiple user roles, such as administrators and other roles with less privileges. User account information is independent of the network, and integration with Active Directory (AD) or other directory services would be a nice addition to the platform.
DECOYnet is all about sensors, traps, traffic monitoring and the analysis of traffic flowing across the network. That said, the platform requires unfettered access to the network and also requires the deployment of sensors, which are pieces of client code that record activity so that decoys can be defined and traffic analyzed. It is important to understand the relationships between sensors, decoys and the overall platform. Those components all work in concert to garner understanding of the network and its resources to effectively devise a deception strategy.
Hands on with DECOYnet
From an operational standpoint, the DECOYnet platform proves rather easy to understand. It is a combination of intelligence-gathering tools, which are then used to define decoys and traps and, most importantly, to provide the data for real-time analytics.
Administrators will start most endeavors from the main console, or in TopSpin’s parlance, the main dashboard, which shows summary information about the various types of activity detected in DECOYnet. The dashboard does an excellent job of visualizing that activity and provides a graph view of all the incidents, decoy activity, number of uploads and network activity detected in the platform. It highlights suspicious activity, as well as identified infections and/or attacks, making it very easy for administrators to spot trouble. Because DECOYnet has a traffic analysis engine on top of the deception engine, its dashboard provides a very rich set of data, including, for example, information about the number of assets in the network, the type of assets, the various subnets, the number of decoys, the deception coverage area and more.
The main dashboard also functions as the starting point for system tasks, as illustrated by a menu on the left side of the dashboard. From that menu, administrators can navigate through the complete feature set of the product.
By default, DECOYnet creates a sensor on the server, which gives it the capability to detect and analyze traffic and changes to the network. However, administrators responsible for distributed environments will need to deploy additional sensors so that all assets can be identified and monitored. Deploying additional sensors proves to be a relatively easy chore; administrators should be able to accomplish the task with a little intuition and minimal manual configuration.
Once DECOYnet is able to see “the big picture” of the network, administers will be able to quickly identify assets, as well as the traffic interacting with those assets. That capability powers the traffic analysis functions, where administrators can garner a visual representation of incidents and behaviors, and more importantly — egress communications, which can highlight data theft or unauthorized access.
The platform allows administrators to drill down into specific asset traffic, providing a detailed view of all communications, both internal and external. That proves to be a critical forensic capability and provides the knowledge necessary for deception deployment.
The deployment of deception elements can be done over time and staged based upon specific needs. Administrators can start by deploying manual decoys, move on to adaptive decoys and mini traps, and then define protections around credentials and file systems.
Administrators can orchestrate deception elements to create a sphere of protection around system assets that shifts attacks towards decoys and traps. That protection can be deployed for each subnet, allowing administrators to isolate protection based upon defined subnets and observed needs. For example, access to a database may leverage the full range of deception elements, while access to an external facing website may just use protections to prevent defacement. Either way, administrators have full control over the deceptive techniques put in place.
While that may sound complicated and difficult, DECOYnet has bundled in tools that automate many of the deployment chores and offer guidance to those looking to configure an element manually. For example, administrators can manually deploy a decoy on a specific subnet, but they do not have to do the process completely by hand. They can use the “Smart Auto-Generate” option to create decoys which are built by inferring information from network traffic.
Another example comes in the form of creating an adaptive subnet, which enables decoys to adapt automatically to dynamic network changes. Adaptive subnets are powered by the adaptive deception feature, which can detect network reconfigurations and then automatically adapt the subnet’s decoy configuration to fit the changes (for example, adding new assets, upgrading the operating system, etc.).
Decoys are further empowered with mini traps, which are pieces of technology that lure attackers to decoys. Mini traps can be thought of as breadcrumbs — various pieces of information that are planted on endpoints that hold links and credentials to the decoys that are deployed. There are several types of application mini traps, each matching a specific service on the decoy. For example, recent Word documents link to decoy shared folders, MyFTP credentials link to the decoy FTP server, and so on.
Mini traps are configured from the subnets tab on the dashboard environment window, and the creation is aided by an integrated wizard that suggests which mini traps should be configured for that subnet and to which decoys they should point. DECOYnet deploys a wide diversity of decoy types, including for IoT devices.
Administrators can also create file traps, which look like legitimate files and include links to the decoys. File traps can be Word or PDF files, that contain information such as VPN connection instructions, which actually point to decoys. Another type of file trap is an email file that looks like legitimate corporate emails with similar links to the decoys. Worth noting is an advanced type of file trap that is referred to as a beacon-file trap. That type of file trap includes some code that allows it to “phone home,” providing forensic information on the actor that stole the file.
DECOYnet includes additional capabilities, such as tarpits, sinkholes, and black holes — all of which are designed to reroute attackers to decoys by enticing them with what is thought to be valuable information. That said, it is up to the administrator (or corporate policy) on how to deal with an intruder. Some prefer to just end the connection and block the intruder, while others prefer to attempt to gather forensic information for legal pursuits.
All things considered, DECOYnet provides an excellent combination of forensic capabilities and protection techniques that will stop or catch attackers in the act.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant. He has written for leading technology publications including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom's Hardware, and business publications including Entrepreneur, Forbes and BNET. Ohlhorst was also the executive technology editor for Ziff Davis Enterprise's eWeek and eeformer director of the CRN Test Center.