The main dashboard also functions as the starting point for system tasks, as illustrated by a menu on the left side of the dashboard. From that menu, administrators can navigate through the complete feature set of the product.

By default, DECOYnet creates a sensor on the server, which gives it the capability to detect and analyze traffic and changes to the network. However, administrators responsible for distributed environments will need to deploy additional sensors so that all assets can be identified and monitored. Deploying additional sensors proves to be a relatively easy chore; administrators should be able to accomplish the task with a little intuition and minimal manual configuration.

Once DECOYnet is able to see “the big picture” of the network, administrators will be able to quickly identify assets, as well as the traffic interacting with those assets. That capability powers the traffic analysis functions, where administrators can obtain a visual representation of incidents and behaviors and, more importantly, egress communications, which can highlight data theft or unauthorized access.

The platform allows administrators to drill down into specific asset traffic, providing a detailed view of all communications, both internal and external. That proves to be a critical forensic capability and provides the knowledge necessary for deception deployment.

Deception Deployment

The deployment of deception elements can be done over time and staged based upon specific needs. Administrators can start by deploying manual decoys, move on to adaptive decoys and mini traps, and then define protections around credentials and file systems.

Administrators can orchestrate deception elements to create a sphere of protection around system assets that shifts attacks towards decoys and traps. That protection can be deployed for each subnet, allowing administrators to isolate protection based upon defined subnets and observed needs. For example, access to a database may leverage the full range of deception elements, while access to an external-facing website may just use protections to prevent defacement. Either way, administrators have full control over the deceptive techniques put in place.

While that may sound complicated and difficult, DECOYnet has bundled in tools that automate many of the deployment chores and offer guidance to those looking to configure an element manually. For example, administrators can manually deploy a decoy on a specific subnet, but they do not have to do the process completely by hand. They can use the “Smart Auto-Generate” option to create decoys which are built by inferring information from network traffic.

Another example comes in the form of creating an adaptive subnet, which enables decoys to adapt automatically to dynamic network changes. Adaptive subnets are powered by the adaptive deception feature, which can detect network reconfigurations and then automatically adapt the subnet’s decoy configuration to fit the changes (such as the addition of new assets or an operating system upgrade).

Decoys are further empowered with mini traps, which are pieces of technology that lure attackers to decoys. Mini traps can be thought of as breadcrumbs: pieces of information planted on endpoints that contain links and credentials pointing to the deployed decoys. There are several types of application mini traps, each matching a specific service on the decoy. For example, recent Word documents link to decoy shared folders, MyFTP credentials link to the decoy FTP server, and so on.

Mini traps are configured from the subnets tab on the dashboard environment window, and the creation is aided by an integrated wizard that suggests which mini traps should be configured for that subnet and to which decoys they should point. DECOYnet deploys a wide diversity of decoy types, including for IoT devices.

Administrators can also create file traps, which look like legitimate files and include links to the decoys. File traps can be Word or PDF files containing information such as VPN connection instructions that actually point to decoys. Another type of file trap is an email file that looks like a legitimate corporate email and carries similar links to the decoys. Worth noting is an advanced type of file trap referred to as a beacon-file trap. That type of file trap includes some code that allows it to “phone home,” providing forensic information on the actor that stole the file.

DECOYnet includes additional capabilities, such as tarpits, sinkholes, and black holes, all of which are designed to reroute attackers to decoys by enticing them with what appears to be valuable information. That said, it is up to the administrator (or corporate policy) to decide how to deal with an intruder. Some prefer to simply end the connection and block the intruder, while others prefer to gather forensic information for legal pursuits.

All things considered, DECOYnet provides an excellent combination of forensic capabilities and protection techniques that will stop or catch attackers in the act.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant. He has written for leading technology publications including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom's Hardware, and business publications including Entrepreneur, Forbes and BNET. Ohlhorst was also the executive technology editor for Ziff Davis Enterprise's eWeek and former director of the CRN Test Center.