Deception has proven itself as a valid form of defense for millennia — a fact to which militaries, nature and attorneys can attest.

However, effective deception takes skill, with many claiming that deception is more of an art than a science.

In the world of IT, the concept of deception proves tricky simply because information systems are designed to record, process and report data accurately. The contradiction of practicing deception in an environment designed for truth has created a conundrum, one that has led InfoSec practitioners to build technological deceptions such as honeypots, which may fool some attackers but rarely lead to catching those attempting to compromise systems.

Therein lies the real challenge: how can IT professionals practice deceptive techniques that can lead to more than just a temporary reprieve from attack?

TopSpin Security, based in Herzliya, Israel, aims to answer that question with its DECOYnet platform, which is designed to deceive and then trap intruders. Trap, in this case, means engaging an intruder in order to record their actions and gather intelligence, while preventing them from obtaining anything of value.

In essence, TopSpin Security has created a paradigm shift around information security, one that works more like a Venus flytrap than the traditional firewalls and gateways that once defined a strong defense. That is not to say that DECOYnet replaces those established technologies; it supplements them by drawing attackers away from genuine assets and into well-placed traps, where their activity can be observed.

InfoSec Pain Points Addressed

Many IT security professionals have come to rely on perimeter defense technologies, which have fallen short in some situations, leaving attacks undetected and critical data exposed. However, there is an even bigger issue here: attacks have transitioned from drive-by style intrusions to orchestrated, persistent campaigns that traditional InfoSec measures do not prevent.

That situation has forced InfoSec professionals to adopt post-breach detection methodologies: investigate the source of an attack and use the forensic data gathered to create new policies or controls that prevent similar attacks from happening in the future. There is a major problem with that approach, one that can be summed up as "an attack has already happened." What's more, the damage from that initial attack may be hard to measure and, worse yet, may have gone undetected for a significant amount of time. Most alarming of all, by the time new policies and controls have been put in place, the attack vectors have evolved into something new, which may defy detection.

DECOYnet leverages digital deception, which employs decoys and traps, backed by multiple analysis engines, internal correlation and the obfuscation of an enterprise's digital assets. More simply put, TopSpin’s technology creates the bait, and then primes the trap to catch hackers.

A Closer Look at DECOYnet

The DECOYnet platform is a software appliance that can run on physical or virtual hardware. A key part of setting it up is configuring the network settings correctly. DECOYnet requires a static IP address for the appliance, the management ports (443 for the web console and 22 for shell access), access to a network SPAN port for mirrored traffic and a network trunk port for VLAN-tagged traffic.

While deployment and configuration are not complicated, they are best left to those who have network experience and understand the principles of TCP/IP, as well as how to configure routers, switches and VLANs. Administrators also have the option of configuring a cloud connection to TopSpin to receive reputation updates, as well as other information that helps to improve the effectiveness of the platform.

Installation on a physical server follows normal software conventions, meaning that an installation wizard handles most of the chores. For virtual environments, TopSpin provides an OVA file that can be imported into the hypervisor as a virtual appliance. Either route is straightforward and lets administrators move on to configuring the management console and the options associated with the platform.
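Before importing the appliance, it is worth sanity-checking the planned network settings against the requirements listed above. The following pre-flight check is an added example, not TopSpin code: the DeploymentPlan fields, the interface names and the sample plans are assumptions, and the page itself only states that a static IP, management ports 443 and 22, a SPAN port and a trunk port are needed.

```python
"""Pre-flight validation of a DECOYnet-style appliance network plan.

Added example (not TopSpin's code). The plan shape and field names are
assumptions; the requirements checked are the ones the review lists:
a static address, management ports 443 and 22, a SPAN port and a trunk port.
"""
from dataclasses import dataclass
import ipaddress

# Management ports stated on the page: 443 (web console) and 22 (shell).
MANAGEMENT_PORTS = {443, 22}


@dataclass
class DeploymentPlan:
    mgmt_interface: str      # interface carrying the console and SSH
    mgmt_address: str        # CIDR such as "10.0.10.5/24"; "dhcp" is rejected
    mgmt_gateway: str
    management_ports: set
    span_interface: str      # receives mirrored (SPAN) traffic, read-only
    trunk_interface: str     # 802.1Q trunk carrying the decoy VLANs
    trunk_vlans: list        # VLAN IDs the switch port is tagged for


def check_plan(plan: DeploymentPlan) -> list:
    """Return a list of problems; an empty list means the plan passes."""
    problems = []

    # 1. The appliance must have a static address: with DHCP the console
    #    and the sensors' upstream could silently move.
    if plan.mgmt_address.lower() == "dhcp":
        problems.append("management address must be static, not DHCP")
    else:
        try:
            iface = ipaddress.ip_interface(plan.mgmt_address)
            gateway = ipaddress.ip_address(plan.mgmt_gateway)
            if gateway not in iface.network:
                problems.append(f"gateway {gateway} is outside {iface.network}")
        except ValueError as exc:
            problems.append(f"bad management address or gateway: {exc}")

    # 2. Both management ports have to be configured.
    missing = MANAGEMENT_PORTS - set(plan.management_ports)
    if missing:
        problems.append(f"management ports not configured: {sorted(missing)}")

    # 3. Management, SPAN and trunk should be three separate interfaces;
    #    mirrored traffic and decoy VLANs do not belong on the console NIC.
    if len({plan.mgmt_interface, plan.span_interface, plan.trunk_interface}) != 3:
        problems.append("management, SPAN and trunk must be distinct interfaces")

    # 4. A trunk with no VLANs gives the decoys no segments to appear on;
    #    VLAN IDs must be in the 802.1Q range 1..4094.
    if not plan.trunk_vlans:
        problems.append("trunk interface has no VLANs configured")
    bad_vlans = [v for v in plan.trunk_vlans if not 1 <= v <= 4094]
    if bad_vlans:
        problems.append(f"invalid VLAN IDs on trunk: {bad_vlans}")

    return problems


# Constructed sample plans (assumptions, not a real deployment).
GOOD_PLAN = DeploymentPlan("eth0", "10.0.10.5/24", "10.0.10.1",
                           {443, 22}, "eth1", "eth2", [10, 20, 30])
BAD_PLAN = DeploymentPlan("eth0", "dhcp", "10.0.10.1",
                          {443}, "eth0", "eth2", [])


def example_results() -> dict:
    """Run the check on both sample plans so the outcome can be inspected."""
    return {"good": check_plan(GOOD_PLAN), "bad": check_plan(BAD_PLAN)}


if __name__ == "__main__":
    for name, problems in example_results().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The good plan produces no findings; the bad plan is rejected for using DHCP, for missing port 22, for putting SPAN traffic on the management interface and for an empty trunk, which are exactly the mistakes that tend to surface later as "the decoys never see any traffic."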

Once initial configuration is completed, administrators need only browse to https:/// to launch the management console. First-time users will need to log on with the appropriate credentials (as outlined in the installation documentation), install the appropriate license files and then create users. The platform supports multiple user roles, such as administrators and other roles with fewer privileges. User accounts are local to the appliance rather than tied to the network's directory; integration with Active Directory (AD) or other directory services would be a nice addition to the platform.

DECOYnet is all about sensors, traps, traffic monitoring and the analysis of traffic flowing across the network. As such, the platform requires unfettered access to the network and the deployment of sensors, which are pieces of client code that record activity so that decoys can be defined and traffic analyzed. It is important to understand the relationships between sensors, decoys and the overall platform: those components work in concert to build an understanding of the network and its resources, which is what makes an effective deception strategy possible.

Hands on with DECOYnet

From an operational standpoint, the DECOYnet platform proves rather easy to understand. It is a combination of intelligence-gathering tools, which are then used to define decoys and traps and, most importantly, to provide the data for real-time analytics.

Administrators will start most tasks from the main console, or in TopSpin's parlance, the main dashboard, which shows summary information about the various types of activity detected in DECOYnet. The dashboard does an excellent job of visualizing that activity and provides a graph view of all incidents, decoy activity, number of uploads and network activity detected by the platform. It highlights suspicious activity, as well as identified infections and/or attacks, making it very easy for administrators to spot trouble. Because DECOYnet runs a traffic analysis engine on top of the deception engine, its dashboard provides a very rich set of data, including, for example, the number of assets in the network, the types of assets, the various subnets, the number of decoys, the deception coverage area and more.