This column appears in the weekly IT Best Practices newsletter.
Cyber attackers use deception to try to get inside your network by doing everything from spoofing email addresses in spear phishing attacks to hiding malware on legitimate websites. So, if deception is standard operating procedure for the bad guys, perhaps it's time to fight back with some deception of your own. In fact, Gartner says it's a good complement to your existing security infrastructure.
Deception technology designed to lure and trap malicious actors has been around since at least 1999, when Lance Spitzner, founder of the Honeynet Project, published a paper on how to build a honeypot. Early honeynets were resource intensive, and they had to be watched closely so that a compromised honeypot could not be turned into a pivot point against the host organization. Since then, virtual machines have made deception technology far easier to deploy and operate.
TrapX Security is one company that has taken advantage of virtual machines to deploy its DeceptionGrid solution at scale inside an enterprise. It can be run by a managed security service provider (MSSP) or by an enterprise that operates its own security operations center (SOC). TrapX builds emulations that trap, and at times lure, attackers so their actions and indicators of compromise (IOCs) can be detected, analyzed and turned into actionable intelligence.
The TrapX virtual appliance can be installed on VMware ESX or Microsoft Hyper-V, or on low-end bare-metal hardware. One appliance today can run up to 512 simultaneous emulations; the vendor says that will soon rise to 1,024 and eventually beyond. Two key interfaces into the network infrastructure let TrapX do its work.
The first is a connection to a SPAN or TAP port at your Internet egress point. This lets TrapX watch outbound traffic for IOCs from malware that is beaconing out: for example, ransomware reaching out to a key server, or the command-and-control traffic that follows a successful phishing attack. TrapX matches that traffic against intelligence feeds from a range of sources and alerts on anything suspicious.
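The egress monitoring described above, as an added example that is not TrapX's own code: a small detector that runs flow records from a SPAN/TAP port against an indicator feed and, separately, flags source/destination pairs whose connection timing is regular enough to look like an implant on a timer. The feed, the flow records and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed indicator feed using documentation address ranges; these are not real IOCs.
IOC_FEED = {
    "ip": {"203.0.113.17": "ransomware key-exchange server (constructed)"},
    "domain": {"update.example-c2.test": "phishing C2 domain (constructed)"},
    "cidr": {"198.51.100.0/28": "hosting range used by a campaign (constructed)"},
}
IOC_NETS = [(ipaddress.ip_network(cidr), tag) for cidr, tag in IOC_FEED["cidr"].items()]

# Constructed egress flow records as a SPAN/TAP at the Internet edge would show them:
# (epoch seconds, src_ip, dst_ip, dst_port, DNS query name or TLS SNI if any)
FLOWS = [
    (1000, "10.1.5.23", "203.0.113.17", 443, ""),   # implant calling home every ~60 s
    (1060, "10.1.5.23", "203.0.113.17", 443, ""),
    (1121, "10.1.5.23", "203.0.113.17", 443, ""),
    (1180, "10.1.5.23", "203.0.113.17", 443, ""),
    (1241, "10.1.5.23", "203.0.113.17", 443, ""),
    (1005, "10.1.5.40", "192.0.2.10", 443, "www.example.com"),   # ordinary, bursty browsing
    (1300, "10.1.5.40", "192.0.2.10", 443, "www.example.com"),
    (1320, "10.1.5.40", "192.0.2.10", 443, "www.example.com"),
    (1990, "10.1.5.40", "192.0.2.10", 443, "www.example.com"),
    (1100, "10.1.7.9", "198.51.100.200", 53, "update.example-c2.test"),  # DNS lookup of a C2 name
    (1400, "10.1.9.2", "198.51.100.5", 22, ""),                           # SSH into a flagged range
]


def match_iocs(flows):
    """Return (flow, reason) pairs for every flow that touches a known indicator.
    Exact IP and domain matches are checked first, then CIDR ranges."""
    hits = []
    for flow in flows:
        _, _, dst, _, name = flow
        if dst in IOC_FEED["ip"]:
            hits.append((flow, IOC_FEED["ip"][dst]))
            continue
        if name and name.lower() in IOC_FEED["domain"]:
            hits.append((flow, IOC_FEED["domain"][name.lower()]))
            continue
        addr = ipaddress.ip_address(dst)
        for net, tag in IOC_NETS:
            if addr in net:
                hits.append((flow, tag))
                break
    return hits


def find_beacons(flows, min_connections=4, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously regular.
    cv is stdev/mean of the gaps: human-driven traffic is bursty (high cv) while
    an implant on a fixed timer, even with a little jitter, has a low cv.
    The thresholds are illustrative and would be tuned per environment."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"interval": round(avg, 1), "cv": round(cv, 3), "count": len(stamps)}
    return beacons


if __name__ == "__main__":
    for flow, reason in match_iocs(FLOWS):
        print(f"IOC hit: {flow[1]} -> {flow[2]}:{flow[3]}  ({reason})")
    for (src, dst), info in find_beacons(FLOWS).items():
        print(f"Beacon: {src} -> {dst} every ~{info['interval']} s, cv={info['cv']}, n={info['count']}")
```

The IOC match is the feed-driven alert the article describes; the beacon check catches the same implant even before its server appears in any feed, which is why both are worth running on the same SPAN traffic.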
The second, and the core of the decoy deployment, is a trunk port to the core switch. Over the trunk TrapX sees every VLAN the core switch carries and can present IP-addressable decoys on any of them. From the attacker's perspective the decoy sits on the same network segment as the real users and devices, when in fact every decoy is an emulation running inside the virtual appliance. This is what makes the architecture scalable and easy to deploy.
Rolling out the deception grid is automated and low friction. TrapX supports more than 70 emulation types, including workstations, Windows and Linux servers, infrastructure gear, SCADA devices, medical devices, databases and custom emulations. TrapX cites a healthcare customer that has deployed medical-device emulations throughout its hospital network to protect life-critical systems.
The vendor also supports high-interaction decoys that proxy through to a real live system, such as a database server. An administrator can stand up hundreds of decoys that look like database servers while only having to care for and feed the one back-end system, which can be populated with fake data that resembles what an attacker is after. If the data looks realistic enough, the attacker may go as far as trying to sell it on the open market, believing he has credit cards, project plans or patent information.
Most traps are fairly static, meaning an attacker stumbles upon them, but you can also set lures, or deception tokens, to draw an attacker in. Suppose an attacker uses a spear phish to get onto a user workstation. Once there, he will browse the file system for anything interesting. TrapX can plant lures, such as a mapped network share that looks like it holds valuable files, to draw the attacker into a trap. The lures are agentless and designed to be hard for an intruder to pass up.
If an attacker so much as touches a decoy, an alert fires, because there is no legitimate reason for anyone to connect to one of these traps. False positives are rare; in practice the main exceptions are your own vulnerability scanners and asset-discovery tools, which will also touch the decoys and should be allow-listed. TrapX catches insider threats just as easily as threats from the outside.
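The trap-and-lure mechanics of the two paragraphs above, as an added example written for this page rather than TrapX's own code: a low-interaction TCP decoy that returns a plausible banner, treats every connection as an alert unless the source is an allow-listed scanner, and recognises lure tokens (distinct fake usernames planted on endpoints) in whatever the intruder sends, so the alert also says which lure was picked up and therefore where the intruder has been. The banner, hostname, token name and the "intruder" client are all constructed; the decoy listens only on loopback.

```python
import asyncio
import time


class DecoyService:
    """Low-interaction decoy: accepts any TCP connection, returns a plausible
    banner so a scanner believes a real service is listening, and records every
    touch. Nothing legitimate should ever connect, so each connection is an
    alert unless it comes from an explicitly authorised scanner (allowlist).
    Lure tokens map a planted fake username to the place it was planted.
    Banner, hostname and token names are constructed for the example."""

    def __init__(self, banner=b"220 FILESRV01 FTP ready\r\n", allowlist=(), lure_tokens=None):
        self.banner = banner
        self.allowlist = set(allowlist)
        self.lure_tokens = lure_tokens or {}
        self.alerts = []
        self.served = 0
        self._server = None

    async def _handle(self, reader, writer):
        peer_ip, peer_port = writer.get_extra_info("peername")[:2]
        writer.write(self.banner)
        await writer.drain()
        try:
            first = await asyncio.wait_for(reader.read(256), timeout=0.5)
        except asyncio.TimeoutError:
            first = b""
        if peer_ip not in self.allowlist:
            alert = {
                "time": time.time(),
                "src_ip": peer_ip,           # the compromised host that pivoted here
                "src_port": peer_port,
                "first_bytes": first[:64],   # evidence for the incident timeline
                "lure": None,
            }
            for token, origin in self.lure_tokens.items():
                if token.encode() in first:
                    alert["lure"] = origin   # which planted lure the intruder used
                    break
            self.alerts.append(alert)
        self.served += 1
        writer.close()
        await writer.wait_closed()

    async def start(self, host="127.0.0.1", port=0):
        self._server = await asyncio.start_server(self._handle, host, port)
        return self._server.sockets[0].getsockname()[:2]

    async def stop(self):
        self._server.close()
        await self._server.wait_closed()


async def probe(host, port, payload):
    """Constructed intruder: connects, reads the banner, tries a login."""
    reader, writer = await asyncio.open_connection(host, port)
    banner = await reader.readline()
    writer.write(payload)
    await writer.drain()
    writer.close()
    await writer.wait_closed()
    return banner


async def _demo(payload, allowlist):
    decoy = DecoyService(
        allowlist=allowlist,
        lure_tokens={"svc_backup_ws23": "share lure planted on workstation WS23"},
    )
    host, port = await decoy.start()
    banner = await probe(host, port, payload)
    for _ in range(200):              # give the handler a moment to record the touch
        if decoy.served:
            break
        await asyncio.sleep(0.01)
    await decoy.stop()
    return banner, decoy.alerts


def run_demo(payload=b"USER svc_backup_ws23\r\n", allowlist=()):
    """Returns (banner the intruder saw, alerts the decoy raised)."""
    return asyncio.run(_demo(payload, allowlist))


if __name__ == "__main__":
    seen, raised = run_demo()
    print("intruder saw:", seen)
    for a in raised:
        print("ALERT from", a["src_ip"], "lure:", a["lure"], "sent:", a["first_bytes"])
```

Giving each planted lure its own token is what turns a bare "something touched the decoy" into "the credential planted on WS23 was used", which is the piece of context an incident responder needs first.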
When someone lands in a trap, an incident response workflow takes over. TrapX captures all of the relevant evidence: any software injected into the decoy, the source IP address (which identifies the compromised device that reached the decoy), and binaries that can be checked against known IOCs.
TrapX automatically sends the captured binaries to cloud-based sandboxes for analysis. It also has a built-in tool to construct a timeline and do forensic analysis, and it collects the full PCAP of the session to show in detail what the attacker did. All of this intelligence is sent to the TrapX Security Operations Center (TSOC), from which it can be fed into your SIEM if desired. You get an alert that points to exactly what is happening so you can follow up on the breach in whatever manner you choose.
TrapX also feeds a broader ecosystem with its threat intelligence through data-sharing standards such as STIX, TAXII and Intel Security's DXL. Indicators found in one environment can quickly be shared, anonymously, with many others.
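One way to package what a decoy captured as a STIX 2.1 bundle ready to publish over TAXII, as an added example using only Python's standard library (not TrapX's code or its export format): each external observable becomes an Indicator object with a STIX pattern, while the internal address of the compromised host is deliberately dropped so the share stays anonymous. The capture, its timestamp and the sample hash are constructed; the addresses are from the documentation ranges.

```python
import hashlib
import ipaddress
import json
import uuid
from datetime import datetime, timezone

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# STIX 2.1 pattern templates for the observable types a decoy typically yields.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{}']",
    "domain": "[domain-name:value = '{}']",
    "url": "[url:value = '{}']",
    "sha256": "[file:hashes.'SHA-256' = '{}']",
}


def stix_timestamp(dt=None):
    """STIX wants RFC 3339 UTC with a trailing Z, e.g. 2016-03-14T09:30:00.000Z."""
    dt = dt or datetime.now(timezone.utc)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def is_internal_address(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def make_indicator(ioc_type, value, description, seen_at=None):
    if ioc_type not in PATTERNS:
        raise ValueError(f"unsupported indicator type: {ioc_type}")
    # Backslash and single quote are the two characters that need escaping
    # inside a STIX string literal; anything else goes through unchanged.
    literal = value.replace("\\", "\\\\").replace("'", "\\'")
    now = stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{ioc_type} observed against decoy",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc_type].format(literal),
        "pattern_type": "stix",
        "valid_from": stix_timestamp(seen_at),
    }


def bundle_from_capture(capture):
    """Turn a decoy capture into a shareable STIX 2.1 bundle. Internal addresses
    (the compromised host that reached the decoy) are never exported, and the
    decoy's own name is not copied into the objects either."""
    objects = []
    for ioc in capture["iocs"]:
        if ioc["type"] == "ipv4" and is_internal_address(ioc["value"]):
            continue
        objects.append(make_indicator(ioc["type"], ioc["value"],
                                      ioc["description"], capture["seen_at"]))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def demo_bundle():
    """Constructed decoy capture (not real telemetry) turned into a bundle dict."""
    seen = datetime(2016, 3, 14, 9, 30, 0, tzinfo=timezone.utc)          # constructed time
    sample_hash = hashlib.sha256(b"constructed sample, not real malware").hexdigest()
    capture = {
        "seen_at": seen,
        "decoy": "FILESRV01 (emulated)",
        "iocs": [
            {"type": "ipv4", "value": "10.1.5.23",
             "description": "internal host that touched the decoy (must not be shared)"},
            {"type": "ipv4", "value": "203.0.113.17",
             "description": "C2 contacted by the dropped binary (constructed)"},
            {"type": "sha256", "value": sample_hash,
             "description": "binary dropped on the decoy (constructed)"},
            {"type": "domain", "value": "update.example-c2.test",
             "description": "beacon domain seen in the PCAP (constructed)"},
        ],
    }
    return bundle_from_capture(capture)


def demo_bundle_json():
    return json.dumps(demo_bundle(), indent=2)


if __name__ == "__main__":
    print(demo_bundle_json())
```

The filter on internal addresses is the part worth copying: an indicator feed that leaks the victim's own host addresses or names is no longer anonymous, and a TAXII collection is a poor place to discover that after the fact.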
With virtual environments so prominent today, deception technology has become, well, deceptively easy to deploy and use. It's one more weapon in a defense-in-depth arsenal.