Examining Different Approaches to Architecting Deception Technology

Thursday, April 11, 2019

Deception is an emerging technology that gives the good guys a way to literally change the game. How deception is architected and deployed can vary greatly and it’s important for customers to understand the optional Deception Architectures, their advantages and any issues that might be encountered.

The Deception architecture should deal with the following aspects of deception among others:

  1. Collecting pertinent information on your cyber terrain
    In order to build an effective deception layer, you must know your terrain. This information can be gathered using the following methods:
    1. Scanners: Run a scanner and use its output to understand the terrain. The information is limited according to the scanners’ ability to drill into assets and applications, and to the responding devices, as well as the scanned subnets.
    2. Active Directory and asset databases: Learn from the Active Directory and the asset database the information about the assets known to IT. No devices connected to the network which are not listed in Active Directory or the database will be covered.
    3. Analyze multicast and broadcast packets: By analyzing multicast and broadcast packets the solution can collect some information about the assets, providing a very partial knowledge of the terrain, the assets and the applications.
    4. Profiling and classification: Sniff the traffic of the organization to profile and classify the network, assets, applications and any active device on the network. This provides complete knowledge of the protected terrain.
  2. Decoy types
    ​Generally, there are two types of decoys that are offered: Emulated decoys and Real Operating System decoys.
    1. Emulated decoys provide a high-fidelity alarm system for detecting adversaries operating inside the organization. The emulated decoys scale easily and won’t require a lot of resources to deploy thousands of them. Emulated decoys serve for the initial connections with the adversaries and communicate with the attackers up to a certain point. For example, when an attacker connects with an emulated FTP server, the attacker goes through a login into the server, then can move around the file system, read files and write files. While they are easier to reveal by the attacker than Real OS decoys, by the time the attacker recognizes this the organization already knows which assets are infected and communicating with the emulated decoys.
    2. Real OS decoys are a great option to contain the adversaries, however they are costly to scale and resources should be invested in order to make sure that the attackers do not compromise these systems.
  3. Automating Deception
    There can be significant overhead for building, deploying and maintaining the deception layer. A good solution embeds automation that is derived from complete knowledge of the terrain and the changes occurring in the protected environment to ensure the deception layer is always up-to-date and looks real to the attacker.
  4. Deception adaptation
    ​The deception layer should adapt to changes that occur in the environment like additional subnets, applications and type of devices. This goes along with the “terrain to be protected”. The more accurate knowledge the solution has on the environment, the better it can adapt the deception layers to match the changes.

Fidelis Deception – Know what you are protecting

Fidelis Deception is unique in that it constantly profiles and classifies assets within the organization. It learns the environment and automatically builds an accurate view with respect to:

  • The networks and subnets in use
  • The different assets including the IoT and any assets with presence on the network
  • The applications used in the organization - The communication patterns of the organization
  • The networking servers being used (DNS, Proxy, etc.)

In order to achieve this level of knowledge of the organization’s terrain, the platform continuously and passively inspects the traffic.

Note that a huge advantage of this approach over others is that all devices communicating on the network are profiled and classified and will have a relevant deception layer deployed. This approach does not rely on scanners, on any active presence on the network or just on broadcast and multicast packets or any incomplete or partial asset databases.

There is no way for attackers to conclude that this Traffic Monitoring is taking place because it is done out of line without any activities on the network and without responding to any queries or protocols exchanged packets on the network.

Building and Adapting the Deception Layer

When you know the terrain, you can protect it by altering the environment. Fidelis does this through profiling and classification and it is easy to build the deception layers including decoys, applications, breadcrumbs and Active Directory integration. The detailed knowledge of the organization provides the means to automatically build the deception layer and to constantly adapt it to the changes occurring in the environment. Fidelis Deception provides emulated decoys and Real OS decoys on the same systems to address different use cases.

deception architecture

Integrate Deception into Your Broader Network Visibility

Fidelis Deception is a stand-alone product that provides visibility of lateral movement, as well as visibility of systems where you cannot deploy an endpoint agent – i.e. legacy systems, enterprise IoT devices and Shadow IT. Fidelis Deception is also fully integrated into the Fidelis Elevate platform and when used in conjunction with Fidelis Network gives consolidated visibility traffic at multiple points throughout the network and cloud environment.

- Doron Kolton
Chief Strategy Officer – Emerging Technologies