In part 1 we looked at what Deception Technology is, examined the problems it is used to address, and covered the tactics employed and the related terminology. Now we take a look at leading solutions from top providers in the Cyber Security sector.
In this section we are going to examine products from some of the leading Deception Technology solution providers. These providers are Rapid7, TrapX, and Illusive.
Rapid7 provides a variety of Cyber Security products covering Application Security, Cloud Security, Orchestration & Automation, and Vulnerability Management. In addition to these, they have InsightIDR, which is a Detection & Response solution.
“Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.” (Source: rapid7.com)
The main benefits of InsightIDR are:
- Immediate ROI (Return On Investment):
- This system is Cloud-based and is touted as getting you up and running faster, and it can grow with your needs.
- Alerts that matter:
- Machine learning is used in conjunction with advanced analysis and out-of-the-box detections to help filter through alert data and identify real threats.
- Built by experts:
- Rapid7 allows InsightIDR users to leverage and benefit from their intelligence network and research.
Below are some of the key features of InsightIDR:
- User Behavior Analytics:
- This involves monitoring user activity to try to detect login credentials that an intruder has stolen or guessed. Notable user behavior is flagged using a Risky User Ranking.
- Attacker Behavior Analytics:
- Existing attacks are monitored, and new detection methods are continuously created from them to try to prevent future ones. Indicators such as known-bad hashes and domain names are analyzed, and alerts are given context to make them more meaningful.
- Endpoint Detection & Visibility:
- A universal Insight Agent is used to provide real-time endpoint scanning and threat detection alerts. Enhanced Endpoint Telemetry (EET) allows historical archives to be viewed and provides context for actions on endpoints.
- Network Traffic Analysis:
- NetFort technology is used to deploy an Insight Network Sensor that continuously monitors traffic across the sites and locations on a network. This helps provide visibility and recognize any compromise quickly.
- Centralized Log Management:
- Event data is correlated to users and assets to highlight risks and prioritize where to search. This data is automatically collected and managed. Customized reports can be created to provide visual representations of network traffic & more.
- Visual Investigation Timeline:
- Log search, user behavior, and endpoint data are brought together into a single timeline. This helps smarter decisions be made using threats you define yourself or those shared by Rapid7 and other communities. IoCs (Indicators of Compromise) can be tracked within threats and used to trigger alerts.
- Deception Technology:
- Intruder traps can be deployed which include “honeypots, honey users, honey credentials, and honey files, all crafted to identify malicious behavior earlier in the attack chain”.
- File Integrity Monitoring (FIM):
- FIM is included within Insight Agent. This can help verify compliance with regulations such as PCI, HIPAA, and GDPR through monitoring and auditing.
- A further range of features helps accelerate threat detection and response. These include threat intelligence that triggers workflows and alerts. The Insight Agent can kill malicious processes as well as quarantine endpoints.
InsightIDR starts at $2156 per month and comes with a 500 asset minimum. This cost is based on being billed annually. The service is available on AWS Marketplace.
Assets are defined as servers, desktops and laptops whether physical or virtual. These can be spread over multiple locations.
Pricing is based on the number of assets with the cost per asset reducing as more are added within a tier-based pricing structure.
Customer support, documentation and other resources are included within this pricing.
Managed Detection and Response (MDR) services and solutions are available as an extra.
For a free trial of InsightIDR please click here.
TrapX is a product and solutions provider in Cyber Deception. Their products include DeceptionGrid and Flex, whilst their solutions address IT/OT* Convergence, Ransomware and Active Defense.
* Information Technology/Operational Technology.
In this article we are going to look at DeceptionGrid which uses ‘Active Defense’ techniques.
“The only Deception platform that delivers comprehensive protection, full visibility-at-scale and MITRE ATT&CK integration for enhanced incident response and active defense. Unlike anything else on the market, our lightweight, touch-less technology offers non-disruptive support for a broad array of systems and devices, including IT, OT, IoT, SCADA, ICS, and SWIFT.” (Source: trapx.com)
DeceptionGrid aims to address the following ‘next-level’ forms of attack:
- Next-level Stealth Attacks:
- These are carried out in a way that is invisible to even the most robust conventional security technology.
- The New Normal:
- Modern ways of doing business involve remote working and distributed networks over many locations. This introduces security challenges as the coverage to keep safe expands.
- Limited & Complex Deception solutions:
- Traditional solutions tend to be resource-intensive and complex to deploy. This denies security teams the opportunity to reduce risk through a broad and deep deception environment.
“TrapX DeceptionGrid fills a vital gap in layered cybersecurity, providing protection for the expanded surface and the power to deploy Active Defense”.
Here are the Active Defense features to help support this:
- Deception in Depth:
- The notion of “More Traps = Less Risk” is used to hide real assets behind traps. This forces an attacker into a guessing game. The traps are easy to deploy, and as more are put in place the exposure of real assets is reduced.
- Deception without limits:
- A unified platform is used to provide broad integrated deployments of traps. These traps include lures, emulated traps, and full interaction traps.
- Active Defense Scorecard (ADS):
- MITRE ATT&CK “is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations”. Its techniques can be used to test and validate the effectiveness of the trap environment, and the framework helps plan an Active Defense strategy.
- MITRE ATT&CK Integration:
- Traps expose Techniques & Sub-techniques active within a network. Having an insight into any lateral movement can help trace this back to attack groups and align strategy.
- Fast, Simple, Adaptable Deployment:
- Whether using Advanced Cloud or on-premise technologies, hundreds to thousands of traps can be activated within minutes.
- Non-Disruptive Operation:
- Use of “Out-of-band agentless technology with no endpoint processing or computing”. See here for more information on Out-of-band management.
Unfortunately pricing information is not currently available on the TrapX website. There is a Request Demo link so presumably this would lead to bespoke pricing based on needs.
Illusive is an Israeli company founded by former members of the country’s military intelligence division. The company offers the following products, which form a three-pronged approach:
- Attack Surface Manager – identify & remove attack pathways.
- Attack Detection System – deterministic threat detection.
- Attack Intelligence System – reduce analyst investigation time.
Pricing information is not available on the Illusive website for any of the three products, but there is a Request a Demo link, which presumably leads to a quote being provided.
Below we look at each of these product offerings.
Attack Surface Manager
“Shrink your organization’s attack surface. Find and eliminate the vulnerable credentials and connections that attackers use to escalate privileges and move laterally.” (Source: illusive.com)
The aim of this solution is to view an organization’s network from an attacker’s perspective and remove ‘lateral movement pathways’.
The key features of Attack Surface Manager are:
- Attacker View Dashboard:
- Maps critical assets by risk level and collects intelligence on potential violations. These can be drilled down into in order to view detailed metrics about the relevant attack surface.
- One-Click Attacker Pathway Elimination:
- Shows all the connections that an attacker could potentially use to move laterally in search of high-value targets. This leverages native connectivity, and the connections can be eliminated with a single click.
- Tighten Privileged Access with Rules:
- Provides the ability to define credential (login details) and connection (access permission) policies for privileged users. This helps reduce inadvertent access to critical data.
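To make the Attack Surface Manager idea concrete, here is an added example (not Illusive’s code, whose internals are not public on this page) that models the “attacker view” of a network as a graph of hosts and lateral-movement pathways, enumerates every path from a workstation to a critical asset, and ranks which single pathway removal cuts the most paths. Hostnames, credential labels and the graph itself are constructed for illustration.

```python
# Constructed example of an attack-surface graph: each pathway is a hop an
# attacker could make, such as a cached credential on src that grants a logon
# to dst. Hostnames and credential labels are hypothetical.
PATHWAYS = [
    ("WS-ACCT-07", "FS01", "cached cred: jsmith"),
    ("WS-ACCT-07", "WS-IT-02", "cached cred: jsmith"),
    ("WS-IT-02", "SQL02", "cached cred: dbadmin"),
    ("FS01", "SQL02", "cached cred: dbadmin"),
    ("SQL02", "DC01", "cached cred: svc_sql (domain admin)"),
    ("WS-IT-02", "DC01", "RDP session: it_helpdesk"),
]
CRITICAL_ASSETS = {"DC01"}  # the "crown jewels" an attacker is moving towards

def build_graph(pathways):
    """Adjacency list: host -> [(reachable host, pathway label), ...]."""
    graph = {}
    for src, dst, label in pathways:
        graph.setdefault(src, []).append((dst, label))
    return graph

def find_paths(graph, start, critical, visited=None, trail=()):
    """Depth-first enumeration of every simple path from start to a critical asset.
    Each path is a tuple of (src, dst, label) hops."""
    visited = visited or {start}
    found = []
    for dst, label in graph.get(start, []):
        if dst in visited:
            continue  # never revisit a host: keeps paths simple and the search finite
        hop = (start, dst, label)
        if dst in critical:
            found.append(trail + (hop,))
        else:
            found.extend(find_paths(graph, dst, critical, visited | {dst}, trail + (hop,)))
    return found

def rank_pathways(paths):
    """Rank each hop by how many attacker paths it sits on; ties broken by name."""
    counts = {}
    for path in paths:
        for hop in path:
            counts[hop] = counts.get(hop, 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))

def eliminate(pathways, hop):
    """Model the one-click removal of a pathway (e.g. purging a cached credential)."""
    return [p for p in pathways if p != hop]

def remaining_paths_after(pathways, hop, start, critical):
    """How many attacker paths survive once the given pathway is removed."""
    return len(find_paths(build_graph(eliminate(pathways, hop)), start, critical))
```

With the constructed graph, three paths lead from WS-ACCT-07 to DC01, and removing the top-ranked hop leaves only one; rerunning the ranking on what remains is the “iterate until no paths are left” loop a defender would follow.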
Attack Detection System
“Agentless, undetectable deception technology that creates a hostile environment for attackers, stopping lateral movement and access to your critical assets.” (Source: illusive.com)
Deceptions are planted at every endpoint that attackers would need to move through to reach critical assets. Post-perimeter detection then prevents the attacker from carrying out reconnaissance and hinders their lateral movement.
The key features of Attack Detection System are:
- 75+ Deception Techniques:
- These mimic credentials, connections, data, systems and more that might seem useful to the attacker. Compromises by insider and outsider attackers can then be detected.
- View from the Attacker’s Perspective:
- The management console shows the following:
– How close attackers are to critical assets.
– Timeline of activity once deceptions are engaged.
– Visibility into how attackers perceive deceptive data.
- Trap Server to deter Ransomware & other threats:
- The Trap Server interacts with attackers, steering them away from real data and critical assets and towards an imaginary attack surface instead.
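Both Rapid7’s honey users and credentials and Illusive’s endpoint deceptions rely on the same detection principle: a decoy identity has no legitimate use, so any attempt to authenticate with it is a high-confidence alert that also names the endpoint the attempt came from. The following added example (my own code, not either vendor’s) shows that logic run over a few constructed key=value logon records; the account names, hosts and log layout are all invented for the example.

```python
import re
from dataclasses import dataclass

# Decoy ("honey") accounts planted on endpoints. They have no legitimate use, so
# any logon attempt naming one is a high-fidelity signal, whether it succeeds
# or fails. Constructed names for this example, not real accounts.
HONEY_USERS = {"svc_backup_old", "adm_dbarchive"}

# Constructed log lines in a simplified key=value layout (not a vendor format).
SAMPLE_LOG = """\
ts=2024-03-01T09:12:03Z event=logon user=CORP\\jsmith src=10.0.5.21 dst=FS01 result=success
ts=2024-03-01T09:14:47Z event=logon user=CORP\\svc_backup_old src=10.0.5.21 dst=FS01 result=failure
ts=2024-03-01T09:14:52Z event=logon user=corp\\SVC_BACKUP_OLD src=10.0.5.21 dst=DC01 result=failure
ts=2024-03-01T09:20:10Z event=logon user=CORP\\mlee src=10.0.7.3 dst=FS01 result=success
ts=2024-03-01T09:31:00Z event=logon user=adm_dbarchive src=10.0.9.14 dst=SQL02 result=success
"""
LINE_RE = re.compile(r"ts=(\S+) event=(\S+) user=(\S+) src=(\S+) dst=(\S+) result=(\S+)")

@dataclass(frozen=True)
class Alert:
    first_seen: str   # timestamp of the first decoy logon from this source
    user: str         # normalized decoy account name
    src: str          # host the attempts came from: the likely compromised endpoint
    targets: tuple    # hosts the decoy credential was tried against, in order
    attempts: int

def normalize_user(raw: str) -> str:
    """Drop any DOMAIN\\ prefix and lower-case so decoys match regardless of casing."""
    return raw.rsplit("\\", 1)[-1].lower()

def detect_honey_use(log_text: str, honey_users=HONEY_USERS):
    """Group decoy-account logon attempts by (account, source host) into alerts."""
    honey = {u.lower() for u in honey_users}
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        ts, event, raw_user, src, dst, _result = m.groups()
        user = normalize_user(raw_user)
        if event != "logon" or user not in honey:
            continue
        first, targets, count = seen.get((user, src), (ts, [], 0))
        if dst not in targets:
            targets.append(dst)
        seen[(user, src)] = (first, targets, count + 1)
    return [Alert(first, user, src, tuple(targets), count)
            for (user, src), (first, targets, count) in seen.items()]
```

Failed attempts are deliberately counted: an attacker trying a harvested decoy credential against several hosts shows up as one alert listing every target, which is the lateral-movement picture the consoles above are describing.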
Attack Intelligence System
“Get actionable, real-time or on-demand forensic attack insight to accelerate blocking and remediation.” (Source: illusive.com)
This product offers rich and precise incident data in a user-friendly format.
The key features of Attack Intelligence System are:
- Forensics Timeline for Alert Prioritization:
- These real-time forensics display all collected artifacts in chronological order. This allows analysts to drill down and reduce response times.
- Forensics On-Demand:
- Alerts from other systems are given context to help speed up investigations and empower junior analysts. Incident Response teams can harness Illusive’s agentless technology to collect forensics from any targeted machine. This leads to precise threat intelligence.
- Emulations to Protect IoT*, OT** & Network Devices:
- Pre-built images can be used to speed-up and simplify the creation of interactive decoys for IoT, OT, and network devices. This enables malicious activity to be detected.
* IoT – Internet of Things: Internet enabled devices connected to networks.
** OT – Operational Technology: hardware or software used for monitoring or control of devices.
Do you have experience with Cyber Defense solutions using Deception Technologies? Are there any providers or packages that work better than others? Please comment below to share your thoughts.