
Review of Acalvio's ShadowPlex

Updated: Jan 1


Why you need Deception Technology deployed on your networks.


So, after waking up and smelling today’s cyber security reality, you have finally decided to assume breach and that the enemy is already creeping around your networks. Taking an Active Defense stance is a good first step but one tempered by the sobering thought that intruders often have years of evasion experience and have perfected the art of bypassing IDS/IPS systems and defensive solutions. Many of them live off the land, using your own commonly deployed tools like Windows PowerShell against you, hopping around your network fully undetectable.


But why passively accept that you may only detect an intruder at the end of the kill chain when your data is being ex-filtrated?  Wouldn’t it be better if you could actively detect them early on, regardless of their years of evasion experience? Well it turns out that you can, thanks to a whole new breed of Active Defense tools known as deception technology (DT).


First things first: DT is not your Granddaddy’s honey pot or honey net – but a fully extensible solution that allows you to deploy decoy systems that look and feel just like your production systems. More importantly, these decoys act like real systems, allowing full interaction with the attacker. A stale decoy that never changes its configuration state is a detectable decoy - DT mitigates staleness by emulating the life cycle of a production system including routine patch maintenance.


Most importantly, DT implements high-fidelity attacker detection - from reconnaissance port scanning to decoy system login attempts – keeping the intruder ignorantly happy while the decoys send out intrusion red alerts. Where the fun really starts however is when DT automatically responds and quarantines the unknowing intruder to a deception network far away from your important data, bogging the intruder down while simultaneously recording all their nefarious activity for forensic and behavioral analysis.


Deploying deception technology essentially forces your attacker to play the old Microsoft game of minesweeper, but on your network. If the attacker makes just one bad choice of which square to land on, or in this case which decoy system they initially attack or laterally move to, it is detection game over. Just like in minesweeper, the bigger the matrix, or in DT parlance, the greater the density of decoys deployed, the more difficult it is for your attacker to remain undetected.


Acalvio ShadowPlex


I attended Black Hat 2019 in Las Vegas where I met up with DT provider Acalvio who set me up with a full-blown Google cloud-based deployment of their flagship DT solution ShadowPlex 4.0.0 to review. ShadowPlex supports other cloud providers as well as on-premise deployments options.


The first question that probably comes to mind is how good are ShadowPlex decoys at pretending to be real systems? In the classic deception scene from Quentin Tarantino’s Inglourious Basterds, a group of Allied spies pretending to be Nazi soldiers are huddled in a cellar bar among real nasty Nazis. The spies are dressed in authentic Nazi uniforms and speak flawless German – but make one fatal mistake that gives them away: one of the soldiers holds up his counting fingers in a way that no German ever would.


Similarly, DT decoy systems require incredible attention to every emulation detail to avoid giving themselves away to a seasoned Blackhat. If a decoy is pretending to be an Ubuntu server running Apache and MySQL, it should look, feel and smell no different from the real system configured with the same set of services, down to transmitting the exact same server-to-client responses and packet signatures.


To avoid detection, ShadowPlex employs an interesting technique called fluid deception, which dictates the degree of emulation fidelity a decoy can dynamically evolve to in order to fool attackers. Low interaction decoys emulate the physical through transport layers, showing appropriate MAC addresses and proper responses to port probing. Medium interaction decoys emulate all the way up to the application layer, offering user login interaction but denying access and alerting on the intrusion. High interaction decoys allow an attacker interactive login and lay-of-the-land discovery. A decoy printer allows remote HTTP access to view the printer configuration and jobs in the queue; a decoy IoT camera allows remote HTTP login and a view of an emulated video feed. The graphic below shows how you choose a decoy’s deception fluidity level.


ShadowPlex Fluidity Level sets the level of decoy interaction.

Emulation aside, the ultimate decoy is one that behaves exactly like a production system because it essentially is a production system, minus your sensitive company data. It runs a real operating system with real services that have real but unimportant data on them. The attacker however does not know that. ShadowPlex offers ready-built high-interaction Linux and Windows decoy VMs to deploy, or you can upload and deploy your own custom decoy VMs and bogus data.


ShadowPlex works based on sites, subnets and sensors. A site is a geographical or organizationally logical collection of subnets. ShadowPlex sensors listen in on one or more subnets and project to those networks available decoy hosts. When an attacker attempts to reach out and touch a decoy, the sensor redirects them across a secure tunnel to an isolated deception network where the decoy really lives. At that point, the attacker’s allowed interaction depends on that decoy’s assigned deception fluidity level (low, medium, or high). The beauty of decoy projection is that a small number of decoys can be force multiplied to several different subnets.


The ShadowPlex hardware or virtual appliance is called the ADC (Acalvio Deception Center) and controls and manages the sensors, decoys and alerts. As seen below, the ADC dashboard gives you a birds-eye view of your deception deployment:


ShadowPlex Dashboard

It is important to deploy an appropriate density of decoys in relation to the number of production hosts so that there is a greater chance of an intruder stepping on a decoy. In my test, there were six corporate hosts I wanted to protect and my ShadowPlex sensor was projecting fifteen decoys on the corporate network, an almost three to one ratio that creates a veritable minefield that external or even internal users could step on.


Decoys Deployed

When running an Nmap scan of the 172.25.107.0/24 network, the projected decoys are indistinguishable from production hosts. For example, please review the following two servers and their corresponding Nmap scans: one is a decoy and one is a production host. Can you tell which one is the decoy? I can’t.


Decoy Details



NMAP Scan. Decoy or Production?

After configuring the ShadowPlex sensor (hardware appliance or a VM) that listens in on the production network and defining the network that the decoys will live on, the next step is to create a deception playbook. This is an intuitive four-step process: you pick the decoy types to deploy and define which services (ftp, telnet, ssh, etc.) they will emulate; you associate the playbook with a network; you review the summary of your choices; and then you approve the playbook for deployment.


Approve the Playbook

The selection of decoys to choose from is shown in a left pane palette and it is a simple drag and drop and configure process from there.


For example, you can deploy a high interaction web server that simultaneously runs Microsoft IIS server with Jenkins, a Tomcat server with a simulated payroll system and an Apache server. The decoy web server can also be domain joined to your own Active Directory environment and configured with an assigned vulnerability like Heartbleed. The decoys spin up rapidly and report in for deception duty to the ShadowPlex ADC.


Decoy Web Server

After approving a deception playbook and the decoys are generated, you can review their status and any alerts triggered via the Deception Mesh view:


Deception Mesh View

Decoy Testing


For my test, I deployed 15 decoys onto a single subnet. This included three different decoy printer models, a Cisco router, an Apache web server, an IoT camera, an SMB share, two Windows 10 desktops, a NetApp SAN appliance, a MySQL database, a Windows 2016 server, a Debian Linux server, a web server that was Heartbleed vulnerable, and a share that was EternalBlue vulnerable. Nmap scans against each of these decoys are shown at the end of this article along with the triggered alerts that were generated by my scans and higher interactions.


Tempting Hungry Hackers with Breadcrumbs

So, what happens if your attacker gets lucky and initially lands on a production system? You can still redirect them to a decoy by placing breadcrumbs on the production system. A breadcrumb is a juicy morsel like a .RDP file or an ARP cache entry that the attacker is tempted to connect to, believing it to be another production system, but which is a decoy instead.


Adding breadcrumbs to Windows and Linux production systems is as easy as running the provided breadcrumb creation scripts. For example, here is a production Windows system that has .rdp and ARP cache entry breadcrumbs on it.


Breadcrumbs

The graphic below depicts breadcrumbs being generated on a production Windows host via PowerShell, which creates hidden .rdp files in user profiles and adds static entries to the ARP cache. When an attacker runs the .rdp file or connects to a decoy IP address that is in the ARP cache, the corresponding decoy generates a ShadowPlex incident indicating lateral movement.


Generate Breadcrumbs

RDP Breadcrumb

One word of caution about static ARP cache entry breadcrumbs: an adept hacker may view these entries with suspicion, as the ARP cache is normally built dynamically.


Static ARP table entries would give away the decoy.

Blue Team/Pen Test Options


What happens if you normally run a vulnerability scanner like Nessus or Rapid7 Nexpose and you don’t want the decoys to trigger false positives? You have two options: you can blacklist the decoys in your scanner so they are omitted from the vulnerability scans, or you can blacklist the scanner by source IP in ShadowPlex so that sensors ignore the scanner traffic. If you need to disable the decoys during penetration testing, you can globally mute the decoys during that time. Muting decoys in ShadowPlex is done at the playbook level as seen below:


Muting Decoys

The following test shows a decoy being pinged successfully; communication dropping when the decoy is muted and then communication resuming when the decoy is unmuted.
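As an added illustration (my own code, not Acalvio's), the following Python models the alerting behaviour described in this review: any touch of a projected decoy becomes an incident tagged with a kill-chain phase, traffic from an allow-listed scanner source IP is ignored, and a muted playbook raises nothing. The decoy addresses, the scanner IP, the phase mapping and the event list are constructed assumptions, not values taken from the product.

```python
# Added example, not Acalvio's code: a minimal model of the decoy-touch alerting
# described in this review. Any connection to a projected decoy is an incident,
# unless it comes from an allow-listed scanner or the playbook is muted.

# Assumed mapping (not the product's) from what was done on the decoy to a
# kill-chain phase and severity: a probe is reconnaissance, a login attempt
# reached via a breadcrumb is lateral movement, commands are execution.
PHASES = {
    "port_probe":    ("reconnaissance",   "medium"),
    "login_attempt": ("lateral_movement", "high"),
    "command":       ("execution",        "high"),
}

def evaluate(decoys, events, ignored_sources=frozenset(), muted=False):
    """Return one incident per decoy touch; events are (src, dst, action) tuples."""
    incidents = []
    if muted:
        return incidents                # decoys are dark, nothing alerts
    for src, dst, action in events:
        if dst not in decoys or src in ignored_sources:
            continue                    # production host, or allow-listed scanner
        phase, sev = PHASES.get(action, ("unknown", "low"))
        incidents.append({"src": src, "decoy": dst, "type": decoys[dst],
                          "phase": phase, "severity": sev})
    return incidents

def sweep_sources(incidents, min_decoys=3):
    """Sources whose probes hit several distinct decoys: a subnet sweep."""
    seen = {}
    for i in incidents:
        if i["phase"] == "reconnaissance":
            seen.setdefault(i["src"], set()).add(i["decoy"])
    return sorted(s for s, d in seen.items() if len(d) >= min_decoys)

# Constructed sample data: four decoys projected into the 172.25.107.0/24 subnet,
# one allow-listed scanner, and a compromised production host walking the subnet.
DECOYS = {"172.25.107.20": "printer", "172.25.107.21": "smb-share",
          "172.25.107.22": "iot-camera", "172.25.107.23": "windows-2016"}
SCANNERS = {"172.25.107.5"}
EVENTS = [
    ("172.25.107.5",  "172.25.107.20", "port_probe"),     # scanner: ignored
    ("172.25.107.10", "172.25.107.11", "login_attempt"),  # prod -> prod: no decoy
    ("172.25.107.10", "172.25.107.20", "port_probe"),
    ("172.25.107.10", "172.25.107.21", "port_probe"),
    ("172.25.107.10", "172.25.107.22", "port_probe"),
    ("172.25.107.10", "172.25.107.23", "login_attempt"),  # followed the .rdp breadcrumb
    ("172.25.107.10", "172.25.107.23", "command"),
]
```

Running `evaluate(DECOYS, EVENTS, ignored_sources=SCANNERS)` yields five incidents from the one compromised host, and `sweep_sources` flags it because its probes touched three distinct decoys.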



3rd Party Integrations


ShadowPlex also integrates with major SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response) and network management solutions such as Splunk, Phantom, McAfee ePO, Cisco pxGrid/ISE, RSA NetWitness and Google Cloud Security Command Center (CSCC) to provide automated response. Configuring integration with an existing Splunk deployment is shown below:


3rd Party Integrations

ShadowPlex Incident Response Actions are automated directions on how to respond to potential attack scenarios. For example, you can configure an automated response when credentials have been compromised, including sending an email notification, logging an incident in Splunk and isolating the attacker to only decoy systems.


Automated Response Actions

ShadowPlex Theater


One of the most useful features of ShadowPlex is being able to visualize incidents as they relate to the cyber kill chain. For example, the following graphic shows several execution phase incidents that triggered high severity alerts.



Clicking on an incident shows you the attacker and resources involved:



High interaction decoys have a special option called HIDS which lets you play back the attack, including the logged attacker keystrokes and the resources they touched (files, registry entries, PowerShell scripts, etc.).



The Skinny on ShadowPlex


ShadowPlex is a must have for every organization that is truly serious about cyber security and preventing unwanted cyber breach headlines. It allows you to catch intruders early in the kill chain and handle them as you see fit. With DT, you can finally adopt offense and not just passively rely on defenses that intruders are often adept at evading. It takes only one bad user choice of opening a phishing email or surfing a compromised website for an attacker to bypass all your expensive defenses. Once an attacker is inside, DT allows you to shift the bad choice burden to them, as they blindly must navigate your DT minefield of deception decoys.


In my humble opinion, DT offers far more bang for the buck than the defensive measures and applications you already employ on your network and organizations should carve out a percentage of their security budget for deception technology. Whereas old-school honeypots and honey nets were difficult to deploy and manage, DT offers intuitive, user friendly and dynamically managed and evolving decoys that are easily deployed and integrate well with many of your existing defensive measures.   


DT is only as good as its ability to flawlessly emulate production systems, so as attackers learn and evolve new evasion techniques, DT must evolve as well, keeping one step ahead. ShadowPlex with its fluid deception model is already well ahead of the emulation curve. I would encourage Acalvio and all DT vendors to make their decoys publicly accessible so they can be prodded and probed by the Whitehat community for emulation flaws as this will only strengthen their products over time. You can learn more about ShadowPlex at https://www.acalvio.com.


Click here for ShadowPlex decoy testing results.
