When it comes to threat detection, distributed deception is still the most effective option available for trapping in-network attackers. High-interaction decoys remain valuable, however, mainly for threat hunting, intelligence and research, with the long-term ability to learn an attacker’s methods, targets, tools and techniques. These decoys are live, network-attached operating systems set up to mimic real assets to lure an attacker into full engagement.
Security teams may also be looking for advanced destination-based forensics and hunting TTPs when analyzing incidents on attack campaigns targeting sensitive production systems, which are prone to targeted attacks or might draw a lot of attention from blackhats. Having managed high-interaction decoys mimicking such sensitive production systems, in addition to relevant breadcrumbs, across all hosts lures attackers into full engagement.
Just over a year ago, Illusive added decoys to our deception and forensics capabilities. These full-OS decoys were available as part of a fully managed virtual environment, monitored by the organization within the Illusive console. It created a fairly easy and scalable method of forming, deploying and managing decoys.
Illusive customers will now have full flexibility for decoys – let’s compare each approach, as well as some of the benefits and tradeoffs of each method.
Fully-Managed Decoys – A Look at the Advantages
The traditional decoy option enables rapid creation and central management of high-interaction, full-OS decoys. Decoys are created from golden images — a scalable method that produces authentic-looking decoys that reflect the standards and practices native to each customer environment. They contain real Windows operating systems and services, and any set of applications or application components that can be incorporated within a golden image
However, this option does have several requirements, including one or more physical machines to act as a Decoy Hypervisor to host the decoys and a connection between the Decoy Hypervisor and the Decoy Center (a Linux-based server [virtual or physical] providing centralized management and operation). This decoy environment is completely isolated from the full production environment, and requires dedicated resources and physical machine(s)
The primary benefits of Illusive decoys in a managed environment are:
- Solid security – Decoys are separated from the production infrastructure in a self-contained environment
- Ease of management – Full control of managed decoys, including editing decoy network settings, starting, and stopping individual decoys using the Illusive Console
Until now, on-premise decoys only have been enabled, as the Decoy Hypervisor can’t run on cloud-hosted machines. For companies that have complex hybrid environments, both on-premise and in the cloud, we wanted to develop and upgrade our decoy coverage options, to meet their needs and empower them with heightened security.
Standalone Decoys – Leveraging Existing Infrastructure for Rapid Deployment in and Out of the Cloud
With the new standalone decoy option, Illusive customers can now turn any host on their network into a decoy. These hosts can include any physical or virtual machine, both in and out of cloud – any of these hosts can be converted into a full-OS decoy. NOTE – these decoys can coexist with any non-standalone decoys, running at the same time.
The primary benefits of standalone decoys are:
- Faster deployment – Enabling turning a host into a decoy in minutes
- No investment in hardware required – A dedicated decoy hypervisor is not required, allowing you to leverage existing infrastructure for creating decoys
- Cloud-Enabled – Both the Decoy Center and Decoys can live in the cloud
In other words, in order to meet the security needs of dynamic and elastic cloud environments, particularly in large organizations, security teams are empowered with a decoy deployment that is immediate and cost and resource-efficient. Standalone decoys help with reaching that goal as any VM instance (e.g. an AWS EC2 instance) can be turned into a decoy immediately without the infrastructure burden dependency. This adds another security layer in the IaaS cyber defense strategy.
There is another benefit to having standalone cloud-based decoys. When looking at forensics, there is no question that combined source forensics and target (decoy) forensics provide a comprehensive picture of an attacker’s location, actions and targets. However, there are cases where collecting forensics from the source host is not possible, such as with a BYOD and any unmanaged or unprotected device. This is especially common when it comes to internet-facing environments and systems, such as DMZs and cloud environments. An attacker can exploit these through any internet-connected device, which can be hidden behind many proxies, making it impossible to be identified and available for collecting forensic from. For such cases in which source forensics are not attainable, having a full-OS decoy for target-based forensics is no longer simply a nice to have.
Reducing SOC Noise Through Decoy Rules
Now more than ever in the new normal that we are experiencing, SOC efficiency in responding to cybersecurity incidents is of utmost importance. In managing decoys with Illusive, whether through standalone decoys or fully-managed decoys, preconfigured rules are needed in order to minimize the number of alerts from the decoys.
Through the Illusive console, it is easy to create and edit a series of Decoy rules for notifications, filtering out unwanted noise to lessen the load on the SOC. These include events to ignore (such as dummy process files), or they can be a rule to notify when a specific user is trying to access a particular decoy, or via a certain port number. This is especially important with standalone decoys, as these are decoys created and managed by customers themselves. Rules can also be configured to detect dormant malware that may reside on the system (e.g. via the golden image or other mechanism). Rules can also specifically pertain to registry, files, processes, and network events.
To learn more about Illusive capabilities in managing full-OS, high interaction decoys, please request a demo.