Company: Acalvio Technologies
Price: Starting at $25,000
Description: Deception network
This system also uses elastic interactions to match the deception to the attacker. It consists of what Acalvio refers to as “deception farms,” physical storage and control for deceptions. They contain or control sensors, tunnels and deceptions. The deceptions can be minimal, low or high interaction, changing as necessary depending upon the attacker's behavior.
Lightweight sensors are deployed as hardware and software, one per VLAN in the real network. When the sensors talk over a tunnel to the deception farm, it builds deceptions on the fly. It is very hard for an attacker to detect and defeat this approach. The attacker has no certain idea of what is real and what is a deception because the deceptions are quite realistic. This deception fluidity is completely automated by the recommendation engine, controlled by advanced AI and without human interaction.
The AI-based recommendations engine performs several functions including blending deceptions, recommending deployment strategies and blending host names, usernames, services, and breadcrumb content and generation.
Another unique capability of ShadowPlex is service reflection, which is the projection of a service from its install point on the real network to the deception network. An attacker seeing what he thinks is a real SQL database, for example, is only seeing its reflection in the deception network. Any interactions are only on the shadow network.
The shadow network is interesting. Suppose that an attacker gets to the real network and compromises a host. The sensor immediately moves the attacker to a virtual version in the shadow network and the attack continues. As the attack touches more devices, they are in the deception network and the level of interaction is adjusted automatically. The attacks to real devices are redirected to a sink to protect them. Meanwhile the affected devices – real and decoy – are instrumented and all interactions are routed through the tunnel restricting actual lateral movement to the deception grid, unbeknownst to the attacker.
ShadowPlex also creates breadcrumbs to draw the attacker, including SMB shares, files, users, credentials, cookies, registry entries such as RDP profiles and URLs.
All the user needs to do is tell the system what he or she wants, starting by deciding where to put the sensors. These go on individual VLANs. Second, the purpose of the deception grid must be specified. The system does the rest.
This is one of the easiest systems to administer. When you drop onto the main page you see all the devices, real and imaginary, in one place. You also see the status of each and you can drill down on any. Alcavio calls this its Deception Mesh. If you take the real machines out of the picture you see only the deception network. On each of the icons representing an individual device, you see what its interaction level is (minimal, low or super low interaction). It also shows the location of breadcrumbs and lures. Incident details also are on the landing page. The configuration page shows a graphical representation of systems in the deception grid. By sliding a bar along the top of the screen, the system either adds or deletes deceptive elements. When we moved the bar along about halfway it told us that it was going to add a fairly large number of deceptions. If you approve, it automatically decides, based upon the network configuration and what you want to achieve, how to set up and distribute new decoys.