Smokescreen Technologies IllusionBLACK accurately and efficiently detects targeted threats in real time. IllusionBlack creates decoys deployed in the network alongside legitimate assets. For attackers who have reached the point of breach, there is no way to differentiate decoys from reality. Interacting with a decoy raises a silent alarm while systems begin collecting information on an attacker’s actions and intentions. It provides decoys for the entire kill chain, yielding unparalleled coverage and maximizing the probability an attacker will engage with a decoy. It even identifies privilege escalation.

Smokescreen Technologies conducts its own vulnerability research and Red Team work, which feeds into its deception research. The vendor views deception as a strategy akin to threat hunting and takes a unique stance that deception is not low false positive. The mere triggering of an alert from a deception system is cause from investigation. Smokescreen Technologies has done extensive work to help organizations understand there are no false positives in deception.

A central management console displays individual icons for all attacks with a lot of information, providing a quick high-level overview. Smokescreen Technologies created a console that is easy to use and provides information quickly. It calculates a risk score for everything that has triggered deception in the network.

ThreatParse impressed us with its reconstruction of threats into English to provide descriptions within a couple of clicks to help analysts understand what the attacker is trying to accomplish. They can further delve into events for more information, all the way down to the packet level.

A full query language built into the system is human as well as machine consumable and accessible. This allows organizations to build complex queries. Pre-built queries also are available.

This solution offers orchestration with a variety of configurations, including “Out of Office,” which is triggered if something hits a decoy after a certain time of day.

Miragemaker makes realistic-looking decoys scalable. Hundreds of customizable, built-in applications are designed to look real. Keywords are mixed into machine naming, files, etc. for realism by leveraging a semi-intelligent system. Miragemaker provides scalability without static content. Flexibility of the platform ranges from straight out-of-the-box to creating custom protocols, honey pots and decoy values. Deceptions are even created within Active Directories where those trying to find deception even will be detected alongside enumeration detection.

Standout decoys are designed to be realistic but look slightly different than the rest of an environment. If everything looked uniform, attackers would be less likely to bite because it is pointless to repeatedly attack the same thing. Decoys can be customized to desired granularity. 

Teleport decoys create new network interfaces so that decoy can be deployed into a remote location where a lightweight agent is installed, taking lateral movement detection down to the smallest branch location with even one agent on one box or a super lightweight VM.

Starting price is $150K. Support offerings include Offensive Security Training, Deception Strategy and Incident Response.

Tested by: Tom Weil