Reviewed by: Michael Diehl & Matthew Hreben
Vendor: Acalvio Technologies, Inc
What we liked: Very versatile deployment; supports most mainstream hypervisors and cloud platforms.
Acalvio returns this year with its deception framework, Shadowplex Autonomous Deception. The core of the architecture is the Acalvio Deception Center (ADC), which manages the decoys and projects them into the network through its projection sensors. Sensors can be deployed on premises, in the cloud, or as virtual machines on VMware ESXi, Hyper-V, or Linux Kernel-based Virtual Machine (KVM). For cloud-oriented organizations, the ADC itself is vendor agnostic and runs in a public or private cloud such as AWS, Google Cloud, or Azure.
On-premises projection sensors attach to the switch infrastructure on either a trunk or an access port. Trunk ports are not necessarily recommended, given Shadowplex's projection-point architecture, but in an environment with a core switch the topology requires very few projection sensors. Conversely, an organization supporting remote offices will need more sensors, since each remote segment needs its own projection point.
Acalvio's position is that deception is only effective when an environment is seeded with a wide variety of decoys, and as many of them as possible. So-called breadcrumbs, fake information that looks valuable to an intruder but exposes nothing real, divert adversaries away from legitimate targets and lead them to the decoys. Interactions with decoys or breadcrumbs, such as a failed login to a decoy, produce alerts that can be fed into the watchlists of a SIEM or other log management tool for validation and correlation.
Acalvio's commitment to this approach is further underscored by Shadowplex's intent-based breadcrumb model. Administrators select from a list of objectives such as detecting ransomware, lateral movement, or database exfiltration, and Shadowplex chooses breadcrumbs to match. For ransomware detection, for example, it plants low-entropy decoy files on the endpoints the administrator designates. Shadowplex later performs an OS callback to the deception environment to check whether a decoy file has been modified; if its entropy has risen from low to high, which indicates that the file has been encrypted, the event is flagged as a possible ransomware detonation on that endpoint.
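To make the entropy signal concrete, the following is an added example written for this review; it is not Acalvio's code and does not show how Shadowplex's OS callback is implemented. It plants a low-entropy canary file, re-measures its Shannon entropy later, and flags a jump from low to high as a possible ransomware detonation. The thresholds, the canary text, and the function names are assumptions; the "encrypted" content is constructed to stand in for ciphertext.

```python
"""Entropy-based canary-file check (added example, not Acalvio/Shadowplex code).

A decoy file is planted with low entropy (ordinary text). Ransomware that
encrypts it leaves ciphertext, whose byte distribution is nearly uniform, so
the entropy climbs toward 8 bits/byte. The check compares a baseline reading
with a later one. Threshold values below are assumptions, not vendor settings.
"""
import math
import os
from collections import Counter

LOW_ENTROPY_MAX = 5.0   # assumed: plain text usually measures well below 5 bits/byte
HIGH_ENTROPY_MIN = 7.5  # assumed: ciphertext/compressed data approaches 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_canary(size: int = 4096) -> bytes:
    """Constructed low-entropy decoy content: repetitive, human-looking text."""
    line = b"Q3 payroll summary - confidential - do not distribute\n"
    return (line * (size // len(line) + 1))[:size]


def classify(baseline: float, current: float) -> str:
    """Interpret two entropy readings of the same canary file."""
    if baseline > LOW_ENTROPY_MAX:
        # A canary that starts out high-entropy (e.g. a zip or JPEG) can never
        # show the low-to-high jump, so it is useless for this detection.
        return "bad-canary"
    if current >= HIGH_ENTROPY_MIN:
        return "possible-ransomware"   # contents now look like ciphertext
    if math.isclose(baseline, current):
        return "unchanged"
    return "modified"                   # edited or truncated, but not encrypted


def check_canary(original: bytes, observed: bytes) -> dict:
    """Baseline the planted bytes, measure what is on disk now, and return a verdict."""
    baseline = shannon_entropy(original)
    current = shannon_entropy(observed)
    return {"baseline": round(baseline, 3), "current": round(current, 3),
            "verdict": classify(baseline, current)}


if __name__ == "__main__":
    canary = make_canary()
    # Simulated ransomware output: real ciphertext is indistinguishable from random bytes.
    encrypted = os.urandom(len(canary))
    print(check_canary(canary, canary))          # unchanged
    print(check_canary(canary, encrypted))       # possible-ransomware
    print(check_canary(canary, canary[:100]))    # modified (truncated, not encrypted)
```

The "bad-canary" branch is the caveat a practitioner wants: only files that start low-entropy (documents, source, logs) can serve as entropy canaries, which is exactly why the review says the breadcrumbs for this intent are low-entropy files. Entropy alone also cannot distinguish encryption from compression, so in practice the reading should be paired with other indicators such as renamed extensions or dropped ransom notes.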
Setting up a complete deception environment with Shadowplex is straightforward. It begins with a discovery phase that essentially uses Nmap to find everything on the network; alternatively, you can upload your own data from asset management tools or an existing vulnerability scanner. Either way, Shadowplex uses the results to generate appropriate host names, usernames, running services, and honey data, so that the decoy population mirrors the vendor ratio of your actual environment. It is also important to generate a mix of operating systems running the services one would expect on them, such as Kerberos or LDAP.
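As an added illustration of what "mirroring the real environment" means in practice, the block below is my own code, not Shadowplex's discovery module. It parses Nmap's XML output (the `-oX` format), profiles live hosts by OS family, MAC vendor, and open services, and then apportions a decoy budget across OS families in the same proportions using a largest-remainder split. The XML is constructed sample data, and the function names and the decoy budget are assumptions.

```python
"""Deriving a decoy mix from Nmap discovery output (added example, not Shadowplex code).

Reads Nmap XML (-oX), keeps only hosts that are up, and builds the OS/vendor/
service profile a decoy generator would need so that decoys match the ratio of
real hosts. The XML below is constructed sample data, not a real scan.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:50:56:AB:CD:01" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="dc01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2016" accuracy="97">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2016" accuracy="97"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <address addr="00:50:56:AB:CD:02" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="95">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2019" accuracy="95"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <address addr="B0:7B:25:11:22:33" addrtype="mac" vendor="Dell"/>
    <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="93">
      <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="93"/>
    </osmatch></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text: str) -> list:
    """Return one record per live host: address, MAC vendor, hostname, OS family, open services."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # decoys should mirror what is actually alive on the wire
        ipv4 = h.find("address[@addrtype='ipv4']")
        mac = h.find("address[@addrtype='mac']")
        hn = h.find("hostnames/hostname")
        osclass = h.find("os/osmatch/osclass")  # first osmatch is Nmap's best-accuracy guess
        services = sorted({
            p.find("service").get("name")
            for p in h.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
            and p.find("service") is not None
        })
        hosts.append({
            "addr": ipv4.get("addr") if ipv4 is not None else None,
            "vendor": mac.get("vendor", "Unknown") if mac is not None else "Unknown",
            "hostname": hn.get("name") if hn is not None else None,
            "os_family": osclass.get("osfamily", "Unknown") if osclass is not None else "Unknown",
            "services": services,
        })
    return hosts


def profile(hosts: list) -> dict:
    """Tally OS families, MAC vendors and open services across live hosts."""
    return {
        "os": Counter(h["os_family"] for h in hosts),
        "vendor": Counter(h["vendor"] for h in hosts),
        "services": Counter(s for h in hosts for s in h["services"]),
    }


def plan_decoys(os_counts: dict, budget: int) -> dict:
    """Split a decoy budget across OS families in proportion to the real population.

    Largest-remainder apportionment: floor each quota, then hand leftover slots
    to the families with the biggest fractional parts so the total equals budget.
    """
    total = sum(os_counts.values())
    if total == 0 or budget <= 0:
        return {}
    quotas = {fam: budget * n / total for fam, n in os_counts.items()}
    alloc = {fam: int(q) for fam, q in quotas.items()}
    leftover = budget - sum(alloc.values())
    for fam in sorted(quotas, key=lambda f: (quotas[f] - alloc[f], f), reverse=True)[:leftover]:
        alloc[fam] += 1
    return alloc


if __name__ == "__main__":
    live = parse_hosts(SAMPLE_NMAP_XML)
    prof = profile(live)
    print(prof["os"], prof["vendor"], prof["services"])
    print(plan_decoys(prof["os"], budget=20))  # assumed budget of 20 decoys
```

The service tally is what tells a decoy generator which listeners to expose: with Kerberos and LDAP present on the real Windows hosts, Windows decoys should offer the same services, which is the point the review makes about generating operating systems together with the services that normally run on them.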
Beyond the streamlined setup, we continue to be intrigued by the possibilities of Shadowplex's service reflection feature, which presents the same core OS and applications on different VLANs. Because the reflected configuration can be a customer's own application rather than a stock image, the decoys can carry far more realistic data.
The basic price for Shadowplex is $25,000 and support is available.