Reviewed by: Michael Diehl & Matthew Hreben
Illusive Networks’ offering is a solid deception technology that covers the entire network. Rather than limiting itself to providing deceptions or traps at the network layer, Illusive focuses on endpoint deception: user workstations and servers in both physical and virtual environments.
Illusive’s patented Deception Management System floods a company’s entire infrastructure, every endpoint and server together with the network, application and data layers, with information designed to lure attackers into interacting with these deceptions.
Combining artificial intelligence and machine learning, Illusive analyzes and comes to understand your network, then automatically designs thousands of deceptions: small pieces of information tailored to look authentic in each environment. The approach works because the network fingerprinting performed early in the automated decoy-generation process makes the deceptions appear realistic and authentic.
The result is deceptions that accurately mimic real data elements such as credentials, files and file systems normally found in the customer environment.
Illusive focuses on showing malicious lateral movement in relation to “crown jewels.” By spreading deceptive data throughout the network, Illusive presents attackers with an artificially inflated range of lateral movement choices and poisons each path, forcing attackers to reveal themselves long before they can reach sensitive data and applications.
When attackers interact with a deception, they trigger an alert and generate event logs that provide a bevy of detailed evidence about that interaction, including where the attack originated, from what IP, which surfaces or object categories were touched, and what type of interaction took place. This forensic data is essential from an incident response perspective.
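As an added illustration (not Illusive’s code, and not a description of its implementation), the following Python sketches the detection logic the paragraph above describes: a constructed decoy-credential inventory is checked against constructed authentication events, and every use of a planted credential becomes an alert carrying the origin host, IP, object touched and interaction type. All hostnames, account names and event fields are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List
# Constructed decoy inventory: decoy username -> endpoint it was planted on. No legitimate
# process ever uses these, so any authentication attempt with one is a high-fidelity signal.
DECOY_CREDENTIALS: Dict[str, str] = {
    "svc_backup_adm": "WS-FIN-017",
    "sql_ro_legacy": "WS-HR-042",
}

# Constructed sample authentication events (fields loosely modelled on domain logon records).
SAMPLE_EVENTS: List[dict] = [
    {"user": "alice", "src_host": "WS-FIN-017", "src_ip": "10.1.4.17",
     "target": "FS01", "kind": "network_logon", "success": True},
    {"user": "svc_backup_adm", "src_host": "WS-FIN-017", "src_ip": "10.1.4.17",
     "target": "DC01", "kind": "kerberos_tgt_request", "success": False},
    {"user": "bob", "src_host": "WS-HR-042", "src_ip": "10.1.7.42",
     "target": "MAIL01", "kind": "network_logon", "success": True},
    {"user": "sql_ro_legacy", "src_host": "WS-OPS-003", "src_ip": "10.1.9.3",
     "target": "SQL02", "kind": "ntlm_auth", "success": False},
]

@dataclass
class DeceptionAlert:
    decoy_user: str        # which planted credential was touched
    planted_on: str        # endpoint the decoy was seeded on
    origin_host: str       # where the attempt came from
    origin_ip: str
    touched: str           # server or object the attempt was aimed at
    interaction: str       # kind of authentication attempted
    moved_laterally: bool  # attempt came from a host other than the planting endpoint

def detect_decoy_use(events: List[dict], decoys: Dict[str, str]) -> List[DeceptionAlert]:
    """One alert per decoy-credential use, with the forensic context a responder wants."""
    alerts: List[DeceptionAlert] = []
    for ev in events:
        planted_on = decoys.get(ev["user"])
        if planted_on is None:
            continue  # real account: no alert, which keeps the signal high fidelity
        alerts.append(DeceptionAlert(
            decoy_user=ev["user"],
            planted_on=planted_on,
            origin_host=ev["src_host"],
            origin_ip=ev["src_ip"],
            touched=ev["target"],
            interaction=ev["kind"],
            # Seen from another host: the decoy was harvested and replayed, so the path is visible.
            moved_laterally=ev["src_host"] != planted_on,
        ))
    return alerts
```

Real accounts never produce an alert, which is what gives decoy credentials their high fidelity; the `moved_laterally` flag shows which direction the attacker has already moved.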
We are impressed with two features that help organizations proactively harden their networks against lateral movement. Attack Surface Manager seeks out hidden artifacts that do not align with your system’s access policies (think saved passwords in browsers), which are too numerous for security agents to respond to and which tend to obscure malicious activity. By automating their detection and remediation, it frees analysts to prioritize incidents that require specialized handling.
Hand in hand with this approach is the branded Attacker View. This view is somewhat different from what we’re used to seeing from an EDR perspective; we can see fingerprints and how devices are all interrelated. The purpose, we are told, is to view an intrusion from the attacker’s perspective and visualize in which direction the attack is moving. However, we believe we found another, equally relevant use for this innovation.
Attacker View allows analysts to see concretely what normal behavior looks like when a workstation interacts with its server using these credentials and through mapping keys. The significance of this is that most end-user behavioral analytics tools observe system behaviors and do not draw attention to something as common as a machine interacting with a server. SIEMs won’t make this distinction either. But with Attacker View, agents become more familiar with normal behavior and are in a better position to assess when something unfamiliar is occurring.
Illusive rewards users with an attractive layout, one of the best we’ve looked at, and it scales consistently thanks to its use of virtualization/containerization technologies. Some customers run as few as 200 endpoints, while the upper limit reaches all the way up to 500,000. In fact, the high end is the much sweeter spot for taking advantage of high-fidelity alerts and finding attackers right after the point of intrusion: more endpoints allow for a larger deception net.