Reviewed by: Michael Diehl & Matthew Hreben
Price: $150,000 for three years
What we liked: A secure platform built on BSD; extends deception to the phone and email channels to create “decoy employees”; very smooth UI with a “dark” theme.
The team over at Smokescreen raises some interesting points. First, organizations have all sorts of monitoring at the network edge but little visibility inside the network (VLAN to VLAN). Attackers can get in and security teams are not able to see what they are doing; by Smokescreen’s figures, attackers typically maintain a presence on the network for close to 200 days. Second, security analysts focus on the tools hackers use, but it is altogether too easy for a hacker to swap those tools for new ones. Finally, false positives are a real burden: less than one percent of alerts in a SOC are actionable.
Smokescreen’s IllusionBlack is built with these issues in mind. The deception toolset runs on a BSD Unix base with a hardened hypervisor layered in to host the decoys. Using machine learning, IllusionBlack profiles your network and generates decoys that blend in with what it observes, or you can define the decoys you want yourself. We were impressed that decoy parameters can be configured in a small number of clicks.
What really sets this solution apart is its Mirage Maker technology, especially its ability to create in-depth decoys, including dynamic email and phone decoys. Creating decoy accounts that trigger when an attacker tries to use their credentials, or interacts with the phone and email channels for social engineering, strikes us as an important and effective response to real-world conditions. When an attacker is detected, IllusionBlack uses ThreatDeflect, a mechanism that redirects the attacker to a cloud environment and keeps them engaged yet contained, without their knowledge.
Smokescreen has invested significant effort in reducing the false positives generated by everyday end-user behavior. This is extremely useful, as the vast majority of SOC alerts are not true alerts. The underlying advantage of deception is that legitimate users have no business reason to touch a decoy account, host or mailbox, so any interaction with one is worth a look; by filtering the remaining noise, IllusionBlack lets SOC analysts take action rather than investigate it.
The visual presentation is another area where the developers have innovated with small but meaningful details. IllusionBlack assigns each detected attacker a distinctive icon so that the SOC analyst can look for a red alien or a robot face rather than remembering and re-reading IP addresses to follow what the attacker is doing. Likewise, ThreatParse is IllusionBlack’s approach to translating attack data: the utility takes raw attack data and renders it in plain English for quicker attack analysis.
We believe it is significant how Smokescreen has evolved its professional services. The team originally targeted a different market segment and has gradually shifted its focus from military deception to mid-market IT infrastructure. It is an example of a security vendor that offers a wide range of professional services, from incident response to the development of runbooks and playbooks to managing your entire deception network. Smokescreen also has an extensive library of deception techniques covering pre-attack footprinting, spear-phishing, web application attacks, social engineering, data theft, Active Directory attacks and more. Threat intelligence can be exported as STIX, JSON and CSV so that external tools can ingest Smokescreen’s intel.
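To make the two mechanisms above concrete (decoy accounts that fire on any use, and exporting the resulting intel as STIX for other tools), here is an added illustration. It is not IllusionBlack’s code or any Smokescreen format: the decoy inventory, the key=value log layout and the log lines are all constructed for the example, and the STIX 2.1 Indicator objects are built by hand rather than with a STIX library. The point it shows is why decoy alerts are high-fidelity: a failed logon with a decoy account is as much a signal as a successful one, because no legitimate user should hold those credentials.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Hypothetical decoy inventory. In a real deployment this would come from the
# deception platform; these names are constructed for the example.
DECOY_ACCOUNTS = {"svc_backup_admin", "j.reyes.finance"}
DECOY_HOSTS = {"fileshare-legacy"}

# Constructed sample authentication log in a made-up key=value format.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z user=alice src=10.0.4.15 dst=fileserver01 result=success
2024-03-01T10:05:43Z user=svc_backup_admin src=10.0.9.77 dst=fileserver01 result=failure
2024-03-01T10:05:44Z user=svc_backup_admin src=10.0.9.77 dst=fileshare-legacy result=success
2024-03-01T10:06:02Z user=bob src=10.0.4.16 dst=fileshare-legacy result=success
2024-03-01T10:07:30Z user=alice src=10.0.4.15 dst=fileserver01 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(log_text):
    """Return an alert for every event that touches a decoy account or host.

    Decoys have no legitimate users, so the result field is ignored: the
    attempt itself is the signal. That is what makes this rule far quieter
    than a generic failed-logon threshold.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] in DECOY_ACCOUNTS:
            reasons.append("decoy-account-used")
        if ev["dst"] in DECOY_HOSTS:
            reasons.append("decoy-host-contacted")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


def attacker_sources(alerts):
    """Distinct source addresses seen interacting with decoys, sorted."""
    return sorted({a["src"] for a in alerts})


def _stix_ts(dt):
    # STIX 2.1 timestamps are UTC with a trailing Z.
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def to_stix_bundle(alerts, now=None):
    """Wrap each attacker source in a STIX 2.1 Indicator inside a Bundle."""
    ts = _stix_ts(now or datetime.now(timezone.utc))
    objects = []
    for ip in attacker_sources(alerts):
        hits = [a for a in alerts if a["src"] == ip]
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts,
            "modified": ts,
            "name": f"Decoy interaction from {ip}",
            "description": "; ".join(
                f"{h['ts']} {h['user']}->{h['dst']} ({','.join(h['reasons'])})"
                for h in hits
            ),
            "indicator_types": ["malicious-activity"],
            "pattern": f"[ipv4-addr:value = '{ip}']",
            "pattern_type": "stix",
            "valid_from": ts,
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    print(json.dumps(to_stix_bundle(found), indent=2))
```

Run against the sample, the rule fires three times (two for the decoy account, one for bob touching the decoy share) and the bundle carries one Indicator per source address. Note that bob’s event is still raised: a real user reaching a decoy host usually means a compromised workstation or a misconfiguration, and either deserves the analyst’s attention, which is the practical meaning of a low false-positive rate here.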