Reviewed by: Michael Diehl & Matthew Hreben
We return this year to TrapX Security’s DeceptionGrid, a deception network solution that uses emulated traps to analyze traffic and respond to an intrusion. No agents are needed as this approach does not require any presence on the devices it is protecting. Much like other players in this space, DeceptionGrid can be installed in all virtualized and cloud environments including Hyper-V, VMware, AWS and Azure.
The Event Analyzer displays information as an event unfolds, such as an attack occurring in real time. From here you can see the attacker's hostname and IP, the trap that sent the alert, the time it occurred, and more. Analysts can click on an event to drill down into further detail: additional information on the attacker, the attack vector, and the number of connections made and logins attempted.
From a setup perspective, DeceptionGrid can handle an enterprise of any size, using automation to deploy rapidly across a network, in most cases within a few hours. Organizations that rely on managed security service providers can deploy through their vendors without obstacle. What analysts need to consider is how to allocate tokens and traps across the network's topology. Tokens are lures or breadcrumbs that entice attackers and divert their attention; traps are the decoys that trigger alert events. A single virtual instance can host more than 500 traps, but spreading one instance that thinly is unlikely in practice. A more realistic picture is a network with 200 VLANs, which would need multiple virtual instances to keep a good ratio of assets to traps.
Equally important during the setup stage is determining what kinds of traps to set. There is some limitation here, since the options are standard, preconfigured .ova templates. TrapX has told us that it is working on a utility that will allow users to "build your own trap" for specific network requirements.
Trap diversity is expanding, as DeceptionGrid's latest release, version 6.1, recognizes. With Internet of Things devices occupying a larger share of the network footprint, it is timely to include IoT decoys alongside the established types. The emulated IoT traps include print/copy servers, smart lighting and security cameras, all of which sit at the forefront of the new attack vectors adversaries are exploring.
Along with new trap types, we are intrigued to see how TrapX further develops its branded Attacker ID feature. This intelligence tool analyzes intrusion behavior to determine whether a human attacker or automated attack tools are directing the incident. The significance is apparent: once automated tools are identified we know what to expect from them, but humans require more attention. Either way, SOC personnel get a clearer view and deeper understanding of what is taking place and of the requisite response. Alongside Attacker ID's benefits to analysts, TrapX boasts alerts that are more than 99 percent accurate and immediately actionable, cutting into the alert-fatigue phenomenon.
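As an added illustration (not TrapX code, and not how Attacker ID actually works, which the review does not describe), the toy classifier below takes the kind of fields the Event Analyzer exposes (time, attacker host and IP, trap name, connection and login counts), groups them by source, and applies two assumed heuristics: how regular the gaps between trap hits are, and how many distinct traps a source touches per minute. A fixed cadence plus a broad sweep is scored as automated; everything else is scored as a human session. The sample events, field names, thresholds and the rule itself are all assumptions made for this example.

```python
"""Toy human-vs-automated classifier over deception trap events.

Added example, not TrapX DeceptionGrid code. The heuristics and thresholds
are assumptions about what 'intrusion behaviour' might look like; they are
not the Attacker ID logic, which this review does not describe.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2019, 3, 4, 9, 0, 0)  # arbitrary start time for the sample


def _ev(offset, src_ip, host, trap, connections, login_attempts):
    """Build one constructed event shaped after the Event Analyzer fields."""
    return {"time": T0 + offset, "src_ip": src_ip, "host": host, "trap": trap,
            "connections": connections, "login_attempts": login_attempts}


# Constructed sample, not real telemetry.
SAMPLE_EVENTS = [
    # 10.0.5.23 sweeps ten SMB decoys on ten VLANs at an exact 2-second
    # cadence, one login attempt per connection: scanner-like.
    _ev(timedelta(seconds=2 * i), "10.0.5.23", "wkstn-23",
        f"trap-vlan{100 + i}-smb", 1, 1)
    for i in range(10)
] + [
    # 10.0.7.9 hits two decoys over twenty minutes with irregular gaps and
    # repeated logins against the same SSH trap: session-like.
    _ev(timedelta(minutes=1, seconds=12), "10.0.7.9", "wkstn-9", "trap-vlan120-ssh", 3, 7),
    _ev(timedelta(minutes=3, seconds=5), "10.0.7.9", "wkstn-9", "trap-vlan120-ssh", 2, 5),
    _ev(timedelta(minutes=21, seconds=3), "10.0.7.9", "wkstn-9", "trap-vlan121-rdp", 1, 2),
]

# Assumed thresholds for illustration, not tuned values.
MAX_AUTOMATED_GAP_CV = 0.25        # coefficient of variation of inter-hit gaps
MIN_AUTOMATED_TRAPS_PER_MIN = 5.0  # distinct decoys touched per minute


def source_features(events):
    """Summarise one source's trap hits into timing and volume features."""
    events = sorted(events, key=lambda e: e["time"])
    gaps = [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(events, events[1:])]
    # Clamp the span to one second so a single hit cannot divide by zero.
    span = max((events[-1]["time"] - events[0]["time"]).total_seconds(), 1.0)
    mean_gap = mean(gaps) if gaps else 0.0
    gap_cv = pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    distinct_traps = len({e["trap"] for e in events})
    connections = sum(e["connections"] for e in events)
    logins = sum(e["login_attempts"] for e in events)
    return {
        "events": len(events),
        "distinct_traps": distinct_traps,
        "traps_per_min": distinct_traps * 60.0 / span,
        "gap_cv": gap_cv,
        "logins_per_conn": logins / connections if connections else 0.0,
    }


def classify_source(events):
    """Return (label, features); label is 'automated', 'human' or 'unknown'."""
    f = source_features(events)
    if f["events"] < 3:
        # Two gaps are the minimum for any spread estimate at all.
        return "unknown", f
    if (f["gap_cv"] < MAX_AUTOMATED_GAP_CV
            and f["traps_per_min"] >= MIN_AUTOMATED_TRAPS_PER_MIN):
        return "automated", f
    return "human", f


def classify_all(events):
    """Group events by attacker IP and label each source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    return {ip: classify_source(evs)[0] for ip, evs in by_src.items()}


if __name__ == "__main__":
    by_src = defaultdict(list)
    for e in SAMPLE_EVENTS:
        by_src[e["src_ip"]].append(e)
    for ip, evs in by_src.items():
        label, f = classify_source(evs)
        print(f"{ip} ({evs[0]['host']}): {label}  "
              f"traps={f['distinct_traps']} rate={f['traps_per_min']:.1f}/min "
              f"gap_cv={f['gap_cv']:.2f} logins/conn={f['logins_per_conn']:.2f}")
```

The point of the toy is the caveat as much as the call: a scanner that jitters its timing, or crawls one decoy every few minutes, slips under the cadence and rate tests, and a human who scripts a quick sweep trips them. That is why a classifier of this kind needs behavioral signals beyond timing, and why a "human" verdict should route to an analyst rather than being treated as a closed case.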
Pricing for DeceptionGrid varies by network size and use mode: the more that is bought, the lower the cost per subnet. Licensing is an annual subscription; there is no perpetual license.