Intellectual property can be as valuable as gold for some companies, and state-of-the-art cybersecurity can be as valuable as a precious metal for them.
As a result, Altera Corp., a California-based maker of programmable logic chips used in a wide range of electronic devices, has turned to an old idea – a honeypot to lure online attackers – with a new spin.
Altera — just bought by Intel Corp. — is understandably highly protective of its designs and processes. “My group is constantly looking for new (security) technology,” CSO Mukul Kumar explained in an interview. “We keep updating very frequently and we are constantly improving.”
So when they saw a presentation from startup Attivo Networks of its threat detection solution that deploys honeypot-like deception lures across multiple networks, they were caught. “We liked the concept and thought it would a good addition to our toolkit,” said Kumar.
Now, after deploying the Attivo Deception Platform at Altera’s four biggest offices (including Toronto, where it has a large software development office) Kumar believes the investment was worthwhile. “It gives us more visibility before things can go wrong.”
Attivo is one of a number of solutions from suppliers that use deception as a key weapon to protect networks including Allure Security Technology, CyberTrap, Cymmetria, ForeScout, GuardiCore, Hexis Cyber Solutions, Illusive Networks, LogRhythm, Percipient Networks, Rapid7, Shape Security, Specter, TrapX Security and TopSpin Security.
Gartner analyst Lawrence Pingree calls the new solutions distributed deception technologies because they span multiple layers within the stack, including endpoint, network, application and data.
Ideally, he wrote in a report last year, they can be used across the entire kill chain to lie, misdirect, divert, disrupt and delay an attack. Attackers look around a network they’ve breached for vulnerabilities, he said in an interview. “But if you can deceive them and create deceptive elements that you as an enterprise can control, you can raise detection.”
Honeypots for defence and intelligence gathering aren’t new in IT security. They date back at least 15 years and are aimed at deflecting attackers into a container instead of the real network. There were some commercial honeypots, but today many are based on open source solutions and include Snort, Dionaea, Conpot, Shiva, Nepenthes, The Honeynet Project, and ThreatStream’s Modern Honey Network (MHN) management software.
The problem with standard honeypots, say critics, is they are hard to manage and difficult to scale.
Companies like Attivo and others can not only place lures on the endpoint — perhaps including a fake URL in a browser cookie that when clicked on triggers a silent alarm — some also place decoy hosts with fake data adjacent to real hosts to deceive attackers searching laterally through the network. Some use live operating systems on these decoy hosts, other use emulators. One injects deceptive content and URLs into a Web page to entice the attacker.
Many run on virtual networks. Some are sold as hardware/software appliances, while others allow customers to supply their own servers. Usually they integrate with SIEMs.
But they aren’t inexpensive, with costs starting at US$25,000, plus an annual subscription.
“It’s early days for this market,” says Pingree, “but we do advise our clients to leverage these capabilities if they feel their programs are mature enough and they have to resources to dedicate to it.”
The resources will likely be people to do in depth analysis of the software’s reports and do to customization. But four providers we talked to said even small IT staffs can handle the alerts their solutions give.
Launched last fall, TopSpin Security’s DecoyNet is sold as a Dell hardware appliance or virtual version for VMware for protecting endpoints and applications. Its honeypot runs on multiple VLANs or subnets within the enterprise, and also looks for suspicious behaviour in network protocols. Events are correlated to reduce the number of reported incidents.
“At the end of the day you get a more unified detection system that looks at different angles of the attack and is able to identify the attacker activity inside and outside the org before damage is caused,” CEO Doron Kolton said in an interview.
Price is based on the number of protected assets plus bandwidth used, and starts at US$35,000. There is also enterprise pricing.
TrapX’s DeceptionGrid is installed on go on a VLAN, and after scanning creates a mirror network that emulates all devices (PC, servers, IoT devices), including creating similar file structures, and, if the customer wants fake data. It issues alerts only when they are touched; if malware or other tools are injected, the software does static or dynamic analysis including where the attack might have come from.
“Because its not an endpoint agent and its not a perimeter-based security technology it’s rather easy to deploy, so it plays very well downmarket (small companies),” CEO Gregory Enriquez said.
Attivo’s platform has three separately sold components: Endpoint Deception (software for each endpoint); an Engagement Server with the honeypot (an appliance that sits on the trunk port of a switch or a virtual server for VMware and AWS. US$30,000 and up); and a Central Manager (not required; an appliance for running multiple devices in multiple environments).
Carolyn Crandall, Attivo’s chief marketing officer, said the company we use real and not emulated operating systems, which, it argues, can be detected by attackers.
That means, she says, customers can upload gold images of their servers onto the deception device so they look identical to the production environment.
Last week the company announced it has upgraded the platform to detect reconnaissance, stolen credentials, phishing, and ransomware.
GuardiCore’s Data Security Suite focuses on protecting the data centre from attacks, says vice-president of marketing David Burton.
The solution adds a distributed component to hypervisors and servers to monitor east-west traffic, looking for blocked or uncompleted connections that could indicate a breach.
“We keep the connection alive and then we re-route it to our deception technology, where we give opportunities to progress forward so we can quickly evaluate in real time whether this is a real attack or not.” If it is everything in the session is captured including uploaded tools and how access was gained etc.
“One of things that makes our deception technology different is we use real machines, real IP addresses, real services, so it’s designed for high interaction.”
The attack is “fingerprinted,” which can then be used in a scan to see if other servers have been compromised. The suite also has visibility into what applications and processes talk to each other for suspicious behavior.
Deception techniques aren’t foolproof, says Gartner’s Pingree. To be effective they have to be convincing. They may also require skilled infosec staff for interpreting reports. Still, he believes they improve detection at a time when many organizations are still focusing on prevention at the network edge.
The greatest potential for leveraging deception, he adds, is for security vendors to link it to other threat detection solutions to improve attack disruption.