Deception Matters: Slowing Down the Adversary

SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Deception Matters: Slowing Down the Adversary with
illusive networks®
Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost
the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber
rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In
this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection
capabilities to show cyber deception in action.
Copyright SANS Institute
Author Retains Full Rights
A SANS Product Review
Written by Eric Cole, PhD
May 2017
Sponsored by
illusive networks®
©2017 SANS™ Institute
Introduction
Based on the number of system breaches, the frequency of compromises and the amount
of damage being caused, it’s clear adversaries have the advantage over organizations
today. It is also evident that what organizations are doing to prevent breaches is not
working, and that the amount of money being spent on security has little to no impact
on slowing down attackers. One reason they have an advantage is they can easily create
an accurate map of their targets and use it to traverse through sensitive systems, all while
hiding under routine procedures and familiar traffic patterns. In addition, most defensive
approaches are passive, meaning they wait for the adversary to make the first move.
To go on the offensive, organizations need to use the same stealth and deception their
adversaries do. Instead of making it easy to find rich targets, what if attackers were
provided a very realistic but false view of reality, starting with an incorrect road map of
the network, applications and vulnerabilities? What if there were traps and pitfalls on
every network and every system along that road map? This is the heart of deception:
Provide the adversary a false sense of reality and take back the advantage.
TAKEAWAY:
Deception is a game changer. The fundamental benefit of deception technology is that
it creates an illusion of reality in which the adversary cannot differentiate between the two.
In this paper, instead of just extolling the benefits and advantages of deception, we
explore how to put deception into action with a hands-on review of illusive networks’
deception technology. Using simulated scenarios, we detail how deception works in the
real world to give defenders the advantage.
In testing this product, we knew deception had been deployed and we actively looked
for it. Instead, illusive networks’ technology found us (posing as malicious actors) first
and monitored our every move. No matter what adversaries do or try to do, they will
inadvertently access and trigger an illusive deception and be monitored from the
moment they begin their attack.
SANS ANALYST PROGRAM
Benefits of Using Deception
If you think you have not been attacked in the past year, you are fooling yourself. Attacks
are happening, as multiple SANS surveys point out,1 but you just aren’t looking in the
right place. This is why organizations can be compromised for two to three years without
detection—adversaries are stealthy, targeted, data-focused and programmed to sneak
past most of the current security technology deployed today.
Deception offers a twofold advantage:
• It provides so many additional targets that it greatly slows down adversaries,
making it harder for them to compromise critical resources.
• It not only gives the defense more time to respond but allows for detailed
monitoring of adversaries to see exactly what they are doing, how they are doing it
and how to stop them.
These two advantages lead to the ultimate goals of security: detecting threats in a timely
manner and minimizing the damage.
TAKEAWAY:
With the threat vectors that exist today, organizations need to recognize that they are
going to be compromised and be prepared to quickly detect threats and prevent damage.
Anatomy of a Typical Attack
Although attacks come in many variations and styles, the majority of them start through
endpoints—particularly user endpoints—and then spread laterally through systems,
looking to exploit richer and richer targets. Attackers also routinely attempt remote
attacks directly against discovered devices such as DNS servers, web servers and other
critical systems. They then steal data and credentials from the devices directly and also
use them as launch points to spread laterally inside the network.
Phishing and email-based social engineering are the top means by which attacks
penetrate organizations, according to the SANS 2017 Threat Landscape Survey.2 In the
survey, 75 percent of respondents identified their most impactful threats as initially
entering through an email attachment, while 46 percent also witnessed attacks that
started with users clicking email links.
To compromise the user’s system, the adversary must get the user’s password or exploit
a vulnerability or exposure, such as a lack of error checking, an outdated service or
an application vulnerability. After the system is compromised, the adversary usually
performs further lateral movement, targeting other critical assets similarly across the
network to map the network and locate the richest targets, such as Microsoft Exchange
or database servers.
1 “Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey,”
www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047
2 “Exploits at the Endpoint: SANS 2016 Threat Landscape Survey,”
www.sans.org/reading-room/whitepapers/firewalls/exploits-endpoint-2016-threat-landscape-survey-37157
Beating Them at Their Game
Deception systems anticipate these movements and follow, log and interrupt them
by turning real endpoints and servers on the network into deception machines when
an attacker, attempting any of the aforementioned actions or others, trips the alarm.
Meanwhile, the attacker cannot see the real machine, and all of the attacker’s activity is
monitored in real time.
For example, the bait might expose connection history, credential data, and adjacent
systems and services within the data on the machine the attacker has reached.
When attackers try to validate the data or connect using the bait, detection turns on,
and more and more deceptions—100 times more machines and accounts than actually
present, for example—cause the attackers to waste cycles while never knowing they’ve
been had.
The deployed deception comprehensively and strategically integrated with our review
environment (a virtual host and server architecture), greatly increasing the attack surface
for the attacker to fumble around in, as diagramed in Figure 1.
Whatever adversaries try, they will unwittingly access a deception—and be monitored
from the moment an attack begins.
Figure 1. Deceptive Attack Surface from the Attacker’s Perspective
At any time, security personnel monitoring the actions can lock out the attacker; some
can be handled automatically through policy, while activities are logged and saved for
future detection and response.
The illusive Deceptions Everywhere® Solution
Today, deception techniques are quite different than honey pots of the past, in that
deceptions are now more widely distributed, much more interactive with the attacker’s
actions, and more difficult for attackers to detect. With illusive’s Deceptions Everywhere
solution, deception is fully integrated across the entire network at multiple levels, with
deception so realistic that it fooled us and is almost impossible to bypass.
Intelligent Policy
Deceptions Everywhere is an intuitive, easy-to-use management solution that allows
deception techniques to be deployed in a scalable manner with minimal overhead.
With a few point-and-clicks, we were able to deploy and configure deceptions across
the simulated test environment. The solution also learns about and understands the
environment, and then autonomously creates and deploys deception techniques that fit
within the environment and are adaptive and updatable.
It then automatically deploys deceptive policy on each endpoint and server on the
network, leveraging artificial intelligence (AI) to determine if a certain type of deception
is appropriate or not on a per-endpoint basis.
The result is a deception deployment that is customized to every endpoint and server
on the network to look even more realistic to the attacker. The environment is then
monitored for any changes, new deception suggestions are automatically generated,
and with just one click, the new deceptions are applied to the policy. See Figure 2.
TAKEAWAY:
While the power of deception has always been recognized, the problem with wide-scale
deployment stems from three main areas: scalability, manageability and believability.
With illusive networks’ solution, these challenges have been solved.
Figure 2. User Names Generated for Deception Servers
Architecture
The Deception Management System™ (DMS) is responsible for deploying realistic
deceptions across the network that adapt to the current environment, and the illusive
Trap Server is the server attackers are sent to once alarms are triggered. Because the
solution is agentless, it requires no modification to existing systems or installation of
software for the trap servers to operate.
When we (acting as our mock attacker) attempted to use and access a server by trying to
log in and access a share, we were sent to the Trap Server. From there, our mock attacker
looked at connection history from the registry by dumping the browser database or
employing search techniques on disk while using commands built into the operating
system. All this activity, which is not usually detected by other security tools, triggered
more deceptions and so on. See Figure 3.
In setting up the environment, it was obvious that Deceptions Everywhere is not a tool
but rather a solution. In using the product, it was evident that it is a preconfigured
plug-and-play solution. Network discovery is automatic, network analysis is built in,
and it all deploys via a single mouse click.
Figure 3. Attacker in Action: illusive networks Adapting to the Adversary
The general environment we tested was a virtual machine environment that simulated
a real-world environment. Also, we ran through several real-world case studies and
capture-the-flag exercises to verify and validate the authenticity of illusive networks’
approach to deception.
Review and Use Case Scenarios for Deceptions Everywhere
The two areas that cause the biggest issues for CIOs are agent solutions and in-line
devices. The illusive networks agentless solution is not in-line and requires no changes to
an existing infrastructure.
Key Components of Deception
In testing the DMS, we took a four-part approach to deploying deception within our
mock environment:
1. Analysis. For deception to be effective, it must be realistic and comprehensive,
and cover all key areas of a network. If a deception technique is deployed on
only the DMS or open ports that are not being used by the organization, it is not
believable and therefore not effective. When we worked with the solution, the
product adapted to and understood the environment with minimal interaction.
2. Deployment. Deceptions are non-impactful on legitimate users and network
and system operations, but impactful on the adversary. To slow down the
adversary (us), illusive forced us to access multiple deception techniques.
3. Monitoring. From initial compromise to setting up a pivot point to lateral
movement, all malicious activities were automatically monitored so proper
action could be taken to control the overall damage. The illusive interface was
easy to use and allowed us to quickly see the before-and-after analysis of what
was deployed.
4. Adaption. IT environments are always changing and adversaries are constantly
learning, so deception must constantly be changing and adapting. As new
servers are added to an environment, old servers are removed and the network
is redesigned. As we made changes to the environment and deployed new
legitimate systems in our review, the solution automatically adapted and
changed the deception policy that was deployed.
TAKEAWAY:
If attackers can avoid and bypass deceptions, such measures offer little value to
the organization because they don’t slow down or catch the adversary.
Policy Management
The key to this solution is the policy deployment and management, which began with
the DMS deployment, as stated earlier.
First, it used artificial intelligence and various machine learning techniques to
understand the environment, and automatically deployed deception techniques that
mirrored and aligned with our review network infrastructure. See Figure 4.
Figure 4. Overview of Deception Techniques Deployed in the Test Environment
Then, it automatically monitored and adjusted the deception techniques for each device
and server so we could focus on monitoring and tracking the adversary, as shown in
Figure 5, and not on installing and maintaining deception patterns.
Figure 5. Deceptions Everywhere’s Adaptive Techniques, Tailored to Our Review Environment
The screenshot in Figure 5 shows the deception that was deployed and the activity of
the adversary.
Machine Learning
DMS uses machine learning to engage each server or workstation and learn the unique
activities of each system on the network. This information was used to generate
deceptive policy reflecting the unique characteristics of the review environment.
While the solution allows an organization to tune and adjust, it can also be implemented
automatically with minimal administrator oversight. Initially we asked illusive’s interface
to make all of the decisions, and it effectively deployed realistic deception measures
across our mock environment.
For example, in our review, illusive’s DMS learned the conventions and standards of
the virtual business and generated unique system names and usernames (targets for
attackers) for use with deceptive services and credentials, as shown in Figure 6.
Figure 6. Deceptive Server Names that Were Automatically Created
We could choose to be involved in setup and customization as much or as little as
we wanted. This indicated advancements in maturity of deception technologies
and their uses. The policy was then intelligently deployed and managed across the
environments so that every endpoint and server had deceptive data that was unique
and indistinguishable from the organic data on each machine (so it could not be
guessed or detected).
Attacker View
To get a better view of the environment through the eyes of the adversary, illusive
networks created Attacker View™. The following gives an overview of the “virtual”
environment that is created by the DMS for attackers to fall into (see Figures 7 and 8).
Figure 7. Pre-deception Attacker View
Figure 8. Post-deception Attacker View
When we switched from our view to the Attacker View, we could see the fake network
from an attacker’s perspective, and the relationships between systems and resources the
attacker would map to. In security, one of the rules of success is offense must inform the
defense. We saw the attack vectors, represented by the blue circles, which stand for the
various deception techniques: extraneous servers, fake credentials and deception
shares. The Attacker View shows the deceptive entities deployed in the environment that
the attacker will try to take advantage of.
By combining any mix of deceptive connection information with real or deceptive
credential data, the attacker (us) is attempting to target real servers, but instead we are
covertly sent to the deception that is deployed without our knowing it. Figure 9 shows
the fake vectors used to attract our attacker.
Figure 9. Attacker View Revealing Attack Vectors
Attacker View allowed us to understand the real attack vectors by focusing on the risks
that actually matter to our environment.
In Figure 10, Attacker View showed us the threat intelligence to make the right decisions
around our attacker’s changing tactics.
Figure 10. Attacker View Displaying Deceptions While Tracking an Attack
The illusive solution acted automatically, adapting with artificial intelligence to changes
we added to the environment.
Attacker View also allowed us to make on-the-fly changes to the environment and see
the impact it had on the adversary in real time.
User View
In User View, we also explored how Administrative, Domain and Local User credentials
naturally interact with the real environment. This impact analysis enabled us, acting as
administrators rather than as attackers, to understand where concentrations of activity
take place and how credentials are used in order to determine how deceptive and
traditional security controls can be applied to the organization. See Figure 11.
Figure 11. User View Showing Administrator Privilege Abuse
Attack Scenarios
We started with Deceptions Everywhere turned off for our initial testing, and began
exploiting the review environment and moving laterally across systems without being
stopped. Within a short period, we were able to compromise several systems; had it
been a real attack, we could have caused damage—for example, captured additional
administrative credentials, accessed critical systems or exfiltrated sensitive data.
We then performed similar exploitations and movements with illusive turned on and
were easily detected by the system. As the attackers, however, we were unable to
detect illusive—we became completely lost in the deceptive data without being able to
differentiate between what was real and what was deceptive.
Deceptions Reviewed
While there are many variations, the three main deception methods utilized for this
review were:
• Share deceptions. Attackers look for shares as an easy way into a system and
sensitive information. Additional legitimate-looking shares were created by illusive
to slow down our adversary (us), but also provided valuable insight into what the
adversary was doing and attack methods.
• Credential deceptions. In this part of the review, we launched an elevation-of-privileges attack, to elevate access from a normal user to a privileged account
such as root or admin. When attempting to do this in deceptive accounts, we felt
frustration from the perspective of the attacker because it kept sending us down
rabbit holes to research further. For the deception administrator it provided an
early warning system to show what the adversary (us) was doing.
• File deceptions. We wanted to access critical data, which is in files. With deception
deployed, this became almost an impossible task because it was difficult to
distinguish between legitimate data and fake data, leading us to spend significant
time harvesting fake information of little to no value.
Lost in the Deception
With deceptions now deployed, it was time to repeat our exploitation of the
environment using the fundamental steps to gain access. Along the way, we were met
with various deceptions, as described in Table 1:
Table 1. Malicious Actions and Deceptions
Malicious Actions Taken | Deceptions Deployed
Reconnaissance | All deceptions
Scanning | Share deceptions
Exploitation |
• Pivot points | Credential deceptions
• Internal reconnaissance | Share deceptions
• Internal scanning | File deceptions
• Data exploitation | File deceptions
Creating back doors | All deceptions
Covering our tracks | All deceptions
Being a little skeptical, we were overly confident launching our attacks in the new
environment. Convinced we had identified a path to bypass the deception, we spent
time continuing our attack on what we thought were the legitimate systems. However,
when we switched and checked the Attacker View, we were embarrassed: Not only was
our analysis wrong, but we were caught red-handed by the illusive system. See Figures
12 and 13 to view illusive detecting our port scanning activities.
Even though we knew the system was deployed and knew how the system worked, this
advantage proved no match for illusive networks.
Figure 12. Illusive User View Detecting Our Port Scan
Figure 13. Illusive Forensic Analysis of Port Scan Attempt
Tracking and Metrics
A common shortcoming of many security solutions is that they promise great things but
lack a way to track overall effectiveness. A valuable component of illusive’s solution is
provision of a variety of metrics to track the benefit of the deployed deceptive measures.
See Figure 14.
Taking deception to the next level of maturity, metrics enable large-scale management of
deception measures. The metrics revealed weaknesses and needed improvements,
and informed us where to tune the deception measures to maximize the benefit of the
illusive solution.
Figure 14. Overall Dashboard Showing the Metrics for the Deception
The illusive DMS platform revealed that our ability to detect an advanced attacker
improved over time during our review. Attack surface information from the perspective
of the adversary—such as number of lateral movement targets per endpoint or number
of lateral movements to reach domain admin credential—was also provided.
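The two attack-surface metrics named above, computed on a small constructed graph. This is an added example, not code from the paper or from illusive networks; the host names, the REACH map and DA_CRED_HOSTS are assumptions made for illustration.

```python
"""Attack-surface metrics on a constructed credential-reachability graph."""
from collections import deque

# Constructed data: host -> hosts reachable with credentials or saved
# connections found on it. All names are hypothetical.
REACH = {
    "ws-114": ["ws-201", "files-01"],
    "ws-201": ["app-02"],
    "ws-330": ["files-01"],
    "files-01": ["app-02", "db-01"],
    "app-02": ["dc-01"],
    "db-01": [],
    "dc-01": [],
    "kiosk-9": [],
}
# Hosts where a domain admin credential can be harvested (assumed to be
# known from an audit of the environment).
DA_CRED_HOSTS = {"app-02"}


def lateral_targets(reach):
    """Number of distinct direct lateral movement targets per host."""
    return {host: len(set(targets)) for host, targets in reach.items()}


def hops_to_da(reach, da_hosts):
    """Fewest lateral movements from each host to a domain admin credential.

    Runs one multi-source breadth-first search over the reversed graph,
    starting from every host that holds the credential. Hosts with no
    path to such a host map to None.
    """
    reverse = {host: [] for host in reach}
    for src, targets in reach.items():
        for dst in targets:
            reverse.setdefault(dst, []).append(src)

    dist = {host: 0 for host in da_hosts}
    queue = deque(da_hosts)
    while queue:
        cur = queue.popleft()
        for prev in reverse.get(cur, []):
            if prev not in dist:
                dist[prev] = dist[cur] + 1
                queue.append(prev)
    return {host: dist.get(host) for host in reach}


def exposure_report(reach, da_hosts):
    """Rows of (host, direct targets, hops to DA), most exposed first."""
    targets = lateral_targets(reach)
    hops = hops_to_da(reach, da_hosts)
    rows = [(host, targets[host], hops[host]) for host in reach]
    # Hosts with no path (None) sort last; ties break on host name.
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or 0, r[0]))


if __name__ == "__main__":
    for host, n_targets, n_hops in exposure_report(REACH, DA_CRED_HOSTS):
        print(f"{host:10} targets={n_targets} hops_to_da={n_hops}")
```

Hosts at the top of the report are the ones closest to a domain admin credential, which makes them the first candidates for extra deceptions or credential cleanup.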
Conclusion: Future of Deception
With many persistent, targeted attacks, prevention is in many cases postponing the
inevitable, because the adversary will eventually get in. Therefore, security is going to be
all about timely detection and damage control.
Setting up a virtual world of confusion clearly slows down attackers and makes
their job more difficult, but it is often forgotten that deceptions serve no legitimate
purpose, meaning no one should be connecting to these deceptions. If that occurs, the
probability of an adversary touching at least one of the deceptive measures is very high,
which allows for early detection capability.
TAKEAWAY:
While deception was originally about slowing down the adversary, in the future it will
move toward functioning as an early detection tool.
The illusive solution provides a comprehensive way to deploy deception across an
environment with minimal to no human interaction. The deception is highly effective
and covert, making it virtually undetectable when deployed within an existing
environment. Even the most skilled adversary would access a deception technique,
allowing for early detection of an attack.
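Because nothing legitimate should ever touch a decoy, detection can be a plain membership test with no thresholds or baselines. The code below is an added example, not illusive networks' implementation; the decoy inventory, the log format and every name in it are constructed for illustration.

```python
"""Any touch of a decoy is an alert: constructed data, hypothetical names."""
from collections import defaultdict
from datetime import datetime

# Hypothetical decoy inventory (stored lower-cased); in practice it comes
# from whatever system planted the decoys.
DECOYS = {
    "account": {"svc_sqlbackup", "adm_jlopez"},
    "host": {"fin-db-07", "hr-fs-03"},
    "share": {r"\\hr-fs-03\payroll$"},
}

# Constructed events in a made-up key=value format (no product's schema).
SAMPLE_EVENTS = r"""
2017-05-02T09:14:03 src=ws-114 action=logon account=CORP\mreed host=mail-01
2017-05-02T09:41:27 src=ws-114 action=logon account=CORP\SVC_SQLBackup host=fin-db-07
2017-05-02T09:42:10 src=ws-114 action=share_open account=CORP\mreed share=\\HR-FS-03\Payroll$
2017-05-02T09:50:55 src=ws-201 action=logon account=adm_jlopez@corp.example host=dc-01
2017-05-02T10:02:31 src=ws-330 action=share_open account=CORP\tkim share=\\files-01\public
"""


def normalize(kind, value):
    """Fold case and strip domain decoration so name variants still match."""
    v = value.strip().lower()
    if kind == "account":
        if "\\" in v:            # DOMAIN\user
            v = v.split("\\", 1)[1]
        elif "@" in v:           # user@domain
            v = v.split("@", 1)[0]
    elif kind == "host":
        v = v.split(".", 1)[0]   # drop any DNS suffix
    return v


def parse_event(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def decoy_hits(event):
    """Return (kind, name) for every decoy the event references."""
    hits = []
    for kind, names in DECOYS.items():
        if kind in event:
            name = normalize(kind, event[kind])
            if name in names:
                hits.append((kind, name))
    return hits


def detect(log_text):
    """Map each source that touched a decoy to its first touch and decoys."""
    by_src = defaultdict(lambda: {"first_touch": None, "decoys": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        hits = decoy_hits(event)
        if not hits:
            continue  # traffic to real assets is not this detector's job
        rec = by_src[event["src"]]
        if rec["first_touch"] is None or event["ts"] < rec["first_touch"]:
            rec["first_touch"] = event["ts"]
        rec["decoys"].update(hits)
    return {
        src: {"first_touch": r["first_touch"], "decoys": sorted(r["decoys"])}
        for src, r in by_src.items()
    }


if __name__ == "__main__":
    for src, info in detect(SAMPLE_EVENTS).items():
        print(src, info["first_touch"].isoformat(), info["decoys"])
```

Note that the `ws-201` event targets a real host (`dc-01`) but still alerts, because the credential it presents is a decoy.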
Expect deception technology to gain wider use and become more tailored to and
focused on an organization’s critical assets. If the databases’ servers, the applications
themselves and even the tables in the databases all have deception, it raises the
difficulty of attacks to a whole new level of complexity.
About the Author
Eric Cole, PhD, is a SANS faculty fellow, course author and instructor who has served as CTO of
McAfee and chief scientist at Lockheed Martin. He is credited on more than 20 patents, sits on
several executive advisory boards and is a member of the Center for Strategic and International
Studies’ Commission on Cybersecurity for the 44th Presidency. Eric’s books include Advanced
Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat. As
founder of Secure Anchor Consulting, Eric puts his 20-plus years of hands-on security experience to
work helping customers build dynamic defenses against advanced threats.
Sponsor
SANS would like to thank this paper’s sponsor:
Last Updated: July 31st, 2017