Leadership Compass

Distributed Deception Platforms (DDPs)

This report provides an overview of the market for Distributed Deception Platforms (DDPs) and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing DDP solutions.

John Tolbert

jt@kuppingercole.com

1 Introduction / Executive Summary

Cyber-attacks are on the rise, as the seemingly constant breaking news stories remind us. Government agencies large and small are under attack. Businesses and non-profit organizations are under attack. Small to medium-sized businesses (SMBs) that at one time felt they had no major cybersecurity worries find themselves increasingly targeted by cyber criminals and fraudsters. Ransomware attacks continue to accelerate, abetted by the cyber insurance industry, and ransom demands are jumping. To combat modern cyber threats, organizations have been investing in more and more threat detection tools that leverage big data analytics and user behavior modeling, which generate massive waves of alerts, too many of which turn out to be false positives.

Analysts spend too much time chasing benign behavior, and consequently real attacks slip through. Behavioral detection solutions powered by machine learning offer better efficiency, yet they are probabilistic in nature, requiring cycles of manual effort to track down and confirm whether a threat is actually present. Facing these challenges, further complicated by the growing shortage of skilled security analysts, many organizations have started looking for alternative approaches to detecting and responding to threats in real time.

One of the oldest such alternatives, predating modern IT by at least a couple of decades, is using honeypots to lure attackers with strategically placed fake computing resources. Like police sting operations, this involves deploying carefully crafted traps within and/or adjacent to the corporate computing environment, which appear to be a legitimate part of the IT infrastructure and seemingly contain information valuable to hackers. However, these fake resources are distinct from the real assets and are closely monitored; since there is no reason for legitimate users to touch them, any access attempt can be considered a reliable sign of an ongoing attack.

This deterministic nature of honeypots has made them a useful tool for both academic researchers and security practitioners. Unfortunately, such solutions have been difficult and costly to deploy at scale unless deployed as part of a distributed deception platform; they also generate a lot of security telemetry which requires expertise to analyze properly. And yet, as the continuing de-perimeterization of enterprise networks makes traditional security tools like packet-filter firewalls or signature-based antivirus less and less relevant, interest in deception as a methodology and as an integral part of the overall cybersecurity architecture is growing.

Distributed Deception Platforms are systems that are designed to simulate a variety of computing assets and environments for the purposes of drawing in would-be attackers to clearly alert IT security teams to the presence of attackers, drawing attackers away from real assets, and allowing IT security teams to study the TTPs of attackers in order to better defend against current and future attacks.

DDPs are the logical evolution of honeypots and have been productized for easier commercial deployment and use. DDPs can work well in conjunction with Network Detection & Response (NDR) and Endpoint Detection & Response (EDR) tools for enterprises with high security needs. One of the advantages of DDPs is that when activity is detected within a properly deployed system, it is almost guaranteed to be malicious, which makes detection of malicious activity comparatively easy. EDR and NDR tools, on the other hand, work by analyzing many endpoint events and network traffic, applying machine learning (ML) detection models to probabilistically discover outliers and identify potentially malicious events. DDP solutions have progressed toward common feature sets, architectural patterns, and topologies, and are becoming easier to afford, deploy, and manage for both SMBs and enterprises.

EDR solutions operate in areas where software agents can be installed on devices. This provides coverage for typical office environments but is not effective where agents cannot be installed, such as on ATMs, IoT devices, Industrial Control Systems (ICS), medical devices, etc. In these settings, NDR solutions can offer visibility and controls, and DDPs can be an active defensive measure on the front line, with decoys that emulate these devices and with protection of the IAM infrastructure (most commonly Active Directory).

The network security industry is moving in the direction of "XDR", sometimes standing for eXtended Detection & Response, which is a union of EDR and NDR. DDPs can be considered an advanced element of XDR solutions, as they aid IT security teams in discovering anomalous and malicious behavior at various layers across the infrastructure.

Deception technology is also a constituent of the KuppingerCole Information Protection Life Cycle (IPLC). The IPLC and Framework describe the phases, methods, and controls associated with the protection of information. The IPLC documents three stages in the life of information and multiple categories of controls which can be applied to secure information. The "main sequence" of information is Active Use Life, a concept borrowed from the field of archaeology, where it is defined as the period when a human-made artifact is actively in use. Information is a human construct, with a beginning and often an end, so the definition works well for the IPLC. Deception technologies fit into the Active Use Life phase of the IPLC.

Figure 10: Information Protection Life Cycle

At a high level, DDPs are composed of traps, lures, misdirection, and management systems. Some vendors use the term "decoys" synonymously with traps. Others call lures "breadcrumbs", "baits", or "honey tokens". Given that digital identity is a primary vector in attacks, DDP vendors provide deception assets for IAM, which are specific combinations of traps and/or lures. Identity Detection and Response solutions add the ability to show potential attack paths, and they can hide legitimate credentials and Active Directory objects, which helps prevent credential theft and privilege escalation. Attackers can also be identified when they conduct unauthorized queries against identity data stores. Disinformation can be returned in response to those unauthorized queries, redirecting the attacker to a decoy where their TTPs can be monitored and analyzed.

  • Traps: servers, virtual servers, or appliances that host simulated assets for the DDP. Trap servers can be Windows servers or desktops, Linux machines, Macs, cloud instances or containers (in either public or private clouds), VPNs, industrial control servers, sensors, meters, specialized manufacturing and medical equipment, etc. In cloud computing environments, traps can be access keys, storage buckets, serverless functions, databases, and containers. Trap servers should run applications that are typical in the reference or production environment, such as web servers, mail servers, content management systems, collaboration services, file shares, financial applications, remote desktop "jump boxes", industrial control applications, IoT device management applications, etc. The fidelity of application and service simulation varies between vendor solutions and between the devices or applications being simulated; it ranges from merely listening on standard ports, through session establishment and full protocol responses, to fully customizable interactions.

  • Lures: objects that are designed to appear interesting to attackers in order to get them to interact with the full DDP. Lures can take many forms, examples of which are listed below. Lures can be hosted in many locations, depending on customer preferences.

    • Services
    • Files
    • Credentials
    • X.509 certificates
    • SSH application configurations and keys
    • Scripts
    • RDP sessions
    • Database content
    • DNS entries
    • Beacons
    • Cookies
    • Shortcuts
    • Network shares

Lures should be placed on endpoints and servers within customer organizations as well as in SaaS apps where appropriate.

  • IAM deception: given that credential takeover and escalation are critical vectors in most cyber-attacks, DDPs offer a variety of techniques for creating and managing fake IAM infrastructure and credentials. Most vendor solutions support, to differing degrees, the deployment and management of Microsoft Active Directory (AD) components, credentials, and objects. Some DDPs deploy parallel AD components with trusts back to the customers' production AD domains. Other DDPs create fake accounts and other objects in the customer's production AD infrastructure. A few vendors interoperate with generic LDAP and IDaaS. Decoy credentials only catch attackers who pick them up; to cover attackers who bypass the fakes and use real credentials, full IAM and AD monitoring and PAM should still be in place.

  • Management consoles: interfaces for customer and/or MSSP administrators to deploy, configure, manage, and monitor traps and lures. DDP solutions often have facilities that perform automated analysis of customer assets to suggest and create traps and lures that appear realistic to attackers. These interfaces also allow customers or their MSSP delegates to modify configurations as needed, monitor activities within the deception environment, and conduct investigations on in-progress attacks. Management consoles can be deployed on-premises, in public or private IaaS, in the vendor's cloud, or at MSSPs.

Management components should adhere to pertinent standards and offer API integration. DDPs need to be able to interoperate with other parts of the security architecture, especially SIEM and ITSM systems.
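The trap component described above, at the low end of the simulation range (listen on a standard port, complete a session, respond with a plausible protocol greeting), is small enough to show in full. The following is an added example written for this report, not code from the report or from any vendor's product. It emulates an SSH bastion: the banner string, the port, and the list of exempt sources (the DDP's own health checker and the authorized vulnerability scanner, which must not raise alerts against their own trap) are assumptions. The point it demonstrates is the one made in the introduction: because no legitimate user has any reason to touch a trap, every other connection becomes an alert without any probabilistic scoring.

```python
"""Minimal low-interaction trap: an SSH-looking TCP listener that treats
every connection as an alert. Added example, not the report's or any
vendor's code; banner, port and exempt-source list are assumptions."""
import json
import socketserver
import sys
from datetime import datetime, timezone
from typing import Optional

# Assumed: the identification string a real bastion in this estate would send.
BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"
# Assumed: sources allowed to touch the trap without raising an alert
# (the DDP's own health checker, the authorised vulnerability scanner).
EXEMPT_SOURCES = {"10.0.0.5"}


def parse_client_banner(data: bytes) -> str:
    """Return the client software field of an SSH identification line
    (b'SSH-2.0-paramiko_3.4.0' -> 'paramiko_3.4.0'), or '' if the first
    line is not an SSH hello at all (port sweep, HTTP probe, ...)."""
    line = data.split(b"\n", 1)[0].strip()
    if not line.startswith(b"SSH-"):
        return ""
    parts = line.decode("ascii", "replace").split("-", 2)
    return parts[2] if len(parts) == 3 else ""


def classify_probe(src_ip: str, trap_port: int, data: bytes) -> Optional[dict]:
    """Turn one connection into an alert record, or None for exempt sources.
    Everything else is reported: nothing legitimate ever talks to a trap."""
    if src_ip in EXEMPT_SOURCES:
        return None
    client = parse_client_banner(data)
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "source": src_ip,
        "trap_port": trap_port,
        "protocol": "ssh" if client else "unknown",
        "client_software": client or None,
        "first_bytes": data[:64].hex(),
        # A client that completes the SSH hello is a tool driven at us on
        # purpose; raw bytes or an empty read look more like a port sweep.
        "severity": "high" if client else "medium",
    }


class TrapHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.settimeout(5)
        self.request.sendall(BANNER)          # complete the "session"
        try:
            data = self.request.recv(256)     # capture the client's hello
        except OSError:
            data = b""
        alert = classify_probe(self.client_address[0],
                               self.server.server_address[1], data)
        if alert:
            # In production this line goes to the SIEM; here it is one JSON record.
            print(json.dumps(alert), file=sys.stderr)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 2222
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), TrapHandler) as srv:
        srv.serve_forever()
```

Run it with a port argument and point `ssh -p 2222 <host>` or a scanner at it; each connection produces one JSON alert on stderr. The exempt list is the practical caveat: a trap that alerts on its own monitoring traffic trains the SOC to ignore it.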

1.1 Highlights

Top Ten Findings in the Leadership Compass on Distributed Deception Platforms:

  • Deception is an established and growing specialty in cybersecurity. Years ago, enterprises outside of cybersecurity may have considered deploying and running honeypots to be exotic and not cost effective, but modern vendor implementations and managed services bring these capabilities within reach and affordability of many kinds of organizations.
  • DDPs can be thought of as extensions of detection technologies.
  • By design, DDPs have a far lower false positive rate than IDS/IPS, SIEMs, and some other tools, which can improve efficiency in SOCs. This is not to say that other detection tools and security data repositories are obsolete; rather, DDPs can be good adjuncts to the standard security suites.
  • DDPs will become core parts of XDR platforms in 3-5 years.
  • Properly deployed and maintained DDPs deliver highly specific and actionable cyber threat intelligence.
  • Traps and lures are foundational components of DDPs, but identity deception is essential because attacks leverage user and admin credentials.
  • OT and ICS environments often lack security tool instrumentation, leaving NDR and DDP technologies as the few means for detecting attacks within.
  • The Product Leaders in Distributed Deception Platforms are, in alphabetical order, Acalvio, Attivo Networks, CounterCraft, and Zscaler.
  • The Innovation Leaders in DDP are, in alphabetical order, Acalvio, Attivo Networks, CounterCraft, and Zscaler.
  • The Market Leaders in DDP are, in alphabetical order, Acalvio, Attivo Networks, Fidelis Cybersecurity, and Zscaler.

1.2 Market Segment

The Distributed Deception Platform market is a small segment of the cybersecurity market but is actively growing and still evolving. Some vendors offer full-featured solutions providing deep functionality addressing most of the major environment types described above. As will be reflected in this report, the solutions in this space are quite diverse. The most basic set of capabilities for these products allows customers to simulate traditional office networks with Windows, Mac, and Linux endpoints, servers, and basic applications.

Other solutions can simulate Operational Technology (OT) systems, including Industrial Control Systems (ICS), Industrial Internet of Things (IIoT) devices, and medical environments, complete with virtual machines running emulations of Programmable Logic Controllers (PLCs), power substation components, IoT sensors, pipeline sensors, medical monitors, MRIs, ATMs, etc. These OT environments face significant risks which are not adequately covered by other types of security solutions such as EPDR, since many of the devices in these environments cannot run endpoint agents. DDPs and NDR are thus two of the few solution types available for these environments.

Figure 11: The Operational Technology hierarchy

Furthermore, KuppingerCole research indicates that the particular market segments that vendors choose to target often have a direct effect on the type of features available in their DDP solutions. Some vendors build for the mass market and thus concentrate only on creating realistic simulations of traditional IT infrastructure. Other vendors have support for mainstream IT as well as these more diversified capabilities, offering their services for manufacturing, aerospace, defense, government, oil & gas, power generation, electrical distribution, and critical infrastructure.

1.3 Delivery Models

Several different deployment models exist for the components of DDP systems. Trap servers can be deployed in customer data centers, parallel to customer networks, or in the cloud. Cloud options include customer private cloud, public IaaS, and vendor/MSSP facilities. Trap servers can be fully licensed versions of operating systems and applications, or on-demand VMs with loadable applications designed to save licensing costs. Trap servers can be standard builds of OSes or customer configured "gold" versions.

Lures can be placed on endpoints, trap servers, on production servers, on cloud properties, or left in places not directly associated with the customer. For example, some DDP implementers leave lures in publicly available sites. Others even seed the dark web with lures.

The deployment models for trap servers and deception assets vary considerably between vendors. All deployments require some on-site components, even if only virtual resources that redirect attackers to cloud hosted assets. Examples of deployment configurations:

  • On-site parallel deployment: Customer creates VLANs outside of their normal production environment to host trap servers. Lures can be placed on the trap servers and/or inside the production networks. The deception environment should be invisible to regular users. Any activity on the VLANs with trap servers or any usage of lures indicates malicious activity in progress.
  • Parallel Microsoft Active Directory (AD) deployment: Customer creates separate domains with deception credentials for lures but establishes trusts between deception and production AD instances. Credential types include normal user accounts, admin accounts, and service accounts. Any use of credentials from the deception AD indicates malicious activities in progress.
  • In-situ deployment: Customer places trap servers and lures on production networks. Trap servers are generally invisible to the enterprise user population but are discoverable by attackers using Command Line Interface (CLI) tools.
  • Deception credentials in production AD: DDP system creates fake credentials within the production AD. Credential types include normal user accounts, admin accounts, and service accounts. Advanced DDP solutions also have Active Directory data cloaking, which prevents attackers from accessing information from within AD by effectively concealing the real AD objects and returning false information when an attacker queries AD to discover critical assets in the network.
  • Virtual trap servers: DDP solution creates "pointers" or "projections" of servers and applications running on customer networks that redirect to virtual servers in the DDP vendor's cloud. In most cases, the virtual server instances are not kept running, but are spun up when malicious actors try to engage the DDP "pointer" asset. This keeps costs down. Customers can provide approved images that mimic real servers in their production environment.
  • Projection for scalability: Some products in this space project images of trap servers across hundreds or in some cases thousands of remote locations by running trap server projections on VMs, desktops/servers, network devices, or cloud containers.

The deployment models listed above are merely representative and are not mutually exclusive. In some cases, the customer may choose to use different elements of the various deployment models to better suit their own requirements in alignment with vendor product capabilities. For example, an organization may choose to build logically separate VLANs to host trap servers but place fake credentials in their live AD.
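The deployment models that seed decoy credentials in production AD, or in a trusted deception domain, all rest on the same detection rule: any authentication event that names a decoy account is an incident. The following is an added example, not code from the report or from any vendor; it scans Windows Security events for that condition. The decoy account names, the key=value event format, and the sample lines are constructed for illustration; a real deployment reads the same fields (EventID, TargetUserName, ServiceName, IpAddress) from the SIEM. It goes slightly beyond the text in one respect: besides plain logons it also flags Kerberos service-ticket requests (event 4769) whose ServiceName is a decoy service account, which is what a Kerberoasting attempt against a planted SPN looks like.

```python
"""Detect any use of decoy (honey) accounts seeded in production AD by
scanning Windows Security events. Added example, not the report's or any
vendor's code; decoy names, event format and sample lines are constructed."""
from typing import Dict, Iterable, List

# Assumed: accounts the DDP created in AD purely as lures. They have no
# business purpose, so any authentication that names them is hostile.
DECOY_ACCOUNTS = {"svc_backup_dc", "admin_helpdesk2"}

# Event IDs worth matching and what a decoy hit on each one means.
EVENT_MEANING = {
    "4624": "successful logon with decoy credential",
    "4625": "failed logon with decoy credential",
    "4768": "Kerberos TGT requested for decoy account",
    "4769": "Kerberos service ticket requested for decoy SPN (Kerberoasting)",
    "4771": "Kerberos pre-auth failed for decoy account (password guessing)",
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value Key=Value ...' event line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def normalize_account(name: str) -> str:
    """Reduce 'CORP\\svc_x$', 'svc_x@CORP.LOCAL' and 'SVC_X' to 'svc_x',
    so the decoy matches however the logging source spells it."""
    name = name.rsplit("\\", 1)[-1]   # strip NetBIOS domain prefix
    name = name.split("@", 1)[0]      # strip UPN / Kerberos realm suffix
    return name.rstrip("$").lower()   # computer-account marker, case


def normalize_ip(ip: str) -> str:
    """Kerberos events log IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d')."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def detect_decoy_use(lines: Iterable[str], decoys=DECOY_ACCOUNTS) -> List[Dict[str, str]]:
    """Return one alert per event that touches a decoy account."""
    wanted = {normalize_account(d) for d in decoys}
    alerts = []
    for raw in lines:
        ev = parse_event(raw)
        event_id = ev.get("EventID", "")
        if event_id not in EVENT_MEANING:
            continue
        # 4769 names the SPN owner (ServiceName) separately from the requester.
        candidates = [ev.get("TargetUserName", "")]
        if event_id == "4769":
            candidates.append(ev.get("ServiceName", ""))
        hit = next((c for c in candidates if normalize_account(c) in wanted), None)
        if hit is None:
            continue
        alerts.append({
            "event_id": event_id,
            "decoy_account": normalize_account(hit),
            "actor": normalize_account(ev.get("TargetUserName", "")),
            "source_ip": normalize_ip(ev.get("IpAddress", "-")),
            "meaning": EVENT_MEANING[event_id],
        })
    return alerts


# Constructed sample: two benign logons and three touches of decoy accounts
# from the same workstation (10.0.5.23), which is the host to isolate.
SAMPLE_EVENTS = """\
EventID=4624 TargetDomainName=CORP TargetUserName=jsmith IpAddress=10.0.3.12 LogonType=3
EventID=4625 TargetDomainName=CORP TargetUserName=CORP\\svc_backup_dc IpAddress=10.0.5.23 LogonType=3
EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_backup_dc IpAddress=::ffff:10.0.5.23 TicketEncryptionType=0x17
EventID=4624 TargetDomainName=CORP TargetUserName=ADMIN_HELPDESK2 IpAddress=10.0.5.23 LogonType=10
EventID=4624 TargetDomainName=CORP TargetUserName=mwhite IpAddress=10.0.3.40 LogonType=2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_EVENTS):
        print(alert)
```

Note the difference between `decoy_account` and `actor` on the 4769 hit: the decoy is the service account whose ticket was requested, while the actor is the (possibly real, possibly compromised) user who asked for it. That pairing is the actionable part of the alert.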

Management consoles can usually be run either on-premises or in the cloud. DDP systems can integrate with enterprise infrastructure, to an extent. The level of integration and interoperability should be determined by the customer depending on their balance of risk appetite and administrative convenience.

1.4 Required Capabilities

  • Deployment, maintenance, and monitoring of deception assets that are configured to mimic customer assets in traditional office environments, including
    • Desktops/laptops with customizable application inventories
    • Servers running common applications such as web, email, databases, security tools, and others
    • Network devices, segments, and access points
    • Protocol and service emulation such as DNS, HTTP, ICMP, LDAP, RDP, REST, SMTP, SNMP, SQL, TCP and UDP, and application specific protocols
  • Deployment, maintenance, and monitoring of deception assets that are configured to mimic customer assets in IoT, medical, and industrial controls environments, such as
    • IoT: Environmental sensors, meters, appliances, building automation, surveillance and security devices, etc.
    • Medical: Patient carts, patient monitors, CAT scanners, MRI machines, etc.
    • Industrial: ATMs, SCADA HMIs and PLCs, manufacturing equipment, electrical generation and distribution equipment, pipeline controls, warehouse logistics, fleet logistics, etc.
    • Protocol emulation such as BACnet, CAN bus, CIP, IEEE 11073, LonTalk, Modbus, MQTT, OPC, S7, XMPP, and others. Device-level emulation can often be configured.
  • Deployment, maintenance, and monitoring of simulated IAM system credentials and components, including
    • Standard user accounts with entitlements mirroring production users
    • Privileged user accounts with server and domain admin privileges
    • Service accounts required by common business applications
    • LDAP and/or Microsoft Active Directory servers
  • Cloud
    • Common SaaS applications
    • Mirror of applications in customer IaaS/PaaS environments
  • Deployment, maintenance, and monitoring of lures across the DDP, including
    • Office documents and data files on virtual desktops, servers, and content management systems. Most solutions can create .docx, .pptx, and .xlsx files as lures and beacons. Some vendors offer more flexibility with lures and beacons, including the capability to generate .bin, .dat, .dll, .exe, JSON, XML, and various media file types.
    • Processes that routinely update data creation, file access, and modification times
    • Some lures can be created as beacons, with the ability to alert the DDP when opened. This is generally accomplished by embedding HTTP calls within the files.
  • Console for admins and analysts. The console should support the creation and configuration of trap servers and lures; support monitoring of all deployed deception assets; and provide reporting and alerting mechanisms. Advanced DDP solutions support network and asset discovery, the results of which are used to suggest and automatically create/configure trap servers and lures. The asset discovery and automated trap server and lure creation features are often guided by machine learning (ML) functions that extrapolate patterns from customer inventories and generate configurations and names for deception assets that resemble the ones found in production. These facilities are usually accessed via the admin console.
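The beacon mechanism mentioned for document lures ("embedding HTTP calls within the files") can be shown concretely for .docx. The following is an added example, not code from the report or from any vendor. It builds a minimal Word document whose settings part attaches an external template via a relationship with TargetMode="External"; Word resolves that relationship when the document is opened, which produces the HTTP request to the beacon URL (this is the same remote-template mechanism that attackers use for payload delivery, repurposed as a tripwire). The beacon URL, the token in its path, and the decoy file name are assumptions, and whether the request actually leaves the host depends on the opening application's network and Protected View settings. The second function inspects any .docx for external relationships, which serves both to verify a generated beacon and to screen inbound documents for remote-template references.

```python
"""Build a Word document that fetches a beacon URL when opened, and list the
external references inside any .docx. Added example, not the report's or any
vendor's code; the beacon URL and decoy file name are assumptions."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from xml.sax.saxutils import escape

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFF_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _rels(*items: Tuple[str, str, str, bool]) -> str:
    """Serialise a .rels part from (Id, type suffix, target, external?) tuples."""
    body = "".join(
        f'<Relationship Id="{rid}" Type="{OFF_REL}/{typ}" '
        f'Target="{escape(target, {chr(34): "&quot;"})}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for rid, typ, target, external in items
    )
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_REL_NS}">{body}</Relationships>')


def build_beacon_docx(beacon_url: str, visible_text: str) -> bytes:
    """Return a minimal .docx whose settings.xml attaches an external template
    at beacon_url. Word fetches the attached template on open, so the DDP's
    beacon endpoint sees a request (with the opener's IP and User-Agent)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        "</Types>"
    )
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                f"<w:t>{escape(visible_text)}</w:t></w:r></w:p></w:body></w:document>")
    settings = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFF_REL}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", _rels(("rId1", "officeDocument", "word/document.xml", False)))
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", _rels(("rId1", "settings", "settings.xml", False)))
        z.writestr("word/settings.xml", settings)
        # The only relationship that leaves the package: the beacon.
        z.writestr("word/_rels/settings.xml.rels",
                   _rels(("rId1", "attachedTemplate", beacon_url, True)))
    return buf.getvalue()


def find_external_refs(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, relationship type, target) for every relationship
    with TargetMode="External" anywhere in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Type").rsplit("/", 1)[-1], rel.get("Target")))
    return found


if __name__ == "__main__":
    # Assumed beacon endpoint; the path segment is the per-document token
    # that lets the DDP tie a hit back to where this lure was planted.
    doc = build_beacon_docx("http://beacon.example.test/t/7f3a9c",
                            "Q3 payroll adjustments (DRAFT)")
    with open("payroll_q3_draft.docx", "wb") as fh:
        fh.write(doc)
    print(find_external_refs(doc))
```

The beacon endpoint itself is just an HTTP listener that records the token, source address, and User-Agent of each request and raises the alert; because the document is placed where no legitimate workflow opens it, the first hit is the signal.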