ESG Validation

ESG Lab Review: High-fidelity Breach Detection with Acalvio Autonomous Deception

Abstract

This ESG Lab Review documents hands-on testing of Acalvio ShadowPlex autonomous deception. We focused on how easy it is to deploy ShadowPlex at scale, and how Acalvio’s deception technology provides high-fidelity low-volume breach detection.

The Challenges

The ever-increasing volume and velocity of threats has made cybersecurity one of the top IT concerns. Indeed, according to ESG research, strengthening cybersecurity is a business initiative that the largest percentage of respondents believe will drive the most technology spending at their organizations over the next 12 months (see Figure 1).[1]

Implementing efficient and effective cybersecurity is often hampered by the increasing complexity of IT infrastructures. According to recent ESG research, more than two-thirds of surveyed organizations said that their IT environment has gotten more complex in the last two years.[2] This complexity makes it more difficult to identify adversaries who have penetrated enterprise defenses, increasing dwell time—the amount of time an attacker has access to the network and can move laterally in search of data to steal or ransom. Thus, it’s no surprise that organizations are seeking advanced detection solutions.

Acalvio ShadowPlex

Acalvio ShadowPlex uses deception to detect breaches in the corporate network quickly and accurately, engage with the attacks, and automatically respond. Using ShadowPlex, security analysts can detect attackers that have successfully bypassed defenses, analyze attacker behavior, and prioritize threat hunting and remediation activities.

Acalvio’s deception technology provides:

  • Early Detection of advanced, multistage attacks with high fidelity.
  • Engagement of adversaries using high-interaction decoys to learn behavior, and divert adversaries from critical assets.
  • Automated Response to attacks by identifying routes of attack, latent vulnerabilities, and indicators of compromise (IOC).

ShadowPlex’s Deception Farms technology allows an organization to maintain a centralized catalog of decoys, called an Acalvio Deception Center (ADC), either on-premises or in a public or private cloud. Using lightweight projection point sensors—virtualized or small physical appliances—decoys are projected among a distributed set of cloud or on-premises workloads that need to be protected. Each projection point sensor projects any number and variety of decoys of different system types (e.g., Windows server, Windows desktop, Linux server) with different services. Projection points create a secure tunnel back to the Acalvio deception center (ADC), which provides amplification, making one projection point appear as many different types of systems, each with a different host and MAC address.

Acalvio’s FluidDeception technology dynamically presents attackers with appropriate depth of deception. Low-level network responses to an attacker probing a deception, such as ping replies, are handled directly by the projection point, ensuring network timing responses are identical to real systems on the VLAN. Higher level responses, when an attacker directly engages with the deception for instance, are handled by the higher interaction decoys located in the centralized Deception Farm. This minimizes the resources required to provide pervasive deception throughout large-scale networks.

ShadowPlex uses machine learning to blend decoys into the network in the most realistic way and gives the administrator flexibility and control over the type, density, and frequency of the decoys. Acalvio provides an intent-based breadcrumb deployment: an administrator can specify the goal (e.g., detect ransomware, detect lateral movement, detect AD attack) and ShadowPlex distributes unique breadcrumbs throughout the environment to divert attackers to deception systems.

Acalvio’s deployment engine detects and mimics the characteristics of the environment so that attackers cannot tell decoys from real systems. For example, if the VLAN contains only Windows servers, a Linux server decoy would stand out like the proverbial sore thumb. Organizations deploying Acalvio ShadowPlex benefit from:

  • Early detection—The moment an attacker engages with a deception is the earliest indication of an actual breach.
  • Accurate detection—Interactions with deceptions are very strong indicators of compromise, leading to high-fidelity, low false-positive detections.
  • Low volume—Acalvio’s Deception solution only alerts on decoy interactions.
  • Comprehensive attack behavior analysis—All interactions with deceptions are recorded for analysis and identification of behaviors, IOCs, and vulnerabilities.
  • Minimal effort—Deployment at scale is accomplished quickly and easily, and requires minimal day-to-day management. Automation and machine learning ensure freshness of deceptions.

ESG Lab Tested

ESG Lab started by reviewing the environment used for this review and the steps required to deploy deception across the environment. This review used a demo environment representing a typical enterprise network with multiple VLANs; some VLANs were configured with multiple desktops and laptops, representing typical end-user VLANs, while others were populated with a mix of Linux and Windows servers, and a smattering of desktops, representing typical core infrastructure server VLANs.

ESG Lab logged in to the web-based management system, and selected Configuration from the menu, which brought up the configuration wizard. The wizard provides step-by-step instructions to deploy deception at scale.

The first step in deploying deception was to activate projection points, which are the breach detection sensors, and configure the subnets for each projection point. Acalvio ShadowPlex projection point virtual machines were instantiated in the environment. A single projection point can support hundreds of machine decoys across different OS types: Windows desktop, Windows server, and Linux server.

Sensors should be connected to a switch access port with visibility to the VLANs to be monitored. The user can select each VLAN they want to attach to the sensor; the sensors create a separate secure L2 tunnel to the ADC for each VLAN.

The next step was discovering network characteristics. Once attached, the sensors map the networks. The user can direct ShadowPlex to use an nmap-type approach to automatically scan and map the network, or can choose to upload inventory data from asset management and vulnerability scanning tools.

The results of network discovery are displayed, as shown in Figure 2. The left side of the screen provides a guide indicating the current step in the deployment process. The main part of the screen contains a list detailing the characteristics of each discovered network node, including IP and MAC addresses, NIC vendor, and network services provided.

Users are given the option to edit host characteristics, and make other adjustments as necessary.

We proceeded to the next step in the deployment process, reviewing the recommended deceptions for each VLAN segment. ShadowPlex correlates all the network node information and searches for patterns. Host name pattern matching with collision detection attempts to create new hostnames for deception points that match the existing network naming conventions. ShadowPlex also attempts to match the distribution of OS types, MAC vendors, and application services to build deceptions that closely match the existing network, providing camouflage to render it unlikely that malicious actors will discover that the deceptions are not real systems.

The resulting recommendations for the distribution of OS and services are displayed as radar graphs, as shown in Figure 3. Users can quickly and easily adjust the distribution by sliding the control points along the axis of the graph. Regardless of the number of decoys deployed on the VLAN, the distribution of OS and services will be maintained. Users can also adjust the naming convention chosen for the decoys, and can create complex patterns using regular expressions.
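The two matching steps described above, hostname generation with collision detection and keeping the OS mix constant for any decoy count, can be sketched as follows. This is an added example, not Acalvio's algorithm or code from the review; the inventory, the "prefix plus zero-padded number" naming assumption, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed discovery inventory (hostname, OS type); not data from the review.
INVENTORY = [
    ("nyc-web-01", "linux-server"), ("nyc-web-02", "linux-server"),
    ("nyc-web-04", "linux-server"), ("nyc-app-07", "linux-server"),
    ("nyc-db-01", "windows-server"), ("nyc-db-02", "windows-server"),
]

def infer_patterns(inventory):
    """Map (prefix, digit width, OS) -> count of hosts using that convention."""
    patterns = Counter()
    for name, os_type in inventory:
        m = re.fullmatch(r"(.*?)(\d+)", name)
        if m:  # names without a numeric suffix give no reusable pattern
            patterns[(m.group(1), len(m.group(2)), os_type)] += 1
    return patterns

def allocate(os_counts, n):
    """Split n decoys across OS types in the observed ratio (largest remainder)."""
    total = sum(os_counts.values())
    exact = {o: n * c / total for o, c in os_counts.items()}
    alloc = {o: int(v) for o, v in exact.items()}
    short = sorted(exact, key=lambda o: (alloc[o] - exact[o], o))
    for o in short[: n - sum(alloc.values())]:
        alloc[o] += 1
    return alloc

def plan_decoys(inventory, n):
    """Return up to n (hostname, OS) decoys that follow local naming and never collide."""
    patterns = infer_patterns(inventory)
    taken = {name for name, _ in inventory}  # collision set: real hosts + decoys so far
    os_counts = Counter(os_type for _, os_type in inventory)
    plan = []
    for os_type, count in sorted(allocate(os_counts, n).items()):
        keys = sorted((k for k in patterns if k[2] == os_type),
                      key=lambda k: (-patterns[k], k[0]))
        for i in range(count if keys else 0):
            prefix, width, _ = keys[i % len(keys)]  # rotate through conventions
            num = 1
            while f"{prefix}{num:0{width}d}" in taken:
                num += 1
            name = f"{prefix}{num:0{width}d}"
            taken.add(name)
            plan.append((name, os_type))
    return plan

if __name__ == "__main__":
    for name, os_type in plan_decoys(INVENTORY, 3):
        print(name, os_type)
```

A defender reviewing a deployment can run the same logic in reverse: any decoy whose name or OS falls outside the inferred conventions is one an attacker could single out.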

Next, we explored some of the many ways that the decoys can be customized. We created a new decoy type to mimic a SCADA industrial control system by configuring a decoy with an open port 502, the default MODBUS port for SCADA systems. The network ports are opened, and the ADC records every network interaction, enabling security analysts to observe and analyze attacker behavior. For more extensive adversary engagement, customers can use High Interaction custom uploads where they can utilize full-blown MODBUS or other applications as desired.

We also customized the decoys to resemble the organization’s actual environment more closely, making a decoy look like a file server (share decoy), as shown in Figure 4, providing a custom name and credentials, and selecting from pre-canned share directory structures (engineering, HR, finance, etc.).

The final adjustment to ShadowPlex’s recommendations is the number of decoys to deploy on the VLAN segment. According to Acalvio, organizations have different philosophical approaches to deciding on the number of decoys. One philosophy is to saturate the VLAN with many decoys to act as tripwires. This would be applicable for a user endpoint VLAN where users are often subject to spearphishing or watering-hole attacks, and where attackers often create beachheads at the first point of compromise, enabling them to re-enter the network if they’re caught and ejected. Saturating the network with more decoys than real systems increases the odds of a malicious actor attacking a decoy, enabling rapid detection. In this scenario, the user may want to signal an alert as soon as a decoy detects any activity such as a ping or other network probe.

Another philosophy is to set up a decoy for every system type. This would be applicable for VLANs dedicated to servers, where an organization may deploy breadcrumbs to point attackers at decoys. The user may also want to wait until the malicious actor has actively engaged with the decoy before sounding an alert, enabling the ADC to record the attack. Users can analyze attack behavior and other forensic data to identify attacker tactics, techniques, and procedures (TTP), as well as their own environment vulnerabilities.
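The two alerting philosophies above differ only in what counts as a trigger, which the following added example shows over a handful of constructed events. It is not ShadowPlex code or configuration: the policy names, interaction kinds, VLAN labels, and addresses are all hypothetical.

```python
from collections import defaultdict

# Hypothetical per-VLAN policy: "tripwire" alerts on any decoy touch,
# "engage" records probes silently and alerts on active engagement only.
VLAN_POLICY = {"users-10": "tripwire", "servers-20": "engage"}
ENGAGEMENT = {"smb-login", "ssh-login", "file-read", "http-post"}
DECOYS = {"10.0.10.77", "10.0.10.91", "10.0.20.15"}

# Constructed events: (time, vlan, source, destination, interaction kind)
EVENTS = [
    ("09:00:01", "users-10", "10.0.10.23", "10.0.10.77", "icmp-echo"),
    ("09:00:02", "users-10", "10.0.10.23", "10.0.10.40", "tcp-syn"),  # real host
    ("09:05:10", "servers-20", "10.0.10.23", "10.0.20.15", "tcp-syn"),
    ("09:05:12", "servers-20", "10.0.10.23", "10.0.20.15", "smb-login"),
    ("09:05:30", "servers-20", "10.0.10.23", "10.0.20.15", "file-read"),
    ("09:07:00", "servers-20", "10.0.20.8", "10.0.20.15", "arp"),
]

def evaluate(events, policy=VLAN_POLICY, decoys=DECOYS):
    """Return (alerts, history); history keeps every decoy interaction."""
    alerts, raised = [], set()
    history = defaultdict(list)
    for ts, vlan, src, dst, kind in events:
        if dst not in decoys:
            continue  # only decoy interactions are considered, keeping volume low
        key = (src, dst)
        history[key].append((ts, kind))  # always recorded for later analysis
        mode = policy.get(vlan, "tripwire")  # unlisted VLAN: err toward alerting
        fire = mode == "tripwire" or kind in ENGAGEMENT
        if fire and key not in raised:  # one alert per source/decoy pair
            raised.add(key)
            alerts.append({"time": ts, "vlan": vlan, "src": src, "decoy": dst,
                           "trigger": kind, "context": list(history[key])})
    return alerts, history

if __name__ == "__main__":
    for alert in evaluate(EVENTS)[0]:
        print(alert)
```

Under the "engage" policy the earlier probe is not lost: it arrives as context on the alert, so the analyst sees the reconnaissance that preceded the login.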

Adjusting the number of deployed decoys was extremely simple—we just moved the slider to a new value. The effort to configure Acalvio is the same, regardless of the number of decoys deployed.

Another technique that provides greater in-situ realism is the ability to upload data to the decoys. Users can upload entire websites and custom applications to make decoys appear as internal employee portals or other typical internal websites. Users can also upload custom VMs, such as gold master images used for laptops or servers, ensuring that decoys are effectively identical to production hosts.

Next, we configured breadcrumbs—fake information stored on legitimate systems for attackers to discover in the reconnaissance phase—as shown in Figure 5. According to Acalvio, breadcrumbs are an integral component of deception technology—for maximum effectiveness, users must deploy both breadcrumbs and decoys.

ShadowPlex can provide fake credentials—in memory and on the file system—as well as fake profiles, fake browser histories, user files, etc. Acalvio has processes in place to refresh the information so that it doesn’t go stale, such as ensuring that profiles and files have recent access times.

Breadcrumbs can also be used for ransomware detection; ShadowPlex can detect and alert when a breadcrumb file has been encrypted.

To configure breadcrumbs, we selected the intents—the outcomes of the breadcrumbs, such as detecting ransomware, detecting lateral movement, or providing credentials. We also selected the production hosts where breadcrumbs were to be placed. ShadowPlex created the breadcrumbs and provided scripts for distributing the breadcrumbs to the hosts.

We accomplished the final few steps in the process with a few mouse clicks, accepting the configuration and deploying the decoys.

Next, we selected Deception Mesh from the main menu to display the status of the currently running environment, as shown in Figure 6. At the top of the window is a coverflow-type interface, enabling the user to quickly scroll through and select from the list of configured VLANs. The main portion of the window displays a mesh representation of all real hosts and configured decoys in the selected VLAN, and the bottom of the window displays a key to the graphics.

We hovered the mouse over an icon, which displayed a popover providing additional information including node name, O/S type, network, MAC address, and NIC vendor. We then clicked on the icon, which displayed the host or decoy details in a pane on the right side. Using this pane, we explored various aspects of the decoy configuration, including services provided, the breadcrumbs, and the file shares, as shown in Figure 7. Hovering the mouse over a breadcrumb file displayed a popup with the location of the breadcrumb on the host.

Acalvio designed ShadowPlex to provide telemetry data gathered by its sensors to a comprehensive SOAPA or other enterprise security system, such as SIEMs and EDR systems. ShadowPlex provides telemetry that can be analyzed by ArcSight, Splunk, and many other solutions. SIEMs enable cross-correlation between ShadowPlex telemetry and other telemetry so that users can quickly identify malicious behaviors, entry points, vulnerabilities, and vulnerable systems.

ESG next reviewed the ShadowPlex incident review window, designed for those organizations that don’t have a SIEM, or other external analysis system. The main part of the display, shown in Figure 8, contains a graphical timeline, with each incident indicated by an icon above the date of occurrence. Icons represent the incident type, such as a file folder for access to a share, or a globe for access to a website.

Below the timeline is a table listing each incident, with observations about the stage in the cybersecurity kill chain (reconnaissance, observation, lateral movement, etc.).

We hovered the mouse over an icon, which displayed a popover with additional information, including incident start and end times, source address information, and port or service accessed by the attacker. Then we clicked on the icon, which popped up a new window with comprehensive details. From this window, we could download PCAP or BRO packet captures, and IOCs in openIOC or STIX formats. This information can be used to stop additional attacks based on this internally sourced threat intelligence.

Once we reviewed the incident, we were given the option to suppress the incident from the incident display or delete the incident from the incident database.

Why This Matters

The global cybersecurity skills shortage is continuing unabated. According to ESG research, 56% of organizations said that they have a problematic shortage of cybersecurity skills, up from 45% in 2017.[3] CISOs need to invest in solutions that make their existing staff more productive, effective, and efficient.

ESG Lab validated that we could use Acalvio ShadowPlex to deploy deception sensors across the network with just a few mouse clicks—the effort was the same to deploy one or thousands of decoys. The automation and flexibility of the system made it quick and easy to configure deceptions to mimic the characteristics of existing hosts on the network.

Once deployed, ShadowPlex provided low-volume high-fidelity alerts: a network probe or connection to a sensor indicates an attack in progress with extremely high confidence. Using ShadowPlex provided another layer of security without requiring significant resources or skills.


The Bigger Truth

Among the numerous challenges that CISOs face are the increasing sophistication of malicious actors, increasing volume and velocity of threats, increasing global cybersecurity skills shortage, and increasing complexity of IT infrastructures. Improving the security of their organization requires CISOs to implement effective solutions that increase the efficiency and productivity of the cybersecurity team.

ESG Lab validated that Acalvio ShadowPlex is quick and easy to implement at scale. With just a few mouse clicks, we were able to deploy hundreds of deception points across numerous network segments. We expended the same effort to deploy one or hundreds of deception points.

ShadowPlex automatically scanned the network and made configuration recommendations. This enabled us to match the deceptions to the characteristics of the network, reducing the possibility that a malicious actor could differentiate between a deception and a production host. The flexibility of the solution, including uploading custom data, enabled us to create even more realistic deception points.

ShadowPlex proved to be a low-volume high-fidelity breach detection system—any probe or network connection to a deception point indicates with high probability that an attacker has breached the environment and is actively expanding throughout the network. With little effort, users can manage these incidents using the ShadowPlex console, or ShadowPlex sensor data can be integrated with SOAPA, SIEM, and other security management systems, enabling cross-correlation and analysis of breach points, attacker behavior, and system and network vulnerabilities.

Organizations seeking to enhance their security posture with a highly efficient, easy-to-deploy breach detection system should take a close look at Acalvio ShadowPlex autonomous deception.



1. Source: ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017.
2. ibid.
3. ibid.