1 Introduction
To combat modern cyber threats, organizations have been investing in more and more threat detection tools built on big data analytics and user behavior modeling. These tools generate massive waves of alerts, which too often turn out to be false positives. Analysts spend too much time chasing benign behavior, and consequently real attacks slip through. Behavioral detection solutions powered by machine learning are more efficient, yet they are probabilistic in nature: each alert still requires cycles of manual effort to track down and confirm whether a threat is actually present. Facing these challenges, further complicated by the growing shortage of skilled security analysts, many organizations have started looking for alternative approaches to detecting and responding to threats in real time.
One of the oldest such alternatives, dating back several decades, is the honeypot: a strategically placed fake network resource used to lure attackers. Similar to a police sting operation, this involves deploying carefully crafted decoys within the corporate network that appear to be a legitimate part of the IT infrastructure and seem to contain information valuable to an intruder. These resources are isolated from the real assets and closely monitored; since legitimate users have no reason to touch them, any access attempt can be treated as a reliable sign of an ongoing attack. By monitoring the lures, it is possible to analyze the attacker's behavior and study their tactics, techniques, and procedures (TTPs) in order to mount more effective defenses.
This deterministic nature of honeypots has made them a useful tool for both academic researchers and security practitioners. Unfortunately, such solutions are difficult and costly to deploy at scale; they also generate large volumes of security telemetry that require an expert to analyze properly. And yet, as the continued deperimeterization of corporate networks makes traditional perimeter-bound tools such as firewalls and antivirus less and less relevant, interest in deception as a methodology and as an integral part of the overall cybersecurity architecture is growing.
Modern distributed deception solutions differentiate themselves from old-school honeypots by automating, at scale and under centralized management, the creation and distribution of decoys (real or emulated IT assets mixed into the existing infrastructure to trap and analyze malicious activity) and lures (various pieces of data planted across endpoints to attract attackers). This not only makes deployment much easier, but also ensures that detections are processed, enriched with forensic context, and delivered for analysis as quickly as possible.
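The detection rule behind decoys and lures is simple enough to make concrete. The following is an added example, not code from this page or from Illusive: a toy detector in Python that runs over a few constructed log lines. It assumes a hypothetical deception inventory (two decoy hosts, one planted "honey" credential, one planted file), a constructed one-line-per-event log format, and a hypothetical lure-deployer host name that is exempted because it legitimately writes the lures. Any other event that touches a decoy or lure raises an alert, with no scoring or baselining involved, and the alerts are grouped by the endpoint they came from, since that endpoint, not the decoy, is where response should start.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Deception inventory (constructed, hypothetical names) -------------------
# Decoys: emulated hosts that take part in no real business process.
DECOY_HOSTS = {"fin-db-07", "backup-srv-03"}
# Lures: data planted on real endpoints. These credentials and files exist
# nowhere in the real environment, so any use of them is an attacker's.
HONEY_ACCOUNTS = {"svc_backup_admin"}
HONEY_FILES = {r"\\fileshare\finance\payroll_2023.xlsx"}
# The host that plants and refreshes the lures touches them legitimately; it is
# the one source that must not raise an alert (assumed name).
LURE_DEPLOYER = "deception-mgr"

# Event log format assumed for this example (constructed, not a real product's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) src=(?P<src>\S+) user=(?P<user>\S+)"
    r"(?: dst=(?P<dst>\S+))?(?: path=(?P<path>\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    source_host: str   # the endpoint the attacker is operating from
    user: str
    event: str
    lure_type: str     # decoy_host | honey_account | honey_file
    lure: str


def parse(line: str):
    """Return the event fields, or None for a line not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Deterministic rule: any event touching a decoy or lure is an alert.

    A single hit is enough because no legitimate workflow references these
    assets. One event may trip several lures at once (a honey credential used
    against a decoy host) and yields one alert per lure so the record is complete.
    """
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["src"] == LURE_DEPLOYER:
            continue
        hits = []
        if ev["dst"] in DECOY_HOSTS:
            hits.append(("decoy_host", ev["dst"]))
        if ev["user"] in HONEY_ACCOUNTS:
            hits.append(("honey_account", ev["user"]))
        if ev["path"] in HONEY_FILES:
            hits.append(("honey_file", ev["path"]))
        for lure_type, lure in hits:
            alerts.append(Alert(ev["ts"], ev["src"], ev["user"], ev["event"], lure_type, lure))
    return alerts


def by_source(alerts):
    """Group alerts by originating endpoint: the forensic context responders need."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.source_host].append(a)
    return dict(grouped)


# Constructed sample log: the deployer planting a lure, a normal morning for two
# users, and an attacker on ws-112 using a harvested honey credential and file.
SAMPLE_LOG = [
    r"2024-03-04T08:58:10Z FILE_WRITE src=deception-mgr user=svc_deploy path=\\fileshare\finance\payroll_2023.xlsx",
    r"2024-03-04T09:12:01Z LOGON src=ws-112 user=j.doe dst=mail-01",
    r"2024-03-04T09:13:44Z LOGON src=ws-087 user=a.smith dst=mail-01",
    r"2024-03-04T09:15:02Z LOGON src=ws-112 user=svc_backup_admin dst=backup-srv-03",
    r"2024-03-04T09:15:09Z FILE_READ src=ws-112 user=j.doe path=\\fileshare\finance\payroll_2023.xlsx",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for host, hits in by_source(detect(SAMPLE_LOG)).items():
        print(f"compromised endpoint: {host}")
        for a in hits:
            print(f"  {a.ts} {a.event} user={a.user} touched {a.lure_type} {a.lure}")
```

Two practical points the toy makes visible: the deployer exemption has to exist and be kept narrow, or the lures will alert on their own maintenance; and the decoy name is the least interesting field in the alert, because the source host and the account used are what tell responders where the attacker already is.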
Illusive Networks is a cybersecurity company headquartered in New York, NY and Tel Aviv, Israel. Founded in 2014 by a group of Israeli cyber intelligence experts, the company focuses on extending deception technology to harden corporate networks preemptively by reducing their attack surface, to identify attacks early with deterministic detection, and to mitigate incidents quickly through integrations with other security tools. The Illusive Platform is a highly integrated and automated security solution that combines protection, detection, and response capabilities, unified by a single consistent UI and powered by an agentless, scalable distributed deception technology.
By focusing on the potential attacker’s point of view, eliminating all possible paths for them to reach the “crown jewels” and luring them instead into a web of deceptions, Illusive helps customers detect attacks even before the malicious actor realizes something just went wrong.