illusive networks illusive
illusive is a very cool product. This is a deception tool with a bit of a twist. Its main purpose is to focus on the actors rather than the malware in an attack. That does not mean that it doesn't care about malware, of course. It simply means that it is restating an axiom of ours: In the 52 years we have been in information security, we have never seen a crime committed by a computer. Somewhere, at some point, there was a human involved. Illusive has taken on the task of applying that axiom.
What is especially cool about illusive [sic] is that it follows the theory of "deception everywhere." It places a deceptive layer across the entire enterprise, leaving the attacker completely in the dark as to where the real targets actually are. Think back to flying aces who dumped chaff to confuse enemy radar or fired fireballs to confuse heat-seeking missiles and you have a pretty good picture of illusive. The deceptions are deployed based on user policies. These, of course, are based on the environment in which the deployment is operating.
The execution of the "deception everywhere" theory is the three-fold approach of deceive, detect and defeat. The system deceives by using multi-dimensional deception traps - the chaff - to disrupt the attacker. This forces the actor to make mistakes that are easier for analysts to detect. And, once the attacker is detected, actions based on analysis of attack patterns, profiles, context and potential impacts can be undertaken. There is no hard-coded deception. Nothing in the enterprise itself - meaning no actual enterprise assets - is disturbed. Everything is done from the management server.
At a glance
Company: illusive networks
Price: £42 per user per year with tiered volume pricing.
What it does: Advanced deception system.
What we liked: We especially like the "deception everywhere" approach.
When an attacker starts probing the enterprise endpoints, the policies in the management server kick in and the attacker is transferred to the trap server. There is no permanent agent on the endpoints. However, at this time, there is a temporary agent deployed for a brief period before it self-dissolves. These agents are vulnerable in order to give the attacker something with which to interact. Once attackers have been deceived - and are interacting with a false device that they believe is real - they expose themselves and can be analysed and interdicted.
Attackers are directed along the path to the trap server and analysed forensically in real time, so in the unlikely event that the attacker has discovered the error of his ways and scoots out of Dodge, it is too late. The forensic evidence has been captured and actions are taken to prevent the same attack/attacker in the future.
The heart of the system is the configuration. The configuration is simple and lends itself to your creativity and customisation for your environment. Actual IP blocks can be used, and DNS, AD and other servers also become part of the deception. The trick, among other things, is to detect lateral movement. So, as you configure, you should keep that in mind.
Another cool feature is the attacker dashboard. This is not quite what it sounds like. Rather than being a view of the attacker as he acts in the enterprise, it is a view of what the attacker would do on the enterprise if there were no deception. This gives the analyst a clear view of where the attack is likely to go. That is a sort of "attacker mind reading tool" and it is, as one might imagine, extremely valuable to the defender.
Setting up the policies on the management server is simple as well. Again, you have the flexibility to craft a deceptive environment - including dummy users and assets - that mirrors your own actual environment. The management server has an excellent dashboard with very good drill-downs, including a detailed view of the forensic analysis. Given that "forensic analysis" has a special meaning - such things as repeatability, auditability, chain of custody, etc. - we were pleased to see that illusive has all of the bases covered so that in the unlikely event that an attacker is caught and prosecuted, everything that the prosecution needs will be available and satisfactory from a forensic viewpoint.
The web portal is a bit spartan but contains pretty much everything you need, including a logon for support. Support is available as a premium offering provided by illusive networks. There is a good blog with some very informative postings and, overall, the "soft" aspects of the offering are quite good indeed. Pricing is per user per year, which is not unreasonable for this type of product.