This is another deception technology application but, as in all of the tools we looked at this month, it does its work somewhat differently than the others. The founders are former military (one was a Marine and there is no such thing as an "ex-Marine") and the whole focus of TrapX is based on operationalising deception as a defensive activity.
The company refers to its approach as "adaptive defence" and they apply the approach through several pieces of infrastructure, including automated build-out of their DeceptionGrid, malware traps integrated with a sandbox, real-time detection of zero days, APTs and bots, integrated threat intelligence and multi-tenant cloud management. The key components are the malware trap engine and the botnet detection engine.
The core of this product's success rests - at least in part - on its ability to emulate just about any environment you can imagine. In addition to the usual Microsoft and Linux emulations, it includes Cisco, databases, industrial control systems, medical devices, VoIP and storage arrays. The system deploys as a device - physical, virtual or cloud - and is extremely reasonably priced for all that it does.
This is a sort of next-generation, medium-interaction honeypot. Its trick is to co-mingle real and emulated assets through its DeceptionGrid using VLANs. The sandbox is always watching and, when something triggers it, the tool extracts indicators of compromise (IOCs) and updates in real time with new signatures. The user interacts with the system through the TSOC, or "TrapX Security Operations Console."
At a glance
Company: TrapX Security
What it does: Deception technology application.
What we liked: Ease of deployment and use; extensive support for many different operating environments.
The DeceptionGrid consists, mainly, of the TSOC, the TrapX appliance that contains the malware trap and the botnet detector, and the sandbox. The appliance can be virtual or physical and the sandbox can be onsite or in the cloud. The DeceptionGrid is a virtual appliance that creates emulations on VLANs and intermixes them with real assets. It is run through the TrapX appliance which installs inline with a span port or a tap just inside the egress point - usually a firewall - of the enterprise. The TSOC talks directly to the sandbox.
Deception operations are dynamic and integrate with the organisation's workflow. Of course there is forensic analysis and this occurs as events are unfolding. The system overlays the attacker kill chain and analyses in that context. A PCAP (packet capture) is created for after-event analysis as well. This results in a complete incident timeline operating as the attack is in progress.
The operator's dashboard is exactly what you'd expect to see in a SOC, so analysts will be comfortable with it and there is a fast learning curve as a result. Drill-down is excellent, and everything on the various menus is neatly tabbed at the top of the menu. Getting to the point you want - event analysis, for example - is just a click away, and each major menu item generates its own sub-topic tabs.
Detailed event timelines aid investigation and remediation in the unlikely event that the attack actually succeeded - usually at the decoy, however, rather than the actual asset - and there is an excellent visualisation of exactly how the attacker is interacting with the decoy. At all times, the attacker feels as if he is interacting with the actual system and he can perform some of the actions he would want to perform on a real system, such as generating a Metasploit session. However, even with that he cannot do any damage.
Reporting is extensive and detailed and the management of the tool is very straightforward. Deployment is relatively easy and, as you would expect, one can get quite creative in setting up the DeceptionGrid environment. Decoys are easy to set up and deploy with screens for setting the operating system and other environment components.
Overall, we liked this product. Its military heritage is evident in its simple deployment and straightforward approach to operationalisation of the deception process. It interoperates with just about any SIEM so a key part of its operationalisation is getting actionable data to the SIEM so that the SIEM can take appropriate action.
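The two ideas the review describes above - that any contact with a decoy intermixed among real assets is a high-fidelity signal, and that the product's value comes from turning that signal into an incident timeline and actionable SIEM data - can be illustrated with a small detection routine. This is an added example, not TrapX code; the flow-log format, the decoy inventory and the JSON event layout are all assumptions constructed for the illustration.

```python
import json

# Constructed sample flow log lines: "timestamp src_ip dst_ip dst_port action".
# 10.1.9.77 and 10.1.9.78 are decoys; 10.1.5.10 is a real server on the same VLAN.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.1.5.23 10.1.5.10 445 connect
2024-01-01T10:00:04 10.1.5.23 10.1.9.77 445 connect
2024-01-01T10:00:09 10.1.5.23 10.1.9.77 3389 connect
2024-01-01T10:00:15 10.1.5.40 10.1.5.10 443 connect
2024-01-01T10:01:02 10.1.5.23 10.1.9.78 22 connect
"""

# Assumed decoy inventory: emulated assets placed among the real ones.
DECOYS = {"10.1.9.77": "emulated Windows file server",
          "10.1.9.78": "emulated Linux host"}

def parse_flows(text):
    """Parse the constructed flow-log format into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "action": action})
    return flows

def build_incidents(flows, decoys):
    """Decoys have no legitimate users, so every touch is an alert.
    Group touches by source address into an ordered timeline."""
    incidents = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dst"] not in decoys:
            continue  # traffic to a real asset: no verdict either way
        inc = incidents.setdefault(
            f["src"], {"attacker": f["src"], "timeline": [], "decoys": set()})
        inc["timeline"].append({"ts": f["ts"], "decoy": f["dst"],
                                "role": decoys[f["dst"]], "port": f["port"]})
        inc["decoys"].add(f["dst"])
    return incidents

def to_siem_events(incidents):
    """Flatten each incident into one JSON line a SIEM can ingest.
    The extracted IOC here is the attacking source address."""
    events = []
    for inc in incidents.values():
        events.append(json.dumps({
            "event_type": "decoy_interaction",
            "ioc_src_ip": inc["attacker"],
            "first_seen": inc["timeline"][0]["ts"],
            "last_seen": inc["timeline"][-1]["ts"],
            "decoys_touched": sorted(inc["decoys"]),
            "steps": inc["timeline"],
        }, sort_keys=True))
    return events
```

Note that the host that only spoke to the real server never appears in the output: the decoy gives a verdict on whoever touches it, not on ordinary traffic.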
The website is extensive and the support options are clearly explained. If you want to get a feel for how TrapX Security works, you can download a free product called Threat Inspector that analyses memory dumps for sophisticated malware. It runs in VMware. We recommend downloading this tool as it not only gives a feel for the quality of TrapX's primary tool but it actually is useful, unlike many free "try-me" tools.