Invented by Johnson Wu, Rajendra A. Gopalakrishna, Sreenivas Gukal, Rammohan Varadarajan, Acalvio Technologies Inc
The increasing number of cyber attacks and the growing sophistication of these attacks have made it imperative for organizations to adopt threat engagement and deception escalation solutions. These solutions enable organizations to detect and respond to cyber threats before they cause any damage. They also help organizations to identify vulnerabilities in their systems and take proactive measures to mitigate them.
The threat engagement and deception escalation market is segmented into various categories, including solutions, services, deployment types, organization sizes, and verticals. The solutions segment is further divided into threat intelligence, threat hunting, threat simulation, and threat response. The services segment includes professional services and managed services. The deployment types segment includes on-premises and cloud-based. The organization sizes segment includes small and medium-sized enterprises (SMEs) and large enterprises. The verticals segment includes banking, financial services, and insurance (BFSI), healthcare, government and defense, IT and telecom, retail, and others.
The BFSI sector is expected to hold the largest market share in the threat engagement and deception escalation market due to the high risk of cyber attacks in this sector. The healthcare sector is also expected to witness significant growth in this market due to the increasing adoption of digital technologies in healthcare.
North America is expected to hold the largest market share in the threat engagement and deception escalation market due to the presence of major players in this region. The Asia-Pacific region is expected to witness significant growth in this market due to the increasing adoption of digital technologies in this region.
Some of the key players in the threat engagement and deception escalation market include Cisco Systems, Inc., FireEye, Inc., IBM Corporation, Palo Alto Networks, Inc., Rapid7, Inc., Symantec Corporation, and Trend Micro Incorporated.
In conclusion, the market for threat engagement and deception escalation is expected to witness significant growth in the coming years due to the increasing number of cyber attacks and the growing sophistication of these attacks. Organizations need to adopt these solutions to protect themselves against cyber threats and to identify vulnerabilities in their systems. The BFSI sector is expected to hold the largest market share in this market, while North America is expected to hold the largest market share in terms of geography.
The Acalvio Technologies Inc invention works as follows
Provided is a method, network device, and computer program products for a deception network system. The network deception can engage with a network threat using a deception and dynamically escalate the deception in order to maintain engagement. The system includes super-low-interaction, low-interaction, and high interaction deceptions. The super-low deceptions are able to respond to address requests and require few computing resources. The system can use a low interaction deception when network traffic directed at the super-low deception needs a more complex response. Low-interaction can mimic multiple devices. This can make the low-interaction appear to be a deception. When the network traffic contains an attempt to connect, the system may initiate a high interaction deception. High-interaction can more closely resemble a network device and be harder to detect as a deception. The high-interaction can engage a threat on a network and can only be activated when needed.
Background for Threat Engagement and Deception Escalation
Provided” are methods including computer-implemented or methods implemented by network devices, devices, including network devices, as well as computer-program-products for network threat engagement, deception escalation, and other related activities. Super-low deception methods can be implemented in various implementations that only require a small amount of computation resources and can respond to simple network packets containing specific Internet Protocol (IP), addresses. If a network threat is suspected to be engaging with a super low deception, it can escalate to an interactive deception. This includes a low interaction deception or high interaction deception. Interactive deceptions are able to better mimic a real computing environment in a network. In some implementations, interactive deceptions are configured to respond to network traffic coming from the network threats, in order for the network threats’ desired intent to be met. It may be possible, in this way, to engage the threat and gain intelligence about it.
A network device can be configured in various ways with a super low deception mechanism. Address information can be included in the super-low deception method, including a Media Access Control address (MAC address) and an Internet Protocol address (IP address). The network device may also be configured to accept network traffic directed at the MAC or IP address. The network device may also be configured to determine whether the network traffic is suspicious. The network device may also be configured to activate an interactive deception system, which involves reassigning address information from address deception to the interactive deception system. The network device may also be configured to redirect network traffic towards the interactive deception system.
In various implementations, a network device can be configured to accept a request directed to an address deception mechanism and to respond to that request using address information.
In various implementations, determining network traffic as suspect involves analyzing the behavior of network traffic and determining whether a particular behavior of network traffic corresponds with behavior associated with an attack on a network.
In some implementations, an interactive deception is a low interaction deception, in which a low interaction deception is configured to respond one or more addresses. In some implementations when the interactive deception is a low interaction deception, the network device can be configured to monitor network traffic and determine whether certain network traffic is suspicious.
In different implementations, a network device can also be configured to initiate a high interaction deception mechanism. Upon launching the network device, the address data can be de-assigned from the low interaction deception mechanism. The address data is then reassigned to the high interaction deception mechanism. The network device may also be configured to send the network traffic in question to the high interaction deception mechanism.
In various implementations, interactive deception is a high interaction deception, where high interaction deception is configured with a specific operating system and certain services.
In some implementations the interactive deception is executed on the network device. In some implementations the interactive deception is executed on another network device.
Network deception devices, also known as “honeypots”, are a common form of network deception. ?honey tokens,? Honey nets and honey tokens are two of the many ways to defend a network from threats. Other methods of protecting a network include distracting the threat or diverting it. Honeypot-type deception devices can be installed on a network to deceive a specific site, like a business office. Honeypot-type mechanisms are usually configured so that they can’t be distinguished from the active production systems within the network. Deception mechanisms of this type are also configured to appear vulnerable and/or attractive to network threats by having data that appears valuable. Deception mechanisms may look like legitimate components of a site network. However, they are not a part of normal network operation and cannot be accessed by normal users. Deception mechanisms are not used or accessed by normal site users. Therefore, they are suspected of being a network threat.
?Normal? Operation of a Network includes, in general, network activity that is consistent with the purpose of the network. Normal or legitimate network activities can include, for example, the operation of an educational institution, a medical facility, a government office or a home. Normal network activity can also include the non-business-related, casual activity of users of a network, such as accessing personal email and visiting websites on personal time, or using network resources for personal use. Normal network activity includes the operation of security devices such as firewalls and anti-virus software, intrusion detection, intrusion prevention, email filters, adware blocking, etc. Normal operations exclude deception mechanisms because they are not meant to be used in casual or business activities. Deceptions are not usually used by network users or network systems, except for perhaps the most basic administrative tasks. “Access to a deception tool, which is not part of routine network administration tasks, can indicate a network threat.
Threats against a network include active attacks where an attacker interacts with or engages systems within the network in order to steal information or harm the network. The attacker can be either a human or an automated system. Active attacks can include denial-of-service (DoS), distributed-denial-of-service (DDoS), spoofing, and “man-in the-middle” attacks. Attacks involving malformed requests to networks (e.g. Address Resolution Protocol (ARP), pinging of death? etc. Other attacks include buffer, heap or stack overflows, format string attacks and others. Malicious software that is self-replicating or self-triggering can be a threat to a network. The malicious software can be innocuous, until it is activated. Once activated, the software will try to steal data from the network or cause harm to the network. Malicious software spreads itself by infecting other computers on a network. Malicious software includes ransomware, viruses and Trojan horses. It also includes spyware, keyloggers, rootkits and rogue software.
In some cases, honeypot deception mechanisms are easily identifiable as decoys. By examining the way a deception device responds to packets, it can be fingerprinted as a fake. A decoy system could be running a Linux OS and presenting a Windows OS to the network. However, the decoy’s response pattern to network packets may reveal that it is a Linux-based computer. Another example is a deception system implemented with a proxy server that presents multiple Internet Protocol (IP), each IP intended to represent a different decoy. The proxy server usually has only one Media Access Control address (MAC), but once an attacker has accessed any of the IP addresses on the network, he may be aware that he found a decoy.
Virtual machines can create more authentic-looking deception mechanisms. Virtual machines are emulated computers that run on the same hardware as a physical computer. A virtual machine executes its operating system which can be different from the one running on the physical computer system. Virtual machines can provide applications that have only access to resources provided by virtual machines. Virtual machines can make all or some of the computer’s resources available to their virtual operating systems and applications. The virtual machine may also present simulated physical resources for its operating system and applications. The physical computer may be able host multiple virtual computers, which share the hardware resources of the physical computer.
A virtual machine that is used to implement a deception mechanism may have a different MAC address in addition to a unique IP address. Multiple virtual machines may be used to create deception mechanisms that are indistinguishable from real systems. Virtual machines require processing resources. Virtual machines can be hosted on a physical machine, but this is usually limited. The number of virtual machines-based deception devices that can be installed on a network could be limited by the available computing resources.
Virtual-machine-based deception mechanism may also be able engage a network attack. Virtual machines can be configured to display data and/or services that are authentic. The attacker will be kept from accessing the real network systems by keeping him engaged. By allowing an attacker to freely use the virtual machine, it is possible to collect information about him, such as his intentions, attack methods, network location and/or identity.
Simpler, less processor-intensive, deception mechanisms may only be able engage an attacker for a brief time. Deceptions that are less processor-intensive, like proxy servers, NAT-based deceptions and servers that emulate services, can attract an attacker’s attention. However, once they begin to investigate these deceptions the attacker will quickly discover that they are just decoys. By exploring the environment created by the deception, an attacker can reveal the true nature of the deception. Deceptions that are less processor-intensive may not be as effective in engaging an attacker at the same level as a real host.
It can be challenging to know which data or services should be configured for a deception. Network threats often target a particular type of system or data and/or seek to exploit a particular vulnerability. It would be possible, if the intent of the threat actor were known, to set up defenses against the actor’s attacks. It would also be possible to create a deception that was a perfect trap for a threat actor.
In general, the exact goal of a threat actor and the way in which he will achieve it cannot be predicted. Deception mechanisms may be configured based on a best-guess at the services or data that would make a good attack target. Even the best threat information may not be enough to predict so-called ‘zero-day’ attacks. Attacks that exploit previously unknown vulnerabilities are called “zero-day” attacks.
A network deception system that dynamically escalates the engagement with a source of threat can be implemented in various implementations. Deception mechanisms can be configured dynamically by the network deception system in response to packets sent from a perceived source of threat. This will make it harder for the threat source to distinguish between real assets and deceptions in a network. It can also be used to keep the source engaged and away. Also, intelligence about the source of the threat can be collected.
In various implementations, a network deception system may include an emulated networking. The emulated network may include one or several very low interaction, network address based deceptions, as well as low interaction deceptions and high interaction deceptions. Low-interaction and network-based deceptions are both effective in attracting and engaging the attention of network threats. The high-interaction trick can keep the attacker involved and contained.
In some implementations, super-low deceptions do not require virtual machines, so they may only require limited processing resources. Low-interaction deceptions may use a virtual computer that can emulate many network devices. When network traffic that is suspicious is received, the network deception system will initiate a low interaction deception. If the network deception receives additional network traffic requiring a more involved engagement the network system can initiate a higher-interaction deception. The communications to the low interaction deception can be redirected thereafter to the high interaction deception. “The high-interaction deception could also be a virtual system, dedicated to convincingly simulating one particular system.
Click here to view the patent on Google Patents.