L A B Y R I N T H

Comparison of two approaches to implementing simulations in Deception solutions: Full OS vs OS/Service emulation

Many IS professionals unequivocally state that Deception systems are a “must-have” part of modern enterprise IS infrastructure. For example, Gartner’s Senior Director Analyst Pete Shoard (https://www.gartner.com/analyst/72567/Pete-Shoard) says: “Deception Should Be Part of Your Threat Detection Strategy”. By deploying Deception-based detection infrastructure across the entire stack, security specialists can achieve effective detection of all cybersecurity attack vectors at all stages of the threat lifecycle. Deception infrastructure equalizes the forces of both sides in the cyberspace stand-off and influences the decision making of cyber criminals, steering them in the wrong direction through delays and disinformation; this helps to understand attack methods and delivers the information needed to determine the adversary’s strategy. Deception also gives security engineers the time required to analyse, identify and eliminate threats that exploit internal vulnerabilities of operating systems and applications.

Key elements of Deception systems are traps and decoys: imitations of real services and clients that engage in active interaction and disguise important resources within the enterprise network by creating ambiguity and uncertainty when perpetrators try to establish situational awareness. Thus far, the most widespread approaches to creating these imitations in Deception systems are Full OS and OS/Service emulation.

In this article we will try to understand the main differences between these approaches and determine their advantages and drawbacks. 

Full OS 

The Full OS approach is based on deploying, within a hypervisor (MS Hyper-V, VMware, KVM, etc.), one or several virtual machines that use sensors on multiple IPs (IP aliases) to support advanced monitoring, which includes detecting activities such as:

  • Running commands within VM 
  • File operations 
  • Inbound/outbound network activity 

The advantages of this trap-creation approach are high scalability and fuss-free imitation of network services and agents. This method is often presented as optimal for creating the most realistic and attractive decoys, while certain inconvenient side effects are left unmentioned:

  • High hardware requirements per one imitated unique system 
  • Complicated deployment and tuning 
  • Ease of system presence detection 
  • Cost of additional OS licenses (OS Windows, Cisco IOS, etc.) 

This approach also makes it difficult to implement simulated web applications / services. In this case, the operator needs to completely clone all the web application modules:

  • Databases, filling them manually with trustworthy data
  • A copy of the middleware software, if necessary
  • The web server (including its configuration)

Additionally, Deception systems that use the Full OS approach require a significant time commitment at the following stages:

  • Deployment of the hypervisor that will host the Deception VMs
  • Installation of the virtual machines that will act as full-OS honeypots
  • Connecting the configured VMs to the Deception system, which acts as the monitoring center and VM manager
  • Setting the parameters of every VM so that it fulfills its Deception functions
  • Creating and spreading breadcrumbs among real hosts

As you can see from this list, even a basic deployment of the system in the enterprise infrastructure requires the IT / IS department to spend far more than one day. Full OS implementation is therefore not suitable for rapid deployment when there is reasonable suspicion that an attacker / insider is present on the company’s network.

Deception systems of this type have a significant drawback: they are easily detected by experienced attackers. For cost optimization, Full OS Deception is typically built using multiple IP addresses (IP aliases), which creates the appearance of many systems with minimal operating system license costs. While scanning the network, an attacker will see multiple nearly identical systems that differ only in their IP and MAC addresses. Some solution providers stress the ability to change the MAC address for every IP alias, but this does not affect the probability of the Full OS imitation being detected: changing the MAC address does not hide the completely identical network service setup, service banners, software versions and SSH fingerprints (in the case of SSH traps).

The situation gets worse if an attacker manages in some way (for example, using an exploit and remote code execution) to get into at least one of the virtual machines of the Deception system. A host with dozens, or more often hundreds, of IP addresses and little or no data of interest to the attacker will be clearly identified as a honeypot.

Another weak point of Full OS Deception systems is the inability to quickly reconfigure the entire Deception network. System operators must spend at least as much time re-configuring the system as was needed to set it up, particularly when custom VMs were created from standard images.

OS/Service emulation 

The OS/Service emulation method is based on creating imitations that recreate particular services or service combinations as separate instances within a single VM. This significantly reduces resource costs compared to the Full OS approach, since there is no need to create a separate VM for every imitation, which in turn allows significantly more unique imitations (honeypots) to be created. Another significant advantage of a service-based Deception solution is the absence of license costs for third-party operating systems.

Such implementations also avoid using multiple IP aliases. Instead, every imitation is a separate instance with a unique set of attributes, which makes it much harder for an attacker to determine the presence of a Deception system inside a company’s network. Every imitation has a unique set of features: IP, open/closed/filtered network ports, set of available services, service versions, hostname, service banners, internal file system, and the list of users who exist within the imitation. Using unique parameters for every imitation makes it nearly impossible for an attacker to detect a Deception system within a company’s infrastructure at the network scanning and reconnaissance stages.
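As an added check covering both points above (the clone-like IP-alias traps described in the Full OS section and the per-instance unique attributes described here), the following script, which is not Labyrinth's code, scores a set of decoy profiles by how many of them a network scan could not tell apart; every IP, hostname, banner and fingerprint in it is a constructed sample value.

```python
"""Added example (not Labyrinth's code): checks whether a set of decoys can
be told apart from one another, the weakness the article ascribes to IP-alias Full OS."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

OBSERVABLE = ("hostname", "open_ports", "banners", "ssh_fingerprint")  # IP/MAC excluded: they differ anyway

@dataclass(frozen=True)
class DecoyProfile:
    ip: str
    mac: str
    hostname: str
    open_ports: tuple      # e.g. (22, 80)
    banners: tuple         # one service banner per open port
    ssh_fingerprint: str   # host key fingerprint presented on port 22

    def observable_key(self) -> str:
        """Digest of everything except IP/MAC: what a scanner would fingerprint."""
        raw = repr([getattr(self, a) for a in OBSERVABLE]).encode()
        return hashlib.sha256(raw).hexdigest()[:16]

def clone_groups(decoys):
    """IP lists of decoys that share their observable key with another decoy."""
    groups = defaultdict(list)
    for d in decoys:
        groups[d.observable_key()].append(d.ip)
    return [ips for ips in groups.values() if len(ips) > 1]

def homogeneity(decoys) -> float:
    """Fraction of decoys that look like a clone: 0.0 all unique, 1.0 all identical."""
    cloned = sum(len(g) for g in clone_groups(decoys))
    return cloned / len(decoys) if decoys else 0.0

def ip_alias_decoys(n: int):
    """Full OS style (constructed values): one VM on n IP aliases, only IP/MAC vary."""
    return [DecoyProfile(f"10.0.0.{10 + i}", f"02:00:00:00:00:{i:02x}", "srv01",
                         (22, 80), ("SSH-2.0-OpenSSH_8.2", "nginx/1.18.0"),
                         "SHA256:constructed-fp-shared") for i in range(n)]

SERVICE_SETS = (((22, 80), ("SSH-2.0-OpenSSH_7.9p1", "Apache/2.4.38")),
                ((22, 445), ("SSH-2.0-OpenSSH_8.4", "SMB 3.1.1")),
                ((21, 22, 443), ("vsFTPd 3.0.3", "SSH-2.0-OpenSSH_8.9", "nginx/1.22")))

def emulated_decoys(n: int):
    """OS/Service emulation style (constructed): own hostname, ports, banners, key."""
    return [DecoyProfile(f"10.0.1.{10 + i}", f"02:00:00:00:01:{i:02x}",
                         f"{('fs', 'db', 'app', 'jump')[i % 4]}-{i:02d}",
                         *SERVICE_SETS[i % len(SERVICE_SETS)],
                         f"SHA256:constructed-fp-{i:03d}") for i in range(n)]
```

Run `homogeneity()` over a real decoy inventory exported from your own deployment to see which traps an operator still needs to diversify before they go live.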

In addition, imitating services on separate instances is more flexible, both in the speed of deploying the system in the enterprise infrastructure and in the speed of reconfiguring all previously generated imitations.

Conclusions 

Deception systems were initially created on the premise that software of this class must be deployable rapidly by an engineer without special training (or even by someone who is not an engineer). Company management, when faced with the possibility of an insider/attacker presence, cannot wait while IS/IT professionals read through hundreds of pages of manuals or figure out the features of an overloaded interface. Precious time cannot be wasted on numerous VM setups or on waiting until the necessary additional licenses are purchased. Deception systems must be deployed within one day, including the time needed to create quality web service/application imitations, and must immediately increase “visibility” inside the company’s infrastructure.

Therefore, when choosing a Deception solution, it is crucial to pay attention to the approach the manufacturer uses to implement traps and decoys. This choice determines how effective the solution will be, what the maintenance costs will be, and how much time and effort will be spent on implementation and maintenance.