Acalvio ShadowPlex Overview and Demo
Good day, and thank you for joining in this video. Let me take you through a presentation and demo of Acalvio's ShadowPlex. First, a little bit of background on cyber deception. Back in the day we had emulation-based honeypots, which were essentially a software you could install onto a server. As an example, these honeypots could help detect and alert against port scan attempts or requests on unexpected ports, which were useful, but these solutions could not engage with an attacker and identify the motives or collect forensics. Organizations then felt the need for honeypots that not just detected but also interacted with the threat, hence the creation of honeypots offering depth of interaction. These honeypots were deployed as honeynets, a complex network of honeypots distributed in the enterprise's network. The good thing about these systems was that they offered better forensics capture than their earlier form, but there were drawbacks associated with these systems. First, these systems were standalone and offered no centralized management, which meant deployment and maintenance of these systems caused a lot of admin overhead. From a security perspective there were causes for concern, as these systems did not offer containment: an attacker dwelling inside a honeypot could use the system as a pivoting platform to target other assets in the production network. This led to the creation of deception 1.0, which focused on providing the technology as a managed service. You could approach a vendor offering deception 1.0 and purchase an appliance; the appliance then packed a certain number of virtual machines, where each VM had a lot of monitoring tools and was designed to work like a honeypot. There were issues related to scalability, meaning these enterprises had to purchase a lot of such appliances to reach the number of deceptive artifacts required to deploy the best practices of deception.

Enter ShadowPlex. Acalvio uses AI and machine learning in ShadowPlex to ensure it takes the minimum of human intervention to deploy thousands of deceptive artifacts in an organization. The advanced containment based on software-defined networking ensured the adversary would not be able to pivot and launch attacks against a production environment from a ShadowPlex decoy.

Let's look at the value addition ShadowPlex provides once it's deployed into the enterprise, and let's start with visibility. ShadowPlex provides visibility into an enterprise from the eyes of an attacker, helping our customers understand the assets an attacker could target once they are in the network. We use the visibility component for three major reasons: first, it helps our customers reduce the attack surface inside the enterprise; second, we use the visibility gathered to blend deceptions in; and third, we use the visibility gathered to create attack paths, which is a graphical representation of how an attacker can move within the enterprise, helping our customers remediate the possibility of an attack before it occurs. In the detect part, ShadowPlex provides high-fidelity and low-volume alerts. This is based on a simple principle: nobody in the organization must interact with a fake asset to get a job done. If there is any sort of an interaction on a decoy in ShadowPlex, high-fidelity alerts are provided in real time for analysis. ShadowPlex provides the capability to interact with the threat to collect the TTPs (tactics, techniques and procedures) of the attacker, the tools they use and valuable forensics for further analysis. ShadowPlex can be used to ferret out latent threats, a hidden APT or a dormant malware as an example; they may be dormant at this point in time because they have not got an opportunity to rise up and act in their malicious campaign. ShadowPlex can provide that fake opportunity to further interact and collect forensics. On the response side of things, ShadowPlex can quarantine or isolate the endpoint sending us attack traffic. ShadowPlex also provides advanced containment features through software-defined networking, which ensures the attacker is contained within the decoy and does not cause harm to the production network.

To achieve what we've discussed in the previous slide, ShadowPlex uses a combination of deceptive artifacts. Decoys are the fake entities that can be distributed within an enterprise; regardless of the type of workloads the customer is running, ShadowPlex can distribute deceptions into cloud workloads, on-premise IT workloads or into an OT environment. Our customers could also extend the palette of deception through custom image uploads: proprietary or custom applications from the customer can be deployed as decoys, requiring only a VM snapshot uploaded to ShadowPlex. Breadcrumbs are pieces of information that would lead an attacker to a decoy; think about breadcrumbs as clues we leave in a real system that point to decoys. Examples of breadcrumbs are user profiles like RDP, SSH, browser cache, or memory credentials that are injected into the LSASS memory of the real system. Baits are tripwires or self-contained deceptions distributed in a real system that would raise an alert when an attacker interacts with them. One example of a bait is a beaconing document, which can be distributed in areas where confidential or sensitive information is stored; if an attacker attempts at exfiltrating this file and opens it from their command and control center, an alert is raised revealing the location of the attacker. Lures make all three of these deceptive artifacts more attractive. In the case of a decoy, imagine making it vulnerable, or misconfiguring it, or enabling ease of access by setting default or weak credentials. Anything that makes a deceptive artifact more attractive than a real system, enticing the attacker into choosing a deception instead of a real system, is what we achieve through the process of luring. All of these deceptive artifacts can be fully deployed from our autonomous platform, where we ensure that it takes the minimum of human intervention to deploy best practices of deception.

Now let's talk about the architecture. ShadowPlex is a two-component solution. On the right of your screen there's the Acalvio Deception Center, or ADC in short. The ADC is regarded as the brain of the solution and houses the management UI of ShadowPlex, the threat analysis engine and the AI engine. It also has a variety of virtual machines which act as anchoring points for our decoys. The ADC can be deployed from the cloud, either Acalvio's SaaS center or from the customer's cloud. If the ADC is regarded as the brain of the solution, the sensor here is the eye of the solution, providing visibility into the intended segments within an enterprise. From a form factor perspective, the sensor can be a hardware appliance, a VM deployed in a hypervisor like ESXi, or, if you're protecting a cloud workload, the sensor can be a cloud-native asset like an EC2 instance for AWS workloads. Once the sensor is deployed, ShadowPlex gains visibility into the network through the automated discovery scan. ShadowPlex can also use integrations with Active Directory or EDR solutions as additional sources to enhance this discovery information. This helps identify the different operating systems running, the services that are active, and the host naming conventions, so we could blend our deceptions into the network: a decoy is not going to look any different from a real system in terms of having similar host naming conventions, services active and similar operating systems.

To talk about the advantages of ShadowPlex's patented architecture, let's start off with the flexibility and hybrid protection we offer. We're flexible because regardless of the kind of workloads that we are protecting, be it in the cloud, a traditional IT on-premise workload or even an OT network, we can extend deceptions to all of these different workloads. That's because our devices are compatible everywhere and we've got an inbuilt deception palette that can be deployed. The second point here is the hybrid protection to workloads, because you do not require separate ADCs for multiple types of workloads; all you require is a centralized Acalvio Deception Center and we can distribute deceptions to your cloud workloads and on-premise workloads and even OT environments. So what's in it for the customer here? First of all, the ease of deployment: it's all available from one centralized management UI with full functionality. And the fact that we require fewer instances or appliances, because you only need a centralized ADC, brings about cost effectiveness.

ShadowPlex uses 25 patents of Acalvio in order to function, and let's talk about one of them, which is called Reflections. Reflections ensures that we could have a single anchoring VM inside the ADC projected on a scale of one to many, so the Windows server here could be the anchoring point for multiple SQL databases, web servers, and so on and so forth. So this gives the much required scalability in terms of deploying thousands of deceptive artifacts onto your network. The second point is we're also bringing about cost effectiveness, because you do not have to license each and every one of our deceptive artifacts deployed; you only need to license a seed VM and have all of these deployed fully licensed. We're also agentless, which means there is no administration overhead in terms of deploying those thousands of agents to those different endpoints. We are not introducing a new attack surface, because every time you introduce an agent to an endpoint it increases the attack surface, because agents run with a lot of permissions which the attacker can use for process injections or privilege escalations and any of those. ShadowPlex is also a faster implementation, because that whole phase where we have the agents deployed and monitored for functionality is basically cut off.

Before we move to the demo, let's take a quick look at the setup here. So we've got this organization that's being protected by ShadowPlex, and we've got an on-premise workload which contains three different networks here, each representing a user network, server and DMZ. We also have an Azure cloud workload that's associated with it, also having three separate networks here. There are two sensors that are deployed to provide visibility to both of these workloads, and the sensors are connected to the Acalvio Deception Center, which is essentially running in Acalvio's SaaS, and the management UI that you're about to witness would be hosted inside the Acalvio Deception Center.

Moving on to the demo now. So let's start off with the hierarchy of the solution. All the way at the top you see the Acalvio Deception Center; so, as previously stated, the management UI of the solution is also built into the ADC itself. Inside the ADC you've got this logical component called a site. A site here could represent a data center, or a city of operation, or multiple varieties of workloads. Each site would require a sensor to provide visibility, and each sensor would have visibility to multiple different VLANs. So if you select the site and the sensor, you'd be able to see all of those VLANs that are currently added in ShadowPlex. ShadowPlex is a two-step program, where step number one is about adding all of those VLANs where you intend to deploy deception into, and step number two is about automating deception deployment through the concept of a playbook. So let's move there.

A playbook can be defined as a collection of deceptive artifacts (decoys, breadcrumbs, baits and lures) which are packaged with an intent in mind. Now that intent could be for user environment protection, or Active Directory protection, or for key asset protection; it could be any of them. But from the customer's perspective all that is required is two clicks, meaning clicking on Actions here and importing the playbook file, and you'll have the playbook ready in front of you. But from a design perspective by Acalvio, careful thought goes into the creation of each and every one of our playbooks. For instance, we take into account the kind of vertical that the customer belongs to, the workloads that we are protecting, the type of key assets that are part of those workloads, and the threat groups that might be targeting this customer. So each of our playbooks is unique and custom created for each of our customers and their workloads. But that being said, it's extremely simple to create or tweak a playbook, so let me show you an example here. If I need to introduce another decoy which is a server type, all that is required is to drag and drop the server icon here, click on this drop-down and multi-select all of those different operating systems that are required. We could choose between Windows, Linux, Solaris and AIX. We would also be able to choose the interaction type of the decoys. ShadowPlex offers multiple interaction types of low, medium and high, and it's a patent of Acalvio that lets us do this, which is called fluid deception.

So let me take a moment here and explain what fluid deception is. Fluid deception is a patent of Acalvio wherein we ensure that at time 0, when there is no interaction happening on any of our decoys, all of these decoys are dormant, or consuming zero resources, or embryonic, or in sleep mode, let's say. Now when there is any sort of an interaction on a decoy, typically we find that attackers would start off with some sort of a light request like ARP, ping or ICMP-based requests, so we do not immediately wake the decoy up from its dormant state and then make it a high-interaction decoy. We instead move it to something called low-interaction mode, wherein it can respond back to these lightweight requests that are coming in. Now we find that the request or the interaction has progressed further and it requires more intelligence on these decoys to respond back; that's when we move it from low to a medium interaction. And when we find that the interaction has progressed all the way further and we require full depth of interaction to be provided to the attacker, that's when we move it from a medium to a high-interaction state, wherein it can respond back to all sorts of incoming requests from the attacker. If I were to play out this slide, let's say the attacker is sitting on A2, and if there is any sort of a lateral movement to a projected deception of A3, then it's deflected to the sensor and hooked up on a VM inside the ADC, wherein the interaction state depends on the level of interaction that is required in order to respond back to the attacker.

ShadowPlex's decoys can be fully customized in terms of having custom host names, usernames and passwords. So, for instance, if you select system-generated host names, what that essentially means is we would look at the existing set of host naming conventions and use the same on our decoys as well; it requires zero human intervention in order to achieve this. We could also tweak the content that is placed on these decoys. So if you select upload data, for instance, then you can upload a bunch of fake folders and files onto the share decoy here in order to be delivered out, and if you select system generated, ShadowPlex provides a curated set of contents depending on the different types of VLANs that we normally find in an enterprise, like engineering or finance or sales VLANs for example, and you can have those populated as well. Once you go ahead and click on Apply Changes, this playbook would be ready for deployment, and with a single click of a button we can have this playbook associated to several different VLANs, where we ensure that it's the best practices of deception that get deployed to each and every one of these VLANs.

So once you have a playbook associated into a VLAN, that's when we can start seeing decoys appearing, and in Deception Mesh we'd be able to track the entire deployment. So up here you see the sites, and we also have the VLANs or the subnet information here. Once you go and click on this user VLAN, for example, it takes you straight into this deception farm, where it shows you all the different types of decoys that exist, including what the host names are and the other attributes that are associated with this decoy. The Endpoints tab will keep track of all the different real assets that are part of this network, and we also have an Endpoint Deceptions tab which will keep track of all the real endpoints with endpoint deceptions, essentially breadcrumbs and baits, that are deployed onto them. So we'd be able to understand the host names of those real endpoints and the type of breadcrumbs that are placed. This is fully interactive, so you can click through and understand what the types of breadcrumbs are and where they are pointing to.

Once you have the deception mesh ready, you can monitor for all the incidents on this screen here. So we've got a timeline view at the top and a tabular view at the bottom. We also have a slider with which we could either have more events populated on screen, or slide it to an area where we look for all sorts of incidents that are captured during that particular time frame. So if you hover on top of an incident, it will tell you the minimum that you need to know; further details are provided in this tabular column, and you do not have to open up an incident to understand the phase in the kill chain the attacker is basically at, because that's available right here and it would show under the tactics. So if you want to quickly understand what phase in the kill chain the attacker is basically at, that's available here. Once you click on the info button, it takes you to the screen where it shows you where the attack is coming from and what's the port of interaction. It also keeps track of the credentials that the attacker is using, so here you'd be able to understand if the attacker is more informed, meaning they are using names of the employees or employee codes because they've done social engineering, or could be a malicious insider, a disgruntled employee, or is this more of an attacker trying to search in the dark using native or generic usernames and passwords like root or admin to gain access to it. We would keep track of all the files that are currently used or modified inside the decoy, so you could click on this radio button and detonate it with an integrated sandbox, or even export it to a location where you can look for a known strain of malware inside it. We would also keep track of pcap captures and Zeek logs, which are essentially network-level logs, and indicators of compromise in multiple different formats.

The host intrusion detection system of ShadowPlex shows you the entire incident in three different data analytics models. So we're going to start off with Cameras here, which will show you all the network connections and the process events; it also comes with a key logger that will capture all the different keystrokes that the adversary is typing in. All of this raw data is filtered through our AI algorithms and we show you a Notables screen, which shows a crisp and concise form of representation of what the attacker has done in the decoy. So this is a SOC-friendly form of representation, because it takes very minimal time to quickly read through and understand what the attacker has done within the decoy. In addition to that, these mini screens represent MITRE tactics, so if you're interested in seeing why ShadowPlex thinks it's a host reconnaissance, you could just click on the info button and we'll tell you these are the different commands that have been executed in order to perform host reconnaissance in this decoy. Sometimes a SOC analyst would like to see this view, which is more like incident by incident; in some other instances it should be like a comprehensive form of representation or view, and that's what we address using link analysis. So here it shows you attacker movements in the entire network. You could also filter a time frame, so if you provide a start date here, let's say we go back a few months here and all the way till today, it shows you the entire site and the attacker movements in it. And in this screen you could zoom in, you could pan if you'd like to look at it from another angle, and you could play it and it shows you actual adversary movements in the network. It's fully aimed at providing situational awareness for you: where is the attacker at this point in time, in what direction is the attacker moving, and what's the proximity of a critical asset to where the attacker is at this point in time. All of this would be understood in the screen.

Now the question is what do we do with this information. So there are a few remediation steps that you can take within the product itself. So moving on to the threat investigation screen: you could deploy decoys from the playbook, and you could also deploy them from the threat investigation screen. The difference is the playbook is built for scale; you want to strategize deception at one place and have that associated enterprise-wide, and like I said it's fully manufactured, or it's used, for scalability. Here it's more for precision. So if you want to surgically place a decoy at a particular segment within your network for a certain reason, that reason could be hypothesis confirmation: you saw something in your third-party solution and you want to have a decoy deployed in order to interact with the threat and gain more information. Or it could be that in link analysis you saw how the attacker is progressing in the network and you want to put decoys in the path of the adversary and slow them down, or inject breadcrumbs onto a system that they are sitting on at this point in time so that they are moved, or you facilitate that movement of the adversary onto a decoy where you make them waste their time, and at the same time you're buying time for your defense team to remediate this situation.

ShadowPlex can also export actionable intelligence that we gather onto several different types of third-party solutions. SIEM solutions, for example, can benefit; our SOC centers can benefit from the high-fidelity alerts that we are exporting, and the SOC essentially does not have to go after false positives generated by other solutions, because they can center or anchor their threat hunting or research on that particular alert that ShadowPlex is delivering. We could also integrate with other third-party solutions: SOAR platforms, where we can be part of orchestration platforms, and EDR solutions, where we could use agents of an EDR to distribute endpoint deceptions. We could also use an EDR solution to enhance our discovery data, and we could also use the sandbox of the EDR for detonating captured files as well. So that's a quick overview of ShadowPlex. Thank you for your time.
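The fluid deception escalation described in the talk (dormant decoy woken to low, medium or high interaction only as far as the observed requests require), as an added simulation that is not Acalvio's code; the event names, the required-mode table and the idle reset are assumptions made for illustration.

```python
"""Simulation of the fluid-deception escalation described in the talk.

Added example, not Acalvio code: a decoy starts DORMANT (no resources) and
is promoted LOW -> MEDIUM -> HIGH only as far as the observed interaction
requires. Event names, the required-mode table and the idle reset are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum

class Mode(IntEnum):
    DORMANT = 0   # time 0: nothing has touched the decoy, zero resources
    LOW = 1       # lightweight responder for ARP/ICMP style probes
    MEDIUM = 2    # protocol-aware responder (TCP connect, service banners)
    HIGH = 3      # full VM behind the sensor answers everything

# Assumed: the depth of interaction each kind of request needs.
REQUIRED_MODE = {
    "arp": Mode.LOW,
    "icmp": Mode.LOW,
    "tcp_syn": Mode.MEDIUM,
    "banner": Mode.MEDIUM,
    "auth": Mode.HIGH,
    "session": Mode.HIGH,
}

@dataclass
class Decoy:
    name: str
    mode: Mode = Mode.DORMANT
    alerts: list = field(default_factory=list)

    def observe(self, src_ip: str, event: str) -> Mode:
        """Handle one request. Every touch is alert-worthy because no real
        user has a reason to contact a fake asset; escalate only if needed."""
        required = REQUIRED_MODE.get(event)
        if required is None:
            raise ValueError(f"unknown event type: {event}")
        self.alerts.append((src_ip, event, self.mode.name))  # mode before the touch
        if required > self.mode:
            self.mode = required
        return self.mode

    def idle(self) -> Mode:
        """Assumed: once the session ends the decoy returns to DORMANT."""
        self.mode = Mode.DORMANT
        return self.mode

def replay(decoy: Decoy, events: list) -> list:
    """Feed (src, event) pairs in order; return the mode after each one."""
    return [decoy.observe(src, ev) for src, ev in events]

def woken(decoys: list) -> int:
    """How many projected decoys currently consume resources."""
    return sum(1 for d in decoys if d.mode > Mode.DORMANT)

# Constructed sample: lateral movement from host A2 toward projected decoy A3.
SAMPLE_EVENTS = [
    ("A2", "arp"), ("A2", "icmp"), ("A2", "tcp_syn"),
    ("A2", "banner"), ("A2", "auth"), ("A2", "session"),
]

if __name__ == "__main__":
    fleet = [Decoy(f"decoy-{i}") for i in range(1000)]  # 1000 projected, all dormant
    trail = replay(fleet[2], SAMPLE_EVENTS)
    print([m.name for m in trail], "woken:", woken(fleet))
```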
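The incident triage shown on the info screen (every decoy touch is an incident; the credentials used tell you whether the attacker is informed, using employee names or codes, or searching in the dark with root/admin style accounts), as an added example that is not Acalvio's code; the log line layout, the employee directory and the generic-account list are constructed assumptions.

```python
"""Triage of decoy interaction records as shown on the incident screen.

Added example, not Acalvio code. The log line format, the employee directory
and the generic-credential list are constructed assumptions for illustration.
"""
from collections import Counter

# Assumed: accounts an uninformed attacker "searching in the dark" would try.
GENERIC_USERS = {"root", "admin", "administrator", "guest", "test", "sa"}

# Constructed sample: real employee logins and employee codes from a directory export.
EMPLOYEES = {"jsmith", "apatel", "E10432", "E10577"}

# Constructed sample decoy events; the key=value layout is an assumption.
SAMPLE_LOG = """\
2022-12-27T03:31:02Z decoy=fs-eng-07 src=10.20.1.15 proto=smb port=445 user=admin result=fail
2022-12-27T03:31:05Z decoy=fs-eng-07 src=10.20.1.15 proto=smb port=445 user=root result=fail
2022-12-27T03:31:09Z decoy=fs-eng-07 src=10.20.1.15 proto=ssh port=22 user=admin result=fail
2022-12-27T03:40:41Z decoy=db-fin-03 src=10.20.2.88 proto=rdp port=3389 user=jsmith result=fail
2022-12-27T03:40:50Z decoy=db-fin-03 src=10.20.2.88 proto=rdp port=3389 user=E10432 result=success
"""

def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a record."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    return rec

def credential_profile(users, employees=EMPLOYEES, generic=GENERIC_USERS) -> str:
    """'informed': real employee names/codes (social engineering or insider);
    'generic': only default/native accounts; 'mixed': both; else 'unknown'."""
    seen = set(users)
    informed, generic_hits = seen & employees, seen & generic
    if informed and generic_hits:
        return "mixed"
    if informed:
        return "informed"
    if generic_hits:
        return "generic"
    return "unknown"

def triage(log_text: str, employees=EMPLOYEES) -> dict:
    """Group decoy touches by attacking source. Every touch is an incident
    because no legitimate workflow involves a fake asset."""
    incidents = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        inc = incidents.setdefault(rec["src"], {
            "first_seen": rec["ts"], "decoys": set(), "ports": set(),
            "users": [], "success": False,
        })
        inc["decoys"].add(rec["decoy"])
        inc["ports"].add(int(rec["port"]))
        inc["users"].append(rec["user"])
        inc["success"] = inc["success"] or rec["result"] == "success"
    for inc in incidents.values():
        inc["profile"] = credential_profile(inc["users"], employees)
        inc["top_users"] = Counter(inc["users"]).most_common(3)
    return incidents

if __name__ == "__main__":
    for src, inc in triage(SAMPLE_LOG).items():
        print(src, inc["profile"], sorted(inc["ports"]), inc["success"])
```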
2022-12-27 03:31