Deception is quickly emerging as one of the most innovative and effective ways to protect a network. It’s an idea that occupies a sensible middle ground in the spectrum of cybersecurity tactics. Instead of merely reacting to an attack in progress, or aggressively “hacking back”, deception allows enterprises to protect themselves by diverting the attack into a walled off zone. When attackers try to use harvested credentials to infiltrate a network, they’re actually being examined and identified.
Implementing deception technology requires the creation of a network that appears real enough to fool attackers. Generating the appropriate level of credibility usually means mixing real network data with markers which allow security administrators to discover and track malicious actors. At a practical level, that requires a certain level of coordination between the security teams implementing deception technology and the network teams which control the network architecture.
The general rule of thumb for deception is that the less people know about it, the better. Since attacks from insiders are a constant challenge, it’s important that knowledge of deception technology is limited to a small group of administrators. The need for network resources to build out a realistic-looking environment unfortunately runs counter to this goal.
The illusion of the real
Illusive’s ersatz networks deploy on endpoints and strategic intersections of network activity. In these places, Illusive will associate a real IP address with a fake Active Directory profile. If a malicious actor sends a DNS query to the deceptive IP address, the query will be directed to a trap server, which then produces a notification for the security team.
Ordinarily, Illusive needs help from the network team to build out these connections. For every endpoint or strategic juncture they protect, they have to request an IP address from the network teams. That’s usually a manual process – one which slows down deployments and prevents timely expansion to newer areas of the network. Even worse, it involves notifying the network team when and where Illusive’s technology is deployed – hardly an ideal situation.
The automation factor
Using BlueCat’s Adaptive DNS platform, Illusive takes advantage of automated IP address provisioning to speed up deployments and minimize the number of administrators who are aware that deception is in use.
Reaching into the single source of truth for IPAM data, Illusive uses BlueCat’s API to automatically provision IP addresses for use in creating deceptive environments. Network administrators know that an IP address is assigned, and ultimately regulate the pool those addresses come from – an essential control which prevents duplicate assignments and network outages. At the same time, network administrators aren’t tipped off to how the IP address will be used, limiting the scope of knowledge to essential personnel only.
By integrating with BlueCat’s Adaptive DNS on the back end, Illusive makes its own deployments more dynamic, flexible, and reliable. It can spin up or wind down deception on the fly, without the need to constantly submit help desk tickets to the network team. Illusive’s customers in turn are ensured that every IP address used for deception won’t cause a devastating network conflict.
How to get it
Illusive’s integration with BlueCat is available now. You can access it within the Illusive solution, either from the dashboard or through the API repository. There you’ll find all the details about how to connect the two platforms.
Critical conversations on critical infrastructure
Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.
Cloud DNS: Benefits and obstacles for hybrid networks
Unsure about cloud DNS services and hybrid-cloud enterprises? Learn more with BlueCat, including why it isn’t so simple for managing networks.
Customer situation brief on SUNBURST/Solorigate
Learn more about the attack via the SolarWinds Orion platform and how BlueCat products use DNS to help protect customers against compromises like it.
Sync ServiceNow tickets and IPAM with CMDB Plug-In
With BlueCat’s ServiceNow Configuration Management Database, admins can break the silos between ServiceNow and IPAM to improve IT ticket fulfillment.
On the road to platform hardening, consider a STIG
Security Technical Implementation Guides standardize security configuration on networks, servers, and devices. BlueCat uses them and you can, too.