PacketViper Strategy for Using Unified Multi-Layer Deception for your Network Security

Download Technical Bulletin

Introduction to PacketViper's Multifaceted Deception Strategy

In today's complex cybersecurity landscape, the challenges are many and varied. Organizations must not only contend with increasingly sophisticated cyber threats, but also face the limitations of traditional security mechanisms, such as firewalls, intrusion detection systems, intrusion prevention systems, and SIEM tool event correlation to improve real-time visibility and defense. These mechanisms, often reactive in nature, lack the proactive capabilities needed to effectively counter modern cyber adversaries. This is where PacketViper's multi-layered approach to network security becomes valuable. PacketViper's strategy does not merely construct higher walls, rather, it creates a dynamic, responsive, and intelligent defense ecosystem. At the core of this ecosystem are three pivotal deceptive components: Sensors, Deceptive Responders, and Deceptive Transmitters. Each serves a unique function. When combined, they offer an unparalleled level of security.  

Sensors, Deceptive Responders, and Deceptive Transmitters

  • Sensors act as the vigilant eyes and ears of the network, continuously monitoring traffic to identify and flag anomalies.
  • Deceptive Responders go beyond mere detection. They actively engage with threat actors, respond to requests, immediately enable containment mechanisms and blacklist offending assets to stop the threat, while simultaneously alerting security teams to the action taken for further remediation. 
  • Deceptive Transmitters inject another layer of deception, mimicking legitimate network services to further confuse and entrap would-be attackers.

This bulletin aims to provide an overview of how these components work separately and together to enhance security. It will explore their advanced capabilities, strategic advantages, and how these components contribute to PacketViper's deception strategy — a holistic approach to detect, deceive, and deter cyber adversaries.

Deep Dive into Components

The Role and Advanced Capabilities of PacketViper's Network Sensors

Network Sensors, or network flows, serve as ears for the cybersecurity infrastructure. They monitor network traffic to identify anomalous behavior indicative of potential threats. When integrated with PacketViper's Deceptive Responders, these sensors become a formidable line of defense, capable of both detecting and containing adversarial activities in real time, providing valuable time for the network security team to remediate. 

PacketViper's sensors enable native prevention and response functionalities that set them apart from other deception platforms. They can trigger a range of actions in response to events, utilizing Deceptive Responders, enabling dynamic traffic control and effective threat containment.

Sensors can perform various actions upon event detection
Context Analysis and Threat-Characterization
  • Evaluate based on multiple layers of context, including country, business, time, protocol, port, source, and destination
Auditing and Recording
  • Log the event for further analysis
  • Send mail notifications based on the event
  • Send SMS alerts in real-time
  • Send event details to PacketViper’s AlertBox tool
  • Generate custom blacklist and containment rules based on the event source
Traffic Throttling
  • Throttle offending traffic volume when it exceeds specified rates
PacketViper Deceptive Transmitters: Entrapping Cyber Adversaries with Deceptive Network Traffic

PacketViper Deceptive Transmitters ensnare cyber adversaries by using real traffic to deceive them. Deceptive Transmitters entrap attackers who are sniffing out network traffic in search of vulnerabilities. With Deceptive Transmitters, attackers are not just detected; they are immediately added to the blacklist or containment mechanisms to stop the threat, while simultaneously alerting security teams to the action taken for further remediation. 

How Deceptive Transmitters Work:

False Network Traffic:
  • This staged traffic is designed to attract the attention of lurking adversaries without disrupting legitimate network connections.
  • Deceptive Transmitters replay deceptive network traffic between the Control and Management Unit (CMU) and the Remote Security Units (RSU).
Utilizing PCAP Files:
  • Deceptive Transmitters operate using PCAP (Packet Capture) files that emulate device-specific network activity.
  • These captures are pre-loaded with misleading information, making the deceptive traffic appear genuine and enticing to thrat actors.
Custom Capture for Enhanced Deception:
  • Deceptive Transmitters can use packet captures simulated to authentic non-sensitive traffic to add another layer of authenticity. 
  • By blending genuine traffic patterns with deceptive elements, Deceptive Transmitters make it even more challenging for attackers to discern the trap if they gain network traffic access. 
Active Defense Mechanism:
  • The network traffic utilized by Deceptive Transmitters deceives deeply embedded threats into believing that new and/or additional assets are now part of the network.
  • Any interaction with a Deceptive Transmitter will result in an immediate defensive containment or blacklist response to the threat, alerts the security team of the event, and can eliminate further lateral movement if Packetiper is integrated into the switch fabric. The threat is stopped in place providing time for the security team to respond.
PacketViper Deceptive Responders: A Dual-Layered Approach to Network Deception

PacketViper's Deceptive Responders are not just a security feature; they are a component of a comprehensive strategy. Designed to operate both internally and externally, these agentless, lightweight, software-based tools offer real-time, wire-speed actions that fortify the network's security posture.

Internal Deceptive Responders: Zeroing in on Lateral Movement

Automated Threat Containment:
  • Detects and contains threats moving laterally within the network, without false positive results.
  • Automatically prevents data exfiltration and blocks command and control communications.
  • Creates time for the security team to remediate the impacted asset. 
Dynamic Monitoring:
  • Monitors network behavior outside of pre-approved operating ranges and takes immediate action upon detection.

External Deceptive Responders:
Fortifying the Network Perimeter

Dynamic Perimeter Defense:
  • Creates a moving target at the network edge by automating the timing and nature of deceptive responses to suspicious and malicious network requests.
  • Adds complexity to the network, making it difficult for adversaries to assess vulnerabilities.

PacketViper Strategy for Using Unified Multi-Layer Deception for your Network Security

Holistic Coverage:
  • Offers both east-west (internal) and north-south (external) detection capabilities.
  • Provides a unified approach to deception, covering all bases.

Key Characteristics

  • All PacketViper deceptive elements are projected from the PacketViper instance into a network segment.
  • No need for additional infrastructure, software, external devices, or agents.
  • Enables deceptive saturation in network segments with no cost impact.
Responsive Actions:

Once engaged, PacketViper deceptive deployments take automated actions such as responding to requests, blocking, blacklisting, throttling the source, containing internal threats, generating real-time alerts, and capturing log data

Light-weight Approach:
  • Designed to be believable enough to engage potential attackers early in the cyber kill-chain.
  • Resists Attacker Network Fingerprinting and advanced probing techniques, by disabling the attacker on contact.
  • Customization:Deceptive Responders can be customized to create enticing and varied responses, adding another layer of complexity for attackers.

Conclusion and Key Takeaways

A Unified Strategy for Holistic Coverage

PacketViper's Deception360 strategy offers a unified approach to deception, providing both internal and external detection capabilities. It's not just about detecting threats; PacketViper deceptive elements engage with intruders, respond to requests, and immediately add offending assets to blacklist or containment mechanisms to stop the threat, while simultaneously alerting security teams to the action taken for further remediation. 

Key Characteristics:
What Sets PacketViper Apart
  • Self-contained: No additional infrastructure needed.
  • Responsive Actions: Real-time, automated actions upon engagement.
  • Light-weight Approach: Just enough to engage attackers early in the cyber kill-chain.
  • Easily tailored for added believability.
Final Thoughts

acketViper's multi-layered deception strategy uses the attacker’s best offensive weapon against them, by leveraging easy-to-use and customizable deceptive capabilities at every layer in the network. By integrating Sensors, Deceptive Transmitters, and Deceptive Responders, PacketViper actively blacklists and contains threats, providing a comprehensive and proactive approach to network security.