Unifying Network Security: A Guide to PacketViper's Multi-Layered Deception Enabled Network Security Strategy

November 14, 2023
Download Technical Bulletin

Introduction to PacketViper's Multifaceted Deception Strategy

In today's complex cybersecurity landscape, the challenges are many and varied. Organizations must not only contend with increasingly sophisticated cyber threats, but also face the limitations of traditional security mechanisms. These mechanisms, often reactive in nature, lack the proactive capabilities needed to effectively counter modern cyber adversaries. This is where PacketViper's multi-layered approach to network security becomes valuable. PacketViper's strategy does not merely construct higher walls, rather, it creates a dynamic, responsive, and intelligent defense ecosystem. At the core of this ecosystem are three pivotal deceptive components: Sensors, Deceptive Responders, and Sirens. Each serves a unique function. When combined, they offer an unparalleled level of security:

  • Sensors act as the vigilant eyes and ears of the network, continuously monitoring traffic to identify and flag anomalies.
  • Deceptive Responders go beyond mere detection. They engage with intruders, respond to requests, and immediately add offending assets to blacklist or containment mechanisms to stop the threat, while simultaneously alerting security teams to the action taken for further remediation. 
  • Sirens add another layer of deception, mimicking legitimate network services to further confuse and entrap would-be attackers.

This bulletin aims to provide an overview of how these components work separately and together to enhance security. It will explore their advanced capabilities, strategic advantages, and how these components contribute to PacketViper's deception strategy — a holistic approach to detect, deceive, and deter cyber adversaries.

Deep Dive into Components

Section 1 -  The Role and Advanced Capabilities of PacketViper's Network Sensors

Network Sensors, or network listeners, serve as ears for the cybersecurity infrastructure. They monitor network traffic to identify anomalous behavior indicative of potential threats. When integrated with PacketViper's Deceptive Responders, these sensors become a formidable line of defense, capable of both detecting and containing adversarial activities in real time, providing valuable time for the network security team to remediate. 

PacketViper's sensors enable native prevention and response functionalities that set them apart from other deception platforms. They can trigger a range of actions in response to events, utilizing Deceptive Responders, enabling dynamic traffic control and effective threat containment.

Sensors can perform various actions upon event detection
  • Evaluate based on multiple layers of context, including country, business, time, protocol, port, source, and destination
  • Log the event for further analysis
  • Send mail notifications based on the event
  • Send SMS alerts in real-time
  • Send event details to PacketViper’s AlertBox tool
  • Generate custom blacklist and containment rules based on the event source
  • Throttle offending traffic volume when it exceeds specified rates
Section 2 - PacketViper Sirens: Entrapping Cyber Adversaries with Deceptive Network Traffic

Drawing parallels from ancient mythology, where sirens lured sailors to their doom, PacketViper sirens ensnare cyber adversaries by using real traffic to deceive them. Sirens entrap attackers who are sniffing out network traffic in search of vulnerabilities. With sirens, attackers are not just detected; they are immediately added to the blacklist or containment mechanisms to stop the threat, while simultaneously alerting security teams to the action taken for further remediation. 

How Sirens Work:

Replay of False Network Traffic:
  • Sirens replay deceptive network traffic between the Control and Management Unit (CMU) and the Remote Security Units (RSU).
  • This staged traffic is designed to attract the attention of lurking adversaries without disrupting legitimate network connections.
Utilizing PCAP Files:
  • Sirens operate using PCAP (Packet Capture) files that emulate device-specific network activity.
  • These files are pre-loaded with misleading information, making the deceptive traffic appear genuine and enticing.
Custom Capture for Enhanced Deception:
  • Sirens can use PCAP captures from actual customer traffic to add another layer of authenticity.
  • By blending genuine traffic patterns with deceptive elements, Sirens make it even more challenging for attackers to discern the trap.
Active Defense Mechanism:
  • The network traffic utilized by Sirens deceives deeply embedded threats into believing that new and/or additional assets are now part of the network.
  • Any interaction with a Siren will result in an immediate defensive blacklist or containment response to the threat and alerts the security team of the event. The threat is stopped in place providing time for the security team to respond.
Section 3 - PacketViper Deceptive Responders: A Dual-Layered Approach to Network Deception

PacketViper's Deceptive Responders are not just a security feature; they are a component of a comprehensive strategy. Designed to operate both internally and externally, these agentless, lightweight, software-based tools offer real-time, wire-speed actions that fortify the network's security posture.

Internal Deceptive Responders: Zeroing in on Lateral Movement

Automated Threat Containment:
  • Detects and contains threats moving laterally within the network, without false positive results.
  • Automatically prevents data exfiltration and blocks command and control communications.
  • Creates time for the security team to remediate the impacted asset. 
Dynamic Monitoring:
  • Monitors network behavior outside of pre-approved operating ranges and takes immediate action upon detection.

External Deceptive Responders:
Fortifying the Network Perimeter

Dynamic Perimeter Defense:
  • Creates a moving target at the network edge by automating the timing and nature of deceptive responses to suspicious and malicious network requests.
  • Adds complexity to the network, making it difficult for adversaries to assess vulnerabilities.

A Unified Strategy

Holistic Coverage:
  • Offers both east-west (internal) and north-south (external) detection capabilities.
  • Provides a unified approach to deception, covering all bases.

Key Characteristics

  • No need for additional infrastructure, software, external devices, or agents.
  • Enables unlimited deployment of deceptive capability without licensing restrictions.
Responsive Actions:

Once engaged, PacketViper deceptive deployments take automated actions such as responding to requests, blocking, blacklisting, throttling the source, containing internal threats, generating real-time alerts, and capturing log data

Minimalist Light-weight Approach:
  • Designed to be believable enough to engage potential attackers early in the cyber kill-chain.
  • Resists fingerprinting and advanced probing techniques, by disabling the attacker on contact.
  • Customization:Deceptive Responders can be customized to create enticing and varied responses, adding another layer of complexity for attackers.

Conclusion and Key Takeaways

A Unified Strategy for Holistic Coverage

PacketViper's Deception360 strategy offers a unified approach to deception, providing both internal and external detection capabilities. It's not just about detecting threats; PacketViper deceptive elements engage with intruders, respond to requests, and immediately add offending assets to blacklist or containment mechanisms to stop the threat, while simultaneously alerting security teams to the action taken for further remediation. 

Key Characteristics:
What Sets PacketViper Apart
  • Self-contained: No additional infrastructure needed.
  • Responsive Actions: Real-time, automated actions upon engagement.
  • Minimalist Light-weight Approach: Just enough to engage attackers early in the cyber kill-chain
  • Customization: Easily customized for added believability
Final Thoughts

PacketViper's multi-layered deception strategy uses the attacker’s best offensive weapon against them, by leveraging easy-to-use and customizable deceptive capabilities at every layer in the network. By integrating Sensors, Sirens, and Deceptive Responders, PacketViper actively blacklists and contains threats, providing a comprehensive and proactive approach to network security.