Using a combination of traps and lures, Defensys TDP detects the presence of a cybercriminal or malware, slows its progress within the network by confusing it with fake objects, and enables cybersecurity specialists to stop an attack before it leads to significant damage. Traps are hosted on separate Trap Manager servers, while the platform and the entire emulated infrastructure are managed from the Control Center server. The Control Center server is where security events are collected and processed, where integration with external systems is provided, and where traps, lures and Trap Manager servers are managed. For large infrastructures, the platform is scaled by adding the required number of Trap Manager servers.
The Defensys TDP platform allows you to automatically deploy traps that simulate an organization’s real IT assets and manage them from a single center. A trap represents a resource of interest to an attacker. Defensys TDP allows you to create traps of various types that recreate a wide range of systems in an organization’s infrastructure, such as:
- Windows/Linux virtual machines
- Virtual appliances, networking devices, industrial controllers
- Basic emulation: SSH, HTTP(S), FTP, Telnet, POP3, IMAP, SMTP, SOCKS5, VNC, RDP, PostgreSQL, MySQL
To make the traps alluring and more believable, they are combined into groups of interacting hosts, services, or applications that work together to mimic a computer network.
To attract an intruder’s attention, lures are automatically placed on nodes of the real infrastructure. A lure is information that is of value to an attacker who has penetrated the network. Such information can be:
- Configuration files of popular administration tools
- Data files (Word / Excel / PDF)
- User accounts
- Browsing history
- SSH keys
- Credentials for connecting to a DBMS
Traps and lures are designed solely to attract the attention of an intruder and are not used in regular work processes, so any interaction with them is highly likely to indicate an incident.
Defensys TDP logs interactions with lures and traps, processes the resulting events, and sends a detection alert to the cybersecurity expert.
The platform can also send events, together with the necessary context, to external systems such as SOAR, SIEM or TIP in order to respond and prevent the attack from developing further.
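The detection principle described above (traps and lures have no legitimate use, so any touch is a high-fidelity signal) can be shown in a few dozen lines. The following is an added illustration, not Defensys TDP code: the trap-host inventory, the lure accounts, the syslog-like line format and the sample log lines are all constructed here, and the severity scheme and the per-source summary for SOAR/SIEM handoff are design choices of this example.

```python
"""Trap/lure interaction detection over constructed auth log lines (added example)."""
import re
from dataclasses import dataclass, field

# Constructed deception inventory: trap hosts and lure credentials that exist
# only to be found. A real deployment would load this from the deception platform.
TRAP_HOSTS = {
    "10.0.5.20": "fake-fileserver (SMB trap)",
    "10.0.5.21": "fake-postgres (PostgreSQL trap)",
}
LURE_ACCOUNTS = {
    "svc_backup_ro": "credential planted in a backup-tool config file",
    "dbadmin_legacy": "credential planted in a .pgpass lure",
}

# Constructed syslog-style format:
# "<ts> auth: user=<u> src=<ip> dst=<ip> service=<svc> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) service=(?P<service>\S+) result=(?P<result>\S+)$"
)
SEVERITY_RANK = {"high": 1, "critical": 2}

# Constructed sample log: one legitimate login, then one source touching lures/traps.
SAMPLE_LOG = [
    "2024-05-02T09:14:01Z auth: user=j.doe src=10.0.1.15 dst=10.0.2.10 service=ssh result=ok",
    "2024-05-02T09:20:44Z auth: user=svc_backup_ro src=10.0.1.77 dst=10.0.2.10 service=ssh result=fail",
    "2024-05-02T09:21:03Z auth: user=root src=10.0.1.77 dst=10.0.5.20 service=smb result=fail",
    "2024-05-02T09:25:30Z auth: user=dbadmin_legacy src=10.0.1.77 dst=10.0.5.21 service=postgresql result=ok",
    "garbage line that does not match the format",
]


@dataclass
class Alert:
    timestamp: str
    severity: str
    source: str
    user: str
    target: str
    service: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed auth log line; return a dict of fields or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return one Alert per event that connects to a trap host or uses a lure account.

    The login result is deliberately ignored: a *failed* login with a lure account
    is just as telling, because that credential exists nowhere except in the planted file.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count and report these
        reasons = []
        if ev["dst"] in TRAP_HOSTS:
            reasons.append(f"connection to trap host {TRAP_HOSTS[ev['dst']]}")
        if ev["user"] in LURE_ACCOUNTS:
            reasons.append(f"use of lure account ({LURE_ACCOUNTS[ev['user']]})")
        if not reasons:
            continue
        # A lure credential used against a trap host means the planted trail was followed
        # end to end; rate that higher than either signal alone.
        severity = "critical" if len(reasons) == 2 else "high"
        alerts.append(Alert(ev["ts"], severity, ev["src"], ev["user"], ev["dst"], ev["service"], reasons))
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source address into an incident-style summary for SOAR/SIEM handoff."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a.source, {
            "count": 0, "first_seen": a.timestamp, "last_seen": a.timestamp,
            "targets": [], "users": [], "max_severity": a.severity,
        })
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], a.timestamp)  # ISO-8601 strings sort lexically
        s["last_seen"] = max(s["last_seen"], a.timestamp)
        if a.target not in s["targets"]:
            s["targets"].append(a.target)
        if a.user not in s["users"]:
            s["users"].append(a.user)
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[s["max_severity"]]:
            s["max_severity"] = a.severity
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} [{a.severity}] {a.source} -> {a.target}/{a.service} as {a.user}: {'; '.join(a.reasons)}")
    print(summarize_by_source(found))
```

The legitimate login on the first line produces nothing, while the three events from the second source each raise an alert regardless of whether the login succeeded; the summary collapses them into one incident record (first/last seen, distinct targets and accounts, highest severity), which is the shape of context a SOAR playbook or SIEM correlation rule would consume.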
To create the most realistic traps and lures possible, Defensys TDP allows you to use asset data from Defensys SOAR or Defensys SGRC systems. The Defensys TDP platform detects the interaction of both external and internal intruders with traps and sends alerts to the cybersecurity specialists.
Events can be sent to the Defensys SENSE system for investigation, which will automatically create timelines reflecting trap interactions, providing the necessary context to the SOC analyst. The received incidents can be transferred to Defensys SOAR, so that the playbooks can be used to automate the response process.
Attributes and indicators of compromise collected by Defensys TDP can be automatically sent to the Defensys Threat Intelligence Platform (TIP). Defensys TIP, in return, enriches this data, identifies correlations with other available TI data, sets up automatic monitoring for the indicators in SIEM events, and exports indicators of compromise to cybersecurity tools for blocking.