KuppingerCole - Executive View - Illusive - Platform-Technical Validation of Illusive Platform

KuppingerCole Report

By Alexei Balaganski
EXECUTIVE VIEW October 29, 2020

Illusive Platform

Illusive Networks’ distributed deception platform is a highly scalable, intelligence-driven security solution that offers unprecedented visibility into corporate security posture from the attacker’s viewpoint and helps deal with cyberattacks before, during, and after they happen.

By Alexei Balaganski
ab@kuppingercole.com
Content
1 Introduction
2 Product Description
3 Strengths and Challenges
4 Related Research
Copyright

KuppingerCole Executive View
Illusive Platform
Report No.: ev80426
1 Introduction

To combat modern cyber threats, organizations have been investing in more and more tools focused on threat detection leveraging big data analytics and user behavior modeling, generating massive waves of alerts, which too often turn out to be false positives. Analysts spend too much time chasing benign behavior and, consequently, real attacks slip through. Behavioral detection solutions powered by machine learning offer better efficiency, yet they are probabilistic in nature, requiring cycles of manual effort to confirm whether a threat is actually present. Facing these challenges, further complicated by the growing shortage of skilled security analysts, many organizations have started looking for alternative approaches to detecting and responding to threats in real time.

One of the oldest such alternatives, in use for several decades, is the honeypot: a strategically placed fake network resource that lures attackers. Similar to police sting operations, this involves deploying carefully crafted decoys within the corporate network which appear to be a legitimate part of the IT infrastructure and seemingly contain information valuable to hackers. However, these resources are isolated from the real assets and closely monitored; since there is no reason for legitimate users to touch them, any access attempt can be considered a reliable sign of an ongoing attack. By monitoring the lures, it is possible to analyze the attacker’s behavior and study their tactics, techniques, and procedures (TTPs) to mount more effective defenses.

This deterministic nature of honeypots has made them a useful tool for both academic researchers and security practitioners. Unfortunately, such solutions are difficult and costly to deploy at scale; they also generate large volumes of security telemetry that require an expert to analyze properly. And yet, as the continued deperimeterization of corporate networks makes traditional security tools like firewalls or antivirus software less and less relevant, interest in deception as a methodology and as an integral part of the overall cybersecurity architecture is growing.

Modern distributed deception solutions differentiate themselves from old-school honeypots by automating
the creation and distribution of decoys (real or emulated IT assets mixed into the existing infrastructure to
trap and analyze malicious activities) and lures (various pieces of data left across endpoints to attract
hackers) at scale with centralized management. This not only makes the deployment much easier, but also
ensures that detections are processed, enriched with forensic context, and delivered for analysis as quickly
as possible.

Illusive Networks is a cybersecurity company headquartered in New York, NY and Tel Aviv, Israel. Founded in 2014 by a group of Israeli cyber intelligence experts, the company focuses on extending deception technology to harden corporate networks preemptively by reducing their attack surface, to identify attacks early with deterministic detection, and to mitigate incidents quickly through integrations with other security tools. The Illusive Platform is a highly integrated and automated security solution that combines protection, detection, and response capabilities unified by a single consistent UI and powered by an agentless, scalable, distributed deception technology.

By focusing on the potential attacker’s point of view, eliminating all possible paths for them to reach the “crown jewels” and luring them instead into a web of deceptions, Illusive helps customers detect attacks even before the malicious actor realizes something just went wrong.
2 Product Description

The Illusive Platform is a tightly integrated deception-based cybersecurity solution that extends the
approach beyond just deterministic threat detection to include both preemptive hardening of networks
against attackers and quick response to security incidents after they occur. The main design principle that
differentiates the platform from similar competing products is its fully agentless mode of operation. This
means that it does not require any changes in existing infrastructure or software deployed on endpoint
devices.

A management server (or several servers for a complex distributed environment) is the central point for
configuring and operating the platform. The initial deployment and network discovery take just a few hours;
alternatively, it can integrate with existing endpoint management solutions to speed up the process. Then
the system is ready for managing the decoys and deploying the lures anywhere across corporate endpoints
with a single mouse click.

The lures (called Deceptions in the UI) are various bits of information that imitate real credentials and saved connection details of the kind typically found on any endpoint: Windows credentials stored by the operating system (for example in Credential Manager), Remote Desktop sessions cached by the RDP client, passwords and URLs saved by browsers, credentials for cloud services, and so on. All of these are exactly what an attacker harvests from a compromised endpoint to enable lateral movement within a network.

The Illusive Platform supports over 50 types of deceptions, including fake credentials and connections,
emails, scripts, configuration files, and other artifacts that look authentic and enticing to a hacker actively
scanning a compromised endpoint, yet remain completely invisible and non-disruptive to legitimate users.
The lures are deployed from the central server using the agentless technology based on short-lived
executables pushed to endpoints. Trying to use any of the deployed lures will either lead the hacker to a
closely monitored decoy system or simply trigger a failed login in Active Directory, which immediately alerts
the management server.
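The detection path described above (a lure account name shows up in an authentication failure, and the alert already names the endpoint it was planted on) can be reduced to a small, deterministic rule over Windows Security events. The following is an added example, not code from the report or from Illusive; it assumes events have already been collected by a SIEM as dicts, that every lure account is unique to one endpoint, and that an allow-list of authorized sources (credential audits, scanners) exists. All account, host and address values are constructed.

```python
"""Deterministic detection of planted (lure) credential use.

Added example; not code from the report or from Illusive. Assumes Windows
Security events already collected by a SIEM as plain dicts, plus a registry
of which fake account name was planted on which endpoint. All account, host
and address values below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed registry: planted account name -> endpoint carrying that lure.
# Assumption: every lure account is unique to one endpoint, so the account
# name alone identifies the machine the attacker harvested it from.
LURES = {
    "svc_backup_adm": "WS-FIN-0412",
    "db_ro_reporting": "WS-HR-0033",
    "it_helpdesk2": "WS-ENG-0107",
}

# Source addresses allowed to touch stored credentials (e.g. an authorized
# credential audit). This is where residual false positives come from, so
# keep the list short and reviewed. Constructed value.
ALLOWLIST_SOURCES = {"10.0.0.5"}

# Authentication events in which a lure account name can appear:
# 4624/4625 logon success/failure, 4768/4771 Kerberos, 4776 NTLM.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}


@dataclass(frozen=True)
class Alert:
    account: str          # lure account that was tried
    planted_on: str       # endpoint the lure was planted on (= compromised host)
    source_host: str      # host that made the attempt, if the event carries it
    source_ip: str
    event_id: int
    time: str
    used_elsewhere: bool  # attempt did not come from the planted host


def normalize_account(name: str) -> str:
    """Strip DOMAIN\\ prefix or @REALM suffix and case so lookups match."""
    return name.split("\\")[-1].split("@")[0].strip().lower()


def detect_lure_use(events, lures=LURES, allowlist=ALLOWLIST_SOURCES):
    """Return one Alert per authentication attempt against a lure account."""
    index = {normalize_account(k): v for k, v in lures.items()}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        if account not in index:
            continue  # real account: ordinary noise, not a deception hit
        src_ip = ev.get("IpAddress", "")
        if src_ip in allowlist:
            continue
        # 4625 carries WorkstationName, 4776 carries Workstation; accept both.
        src_host = (ev.get("WorkstationName") or ev.get("Workstation") or "").upper()
        planted = index[account]
        alerts.append(Alert(
            account=account,
            planted_on=planted,
            source_host=src_host,
            source_ip=src_ip,
            event_id=ev["EventID"],
            time=ev.get("TimeCreated", ""),
            used_elsewhere=bool(src_host) and src_host != planted.upper(),
        ))
    return alerts


# Constructed sample events: a real user's typo, two lure hits, and one
# allow-listed audit touching a lure. SubStatus 0xC0000064 is "user name
# does not exist"; Kerberos failure code 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2020-10-29T08:01:12Z",
     "TargetUserName": "CORP\\mjones", "WorkstationName": "WS-FIN-0412",
     "IpAddress": "10.1.4.12", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2020-10-29T08:03:40Z",
     "TargetUserName": "svc_backup_adm", "WorkstationName": "WS-FIN-0412",
     "IpAddress": "10.1.4.12", "SubStatus": "0xC0000064"},
    {"EventID": 4768, "TimeCreated": "2020-10-29T08:05:02Z",
     "TargetUserName": "db_ro_reporting@CORP.LOCAL",
     "IpAddress": "10.0.0.5", "Status": "0x6"},
    {"EventID": 4776, "TimeCreated": "2020-10-29T08:09:55Z",
     "TargetUserName": "it_helpdesk2", "Workstation": "WS-ENG-0200",
     "Status": "0xC0000064"},
]

if __name__ == "__main__":
    for alert in detect_lure_use(SAMPLE_EVENTS):
        print(alert)
```

The `used_elsewhere` flag is the forensic detail worth surfacing: a lure tried from the host it was planted on means that host is compromised, while a lure tried from a different host means the credential was harvested on the planted endpoint and then replayed from a second one, so two machines need attention.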

The simplicity and deterministic nature of these alerts is what allows deception-based security tools to detect attackers much faster than any behavior-based solution and to deliver precise forensic information that identifies the compromised endpoint without additional manual investigation. By design, no legitimate user or process has a reason to use a lure, so an alert is a near-certain sign of malicious activity; the residual false positives come from authorized tools such as vulnerability scanners or credential audits that touch the lures, and those sources need to be excluded when the deceptions are deployed. On top of this foundation, Illusive Networks offers a suite of three individual products that address the three stages of the cybersecurity framework: Preempt, Detect, and Respond. It is worth noting that all three products are in fact modules of the single unified platform, which are deployed together but can be activated by purchasing individual licenses. The user interface across the modules is the same and they are tightly integrated when operating together.

The Illusive Attack Surface Manager is the part of the platform that focuses on the preemptive hardening of corporate networks against hackers’ lateral movement. The module implements a crucial capability: since the platform can deal with fake credentials and connections, it can detect and analyze real ones just as well.

By inspecting all existing stored credentials, connections, and applications on endpoints, Illusive can identify
how each machine is used, which other systems it connects to, which users and groups are related to it, and
so on. Powering the detection is the Attack Surface Rules Engine, which provides the interface for defining
discovery rules and detection policies that will then govern the behavior of automated processes.

The discovery focuses on specialized use cases such as identifying domain user credentials and local admin accounts on endpoints, the presence of domain admin credentials on devices, high-privileged users not belonging to admin groups, and stored connections to the Crown Jewels, the riskiest systems identified automatically or tagged manually according to their business purpose. Rules can be crafted manually or accepted from automated suggestions. Each rule can be simulated first to avoid potential disruptions or a high volume of unnecessary alerts.

The process of discovering changes in the network topologies and comparing them against defined rules is
continuous and fully automated. The findings are presented on a live map of pathways between endpoints.
Systems identified as Crown Jewels are highlighted, and Illusive helps admins identify how quickly an
attacker can reach those endpoints. More information is available by drilling down into each host to identify
the specific risks of each connection and to understand how breaking a connection affects the overall attack
surface.
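The discovery rules and the pathway map described in the last two paragraphs are, at bottom, a directed graph built from stored credentials and connections: an artifact found on one host is an edge to the host it grants access to. The following is an added example, not code from the report or from Illusive, showing that model on a constructed inventory: two rules of the kind the Rules Engine would evaluate, the hop count from a foothold to each Crown Jewel, and a simulation of removing each artifact to see which removals actually cut a path. Host names, accounts, tiers and the "WS-" prefix for workstations are all assumptions for illustration.

```python
"""Attack-path analysis over stored credentials and connections.

Added example; not code from the report or from Illusive. Assumes an
inventory of credential and connection artifacts found on endpoints, of the
kind an agentless scan would return. Host names, accounts and the "WS-"
naming convention for workstations are constructed for illustration.
"""
from collections import deque

# Each record: an artifact found on `host` that lets whoever controls
# `host` authenticate to `target` (a cached RDP session, a cached domain
# credential that is valid on the target, a saved connection, ...).
INVENTORY = [
    {"host": "WS-HR-0033",  "artifact": "rdp_cached",    "account": "jdoe",       "tier": "user",         "target": "FS-01"},
    {"host": "FS-01",       "artifact": "cached_cred",   "account": "svc_backup", "tier": "server_admin", "target": "SQL-PROD-01"},
    {"host": "WS-ENG-0107", "artifact": "cached_cred",   "account": "corp_da",    "tier": "domain_admin", "target": "DC-01"},
    {"host": "DC-01",       "artifact": "cached_cred",   "account": "corp_da",    "tier": "domain_admin", "target": "SQL-PROD-01"},
    {"host": "WS-HR-0033",  "artifact": "browser_saved", "account": "jdoe",       "tier": "user",         "target": "INTRANET-01"},
]
CROWN_JEWELS = {"SQL-PROD-01", "DC-01"}


def is_workstation(host):
    return host.startswith("WS-")  # constructed naming convention


def build_graph(inventory):
    """Directed graph host -> {target: [indices of artifacts enabling the hop]}."""
    graph = {}
    for i, rec in enumerate(inventory):
        graph.setdefault(rec["host"], {}).setdefault(rec["target"], []).append(i)
        graph.setdefault(rec["target"], {})
    return graph


def shortest_paths(graph, start, goals):
    """BFS from a foothold; {goal: [hosts on the shortest path]} for reachable goals."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in graph.get(host, {}):
            if nxt not in prev:
                prev[nxt] = host
                queue.append(nxt)
    paths = {}
    for goal in goals:
        if goal in prev:
            path, cur = [], goal
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            paths[goal] = path[::-1]
    return paths


def hops_to_jewels(inventory, start, jewels=CROWN_JEWELS):
    """How quickly an attacker on `start` reaches each crown jewel (hop count)."""
    found = shortest_paths(build_graph(inventory), start, jewels)
    return {goal: len(path) - 1 for goal, path in found.items()}


def rule_violations(inventory, jewels=CROWN_JEWELS):
    """Two discovery rules of the kind described above; returns (rule, artifact index)."""
    hits = []
    for i, rec in enumerate(inventory):
        if rec["tier"] == "domain_admin" and is_workstation(rec["host"]):
            hits.append(("domain admin credential on a workstation", i))
        if rec["target"] in jewels and is_workstation(rec["host"]):
            hits.append(("stored connection from a workstation to a crown jewel", i))
    return hits


def removal_impact(inventory, start, jewels=CROWN_JEWELS):
    """Simulate removing each artifact: how many jewels reachable from `start` become unreachable."""
    reachable = set(hops_to_jewels(inventory, start, jewels))
    impact = []
    for i in range(len(inventory)):
        trimmed = inventory[:i] + inventory[i + 1:]
        still = set(hops_to_jewels(trimmed, start, jewels))
        impact.append((i, len(reachable - still)))
    return sorted(impact, key=lambda t: -t[1])


if __name__ == "__main__":
    for foothold in ("WS-HR-0033", "WS-ENG-0107"):
        print(foothold, hops_to_jewels(INVENTORY, foothold), removal_impact(INVENTORY, foothold)[:2])
    print(rule_violations(INVENTORY))
```

On this inventory the rule hits and the path analysis agree on the same artifact: the domain admin credential cached on WS-ENG-0107 both violates policy and is the single removal that cuts every path from that workstation to both Crown Jewels, which is the kind of prioritisation a live pathway map is meant to give an administrator before any attacker arrives.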

The Attacker View dashboard supports the centralized elimination of connections violating the security
policies from the central console. The platform supports both manual actions during a forensic investigation,
where certain credentials or other artifacts will be removed from the endpoint or automated remediation
across the whole network according to rules: for example, all local admin accounts can be disabled with a
single click.

It is worth reiterating that this remediation does not deal with ongoing attacks (e.g., does not isolate hosts
from the network). Instead, it applies proactive non-disruptive hardening to endpoints, ensuring that a future
attacker will not be able to reach the Crown Jewels easily. The Attack Surface Manager dashboard provides
constant visibility into the security posture and offers a full log of past violations and cleanup actions.

The Illusive Attack Detection System is responsible for the design, deployment, and management of
deceptions across the network. The Deception Management System is an engine powered by machine
learning that uses the information collected from endpoints to propose the most appropriate design for the
deceptions, tailored to each machine’s configuration, role, and exposure. The process is fully automated
and transparent to end-users; it is also very scalable and can deal with hundreds of thousands of endpoints
in a few hours.

The artifacts pushed to endpoints imitate real credentials, connections, even snippets of network traffic
typically found on endpoints during their normal daily operation. However, removing the real ones and
replacing them with lures ensures that potential attackers will almost invariably step into the trap during their
reconnaissance activities.

The Trap Server is another component that houses the additional resources required by deceptions. For example, if a hacker tries to use a fake credential, the connection terminates within the trap server, which imitates basic interaction like a traditional honeypot while collecting forensic data from the compromised endpoint. A single trap server can manage numerous traps across multiple networks.

The information it collects is forwarded to the management server to populate the forensic details for each
detected incident. In addition, the platform supports integrating with third-party tools that can submit their
own alerts via a provided API.

The Attacker View dashboard shows a graphical representation of the findings, focusing on risk-aware
visibility of the exposed assets and the coverage of the network by deceptions. The Forensic Timeline view
provides a detailed log of detected security incidents, structured by time ranges, alert types, and risk levels.
Each incident can be drilled down for further forensic investigation or forwarded to a third-party tool like a
SIEM platform for centralized processing.

The Illusive Attack Intelligence System is the final part of the platform, which focuses on collecting advanced forensic information and assisting security analysts in rapid and precise incident response. The key subsystem of this product is the Decoy module, responsible for deploying and managing “high-interaction” decoys. These differ from traditional honeypots, which emulate only part of a real system’s capabilities and are thus limited both in the amount of forensic data they can collect and in their ability to fool an attacker for long.

Proper Decoys (as opposed to Traps) are virtual machines built from golden images of real endpoints or
servers: they contain real operating systems and applications and can credibly imitate production systems
even to highly qualified attackers. The only Illusive-proprietary software included in these VMs is a Decoy
Rootkit, a highly obfuscated low-level agent that intercepts attacker activities on a decoy and relays them to
the platform for analysis.

The whole decoy orchestration infrastructure comprises a central management server that controls multiple
hypervisors that run individual virtual machines. It completely hides the management complexity from the
users. The only thing a customer must provide is a set of golden images for the decoys, but even this is
optional: Illusive supplies several pre-built images for common use cases.

As mentioned earlier, customers can license and deploy the three Illusive products separately, although a
single platform powers them in any deployment. This approach ensures that new customers can start small
with just visibility and preemptive hardening of their networks and gradually embrace advanced deception
functions at their own pace. The available integration API ensures that the platform fits into existing security
operations centers without increasing the overall operational complexity.

3 Strengths and Challenges

The Illusive Platform offers a completely different approach towards defense-in-depth cybersecurity compared to traditional security analytics tools. Instead of dealing with potential false positives, a distributed deception solution ensures that each detection is deterministic and, short of an authorized tool touching a lure, indicates a real attacker within your network.

The company goes even further, however, by offering a broad-spectrum prevention, detection, and
response solution built on top of a single scalable and highly automated platform: a solution that supports
you before, during and after a cyberattack has happened. The proactive hardening capabilities alone are
worth serious consideration for every company with a proper security strategy; however, with all three
products operating in accord, the balance of efficiency and scalability reaches its peak.

It is worth emphasizing that deception technology alone cannot replace other security tools like firewalls or
antiviruses. However, when deployed as a part of a Security Operations Center, it removes a lot of
guesswork from the security analysts’ daily job and thus can dramatically improve their productivity and
your company’s overall security posture.

Strengths
Fully integrated distributed deception platform

Massively scalable, fully automated, centralized management

Deterministic findings with rich forensic context improve analyst productivity

Fully transparent for end users, no performance overhead or disruptions

Azure cloud support expands coverage to hybrid environments

Flexible licensing policy enables adoption at your own pace

Challenges
Not designed to replace other security tools

Public cloud integrations currently limited to Microsoft (more to follow in future versions)

Interactive decoys require investment in infrastructure and software licensing

4 Related Research

Advisory Note: Real-Time Security Intelligence – 71033
Advisory Note: How to Build a Resilient, Defendable Network – 72163
Leadership Brief: The Information Protection Life Cycle and Framework: Deceive – 80376
Leadership Brief: Find Your Route from SIEM to SIP to SOAR – 80008
Leadership Brief: Do I Need Network Threat Detection & Response (NTDR) – 80296

Copyright

©2020 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
