Why AI is important for deception, and how Acalvio uses it
So what exactly is AI-powered deception?
Deception has become a core element of cybersecurity strategy. Over the past decade, deception solutions have evolved significantly. Early implementations were largely static, required manual configuration, and demanded deep domain expertise from customers to design an effective deception strategy. In contrast, modern platforms like Acalvio leverage AI as a foundational component, enabling automation and delivering effective deception with minimal administrative overhead.
This blog explores the role of AI in a modern deception platform.
Pre-attack stage visibility for deception design
Effective deception relies on strategic placement. Deceptions must align with attacker pathways to maximize detection value.
Modern attackers often use path planning to determine the steps required to reach their objectives, such as compromising critical assets or accessing sensitive data.
Defenders need visibility into these attack paths to place deceptions effectively. Mapping potential pathways enables defenders to deploy strategic traps that provide early detection of adversary activity.
ShadowPlex uses AI to analyze the environment and uncover the exploitable attack surface during the pre-attack phase. This analysis forms the foundation for informed deception placement.
For example, ShadowPlex Active Directory (AD) Insights performs a 150+ point assessment of the AD attack surface. It highlights key misconfigurations and over-permissioned accounts, such as Kerberoastable service accounts and Shadow Admin accounts, which represent viable attacker entry points.
Automated recommendations for deception efficacy
Designing effective deception involves evaluating multiple criteria—such as the type, characteristics, volume, and placement of deceptions. These decisions form the core of any deception strategy.
Manually configuring and deploying deceptions is highly complex. For instance, a single Active Directory (AD) user object can have over 100 attributes. Creating a believable deceptive account requires making an accurate decision for each of those attributes. Some are particularly intricate, involving bitmasks in which each bit represents a specific flag or state. Expecting administrators to manage this manually is impractical: doing so demands deep expertise in deception technologies, threat actor tactics, and environmental context.
ShadowPlex addresses this challenge with an AI- and ML-powered recommendation engine that automates the design of deceptions. During deployment, ShadowPlex first performs an automated discovery phase to understand the characteristics of production assets. This data informs deception design.
The recommendation engine generates realistic values for key deception attributes, such as hostname, OS, services and ports for decoys, and the 100+ AD attributes for honeytoken accounts. Deceptions mirror the naming and structural conventions of the actual environment. For example, if hosts in a specific subnet follow a naming scheme, the corresponding decoys adopt a consistent pattern. This realism enhances the believability of the deception environment and increases the chances of engaging attackers.
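As an added illustration (not Acalvio's or ShadowPlex's code), here is how a recommendation step can derive decoy attributes from discovered production assets: it infers a hostname convention from a subnet's real hosts and picks a userAccountControl bitmask for a honeytoken account from the flag combinations observed on real, enabled user objects so the decoy does not stand out. The flag bits are the documented AD userAccountControl values; the sample hosts, accounts and the "most common combination" rule are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Documented Active Directory userAccountControl flag bits (subset).
UAC_FLAGS: Dict[str, int] = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}


def decode_uac(value: int) -> List[str]:
    """Expand a userAccountControl bitmask into the names of its set flags."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def infer_hostname_pattern(hostnames: List[str]) -> Tuple[str, int, int]:
    """Infer a '<prefix><digits>' convention from discovered hostnames.

    Returns (prefix, digit width, next unused number) for the most common
    convention, or a generic fallback when no host matches the shape.
    """
    groups: Dict[Tuple[str, int], List[int]] = {}
    for host in hostnames:
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9\-]*?)(\d+)", host)
        if m:
            key = (m.group(1).upper(), len(m.group(2)))
            groups.setdefault(key, []).append(int(m.group(2)))
    if not groups:
        return ("HOST-", 2, 1)  # constructed fallback convention
    (prefix, width), numbers = max(groups.items(), key=lambda kv: len(kv[1]))
    return (prefix, width, max(numbers) + 1)


def recommend_decoy_hostname(hostnames: List[str]) -> str:
    """Produce a decoy name that continues the observed numbering scheme."""
    prefix, width, nxt = infer_hostname_pattern(hostnames)
    return f"{prefix}{nxt:0{width}d}"


def recommend_honeytoken_uac(real_uacs: List[int]) -> int:
    """Choose the most common flag combination among enabled real accounts
    (disabled accounts are excluded) so the honeytoken blends in."""
    enabled = [u for u in real_uacs if not u & UAC_FLAGS["ACCOUNTDISABLE"]]
    if not enabled:
        return UAC_FLAGS["NORMAL_ACCOUNT"]
    return Counter(enabled).most_common(1)[0][0]
```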
Triaging of deception events to generate actionable alerts for SOC
Malware and ransomware attacks propagate quickly: they gain initial access to an endpoint and then spread rapidly across the environment. One example is malware attempting to propagate over SMB. When multiple decoys are deployed, each decoy detects the SMB propagation attempt, producing a separate deception event per decoy.
From a SOC analyst's perspective, deception is the detection mechanism, while incident response actions focus on the real asset: the endpoint under threat. To enable efficient threat investigation and response, ShadowPlex has a built-in threat analytics engine that uses machine learning and AI to triage deception events automatically and surface actionable intelligence for the SOC. The triaging process summarizes the deception events around an asset-centric pivot point, the endpoint under threat. It also correlates them with related alerts from endpoint detection and response (EDR) systems and enriches the alerts with context obtained through integrations.
The triaging process maps the attacker actions to the corresponding tactics and techniques in the MITRE ATT&CK framework. This provides SOC teams with a standardized frame of reference for the incident response activity. With MITRE serving as the standard for IR actions in the SOC, the automated mappings enable SOC teams to leverage their existing IR playbooks for incident response actions. The automated mapping process is powered by machine learning, allowing SOC teams to move quickly from detection to action using structured, high-confidence intelligence.
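The SMB example above, as an added worked example (not ShadowPlex's code): constructed deception events from several decoys are collapsed into one asset-centric alert per source endpoint, correlated with constructed EDR alerts, and mapped to ATT&CK technique ids. The technique ids are real ATT&CK identifiers; the service-to-technique table and the severity rule are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed lookup from the decoy service touched to an ATT&CK tactic/technique.
# A production engine would learn this; the ids themselves are real ATT&CK ids.
TECHNIQUE_BY_SERVICE = {
    "smb": ("Lateral Movement", "T1021.002"),  # Remote Services: SMB/Admin Shares
    "rdp": ("Lateral Movement", "T1021.001"),  # Remote Desktop Protocol
    "portscan": ("Discovery", "T1046"),        # Network Service Discovery
}


@dataclass
class DeceptionEvent:
    ts: int          # epoch seconds
    src_ip: str      # endpoint that touched the decoy
    decoy: str       # decoy identifier
    service: str     # decoy service contacted


@dataclass
class TriagedAlert:
    endpoint: str
    decoys_touched: List[str]
    first_seen: int
    last_seen: int
    techniques: Dict[str, str]   # technique id -> tactic
    edr_context: List[str]
    severity: str


def triage(events: List[DeceptionEvent],
           edr_alerts: Dict[str, List[str]]) -> List[TriagedAlert]:
    """Pivot raw per-decoy events onto the source endpoint and enrich."""
    by_endpoint: Dict[str, List[DeceptionEvent]] = defaultdict(list)
    for ev in events:
        by_endpoint[ev.src_ip].append(ev)
    alerts = []
    for ip, evs in by_endpoint.items():
        evs.sort(key=lambda e: e.ts)
        decoys = sorted({e.decoy for e in evs})
        techniques: Dict[str, str] = {}
        for e in evs:
            if e.service in TECHNIQUE_BY_SERVICE:
                tactic, tid = TECHNIQUE_BY_SERVICE[e.service]
                techniques[tid] = tactic
        # Constructed severity rule: lateral movement or a wide decoy footprint.
        critical = len(decoys) >= 3 or "T1021.002" in techniques
        alerts.append(TriagedAlert(ip, decoys, evs[0].ts, evs[-1].ts, techniques,
                                   edr_alerts.get(ip, []), "critical" if critical else "high"))
    return sorted(alerts, key=lambda a: (a.severity != "critical", -len(a.decoys_touched)))
```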
Realistic decoy content for adversary engagement and threat intelligence capture
Deceptions serve multiple use cases: primary threat detection, threat hunting, and adversary engagement to collect threat intelligence.
Adversary engagement involves deploying high-interaction decoys that provide a fully interactive deception environment for the attacker. Advanced attackers are discriminating, so engaging them requires a realistic decoy environment that is believable to the adversary.
Acalvio uses Large Language Models (LLMs) to generate realistic and context-aware content for high-interaction decoys. These models produce content that reflects the organization’s vertical and aligns with the characteristics of actual production assets, making the environment believable and increasing the likelihood of adversary interaction.
Analytics for threat investigation and response
Deceptions provide high-fidelity detections that are actionable for SOC teams. The IR workflow for threat investigation and response involves investigating whether attackers have established persistence in the environment or hold a foothold on multiple endpoints.
ShadowPlex provides purpose-built capabilities, such as endpoint forensics, that assist SOC and threat hunting teams with the investigation and hunting actions. ShadowPlex endpoint forensics combines targeted observations with post-processing based on machine learning to surface evidence of stealthy attacker persistence in the environment.
Similarly, ShadowPlex includes PowerShell script and log analysis to identify modified PowerShell scripts used by attackers as part of a living off the land (LotL) exploit sequence. ShadowPlex PowerShell script and log analysis applies machine learning to match and rank the attacker’s offensive scripts against a vast library of offensive PowerShell scripts that serve as the training data set. As a result, defenders can quickly identify stealthy or obfuscated scripts that would bypass signature-based detection. Examples include modified variants of tools like PowerSploit and Empire.
Conclusion
AI-powered deception represents a critical advancement in proactive cyber defense. Machine learning and automation are applied across the full deception lifecycle, including attack surface discovery, decoy deployment, event triage, and threat investigation. Platforms like ShadowPlex reduce the operational burden on defenders while increasing detection accuracy. The use of realistic, AI-generated decoy content strengthens adversary engagement. Analytics and forensics capabilities provide actionable intelligence for SOC and threat hunting teams. As threat actors continue to evolve, deception technology rooted in AI offers defenders a scalable and intelligent layer of defense.