Illusive Networks Attack Detection System

Additional Info

Company: Illusive Networks
Company size (employees): 50 to 99
Type of solution: Software


Endpoint-based deception is gathering momentum because it promises to detect, and to support behavior analysis of, attackers who bypass traditional security controls. These attackers typically leverage phishing or other social engineering techniques to gain entry to the network via one or more endpoints. From an initial beachhead, they begin to investigate their surroundings and move from one endpoint to another in search of high-value data or systems.

Anticipating the attacker’s tactics and motives, endpoint-based (or “distributed”) deception solutions plant false data on systems throughout the network: data designed to appeal to this need to move laterally. Once an attacker acts on deceptive information, an alert is raised. Forensic data is captured to support analysis of the incident and understanding of the attacker’s behavior. Illusive Networks pioneered this approach in 2014.

Illusive’s Attack Detection System blankets the entire network with fake information that forces attackers to reveal themselves. It plants featherweight deceptions on every endpoint that mimic the real data, credentials and connections the attacker needs. Designed, deployed and managed through continuous machine learning automation, the deceptions reflect the naming conventions and other practices of the organization so that the attacker cannot tell real from fake. Unknown to the attacker, his or her first wrong choice triggers an alert. By covering the entire endpoint inventory, the deception “net” is able to catch attackers at or close to “Patient Zero,” no matter where the attack begins.

Confronted with a distorted view of reality, the attacker finds it impossible to choose a real path forward. Unknown to the attacker, one erroneous choice alerts the security team, who have access to precise endpoint-based forensics to make the right choices to mitigate the attack.

To keep pace with the evolving threat landscape, endpoint detection and response (EDR) vendors have begun to add deception features to their product suites.

How we are different

- To create high odds of attacker detection, there must be deceptions of many types on each endpoint. Deception capabilities bolted on to EDR technologies provide very limited deception types. By comparison, Illusive has 17 deception families, each of which contains many distinct deception techniques. This deception library is continuously enriched to account for new threat tactics, and to provide coverage for new technologies and specialized, high-value assets.

- EDR-based deception approaches are susceptible to fingerprinting for two reasons. One, agents, like any other piece of software, are easily identified and enumerated. If exploited, they can provide the attacker elevated privileges on the host, and the connections they make to management systems can present opportunities to disrupt the security tools themselves. Illusive’s solution is agentless, leaving nothing on the endpoint to exploit. Two, to look real to an attacker, deceptions must carefully blend into the corporate environment. They must reflect naming conventions, usage patterns, and other attributes, and must change over time as “native” data on the system changes. Illusive creates a dense, tailored, adaptive deception environment using an automation engine that perpetually discovers and adjusts to changes in the endpoint landscape.

- EDR solutions were not designed to address the advanced attack kill chain, so they lack some essential attack risk mitigation capabilities. Illusive provides:
  - The ability to map and measure the actual attack paths that exist throughout the network to the organization’s “crown jewels”.
  - When endpoints have been compromised, responders can see how far the attacker is from critical business assets and the high-privilege credentials that could accelerate access.
  - High-fidelity alerts, triggered only by actual attacker activity, which responders can confidently place in a prioritized queue.
  - Visibility into suspect connections, network segregation violations, and credential policy violations, so that preemptive action can be taken to reduce the attack surface.