TrapX: Use of Deception Technology for active threat hunting

Mastering Active Threat Hunting: Leveraging Deception Technology for Enhanced Cybersecurity

Ori Bach, VP of Product, TrapX

The question posed by our customer was simple. "Can deception technology help me better understand the risk to my enterprise network?"

To answer this question we employed a tactic called "Active Threat Trapping": DeceptionGrid™ Traps, camouflaged as devices that already exist in the customer's network, are deployed into the DMZ.

This simulates a situation in which attackers have gained access to a device, whether through a breach, physical access, a network error, or the device being deliberately exposed to the internet for remote management. Since the Traps are emulations rather than real operating systems, there is no true risk involved.

Physical Security devices emerged as the main risk

The hunt provided immediate results with several Traps being infected within minutes. Attacks ranged from automated botnet scans and malware infections to human-driven attempts to connect via TELNET, SSH, MSSQL, FTP, RDP and HTTP.

While every exposed device was attacked, the customer felt their security program already had a good set of practices for most of the attacks witnessed against their IT network (workstations and servers), such as patching, password enforcement, endpoint protection and perimeter defenses. The area that emerged as the highest risk was their growing IoT infrastructure, specifically the physical security devices deployed throughout the corporate network.

The customer, a global enterprise, was undertaking several initiatives to adopt IoT technology across its business. Devices already deployed or under evaluation ranged from environmental sensors, smart lights and network-connected cameras to alarm systems and card/badge scanners.

In evaluating the threats to IoT devices, it became clear that the customer lacked visibility into these devices and the traffic they generate. Network-connected cameras were particularly difficult because they produce high volumes of image data in which attacker command-and-control streams and related botnet activity can hide.

For example, a single Trap camouflaged as an IoT device using the Linux BusyBox OS was attacked over 9000 times from 3385 distinct IPs using the HTTP and Telnet protocols.

Attack methods varied, with most exploits related to the Mirai malware and attempted use of factory or weak passwords.
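
The per-device figures quoted above (attempt counts, distinct source IPs per protocol, weak or factory passwords) can be derived directly from trap telemetry. The following is an added example written for this page, not TrapX or DeceptionGrid code; the log format, the field layout and the small weak-password set are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed trap events, one connection attempt per line: timestamp, source IP,
# protocol, username, password ("-" if none). The log format is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.7 telnet root root
2024-03-01T10:00:02Z 198.51.100.7 telnet admin admin
2024-03-01T10:00:05Z 203.0.113.9 http - -
2024-03-01T10:00:07Z 203.0.113.9 telnet admin 1234
2024-03-01T10:00:09Z 192.0.2.44 telnet support Str0ng!Passw0rd
2024-03-01T10:00:11Z 198.51.100.7 http - -
2024-03-01T10:00:13Z 192.0.2.44 ssh root toor
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Small constructed set standing in for a maintained vendor-default password list.
WEAK_PASSWORDS = {"admin", "root", "1234", "password", "toor"}

def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, proto, user, pw = m.groups()
            events.append({"ts": ts, "src": src, "proto": proto.lower(),
                           "user": None if user == "-" else user,
                           "pw": None if pw == "-" else pw})
    return events

def is_weak(user, pw):
    # Heuristic for factory-default or trivially weak credentials.
    if pw is None:
        return False
    return pw.lower() in WEAK_PASSWORDS or pw.lower() == (user or "").lower() or len(pw) < 6

def summarise(events):
    """Per-protocol attempt counts, distinct sources, and sources using weak credentials."""
    attempts, sources, weak = defaultdict(int), defaultdict(set), defaultdict(set)
    for e in events:
        attempts[e["proto"]] += 1
        sources[e["proto"]].add(e["src"])
        if is_weak(e["user"], e["pw"]):
            weak[e["src"]].add(e["proto"])
    return {
        "per_protocol": {p: {"attempts": attempts[p], "distinct_sources": len(sources[p])}
                         for p in attempts},
        "total_attempts": sum(attempts.values()),
        "distinct_sources": len(set().union(*sources.values())),
        "weak_credential_sources": {s: sorted(p) for s, p in weak.items()},
    }
```

Calling `summarise(parse_events(SAMPLE_LOG))` yields the kind of report the post quotes: attempts and distinct source IPs per protocol, plus which sources are trying default or weak passwords.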

Understanding Mirai and Other IoT Malware

Mirai (Japanese for "the future") spreads by continuously scanning the Internet for vulnerable IoT systems. The Mirai scanner process runs continuously on each bot, using the telnet protocol (TCP port 23 or 2323) to try to log in to IP addresses; when a login succeeds, the identity of the new bot and its credentials are sent back to the Command and Control (C2) server. The compromised device is then fully controlled by the attacker and can be used as part of a criminal botnet in large-scale network attacks.

Results and Recommendations

The number of Internet of Things (IoT) devices continues to increase exponentially. Gartner recently predicted the worldwide use of IoT devices will grow from 6,381 million devices in 2016 to over 20,415 million devices in 2020.[1]

The great majority of these devices are designed with little thought to the security of the end customer. To make matters worse, many end-user organizations still do not use best security practices in the deployment or life cycle management of IoT devices.

Organizational physical security is often not well coordinated with information technology or cybersecurity, as these functions have grown up in separate silos of the organization. The physical security team procures the required equipment, such as security cameras, software, consoles, alarm systems, and card/badge scanners, and views the IT infrastructure as any other corporate user would: as something the IT organization will support.

Standard cyber defense software, which works well in most instances for workstations, servers, and other standard IT platforms, doesn't have any visibility into network-connected IoT devices or the network traffic they generate. As was discussed earlier with cameras, this can create camouflage for malicious activity.

This blog post and the associated tests put a spotlight on the use of IoT devices such as security cameras by the physical security team as a substantial risk to the organization. Unless they are managed according to absolute best practices, these new physical security "front doors" will become the cyber attacker's best opportunity to establish multiple "back doors" into the organization. As we noted earlier, during just one test of potential exposure to these attacks, the customer's deception technology defense was able to identify literally hundreds of attacks targeting the corporate network during a relatively short period of time.

Industry best practices that are evolving rapidly to meet and defeat these threats still lag behind the pace of adoption of IoT technology.

