Deception module and macOS support: BI.ZONE EDR functionality expanded

The Deception module makes it possible to track down even a professional attacker who is capable of evading detection during the initial reconnaissance stage. Key EDR features are now available not only on Linux and Windows but also on macOS.
September 12, 2023

Deception technology allows you to create decoys that are indistinguishable from the client's real infrastructure assets, both on endpoints and in the Active Directory domain. A decoy attracts an adversary as a potential springboard for developing an attack: while engaging with it inside the compromised infrastructure during the reconnaissance and attack development stage, the adversary is lured into a trap. The decoy can be any workstation or server in the corporate network with the BI.ZONE EDR agent installed.

BI.ZONE EDR captures attempts to communicate with the decoy, as well as attempts to use decoy accounts to access corporate network resources or to authenticate to Active Directory, and so produces high‑fidelity attack alerts. Information about the incident appears in the product interface and can then be forwarded to external IRP/SOAR/SIEM systems for further response.

Deception therefore makes it possible to detect attacks that could not be discovered otherwise, or to detect them before the adversary starts lateral movement.

The Deception module adapts the decoys to the client's infrastructure so that the attacker has no reason to suspect that they are dealing with a fake object. For instance, the decoys follow the official corporate account format, and the fake accounts emulate legitimate user activity.

Today BI.ZONE EDR is the only product in the Russian market where EDR and Deception are combined on a single technological platform. The client does not need to install two different solutions; this saves time and resources for the purchase, implementation, and maintenance of the product. Any host with an installed agent becomes a trap automatically, without the need to deploy standalone servers, and EDR receives additional threat detection technology.
Teymur Kheirkhabarov
Head of Cyber Threat Monitoring, Response and Research, BI.ZONE

Domain traps include fake accounts in Active Directory—which are placed in a privileged group with Kerberos pre‑authentication disabled or with reversible encryption enabled—as well as fake service accounts in Active Directory with the service principal name (SPN) attribute.

Local traps include saving fake credentials in a browser or in the OS account manager, injecting fake credentials into RAM, creating OS configuration files and utilities with fake credentials, and creating Windows registry keys with fake credentials.
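The alerting logic the two paragraphs above describe, as an added illustration that is not BI.ZONE code: a small detector that flags any Windows Security authentication event referencing a decoy account or decoy SPN, while ignoring the hosts that run the scripted "legitimate activity" emulation. The decoy names, SPN, host addresses and event records are constructed; field names follow the Windows Security event schema (4768 TGT request, 4769 service ticket request, 4624/4625 logon).

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed decoy inventory (hypothetical names): AD decoys of the kinds the
# article describes, plus credentials planted on endpoints as local traps.
DECOY_ACCOUNTS = {"j.adminov": "no-preauth", "svc-backup-old": "spn", "ops-legacy": "local"}
DECOY_SPNS = {"MSSQLSvc/db-legacy.corp.local:1433"}
# Hosts that run the activity emulation for the fake accounts; their own use
# of the decoys is expected and must not raise an alert.
EMULATION_HOSTS = {"10.0.5.20"}

@dataclass
class Alert:
    event_id: int
    decoy: str
    source: str
    technique: str

def classify(ev: dict) -> Optional[Alert]:
    """Return an Alert if the event touches a decoy, else None."""
    eid = ev.get("EventID")
    src = ev.get("IpAddress", "")
    if src in EMULATION_HOSTS:
        return None
    if eid == 4769 and ev.get("ServiceName") in DECOY_SPNS:
        return Alert(eid, ev["ServiceName"], src, "service ticket requested for decoy SPN")
    user = ev.get("TargetUserName", "")
    if user not in DECOY_ACCOUNTS:
        return None
    kind = DECOY_ACCOUNTS[user]
    # PreAuthType "0" on a 4768 means the TGT was requested without pre-authentication.
    if eid == 4768 and kind == "no-preauth" and ev.get("PreAuthType") == "0":
        return Alert(eid, user, src, "TGT requested without pre-authentication for decoy account")
    if eid in (4624, 4625):
        return Alert(eid, user, src, "logon attempt with decoy credentials")
    return Alert(eid, user, src, "decoy account referenced in authentication event")

def detect(lines: List[str]) -> List[Alert]:
    """Run classify() over JSON-encoded event records, one per line."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample events; only lines 1, 2 and 5 should alert.
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "j.adminov", "IpAddress": "10.0.7.44", "PreAuthType": "0"}
{"EventID": 4769, "TargetUserName": "alice", "ServiceName": "MSSQLSvc/db-legacy.corp.local:1433", "IpAddress": "10.0.7.44"}
{"EventID": 4624, "TargetUserName": "ops-legacy", "IpAddress": "10.0.5.20"}
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.7.44"}
{"EventID": 4625, "TargetUserName": "ops-legacy", "IpAddress": "10.0.9.3"}
""".strip().splitlines()
```

Because a decoy has no legitimate users outside the emulation hosts, every alert is actionable, which is what gives deception alerts their high fidelity.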

Another major update is EDR support for macOS, which extends monitoring, detection, and response capabilities to Apple devices. The agent can collect a wide range of telemetry from macOS devices and, on a scheduled basis, take inventory of historical data and of device and OS configuration.

Current activity monitoring combined with historical data inventory and device configuration makes it possible to identify not only ongoing attacks, but also past compromises, misconfigurations, and vulnerabilities that can be exploited by a threat actor to develop an attack. Additionally, BI.ZONE EDR provides effective response on macOS devices.

The macOS agent and Deception module capabilities are already available to BI.ZONE TDR clients. They will soon become available to clients who use the on‑prem version of the product without the SOC/MDR service as well.