
R-Vision Threat Deception Platform (R-Vision TDP)

Product
Developers: R-Vision
Date of the premiere of the system: 2020/11/30
Last Release Date: 2022/12/14
Technology: Distributed Deception Platform (DDP),  IS - Firewalls


2024

Compliance with cybersecurity standards of the Republic of Belarus

On July 17, 2024, R-Vision announced that R-Vision TDP, its platform of digital imitations of IT infrastructure elements for early detection and prevention of cyber attacks, had been certified by the Operational and Analytical Center under the President of the Republic of Belarus (OAC). Certification was carried out in accordance with technical regulation TR 2013/027/BY.

The certificate of compliance with the cybersecurity requirements of the Republic of Belarus confirms that R-Vision TDP meets the information technology security requirements established in the country, which makes the product more attractive to organizations operating in the Republic or having branches there. Certificate number: BY/112 02.02. TR027 036.01 01394.

The OAC certificate of conformity allows R-Vision TDP to be used:

  • at critical informatization facilities (CMOI);
  • in state information systems;
  • in automated control systems for production and technological processes;
  • in information systems that process personal data.

"In the Republic of Belarus there is a trend towards increased demand for technologies for protection against cyber threats. This is due to the growing number of cyber attacks and the need to ensure information security. Companies working in various industries of the economy recognize the importance of protecting their data and choose reliable developers of cybersecurity systems," said Kamil Baimashkin, Deputy Executive Director of R-Vision. "Obtaining a certificate of conformity from the Operational and Analytical Center under the President of the Republic of Belarus (OAC) is becoming one of the key criteria when choosing a vendor of information security technologies for companies interested in improving the protection of their IT infrastructures. R-Vision always ensures the security of its customers in accordance with best world practices. Obtaining another OAC certificate of the Republic of Belarus confirms the maturity and reliability of R-Vision technologies."

R-Vision TDP 3.1

On March 4, 2024, R-Vision announced the release of a major version, R-Vision TDP 3.1, of its technology for digital imitation of IT infrastructure elements. In this version the developer updated the decoy placement mechanism, added an open API and improved support for networks running domestic (Russian) operating systems.

With R-Vision TDP 3.1, users can configure decoy placement policies in detail based on basic information collected about each machine: the operating system version, its language and the installed programs. Placing decoys this way makes them more plausible and realistic even in large networks. The update also lets information security specialists place decoys on client hosts with the tools already deployed on the network, including KSC, Microsoft SCCM, Ansible and Puppet.

In the update, R-Vision expanded the product's integration capabilities with the customer's information systems, taking into account the restrictions that arise in large networks. For example, if the platform is not permitted to write to the customer's DNS servers, R-Vision TDP can hand over the lists of non-existent DNS host names through the API, so that the customer adds the records themselves. In the same way, a list of false (decoy) accounts can be provided for monitoring in the customer's SIEM system.

R-Vision TDP 3.1 has an intuitive interface, and interaction with the solution has been simplified through a public API with Swagger (OpenAPI) support. This makes product integration easier while adhering to strict information security policies. The API also allows the product to be used in networks where different departments are responsible for different elements of the infrastructure, and allows the exchange of information with R-Vision TDP to be automated.

R-Vision TDP 3.1 can now be integrated into networks that already run on Russian operating systems or are only beginning to migrate to domestic software. To this end, the developers made the following changes:

2022

APCS and Linux FullOS traps added

On December 14, 2022, R-Vision announced an update to the R-Vision Threat Deception Platform (TDP), its platform for digital imitation of IT infrastructure elements. In particular, the developer added APCS (industrial control system) and Linux FullOS traps, expanded the list of decoy templates, and added support for solutions from domestic software suppliers.

In 2022, the number of cyber attacks on the information infrastructure of industrial enterprises in Russia increased several times. The consequences of such attacks are serious: leaks of confidential data, production downtime, and financial and reputational losses. Given the growing number of incidents, R-Vision added an APCS trap to the latest version of the platform, designed to identify threats to the IT infrastructure of industrial organizations. Users can now create false programmable logic controllers, key elements of automation and process control systems that provide real-time control of industrial facilities. R-Vision TDP can thus detect attacks on specific assets located in the network segments of production enterprises.

Another trap added by the vendor to R-Vision TDP is Linux FullOS, which deploys a trap in the selected network segment as a full-fledged virtual machine based on an operating system of the Linux family. This type of trap can serve as the basis for false network elements customized to a customer's specific Linux-based environment. In addition, decoys in the form of saved credentials in the Microsoft Internet Explorer and Microsoft Edge Legacy browsers have become available to users.

Another important change was the expansion of the list of supported Russian software products: the R-Vision TDP management server now runs on the Astra Linux operating system, and the platform was successfully tested on the domestic zVirt virtualization system.

"In developing the R-Vision TDP product, we strive to take into account all current market needs, among which support for domestic operating systems is in one of the first places," commented Ivan Shalamov, product manager of R-Vision TDP. "In addition, this year was marked by an increase in the number of cyber attacks on industrial enterprises. Therefore, in the latest version of the product we implemented traps for detecting information security events that can occur, among other places, in the technological segment of the enterprise infrastructure."

R-Vision TDP version 1.5 with automatic incident transmission to R-Vision SOAR

On September 20, 2022, R-Vision announced the release of version 1.5 of the R-Vision Threat Deception Platform (TDP), its platform for digital imitation of IT infrastructure elements. The release expanded the list of trap and decoy templates, implemented automatic transfer of incidents to the R-Vision SOAR information security orchestration and automation platform, and improved the handling of security events: the user can now set the period during which interactions with a trap are collected into a single incident.

In R-Vision TDP version 1.5 the vendor extended the list of trap and decoy templates. HTTP traps that imitate the login page of network equipment have been added, as well as decoys for macOS and Linux. Another addition is decoys in the form of saved connections to SMB network shares.

In the updated version, R-Vision improved the automatic creation of traps: a new section allows their contents to be customized. For example, accounts are generated from predefined dictionaries of surnames, first names and patronymics, and the proportion of each dictionary can be set manually according to the geographic location of the company's branches. The system allows the account naming pattern and password parameters to be set in accordance with the policy of the target organization. For the login, server name and FTP banner generators, custom dictionaries can also be uploaded. Thanks to this, all data generated automatically for traps is indistinguishable from real data.

Because any interaction with a trap is treated as critical, the developer added the ability to define exceptions for event sources in cases of legitimate host scanning. For example, the IP address of the workstation from which the security scanner is run can be added to the exception list.
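To make concrete what "monitoring false accounts in the SIEM" (version 3.1, above), the configurable incident-aggregation period and the scanner exception list amount to in practice, here is an added example in Python. It is not R-Vision code and does not use the TDP API or its event format: the log line format, the decoy account names, the trap addresses and the excluded scanner address are all constructed for illustration. The logic is the generic one a SIEM rule would implement: any use of a decoy account or any connection to a trap host is an event, events from excluded sources are dropped, and events from one source against one trap within the configured window are merged into one incident.

```python
"""Correlate deception events into incidents (added example, not R-Vision code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Decoy accounts that exist nowhere in production (constructed). In the
# product this list would be exported from TDP to the customer's SIEM.
DECOY_ACCOUNTS = {"svc_backup_old", "a.ivanov_adm"}
# Trap hosts by address (constructed).
TRAP_HOSTS = {"10.20.5.41": "ftp-trap-01", "10.20.5.42": "plc-trap-01"}
# Sources allowed to touch traps, e.g. the vulnerability scanner workstation (constructed).
SCANNER_EXCLUSIONS = {"10.20.1.10"}

# Constructed sample log in a simple syslog-like key=value format (not a product format).
SAMPLE_LOG = """\
2024-03-04T09:00:01 auth host=dc01 user=j.petrov src=10.20.3.15 result=success
2024-03-04T09:00:05 conn dst=10.20.5.41 src=10.20.1.10 port=21
2024-03-04T09:05:10 conn dst=10.20.5.41 src=10.20.3.77 port=21
2024-03-04T09:07:30 auth host=10.20.5.41 user=svc_backup_old src=10.20.3.77 result=failure
2024-03-04T09:08:00 conn dst=10.20.5.41 src=10.20.3.77 port=22
2024-03-04T10:30:00 conn dst=10.20.5.42 src=10.20.3.77 port=502
2024-03-04T11:00:00 auth host=dc01 user=a.ivanov_adm src=10.20.4.8 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>auth|conn)\s+(?P<rest>.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    src: str
    target: str          # trap name, or "account:<name>" for a decoy logon on a real host
    detail: str
    decoy_account: bool  # True when a decoy account was used


@dataclass
class Incident:
    src: str
    target: str
    events: list[Event] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A decoy credential being used means the attacker harvested it: highest priority.
        return "high" if any(e.decoy_account for e in self.events) else "medium"

    @property
    def last(self) -> datetime:
        return self.events[-1].ts


def parse_line(line: str) -> Event | None:
    """Return an Event if the line touches a trap or a decoy account, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    ts, kind, src = datetime.fromisoformat(m["ts"]), m["kind"], fields.get("src", "")
    if kind == "conn":
        trap = TRAP_HOSTS.get(fields.get("dst", ""))
        if trap is None:
            return None  # ordinary traffic between real hosts
        return Event(ts, kind, src, trap, f"port {fields.get('port', '?')}", False)
    user, host = fields.get("user", ""), fields.get("host", "")
    decoy, trap = user in DECOY_ACCOUNTS, TRAP_HOSTS.get(host)
    if trap is None and not decoy:
        return None  # legitimate logon with a real account on a real host
    target = trap if trap is not None else f"account:{user}"
    return Event(ts, kind, src, target, f"user {user} {fields.get('result', '?')}", decoy)


def detect(log_text: str, window_minutes: float,
           exclusions: set[str] = SCANNER_EXCLUSIONS) -> list[Incident]:
    """Group trap/decoy events per (source, target) into incidents using a time window."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and e.src not in exclusions]
    events.sort(key=lambda e: e.ts)
    open_incidents: dict[tuple[str, str], Incident] = {}
    incidents: list[Incident] = []
    for ev in events:
        key = (ev.src, ev.target)
        inc = open_incidents.get(key)
        # Start a new incident if none is open for this pair or the gap exceeds the window.
        if inc is None or ev.ts - inc.last > window:
            inc = Incident(ev.src, ev.target)
            incidents.append(inc)
            open_incidents[key] = inc
        inc.events.append(ev)
    return incidents


if __name__ == "__main__":
    for inc in detect(SAMPLE_LOG, window_minutes=15):
        print(f"[{inc.severity}] {inc.src} -> {inc.target}: {len(inc.events)} event(s), "
              f"{inc.events[0].ts.time()} - {inc.last.time()}")
```

With a 15-minute window the sample yields three incidents: the FTP trap probed, then a decoy credential tried against it, then an SSH attempt from the same source (one high-severity incident), a later Modbus connection to the PLC trap from the same source, and a decoy account tried against the real domain controller from another host. The scanner's connection is dropped by the exception list. Shrinking the window to one minute splits the first incident in two, which is the trade-off the configurable period in version 1.5 controls.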

In addition, version 1.5 visualizes the relationships between traps and the decoys placed on real network nodes: in the "Events" section, the trap that fired is now linked to the decoy that led the attacker to it. Event timelines have also been added, reconstructing the entire chronology of interaction with a specific trap, with filtering by time and criticality.

"We are constantly working on expanding the product's functionality: we are extending the list of traps and decoys, and we also strive to implement in R-Vision TDP the proven functionality of the Western players who have left the market, while taking into account the specific needs of Russian customers," commented Ivan Shalamov, product manager of R-Vision TDP. "In addition, all R-Vision products are part of one ecosystem and are built on unified integration mechanisms and configurations. Thanks to this, they interact with each other as efficiently as possible and together provide full information security management."

R-Vision TDP Commercial Release

On March 15, 2022, R-Vision announced the commercial release of the R-Vision Threat Deception Platform (R-Vision TDP). R-Vision TDP belongs to the Distributed Deception Platform (DDP) class, which uses active deception techniques to detect intruders and mislead them by distorting their picture of the corporate network with false elements.

R-Vision TDP Operation Diagram

According to the company, all deception technologies rest on the assumption that any company is already compromised. Classic perimeter protection and monitoring tools are losing their effectiveness: sooner or later attackers penetrate the organization's infrastructure and can study it for months while remaining unnoticed.

Deception technologies are one of the last echelons of defense that can slow down and expose a cybercriminal. With a set of interconnected traps and decoys, the system misleads the attacker, detects their presence on the corporate network at an early stage, and makes it possible to stop the attack before it causes significant damage.

Screenshot of "Traps"

The R-Vision Threat Deception Platform lets users automatically deploy networks of traps and decoys from ready-made templates. It can also create traps and decoys from infrastructure data, making them resemble the customer's specific systems and IT assets. The platform can imitate workstations, devices, applications, network equipment and servers, and can simulate network interaction between them. These traps can be placed unobtrusively in the organization's infrastructure, where they are indistinguishable from real hosts. Any interaction with a trap indicates an incident and raises an alert in the system.

To draw the attacker towards the traps, decoys, resources of potential interest to an intruder, are automatically placed both on the traps and on real infrastructure nodes. These include configuration files, browser history, drafts, SSH keys, files with passwords and other data. Traps and decoys can be generated according to the conventions adopted in the organization: for example, when creating false accounts and generating passwords, data from the directory service is used.

Screenshot "Events"

Traps are located on separate Trap Manager servers, while the Control Center server manages the platform and the entire emulated infrastructure. For large organization infrastructures, scaling is easily solved by adding the required number of Trap Manager servers.

"Deception, or so-called 'cyber-warfare technologies,' is the next step in the development of security systems for detecting various threats at an early stage, including APT attacks and zero-day threats. R-Vision TDP is a product that will identify the start of an attack, collect information about the attacker's tactics and tools, and analyze weaknesses in the protection of the infrastructure."

noted Ivan Shalamov, R-Vision TDP Product Manager

To maximize the realism of traps and decoys, asset data from the R-Vision IRP (Incident Response Platform) or R-Vision SGRC (Security Governance, Risk Management and Compliance) systems can be used once integration with them is configured. The R-Vision TDP platform detects interaction of both external and internal intruders with traps and sends alerts to the information security specialist. For investigation, these events can be forwarded to R-Vision SENSE, which automatically builds timelines of the interaction with traps, giving the SOC analyst the necessary context. Incidents received can be passed to R-Vision IRP and responded to automatically using playbooks.

Screenshot "Dashboard"

In addition, the attributes and indicators of compromise that R-Vision TDP collects by analyzing the attacker's actions can be passed automatically to the R-Vision TIP (Threat Intelligence Platform). R-Vision TIP, in turn, enriches this data, identifies relationships with other available threat intelligence, configures automatic monitoring of events in the SIEM, and exports the indicators of compromise to security tools for blocking.

"The R-Vision TDP platform is the element of the R-Vision product ecosystem that identifies security incidents which are difficult to detect by other means. As of March 2022, we have already held a number of closed product demonstrations and, based on the feedback received, are announcing the start of pilot projects."

said Igor Smetanev, Commercial Director of R-Vision

2020: Announcement of R-Vision Threat Deception Platform

On November 30, 2020, R-Vision, a Russian developer of cybersecurity systems, announced a new product, the R-Vision Threat Deception Platform. The product belongs to the Deception class of technologies, which detect intruders who have penetrated the enterprise infrastructure and stop attacks at an early stage.

R-Vision introduced the Deception class product. Photo: news.itmo.ru.

According to the company, Deception technologies (from the English "deception", misleading) create digital imitations of IT infrastructure objects in order to identify attackers who have penetrated the corporate network. Using a set of traps and decoys, such systems detect the presence of an intruder, slow their progress inside the network by confusing them among false objects, and give information security specialists the chance to stop the attack at an early stage. One advantage of Deception technologies is a near-zero false-positive rate: since traps and decoys exist only to attract an attacker's attention and are never used in normal workflows, any interaction with them is very likely to indicate an incident. According to the 2020 Gartner Hype Cycle for Security Operations report, Deception platforms can complement classic threat detection tools and require minimal effort during initial configuration. According to Gartner analysts, as of November 2020 this technology was still little used by information security specialists.

"Traditional preventive techniques are becoming less and less effective in modern conditions, which is confirmed by numerous reports of major incidents and by research statistics. Sooner or later, attackers find a way to penetrate the perimeter, trying to avoid crude methods and remain unnoticed by classic monitoring tools. The main advantage of Deception class solutions is that they put a serious trump card in the hands of information security services: now an attacker needs to make just one mistake in choosing a target for the attack to appear on the radar of the monitoring services. In addition, Deception systems produce fewer false positives, with a high probability of indicating the presence of an attacker in the infrastructure."

said Alexander Bondarenko, CEO of R-Vision

The R-Vision Threat Deception Platform automatically deploys and manages, from a single center, trap systems that emulate the organization's real IT assets. Traps can imitate applications, devices, network equipment, servers, workstations and services, and can simulate network interaction. To draw the attacker towards the traps, decoys, information of potential value to an intruder, are automatically placed both on the traps and on real infrastructure nodes. These can be configuration files, browser history, drafts, SSH keys, files with passwords and other data, generated automatically according to organization-specific parameters.

When an interaction with a decoy or trap is registered, R-Vision TDP collects and processes the events and sends an alert to the information security specialist. Security events can also be forwarded to external systems such as IRP/SOAR and SIEM for response.

R-Vision TDP is tightly integrated with the other products in the R-Vision line. Used together with R-Vision IRP, it helps assess the scale of an attack, identify other compromised systems in the organization based on incident data from the Deception platform, and automate the response. Attributes and indicators of compromise collected by R-Vision TDP from analysis of the attacker's actions can be passed automatically to the R-Vision TIP threat intelligence platform. R-Vision TIP, in turn, further enriches this data, identifies relationships with other available information, configures automatic monitoring of events in the SIEM, and arranges blocking by security tools.

The official release of the product is scheduled for the first quarter of 2021, but the start of pilot projects is planned for the near future.