Xello Deception

2024

Xello Deception 5.6

On October 22, 2024, Xello announced the release of the Xello Deception platform version 5.6. Key changes include recording network traffic to investigate cyber incidents, additional types of false data to identify attacks on the Kerberos protocol, optimized web trap configuration, and auto-discovery.

According to the company, after detecting malicious activity on the network, Xello Deception provides the necessary information to detect a cyber attack: the initial point of compromise, the attacker's chain of actions when interacting with a false data layer and assets, traces of launching tools.

𝓲

Xello

The updated version of the product implements writing network traffic to a pcap file for further analysis using third-party tools. This allows you to receive all data about the commands and actions of the hacker (execution of commands, requests, running utilities and others) when he interacts with the trap.

Today, Xello Deception supports more than 40 types of traps of different interactivity (FTP, SSH, Database, RDP, SMB and others). This version of the platform implements its own technology for emulating web services of devices from various manufacturers (for example, Cisco, HP, Hikvision and others) of a high level of interactivity.

Also, version 5.6 implements RealOS traps on Linux. In developer terminology, RealOS is a type of trap that emulates false services and devices running in a real operating system environment. This allows you to install any software, application, or security on them. Thus, any production system becomes a trap.

The Kerberos protocol (used in domain networks to authenticate users) is often needed by attackers to obtain accounts and elevate their privileges. According to an analysis of pentettas conducted by Positive Technologies in 2022, obtaining credentials through the Kerberoasting attack is one of the five methods (36%) that pentesters use to investigate the internal network. Attacks on the Kerberos protocol are difficult to identify because attackers use a compromised account associated with the Service Principal Name (SPN). This name is a unique identifier that allows users to log in to specific accounts. Using an account, they request numerous tickets from a key distribution center (KDC) and a domain that controls who can access the network. This behavior will be tantamount to that of a legitimate user.

To minimize the risk of compromising the Kerberos protocol, the updated version of Xello Deception implements SPN decoys - false data specific to it. This type of decoy will be the most attractive target for an attacker when conducting a Kerberoasting attack. It can be placed in LDAP and Active Directory (AD) directories - in those places where accounts are most often searched for for further implementation of a cyber attack.

Another way to detect attacks of this type, which is already implemented on the platform, is to integrate with authentication event sources (for example, with Active Directory). This allows you to identify the actions of an attacker when using a false SPN account at the time of its verification (without using traps).

This release implements AutoDiscovery to automatically add LDAP servers and Active Directory (AD) to the system. This is necessary to analyze the features of the company's infrastructure and create relevant false data. Auto-discovery optimizes the system for companies with dynamic infrastructure and a large number of domains. The solution automates the process of monitoring and collecting data about configuration units, as well as optimizes the platform efficiency by eliminating the human factor.

Modern cyber warfare systems or Distributed Deception Platform (DDP) solutions are actively adapting to the ever-changing landscape of cyber threats. For example, after the departure of Western players and their updates, attacks with the exploitation of vulnerabilities in hardware, applications and systems have noticeably increased. We have implemented a separate module within our platform - Xello Decoy Traps, which allows you to emulate false devices, services, operating systems and vulnerabilities in them. noted Makarov Alexey, CTO of Xello

Xello Deception 5.5 with filtering by protected hosts when added to the policy

An updated version of the platform for detecting targeted cyber attacks has been released - Xello Deception 5.5. The developer announced this on July 23, 2024. One of the key changes in the release is the updated licensing model, which divides the platform by functionality - modules (system components). This allows customers to choose the components they need based on their needs and model of information security threats. As of July 2024, the platform has ten different modules.

𝓲

Xello

In each release, the developers pay attention to the web interface of the product and the convenience of working with it. Version 5.5 implements the "dark" theme of the platform interface. Improved flexibility with the system:

• Filtering by protected hosts when added to a policy
• the ability to download audit logs from the web interface is implemented;
• authorization of system users from the Security Group or any other arbitrary filter in LDAP (Lightweight Directory Access Protocol) directories is implemented.

The Xello team has improved the stability of the platform: support for asynchronous event processing has been implemented, the speed of creating devices in the system has been increased, and the mechanisms for network configuration of the management server and trap creation have been improved. New trap protocols have also traditionally been added.

The functionality of Xello Deception has long gone beyond just a Distributed Deception Platform (DDP) solution. The technologically strong product architecture allows you to scale individual areas within the platform that perform related information security tasks (reducing the attack surface, investigating incidents), - said Alexey Makarov, technical director of Xello.

Use in MTS RED SOC

MTS RED entered into an agreement with the company. Xello Through this technology partnership, the Monitoring and Response Center cyber attacks MTS RED SOC will help customers reduce the risk of damage even if hackers they penetrate the company's infrastructure. MTS RED will act as an MSSP Provider (Managed Security Service Provider) of the Xello Deception platform RED MTS announced this on June 26, 2024. More here.

2023

Xello Deception 5.3

On September 28, 2023, Xello, the developer of the first Russian platform to protect businesses from targeted attacks using cyber warfare technology, presented an updated version of the Xello Deception product. The key changes of version 5.3 were: an updated architecture for flexible control of a false layer of infrastructure at distributed sites, an updated module for hybrid emulation of false assets, the ability to receive authentication events from third-party systems and detect MITM attacks.

Xello Deception 5.3

According to the company, Xello Deception detects targeted attacks using distributed decoys and traps that allow you to emulate various false data and information assets on the network to deceive an attacker. The updated version of the product allows you to connect geographically distributed sites to the system and flexibly manage the false layer of infrastructure on them from a single management console. This architecture is called Xello Satellite or Satellite servers (servers installed on distributed sites).

To ensure maximum coverage of all network segments with a false infrastructure, an updated Xello Decoy Traps hybrid emulation module has been implemented, which allows you to create false assets and data at the level of protocols, operating systems, services and devices.

A feature of the platform is highly trusted indicators of compromise that arise when an attacker interacts with false assets. Xello Deception can send events to incident monitoring and management systems. With the updated Xello Trapless module, a reverse scenario has become possible in which the platform receives bait and trap events from external systems (Apache Kafka, RabbitMQ, SIEM, Windows Event Collector). This allows the solution to be used in non-domain infrastructures .

{{quote 'author
= said Alexey Makarov, CTO of Xello'Ha September 2023 in the conditions of import substitution, customers use various infrastructure management tools and business information security systems. Therefore, we make our platform vendor independent for seamless integration with third-party systems and solutions, as well as adaptive for various infrastructures. Together with the development of the "classic" set of system functionality cyberobman - traps and decoys - we develop adjacent directions. For example, we brought Xello Identity Protection (formerly Credential Defender) into a separate module, which allows you to reduce the surface of an attack by removing various artifacts of users' work on endpoints.}}

Xello Deception 5.3 also allows you to detect Man-in-the-middle (MITM) attacks. A special module in real time detects malicious activity associated with LLMNR, mDNS, NBT-NS protocols (multicast resolution protocols for local names). During the implementation of the cyber attack, attackers fake an authoritarian source to resolve the name, responding to traffic from LLMNR, mDNS, NBT-NS and redirecting the victim to a fake resource to compromise a legitimate account.

Astra Linux Special Edition Compatibility

Xello Deception platform has been confirmed to be compatible with OCAstra Linux. This was announced on September 6, 2023 by Astra Group of Companies.

The updated release of the solution implemented a number of changes that affected almost all components of the software product - a new domain authentications one based on the RADIUS protocol, support for dynamic screen resolution, a mechanism for writing events to the operating systems Windows log and Linux.

The Xello Deception platform detects targeted attacks using distributed decoys and traps throughout the company's network. The solution provides attackers with inaccurate information about the IT infrastructure of the business (false accounts, keys to IT systems, saved connections to various resources) and redirects them to traps. This protects critical information assets, including Linux infrastructure, by spreading false data and assets.

We are actively working to adapt the Xello Deception platform to various infrastructures and customer requirements: seamless integration with the products of Russian vendors, the ability to connect and collect events from third-party solutions, transfer security incidents to third-party systems (SIEM/IRP). Compatibility with Astra Linux is another important step, thanks to which customers will be able to fulfill the requirements of regulators for import substitution, - said Alexey Makarov, CTO of Xello.

The key task of Astra Group of Companies is to maximize technological cooperation and compatibility with the developer of the Ukrainian IT market and provide technological solutions that ensure maximum security and continuity of organizations' business processes, "commented Kirill Sinkov, Head of the Department for Work with Technological Partners of Astra Group of Companies. - Thanks to the compatibility of the Xello Deception platform with Astra Linux OS, the security functionality already recognized by a wide range of customers is being supplemented and expanded, which allows our customers to get a full-fledged technology stack with a new approach to identifying even complex cyber threats, which is especially important given the current market realities.

Xello Deception version 5.1 with Linux support

The updated platform for preventing targeted attacks using cyber warfare technology Xello Deception version 5.1 supports the installation of a management server on Linux operating systems. Also, the updated version implements the mechanics of managing inactive hosts, support for OpenLDAP and the latest protocols for traps (WinRM and RPC). Xello (Xello) announced this on February 27, 2023.

The implementation of the installation of a management server on domestic Linux systems will fulfill the import substitution requirements. In addition, earlier versions of the platform already support the distribution of decoys to end devices running OS Linux using remote interaction mechanisms (SSH, Ansible, Puppet and others). This gives business the ability to protect Linux infrastructure even on early versions of the product.

Xello Deception provides flexible false data layer management and monitoring on end devices. The platform allows you to centrally distribute decoys at a certain time, select host groups according to various parameters and search queries. To automate this process, the new version implements the ability to run periodic distribution tasks through Microsoft System Center Configuration Manager (SCCM). Also, as part of monitoring, the platform now automatically takes into account decommissioned hosts to which decoys were previously extended.

Support for domestic operating systems is a logical step in the development of any Russian product, "said Alexey Makarov, CTO of Xello. - We are working to adapt our platform for other domestic Linux distributions, simplifying the fulfillment of import substitution requirements. We continue to implement new types of decoys for all operating systems and work on the convenience of the platform for users.

2022

Xello Deception 5.0 Output

Xello, the developer of the Russian Distributed Deception Platform (DDP) class solution, introduced the fifth version of the Xello Deception targeted attack prevention platform on October 19, 2022. Among the key differences of the release are the flexible integration of the platform into the internal infrastructure of the enterprise and external cybersecurity systems, as well as additional opportunities for working with cyber incidents. Improvements allow you to more accurately identify illegitimate actions on the network and improve response efficiency.

To analyze the peculiarities of the infrastructure of any business and generate the most realistic false ones data , Xello Deception 5.0 implements automatic pull-up servers directly from the web interface. Also, thanks to the open API solution, it is capable of flexibility to be integrated with external cybersecurity systems. The updated version provides access to Swagger (a tool that allows you to create to visualize an API description based on the OpenAPI standard). Now you can watch and test integrations through the API right inside the web interface.

The mechanism for managing the types of decoys has been changed, which splits them into categories. Each category defines the area of use of the software to which the bait belongs. The system operator can assign both entire categories and individual types of decoys to hosts through policies. This allows you to more precisely configure their distribution to specific hosts.

For convenient work with cyber incidents, the filter mechanism has been redesigned. Now the system operator always remains in their context, performing operations with several activities (you do not need to open a separate window or scroll). Another innovation of the fifth version is a map with tactics based on the MITRE ATT&CK model in the incident card. This helps the system operator understand the stage at which the attacker is at and learn about the techniques and tactics (TTP) used.

The company is trying to form a standard for DDP solutions in the Russian market, focusing on the needs of users and at the same time improving the platform technologically. This is clearly demonstrated in the updated version of Xello Deception, where they significantly expanded its functionality, completely changed the system interface and simplified work with it for ordinary users, commented on Xello's CTO, Alexey Makarov.

Security Vision Compatibility

Xello, the developer of the Russian DDP (Distributed Deception Platform) Xello Deception platform, designed to provide information protection for businesses against targeted cyber attacks, and the Intelligent Security Vision company, which develops advanced Russian solutions in the field of information security process management and automation, have entered into a partnership agreement. This was announced by Xello on September 19, 2022.

As part of the collaboration, the companies tested the collaboration of the Xello Deception and Security Vision platforms. The integration of these products will enable companies with large and critical infrastructure to quickly identify and prevent complex cyber threats, as well as improve the quality of monitoring and responding to security incidents.

The Xello Deception platform protects infrastructures customers from targeting by attacks detecting illegitimate online activity in the early stages with decoys and traps. They create a layer of false assets (accounting,, data servers applications services and others), when interacting with which malefactor they impersonate. System components are managed and incidents monitored through a single console.

One of the features of Xello Deception is the minimum number of false positives, since the decoys and traps are directed exclusively at the attacker. When integrated with platforms such as Security Vision, it provides only highly trusted compromise indicators without creating background noise, and all the necessary information to work with incidents (host warning), commented on the CEO of Xello , Alexander Shchetinin.

The Distributed False Purpose Infrastructure (DDP) platform market has great development potential. This is a promising and highly efficient technology that significantly contributes to the enrichment of data in the incident management process. The integration of Xello Deception and Security Vision opens up prospects for strengthening customer information security. noted Security Vision CEO, Ruslan Rakhmetov.

Xello Deception 4.8 with VDI support

Xello Deception supports virtual workplace infrastructure, Xello (Xello) announced on February 14, 2022.

The demand for organizing VDI places is due not only to the transition of the business to a hybrid model of work, but also to the trend towards employee mobility. However, the migration process carries serious information security risks.

• Expanding the perimeter of a cyber attack: compromising one end client device can discredit the entire VDI environment.
• Providing cybersecurity to a large number of copies of operating systems.
• Implementation of protection measures taking into account the specifics of the virtualized environment: for example, the implementation of a resource-intensive security solution (classic agent protection) can lead to a decrease in the consolidation rate virtual machines or cause delays in loading operating systems.

Thus, the transition to this model of work requires cybersecurity departments not only careful organizational measures, but also a competent approach to choosing cybersecurity solutions. In a VDI environment, security must have the lowest possible impact on the infrastructure. Shorter wait times for applications to open results in better productivity for your employees.

Xello Deception is an agentless solution that creates decoys on virtual hosts and distributes them across the enterprise network using its own technology. The decoys can be various saved passwords and sessions, keys, false configuration files, databases and others. Their task is to emulate real information assets in order to detect the presence of an attacker inside the perimeter of the company. This increases the security of the VDI environment and helps reduce the risk of unauthorized access to the company's infrastructure.

With each next release, the developers are expanding the number of decoys and how to distribute them. The system carefully analyzes the behavior model of each user. And regardless of the configuration and purpose of the protected host (accountant's computer, data server databases or developer's laptop), the system will select decoys of the type whose software is used on this host.

2020: Inclusion in the Unified Register of Russian Programs

On April 9, 2020, it became known that the Xello Deception platform was added to Unified Register of Russian Programs the computer and. databases Ministry of Digital Development, Communications and Communications of the Russian Federation Inclusion in the register of support, information security Monitoring and management systems took place in accordance with Order dated Ministry of Digital Development, Communications and Mass Media Russia 07.04.2020.

The essence of the Xello Deception approach is to create an alternative reality for an attacker who has entered the corporate network. The system creates and actively lures an attacker into a dense network of false data, minimizing the likelihood of success of the attacker. The decision is valid after the "traditional" means of protection did not cope, and the attacker entered the network.

Building realistic systems that are independent of the real IT infrastructure helps detect malicious activity before they cause serious damage to the organization. Xello experts note that their development is based on a special technology "Dexem," with which you can create the most realistic environment.

Stages of Xello Deception:

• Creating decoys and traps.
• Introducing them into the corporate network.
• Misleading an attacker through decoys and realistic false targets.
• Detection of unauthorized intrusion into the network.
• Timely response to the actions of intruders.