What is Decepto?

Decepto is a system that creates decoys as clones of existing services in a cloud native environment.

Given an application graph (the set of microservices and the data flows between them), Decepto decides which services to clone as decoys and where to deploy them, based on optimization metrics such as resource availability.

As shown in the picture below, it runs in a Kubernetes cluster and can use multiple external algorithms to make decisions and perform actions.

[Figure: Decepto architecture running in a Kubernetes cluster, with external decision algorithms]

Decepto offers notification and monitoring mechanisms to identify an attacker's behavior.

By default it targets Kubernetes environments, extending the Kubernetes API with Custom Resource Definitions (CRDs). In more detail, it offers four main features: Cloning, Isolating, Monitoring and Alerting.

Features

Cloning of a generic microservice into a decoy

The ability to clone a microservice at Pod level, following the directives of the resource-aware algorithm. The new decoy Pod is instrumented to control the alerting and monitoring features.

Isolating communication flows across the application microservices

The ability to programmatically control the communication flows across legitimate microservices and/or decoys. This is implemented by activating or deactivating the appropriate network rules and service discovery entries.
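The two features above, cloning and isolating, can be illustrated with plain Kubernetes objects. The following is an added example and not Decepto's own code: it clones a Deployment manifest into a decoy, gives the decoy its own Service so that the legitimate Service's selector can never route to it, and locks the decoy's egress down with a NetworkPolicy. It works on dict manifests so it runs offline; the `-decoy` suffix, the `decepto.example/decoy` label key and the sample `orders` Deployment are all assumptions made for this example.

```python
"""Clone a Deployment into a decoy and isolate it from the application.

Added example, not Decepto's own code. It works on plain-dict manifests so
it runs offline; applying them (kubectl apply or the Kubernetes client) is
left out. The "-decoy" suffix and the label key below are assumptions.
"""
import copy

DECOY_LABEL = "decepto.example/decoy"  # hypothetical label key, not from the project


def clone_as_decoy(deployment, suffix="-decoy"):
    """Return a copy of `deployment` that looks like the original but is
    addressable only through its own labels.

    Every pod-template label value gets the suffix, so the legitimate
    Service's selector no longer matches the decoy pods. Adding a label
    alone would not do that: a selector matches any pod carrying a
    superset of its labels.
    """
    decoy = copy.deepcopy(deployment)
    decoy.pop("status", None)
    meta = decoy["metadata"]
    for key in ("uid", "resourceVersion", "creationTimestamp", "managedFields"):
        meta.pop(key, None)  # cluster-assigned state must not be replayed
    meta["name"] = meta["name"] + suffix
    pod_labels = {k: f"{v}{suffix}" for k, v in
                  decoy["spec"]["template"]["metadata"].get("labels", {}).items()}
    pod_labels[DECOY_LABEL] = "true"
    decoy["spec"]["template"]["metadata"]["labels"] = pod_labels
    decoy["spec"]["selector"] = {"matchLabels": dict(pod_labels)}
    meta["labels"] = dict(pod_labels)
    decoy["spec"]["replicas"] = 1  # a decoy never carries real load
    return decoy


def decoy_service(decoy):
    """A Service that resolves only to the decoy pods, exposing the same
    container ports as the real service (same images, same ports)."""
    ports = [
        {"port": p["containerPort"], "targetPort": p["containerPort"],
         "protocol": p.get("protocol", "TCP")}
        for c in decoy["spec"]["template"]["spec"]["containers"]
        for p in c.get("ports", [])
    ]
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": decoy["metadata"]["name"],
                     "namespace": decoy["metadata"].get("namespace", "default")},
        "spec": {"selector": dict(decoy["spec"]["selector"]["matchLabels"]),
                 "ports": ports},
    }


def egress_lockdown(decoy):
    """NetworkPolicy that stops decoy pods from opening any connection.

    The decoy may be reached (that is its purpose), but a compromised decoy
    must not become a pivot into real services.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": decoy["metadata"]["name"] + "-no-egress",
                     "namespace": decoy["metadata"].get("namespace", "default")},
        "spec": {
            "podSelector": {"matchLabels": {DECOY_LABEL: "true"}},
            "policyTypes": ["Egress"],
            "egress": [],
        },
    }


def selector_matches(selector, labels):
    """True if an equality-based selector (Service or Deployment) matches `labels`."""
    return all(labels.get(k) == v for k, v in selector.items())


# Constructed sample: a minimal Deployment as the API would return it.
ORDERS = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "orders", "namespace": "shop", "uid": "abc-123",
                 "labels": {"app": "orders"}},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "orders"}},
        "template": {
            "metadata": {"labels": {"app": "orders"}},
            "spec": {"containers": [{"name": "orders",
                                     "image": "registry.example/orders:1.4",
                                     "ports": [{"containerPort": 8080}]}]},
        },
    },
    "status": {"readyReplicas": 3},
}

if __name__ == "__main__":
    import json
    d = clone_as_decoy(ORDERS)
    print(json.dumps([d, decoy_service(d), egress_lockdown(d)], indent=2))
```

The label rewrite is the part that matters for service discovery: a decoy that kept `app: orders` would be picked up by the real `orders` Service and receive legitimate traffic, which would make every alert from it worthless. The egress policy denies DNS as well; if the cloned image resolves names at startup, add an explicit egress rule for the cluster DNS service rather than dropping the policy.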

Monitoring the adversaries' behavior

The ability to collect all relevant data in order to identify the attackers' behavior patterns as completely as possible. It collects system calls, cluster audit logs, application logs and the inbound/outbound traffic of the microservices.

Alerting when a decoy receives unwanted traffic

The ability to discover potentially malicious communications and raise notifications that trigger further actions. A background process listens in promiscuous mode to the connections to the decoy, which should never receive incoming traffic.
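The alerting decision is simple in principle: a decoy has no legitimate clients, so any inbound connection is suspicious. The added example below (not Decepto's own code) applies that rule offline to constructed connection records, one JSON object per line, as a listener on the decoy's interface would see them. It handles the one expected exception, kubelet liveness/readiness probes arriving from the node network, and deduplicates repeated contacts so that a port sweep yields one alert per port rather than one per packet. The record field names, the decoy address `10.244.3.4` and the node network `10.0.0.0/24` are assumptions.

```python
"""Alert on any connection that reaches a decoy pod.

Added example, not Decepto's own code. Decepto listens on the decoy's
interface; here the same decision logic runs offline over constructed
connection records (one JSON object per line) so it can be tested. Field
names (src_ip, dst_ip, dst_port, proto), the decoy address and the probe
network are all assumptions.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def detect_decoy_contacts(lines, decoy_ips, probe_networks=(), probe_ports=()):
    """Return (alerts, stats) for connection records that target a decoy.

    A decoy has no legitimate clients, so every inbound connection is
    suspicious. The one expected exception is kubelet liveness/readiness
    probes, which come from the node network to the probe port; those are
    counted but not alerted. Alerts are deduplicated per
    (source, decoy, port, proto): a repeated client produces one alert,
    a port sweep still produces one alert per port.
    """
    decoys = {ip_address(ip) for ip in decoy_ips}
    probe_nets = [ip_network(n) for n in probe_networks]
    probe_ports = set(probe_ports)
    seen = set()
    alerts = []
    stats = {"records": 0, "malformed": 0, "suppressed_probes": 0}
    for line in lines:
        stats["records"] += 1
        try:
            rec = json.loads(line)
            src = ip_address(rec["src_ip"])
            dst = ip_address(rec["dst_ip"])
            port = int(rec["dst_port"])
            proto = str(rec.get("proto", "tcp")).lower()
        except (ValueError, KeyError, TypeError):
            stats["malformed"] += 1  # never let a bad record stop the listener
            continue
        if dst not in decoys:
            continue  # traffic to legitimate services is out of scope here
        if port in probe_ports and any(src in net for net in probe_nets):
            stats["suppressed_probes"] += 1
            continue
        key = (str(src), str(dst), port, proto)
        if key in seen:
            continue
        seen.add(key)
        alerts.append(Alert(*key))
    return alerts, stats


# Constructed sample records; every address here is made up for the example.
SAMPLE_RECORDS = [
    '{"src_ip": "10.244.1.5", "dst_ip": "10.244.2.9", "dst_port": 8080, "proto": "tcp"}',
    '{"src_ip": "10.0.0.12", "dst_ip": "10.244.3.4", "dst_port": 8080, "proto": "tcp"}',
    '{"src_ip": "10.244.1.5", "dst_ip": "10.244.3.4", "dst_port": 8080, "proto": "tcp"}',
    '{"src_ip": "10.244.1.5", "dst_ip": "10.244.3.4", "dst_port": 8080, "proto": "tcp"}',
    '{"src_ip": "10.244.1.5", "dst_ip": "10.244.3.4", "dst_port": 22, "proto": "tcp"}',
    'not json at all',
]
DECOY_IPS = ["10.244.3.4"]      # assumed decoy pod address
NODE_NETWORKS = ["10.0.0.0/24"]  # assumed node network the kubelet probes from


def run_sample():
    return detect_decoy_contacts(SAMPLE_RECORDS, DECOY_IPS, NODE_NETWORKS,
                                 probe_ports=[8080])


if __name__ == "__main__":
    alerts, stats = run_sample()
    for a in alerts:
        print(f"ALERT decoy {a.dst_ip}:{a.dst_port}/{a.proto} contacted by {a.src_ip}")
    print(stats)
```

Two alerts come out of the sample: the pod `10.244.1.5` reaching the decoy on 8080 and then on 22. The node's probe on 8080 is suppressed, the second identical contact on 8080 is deduplicated, and the malformed line is counted but does not interrupt processing. The source address in an alert is what makes it actionable, since it identifies the compromised pod that the isolation rules should then cut off.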