Glasgow, Scotland-based start-up Lupovis – a spin-out from the University of Strathclyde – has announced pre-seed funding of over £615,000 (just under $850,000). This is almost twice the average amount for pre-seed funding. The funds will be used to further develop a new AI-based deception technology.
Deception is a fail-safe technology. It does nothing to prevent a breach, but instead concentrates on neutralizing any malicious effect from an incursion. It does this by quietly shepherding the attacker away from the company’s genuine assets and into harmless decoy areas. ‘Lupovis’ comes from the Latin for wolf and sheep – it is a wolf in sheep’s clothing engaged in silently hunting the attacker.
Lupovis is unique in its application of deception. It gathers attackers’ TTPs into a database and then uses AI to determine the level of sophistication of the attacker. It can then dynamically change the level of deception to match the skills of the aggressor. The effect keeps the attacker safely occupied on the network while the defender learns more about the aggressor.
“The system responds dynamically to the behavior and skills level of the attacker by using incentives and gamifying the vulnerabilities that engage the hacker,” explains Lupovis CEO, Xavier Bellekens. “The longer the attacker is engaged, the longer the system is blocking malicious actions that would otherwise stop the network functioning.
“Essentially,” he told SecurityWeek, “what we do is leverage machine learning to manipulate actors in a contested environment, and that allows us to gather information about the attacker — motives, choices, techniques, the complete modus operandi. We are able to gather all of this information and infer the attacker’s path in order to more accurately deceive him.”
Like all AI/machine learning systems, Lupovis will improve its accuracy as its data pool of attacker TTPs increases. However, although the company was only founded in July 2021, the system has been in development since 2019 based on academic research into AI that can learn from a smaller than usual data pool – it already works and will get better.
Its operational pool of data is obtained from actual incursions, but it matches that data to existing TTP frameworks. “Lupovis ingests data from all of the decoys deployed across the various infrastructures,” Bellekens told SecurityWeek, “and that data is further matched with the ATT&CK and D3FEND frameworks to provide additional information to the SOC and threat intelligence teams.
“The benefits,” he continued, “are uninterrupted business continuity, while simultaneously gathering information on the hacker’s skills and strategies. This informs security teams of the optimum counter-measure to arrest the breach.”
Over time, the system will become better at deceiving attackers that have gotten into the network, and will be able to recognize the attacker’s TTPs, and recognize the attacker group itself. In the future, Bellekens believes that the product will become a valuable research tool for both private researchers and law enforcement – law enforcement (FBI and NCSC) and intelligence agencies (NSA and GCHQ) will potentially gain increased visibility into which criminal or nation state groups are attacking particular industries or verticals – with attribution.
“We can correlate the information we gather and begin to see different groups targeting different sectors,” said Bellekens. With the help of law enforcement, and a knowledge of the TTPs likely to be used, entire critical industry sectors could get early warning on potential criminal or nation state campaigns, including advice on how to defend against them.
The potential that underlies Lupovis is that it can help its immediate users by nullifying any impact from attackers, and that the lessons learned from its use can go further to help the wider industry.
Related: How Deception Technology Can Defend Networks and Disrupt Attackers
Related: Altering the Cyber Terrain and Shaping the Attacker Experience With Deception Technology