The Q5 allows you to capture all operating system activity from a position of complete stealth. The decoys created by the Q5 are complete server environments, yet they exist totally within software running on top of the NeuralOS hypervisor. Decoys are isolated from the host operating system, and have “no idea” they are running inside a virtual machine.
Meanwhile, the hypervisor, which is situated between the decoy and the Q5’s hardware, has access to a map of each decoy’s physical memory. By reading these memory maps, our Sentinel introspection tool is able to see everything that’s going on in a honeypot without actually being inside the honeypot itself. Sentinel is truly a vision of stealth.
Introspection happens in real time. Sentinel looks at decoy memory to identify regions of interest. Sentinel may also clone the selected traces, inserting code to instrument them. These instrumented traces can be quickly analyzed to obtain low-level system information, which is then passed to the IQCerebrum for signature generation and forensic analysis. Since all data capture occurs outside the honeypot, Sentinel affords the Q5 great stealth and an added measure of containment.
As a result, Sentinel is able to capture instruction-level attack data while remaining invisible to attackers, with no discoverable impact on performance. Working from behind the scenes in the host kernel, Sentinel provides a real-time window into your honeynet, providing the raw data required to reconstruct the “anatomy of a hack.”
Sentinel also provides remarkable control flow: if one of your honeypots is successfully compromised, Sentinel can tell NeuralOS to revert virtualized decoys to a pre-attack state, on demand and automatically, so your honeynet won't become a tool of your enemy.
