Deception technology helps to reduce hackers' attacks
The camouflage techniques of one unit active in North Africa, which on one occasion consulted a stage magician about the way he fooled audiences, proved decisive in several key battles. And the biggest deception of all was Operation Fortitude, which fooled the Nazis about where the D-Day landings would actually take place.

The same principles of deception and misdirection, albeit on a much smaller scale, are now starting to be used by some organisations to thwart malicious hackers keen to establish a bridgehead on internal networks.
"It's a classic idea of warfare to prevent the adversary from having a real understanding of your reality," said Ori Bach from deception technology firm Trapx. "It's just like the Allies in WWII. They made fake tanks, fake air bases, fake everything."

And just like those ersatz weapons of war, the fakes implanted on a network look just like the real thing.

"We create a shadow network that is mimicking the real network and is constantly changing," he said.
The use of so-called deception technology has grown out of a realisation that no organisation can mount perfect digital defences. At some point, the attackers are going to worm their way in.

Given that, said Mr Bach, it was worth preparing for their arrival by setting up targets that are simply too juicy for the malicious hackers to ignore once they land and start looking around.

"We want our shadow network to be more attractive to the hackers than the real stuff," he said.
Deception technology has grown out of work on another useful cyber-thief tracking technology known as honey pots, said Joe Stewart of deception firm Cymmetria.

A honey pot is a computer that resembles a typical corporate server to the automated tools that many hackers use to scour the net for targets. Many large security firms set up lots of individual honey pots, he said, to gather intelligence about those tools and the malware being used to subvert them.

But, said Mr Stewart, the problem with honey pots is that they are passive and only involve a few separate servers.

By contrast, deception technology is generally used on quite a grand scale, so any attacker that turns up has little clue about what is real and what is fake.
Typically, said Mr Stewart, the spoofed network will be made to look more attractive to hackers by seeding the real network with "breadcrumbs" of information that lead to the fake network.
These tantalising chunks of data hint at all kinds of goodies that hackers are keen to steal, such as payment data, customer details, login credentials or intellectual property. But instead of leading attackers to data they can sell, the crumbs lead them down a deep, confusing hole that gets them no closer to the elusive, valuable data they crave.
He added that as soon as they start following the crumbs and interacting with that fake network, everything they do is recorded. That intelligence can be hugely useful, said Mr Stewart, because it involves what attackers do after their automated tools have got them a toehold on a network.
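The breadcrumb mechanism described above, sketched from the defender's side as an added example that is not Cymmetria's or Trapx's code: decoy credentials planted on real hosts point at a decoy file server, and any authentication attempt with one of those accounts, anywhere on the network, is recorded and alerted on. Host names, usernames and the log format are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Breadcrumb:
    """Decoy credential left on a real host; the account exists only on the decoy."""
    username: str
    password: str
    decoy_host: str
    planted_on: str  # constructed label for where on the real network it was left

def make_breadcrumbs(planting_sites, decoy_host="fs-finance-01.corp.example"):
    """One unique username per planting site, so an alert on that username later
    tells you which real host the attacker was on when they picked up the crumb."""
    return [Breadcrumb(f"svc_backup_{i:02d}", secrets.token_urlsafe(12), decoy_host, site)
            for i, site in enumerate(planting_sites)]

# Constructed auth-log format; a real deployment would parse its own SIEM events.
AUTH_RE = re.compile(r"auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def detect_breadcrumb_use(log_lines, breadcrumbs):
    """Flag every authentication attempt with a decoy username. Success against the
    decoy means the bait was taken; a failure against a real host means the crumb
    is being replayed at production, which is just as telling."""
    by_user = {b.username: b for b in breadcrumbs}
    alerts = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if not m or m["user"] not in by_user:
            continue
        crumb = by_user[m["user"]]
        alerts.append({"user": m["user"], "src": m["src"], "dst": m["dst"],
                       "result": m["result"], "picked_up_from": crumb.planted_on,
                       "on_decoy": m["dst"] == crumb.decoy_host})
    return alerts

# Constructed sample log: one normal login, then a single source host following
# the crumb to the decoy and trying the same account against a real controller.
SAMPLE_LOG = [
    "2024-03-01T02:14:07Z auth ok user=alice src=10.1.4.22 dst=mail01.corp.example",
    "2024-03-01T02:16:31Z auth ok user=svc_backup_00 src=10.1.9.80 dst=fs-finance-01.corp.example",
    "2024-03-01T02:17:02Z auth fail user=svc_backup_00 src=10.1.9.80 dst=dc01.corp.example",
    "2024-03-01T02:20:45Z auth ok user=bob src=10.1.7.9 dst=wiki.corp.example",
]

def attacker_sources(alerts):
    """Distinct source addresses that touched a decoy account: the hosts to contain."""
    return sorted({a["src"] for a in alerts})
```

Because the decoy accounts have no legitimate use, both the successful decoy login and the failed attempt against the real controller are high-confidence alerts, and the username alone tells the responder which planting site the attacker had already reached.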
"The initial intrusion was probably done with something that was just spammed out," he said and, as such, would be spotted and logged by many different defence systems.

"What's much more interesting is the second stage persistence tools."

Organisations rarely get a look at these, he said, because once an attacker has compromised a network they usually take steps to erase any evidence of what they did, where they went and what software helped them do that.
Organisations do not have to commit huge amounts of resources to deception systems to slow down and thwart hacker gangs, said Kelly Shortridge from the security arm of defence firm BAE.

Instead, she said, more straightforward techniques can also help to divert attackers and waste their time.

For instance, she said, a lot of malware is now able to detect when it is being run inside a sandbox - a virtual container that helps to ensure that malicious code does not reach real-world systems. Many firms use systems that quarantine suspicious files into sandboxes so that if they do have malign intent they can do no harm.
Often, said Ms Shortridge, malware will not detonate if it believes it has been put into such a sandbox.

By mimicking the characteristics of sandboxes more widely it can be possible to trick malware so it never fires, she said.

Other tricks include seeding a network with the text and words that attackers look for when they are seeking a way in. Making them chase false leads can help frustrate attackers and prompt them to seek easier targets, she said.

"It's all about making reconnaissance the hardest step."
It is not just the gathering of information about attacks that makes deception systems so useful, said Mr Bach from Trapx.

"By engaging them and providing them with targets they are expending their most valuable resource, which is time," he said.

Instead of spending time cranking through a real network, any attacker diverted on to the shadow system is, by definition, wasting their time.

Emmanuel Macron's election campaign reportedly used fake data to foil hackers.
In addition, he said, because the shadow system resembles real-world desktops and servers, attackers will sometimes use their own valuable assets in a bid to worm their way deep into what they think is a corporate network.

Some of the most valuable assets that cyber-thieves possess are the never-before-seen software vulnerabilities that they have bought on dark web markets.

"If they have spent a lot of money acquiring a vulnerability and they have used it to attack a decoy then that's a huge win for the defenders," he said. This is because using it reveals information about a previously unknown vulnerability that defenders will then share with others so they can properly patch and prepare for it.

Finding and buying software vulnerabilities is a time-consuming and expensive process, said Mr Bach, and undermining it can have long-term consequences for the malicious hacker groups.

"Cyber-thieves are financial operations," he said. "They spend money on R&D and on intelligence on the dark net. If they do not get more money back as a return then that criminal enterprise will ultimately fail."