Image caption: D-Day was aided by a massive disinformation campaign which fooled the Nazi high command
In World War II, the Allies employed all kinds of sneaky
tricks to deceive their enemies into thinking they had more troops and weapons
at their disposal than they actually had.
The camouflage techniques of one unit active in North
Africa, which on one occasion consulted a stage magician about the way he
fooled audiences, proved decisive in several key battles. And the biggest
deception of all was Operation Fortitude which fooled the Nazis about where the
D-Day landings would actually take place.
The same principles of deception and misdirection, albeit on
a much smaller scale, are now starting to be used by some organisations to
thwart malicious hackers keen to establish a bridgehead on internal networks.
"It's a classic idea of warfare to prevent the
adversary from having a real understanding of your reality," said Ori Bach
from deception technology firm Trapx. "It's just like the Allies in WWII.
They made fake tanks, fake air bases, fake everything."
And just like those ersatz weapons of war, the fakes
implanted on a network look just like the real thing.
"We create a shadow network that is mimicking the real
network and is constantly changing," he said.
The use of so-called deception technology has grown out of a
realisation that no organisation can mount perfect digital defences. At some
point, the attackers are going to worm their way in.
Given that, said Mr Bach, it was worth preparing for their
arrival by setting up targets that are simply too juicy for the malicious
hackers to ignore once they land and start looking around.
"We want our shadow network to be more attractive to
the hackers than the real stuff," he said.
Sweet treat
Deception technology has grown out of work on another useful
cyber-thief tracking technology known as honey pots, said Joe Stewart of
deception firm Cymmetria.
Image caption: Seeding networks with crumbs of valuable data can frustrate attacks (image copyright Getty Images)
A honey pot is a computer that resembles a typical corporate
server to the automated tools that many hackers use to scour the net for
targets. Many large security firms set up lots of individual honey pots, he
said, to gather intelligence about those tools and the malware being used to
subvert them.
But, said Mr Stewart, the problem with honey pots is that
they are passive and only involve a few separate servers.
By contrast, deception technology is generally used on quite
a grand scale so any attacker that turns up has little clue about what is real
and what is fake.
Typically, said Mr Stewart, the spoofed network will be made
to look more attractive to hackers by seeding the real network with
"breadcrumbs" of information that lead to the fake network.
These tantalising chunks of data hint at all kinds of
goodies that hackers are keen to steal, such as payment data, customer details,
login credentials or intellectual property. But, instead of leading attackers
to data they can sell, they lead them down a deep, confusing hole that gets them
no closer to the valuable data they crave.
He added that as soon as they start following the crumbs and
interacting with that fake network, everything they do is recorded. That
intelligence can be hugely useful, said Mr Stewart, because it involves what
attackers do after their automated tools have got them a toehold on a network.
"The initial intrusion was probably done with something
that was just spammed out," he said and, as such, would be spotted and
logged by many different defence systems.
"What's much more interesting is the second stage
persistence tools."
Organisations rarely get a look at these, he said, because
once an attacker has compromised a network they usually take steps to erase any
evidence of what they did, where they went and what software helped them do
that.
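The breadcrumb mechanism described above, as an added example that is not code from Trapx, Cymmetria or the BBC: a handful of lures (a decoy service account, a decoy file-server name, a decoy API token) are recorded together with where they were planted and which decoy asset they point at, and a small detector then scans log lines for any use of them. Because a lure has no legitimate use, one sighting is enough to alert, and the source address in the log tells the analyst whether the intruder is still on a real host following the crumb or has already crossed into the decoy range. The host names, addresses, lure values, decoy subnet and log format are all constructed for the example.

```python
"""Seed a real network with breadcrumbs that lead to a decoy, then alert on any
use of them.  Added example, not code from Trapx or Cymmetria; the host names,
addresses, log format and lure values are constructed for the example."""
import ipaddress
import re
from dataclasses import dataclass

# Address range of the decoy ("shadow") network.  Assumed for the example.
DECOY_NET = ipaddress.ip_network("10.66.0.0/24")


@dataclass(frozen=True)
class Breadcrumb:
    kind: str        # what the lure looks like to an intruder
    lure: str        # the exact string planted on a real host
    leads_to: str    # the decoy asset the lure points at
    planted_on: str  # where it was seeded, so a hit can be traced back


# Every lure is unique and has no legitimate use, so one sighting is a
# high-confidence alert rather than an anomaly that needs a baseline.
BREADCRUMBS = (
    Breadcrumb("credential", "svc_backup_7f3a1c",
               "fs-archive01 (decoy file server)", "saved RDP profile on HR-WS-12"),
    Breadcrumb("hostname", "fs-archive01",
               "10.66.0.21 (decoy file server)", "mapped-drive history on HR-WS-12"),
    Breadcrumb("api_key", "tok_9c4e2b7d51a0",
               "billing-api.decoy (decoy REST service)", "page on the internal dev wiki"),
)

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def check_lures(breadcrumbs, real_identities):
    """Refuse lures that collide with real identities or with each other: a
    lure a legitimate user could trip causes false positives and, worse,
    teaches the intruder which names are decoys."""
    problems, seen = [], set()
    for b in breadcrumbs:
        if b.lure in real_identities:
            problems.append(f"{b.lure!r} collides with a real identity")
        if b.lure in seen:
            problems.append(f"{b.lure!r} is planted more than once")
        seen.add(b.lure)
    return problems


def find_lure_hits(log_lines, breadcrumbs=BREADCRUMBS):
    """Return one alert per log line that mentions at least one planted lure.
    The source address tells the analyst whether the intruder is still on a
    real host following the crumb, or has already crossed into the decoy range."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        hits = [b for b in breadcrumbs if b.lure in line]
        if not hits:
            continue
        m = SRC_RE.search(line)
        src = m.group(1) if m else None
        in_decoy = src is not None and ipaddress.ip_address(src) in DECOY_NET
        alerts.append({
            "line": n,
            "src": src,
            "lures": [b.lure for b in hits],
            "leads_to": [b.leads_to for b in hits],
            "planted_on": sorted({b.planted_on for b in hits}),
            "stage": "inside decoy network" if in_decoy
                     else "on real host, following crumb",
        })
    return alerts


# Constructed log lines in a simple key=value format (not a real product's).
SAMPLE_LOG = [
    "2024-05-02T10:14:07Z dc01 logon_failed user=jsmith src=10.20.4.17",
    "2024-05-02T10:15:31Z dc01 logon user=svc_backup_7f3a1c src=10.20.4.17 target=fs-archive01",
    "2024-05-02T10:16:02Z fs-archive01 smb_open user=svc_backup_7f3a1c src=10.20.4.17 path=finance$/payroll.xlsx",
    "2024-05-02T10:18:45Z billing-api.decoy http_get src=10.66.0.40 token=tok_9c4e2b7d51a0",
]

if __name__ == "__main__":
    assert not check_lures(BREADCRUMBS, {"jsmith", "svc_backup"})
    for alert in find_lure_hits(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the first line (an ordinary failed logon) produces nothing, the next two show the intruder using the decoy account from a real workstation and then opening a share on the decoy file server, and the last shows the decoy API token being presented from inside the decoy range. The `check_lures` step is the caveat a practitioner cares about: a lure that a real user might plausibly use is worse than no lure at all.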
Simple steps
Organisations do not have to commit huge amounts of
resources to deception systems to slow down and thwart hacker gangs, said Kelly
Shortridge from the security arm of defence firm BAE.
Instead, she said, more straightforward techniques can also
help to divert attackers and waste their time.
For instance, she said, a lot of malware is now able to
detect when it is being run inside a sandbox, an isolated environment in which
suspicious files are detonated so that any malicious code cannot reach real
systems. Many firms use systems that quarantine suspicious files into sandboxes
so that, if they do have malign intent, they can do no harm.
Often, said Ms Shortridge, malware will not detonate if it
believes it has been put into such a sandbox.
By mimicking the characteristics of sandboxes more widely it
can be possible to trick malware so it never fires, she said.
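The sandbox-mimicry trick, as an added example that is not code from BAE or from any deception vendor: the first function spells out the kind of check an evasive sample typically makes (are VirtualBox or VMware guest drivers on disk, are guest-tools or analysis-tool processes running) so the defender can see exactly which evidence trips it; the second plants the matching file artifacts on an ordinary host. Which of these artifacts a particular sample probes is an assumption, and the example runs against a temporary directory rather than a real system drive.

```python
"""Make an ordinary endpoint look like an analysis sandbox so that
sandbox-aware malware declines to run.  Added example, not code from BAE or any
deception vendor.  The artifact names are ones commonly probed by evasive
samples (VirtualBox and VMware guest drivers, guest-tools and analysis-tool
process names); which of them a particular sample checks is an assumption."""
from pathlib import Path
import tempfile

# Paths are relative to a root so the example can run against a temp directory
# instead of a real system drive.
VM_DRIVER_FILES = (
    "Windows/System32/drivers/VBoxMouse.sys",
    "Windows/System32/drivers/VBoxGuest.sys",
    "Windows/System32/drivers/vmmouse.sys",
    "Windows/System32/drivers/vmhgfs.sys",
)
VM_PROCESSES = ("vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe")
ANALYSIS_TOOLS = ("procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe")


def malware_style_sandbox_check(root, running_processes):
    """The decision an evasive sample typically makes before detonating,
    written out so the defender can see exactly which evidence trips it.
    Returns the evidence found plus the verdict."""
    root = Path(root)
    procs = {p.lower() for p in running_processes}
    evidence = {
        "vm_driver_files": [f for f in VM_DRIVER_FILES if (root / f).exists()],
        "vm_processes": sorted(procs & set(VM_PROCESSES)),
        "analysis_tools": sorted(procs & set(ANALYSIS_TOOLS)),
    }
    evidence["looks_like_sandbox"] = any(
        evidence[k] for k in ("vm_driver_files", "vm_processes", "analysis_tools"))
    return evidence


def plant_sandbox_artifacts(root):
    """Defender side: create the marker files under root.  Empty files are
    enough for samples that only test for existence; samples that also read
    the file or check its signature need real-looking content, which this
    example does not supply."""
    root = Path(root)
    created = []
    for rel in VM_DRIVER_FILES:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if not p.exists():
            p.touch()
            created.append(rel)
    return created


def demo():
    """Run the check on an empty root, plant the artifacts, run it again.
    Process names are passed in explicitly; on a real host the equivalent is
    keeping a harmless idle program running under a name such as vmtoolsd.exe."""
    with tempfile.TemporaryDirectory() as d:
        before = malware_style_sandbox_check(d, ["explorer.exe", "svchost.exe"])
        created = plant_sandbox_artifacts(d)
        after = malware_style_sandbox_check(d, ["explorer.exe", "svchost.exe"])
    return before, created, after


if __name__ == "__main__":
    before, created, after = demo()
    print("before:", before["looks_like_sandbox"], "after:", after["looks_like_sandbox"])
    print("planted:", created)
```

Two caveats before doing this on production hosts: planting virtual-machine artifacts can also change the behaviour of legitimate software that checks for a VM (some installers and licensing code), and better-written samples go beyond file existence, reading driver contents, querying hardware identifiers or timing instructions, so the decoy only buys protection against the checks it actually mimics.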
Other tricks include seeding a network with the text and
words that attackers look for when they are seeking a way in. Making them chase
false leads can help frustrate attackers and prompt them to seek easier
targets, she said.
"It's all about making reconnaissance the hardest
step."
Burn rate
It is not just the gathering of information about attacks
that makes deception systems so useful, said Mr Bach from Trapx.
"By engaging them and providing them with targets they
are expending their most valuable resource, which is time," he said.
Instead of spending time cranking through a real network,
any attacker diverted on to the shadow system is, by definition, wasting their
time.
Image caption: Emmanuel Macron's election campaign reportedly used fake data to foil hackers
In addition, he said, because the shadow system resembles real
world desktops and servers, attackers will sometimes use their own valuable
assets in a bid to worm their way deep into what they think is a corporate
network.
Some of the most valuable assets that cyber-thieves possess
are the never-before-seen software vulnerabilities, so-called zero-days, that
they have bought on dark web markets.
"If they have spent a lot of money acquiring a
vulnerability and they have used it to attack a decoy then that's a huge win
for the defenders," he said. This is because using it reveals information
about a previously unknown vulnerability that defenders will then share with
others so they can properly patch and prepare for it.
Finding and buying software vulnerabilities is a
time-consuming and expensive process, said Mr Bach, and undermining it can have
long-term consequences for the malicious hacker groups.
"Cyber-thieves are financial operations," he said.
"They spend money on R&D and on intelligence on the dark net. If they
do not get more money back as a return then that criminal enterprise will
ultimately fail."