News
HCI

Opening the Doors of Deception

Posted
Hunting decoys.
IT managers increasingly have access to a variety of deceptive tactics as part of their protective strategies.

"All warfare is based on deception," according to Chinese general Sun Tzu. Computer security experts are increasingly applying this ancient wisdom in their war against hackers.

"Deception has been around since time immemorial," says Fred Cohen, a computer-virus pioneer and security consultant. "What is changing to some extent– but I’m not sure how much–is the willingness of people to use deception as part of their protective strategy."

One relatively old technique for tricking hackers is to attract them to "honeypots," which usually refers to complete computer systems, sometimes connected into "honeynets," to see what they do and devise countermeasures. However, "attackers today know how to identify if they’ve been captured by a honeypot," says Salvatore Stolfo of Columbia University.

Another strategy seeds databases with false data known as "honeytokens," such as bogus social-security numbers or logins that can later be identified. Stolfo and his Columbia colleague Angelos Keromytis have extended this technology to create files they call "decoys," that contain erroneous information and can also notify users when their information is compromised.

"What we did with deception is to automate it in scale" Stolfo says, generating a wide variety of types of documents and other files. Automatically generating many files that look genuine make the real files much hard to identify. The team has also studied "under different threat models, strategies for how to deploy decoys, how to name them, how to make them appear conspicuous, how to make them appear enticing, and so forth."

A key feature of their decoy technology is "beaconizing" the files, so that accessing them generates a message back to the legitimate document owner. "You get to see what document actually leaked, when it leaked, and where it went. That’s a very, very powerful tool," Stolfo says. He contrasts such "data-loss alerting" with traditional "data-loss protection" that can only study file transfers within a system. "Once anybody makes a copy and puts it on a thumb drive and walks out the door," he says, these systems are blind to the loss.

Embedding a beacon within the files themselves makes it possible to detect theft even by trusted users. Yet Cohen cautions that "if the deception is effective against insiders, then the insiders will accidentally encounter it and believe it. You need enough space between what’s real and what’s deception so that it’s not accidentally encountered, and at the same time you need the deception to be good enough so that when it is encountered, it’s not obvious deception."

Stolfo admits that for internal threats, "deception is a lot harder to deploy and to use appropriately." However, he says that decoys can be implemented so that legitimate users rarely touch them, but "if the insider tries to determine which are the real files and which are the safe ones, we could monitor for that kind of activity."

With encouragement from their sponsors at the Information Innovation Office at DARPA, the Columbia researchers started Allure Security to commercialize the technology. Curious readers can test the beacon technology on their own documents. Companies offering similar alerts include ReadNotify and Doc Chaser.

Of course, knowing about a breach is not as good as preventing it in the first place. Networking-equipment providers like Juniper Networks have traditionally used "signatures" comprising IP addresses and other attributes to block attackers from continued web access.

Signatures are like a vaccine, explains Juniper’s Kevin Kennedy. "They’re great after you’ve had time to develop them, but there’s always a Patient Zero" who has to get the disease, to make the vaccine possible. "Especially in the data center, when you’re talking about high-value data, it’s very, very expensive to be Patient Zero." Signatures can also yield "false positives" that block legitimate users, for example, if they are using the same Internet service provider.

That is why Juniper also uses deception techniques to try to identify attacks even before they begin, while the attacker is still exploring potential vulnerabilities. Its recently announced WebApp Secure product builds on work by Mykonos Software, which Juniper acquired in February 2012, and inserts diverse "tar traps" that allow a web server to identify a user who is probing for weaknesses.

As one example, the software can refer to URLs that include fake variables among the query parameters that guide the server’s interaction with the underlying database. Hackers will frequently modify these variables to see if they can reveal internal features of the system. "What we’re looking for is any change at all in that parameter, because it doesn’t exist. When a legitimate user is interacting with the website, they’re never going to change it. There’s nothing in the application that would change it," says Kennedy. "There are no false positives." In addition, unlike a honeypot, "it’s the real web application," he says. "You have to come through it." Thus, there is no need to make the site especially attractive to hackers.

The deception can continue even after an attacker is identified, by providing bogus responses to their queries. By keeping the attacker engaged in what seems like a successful attack, Kennedy says such deception "changes the economics" in favor of the defender.

Without deception, Cohen agrees, the attacker has the advantage, because all the data they get is correct. "You need to find something that gives you computational leverage," he says. "You’re trying to drive up the cost of attack as far as you can with minimal resources on your part." However, he adds, whatever the specific techniques, "what’s going to happen is people are going to counter it. It’s going to become the eternal battle between one side and the other."

Don Monroe is a science and technology writer based in Murray Hill, NJ.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More