When the Attacker Becomes the Prey: Trapping Hackers in Your Network

A recent webinar by Topspin Security (The Art of Deception: Lure, Confuse, Defeat) explained how enterprises could use cyber attacks to their own advantage. The presenter, Rami Mizrahi, elaborated on a strategy based on the premise that nothing will keep a dedicated attacker out of your network. That being the case, it may be possible to turn the attack to your own advantage.

Rather than trying to stop the attack from happening at all, which rarely works, perhaps it is better for a network security team to allow the attackers into the network and deal with them there. In fact, why not just invite them in and be done with it? Thus the concept of the ‘lure’ is born.

It takes 3 to 6 months for most attacks to be identified, which means that, during that time, the attackers are free to wander around your network looking for the data that interests them most. By the time they are discovered, they have probably already taken most of what they want. Even if they are then thwarted, the damage may already have been done.

But what if you make them think they are getting important data when they really aren’t? What if you let attackers believe they are stealing sensitive information when all they are getting is fake but realistic-looking data? That could satisfy them while keeping your real data safe. In other words, it wouldn’t matter that they were in your network if you had lured them into a fabricated network that appears real.

This may sound similar to the old idea of setting up honeypots to fool hackers, and there are some similarities. The difference is that honeypots are a hit-and-miss strategy: attackers may or may not try to access them, since nothing actually lures them in. Besides, hackers now have ways to detect whether a network contains a honeypot.

The main problem with honeypots is that they tend to be static. Mizrahi pointed out that for any deception network to be effective, it must be dynamic: it must be updated continually as your real network changes. Though this seems perfectly logical, it can also take up a lot of time. Because of this practical consideration, I would guess that these updates would be more of an afterthought than a forethought, meaning that attack vectors could periodically open up. To counter this problem, Mizrahi says that these updates should “be as automated as possible”. In an ideally secure network world, that would be the case. However, in the messy world of real life, something will probably be missed by these automatic updates.

The deception system also needs to be visible to those operating the network, so that they can map the attackers' strategy. Knowing the strategy may help you build a better deception network and interact with the attackers to fool them even more.

The more detailed a deception network is, the more likely it is to fool an attacker. Yet perfectly emulating a real network is impossible because, as Mizrahi points out, some services, like Windows Remote Desktop, cannot be emulated. Besides, detailed emulation would probably not be cost-effective. Still, something may be better than nothing.

But the security architecture delineated here requires more than just fooling an attacker; it depends on luring attackers to their doom. One way to do this is to set up mini traps, or “bread crumbs”, throughout the network that lead the attacker in a particular direction. Mini traps can sit at every network level but should begin, logically enough, with endpoint decoys. These must look like true vulnerabilities so as not to arouse the attacker's suspicion. Here is a diagram which gives an overview of a typical decoy/mini-trap architecture.


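To make the breadcrumb idea concrete, here is an added example in Python. It is not Topspin's code and not from the webinar; everything in it (the host inventory, the decoy names, the log format, the `svc_*_backup` account names) is constructed. It plants breadcrumbs that point at decoy hosts whose names follow the real naming convention, regenerates them from the decoy inventory so the deception layer stays in step with the real network (the "dynamic" requirement from the honeypot discussion above), and then shows the payoff on the detection side: since no legitimate process ever uses a decoy account or contacts a decoy host, any such event in the authentication log is a high-confidence alert.

```python
"""Breadcrumbs and decoy-touch detection (constructed example, not Topspin code)."""
import re
from dataclasses import dataclass

# Constructed inventory of real hosts. It is used only so that decoy names
# and addresses follow the same convention as the real estate.
REAL_HOSTS = {
    "fs-prod-01": "10.20.1.11",
    "fs-prod-02": "10.20.1.12",
    "db-prod-01": "10.20.2.21",
}

# Decoy hosts: unused addresses in the same subnets, names that read as siblings
# of real machines. Nothing legitimate ever has a reason to contact them.
DECOY_HOSTS = {
    "fs-prod-03": "10.20.1.13",
    "db-prod-02": "10.20.2.22",
}


@dataclass(frozen=True)
class Breadcrumb:
    kind: str       # what is planted, e.g. "saved-credential" or "mounted-share"
    target: str     # decoy host the breadcrumb points at
    username: str   # decoy account; it exists nowhere in the real directory
    placement: str  # where on the endpoint the breadcrumb is planted


def validate_decoys(real: dict, decoys: dict) -> bool:
    """A decoy must never shadow a real name or address, or legitimate
    traffic would trip the trap and the alerts would become noise."""
    names_clash = set(real) & set(decoys)
    addrs_clash = set(real.values()) & set(decoys.values())
    return not names_clash and not addrs_clash


def make_breadcrumbs(decoys: dict) -> list:
    """Derive breadcrumbs from the decoy inventory. Re-running this whenever
    the inventory changes keeps the deception layer in step with the real
    network; an endpoint agent would do the actual planting."""
    crumbs = []
    for host in sorted(decoys):
        role = host.split("-")[0]                 # "fs" / "db"
        user = f"svc_{role}_backup"               # constructed decoy account name
        crumbs.append(Breadcrumb("saved-credential", host, user,
                                 placement="Windows Credential Manager"))
        crumbs.append(Breadcrumb("mounted-share", host, user,
                                 placement=f"\\\\{host}\\backup"))
    return crumbs


# Constructed authentication-log format: one event per line.
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample log. Lines 2 and 4 are an intruder following breadcrumbs.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z auth ok user=alice src=10.20.5.40 dst=10.20.1.11",
    "2024-05-01T09:03:17Z auth fail user=svc_fs_backup src=10.20.5.77 dst=10.20.1.13",
    "2024-05-01T09:03:18Z auth ok user=bob src=10.20.5.41 dst=10.20.2.21",
    "2024-05-01T09:05:02Z auth ok user=svc_db_backup src=10.20.5.77 dst=10.20.2.22",
    "not an auth event at all",
]


def detect_decoy_touches(log_lines, crumbs, decoys) -> list:
    """Any use of a decoy account or any connection to a decoy host is a
    high-confidence alert: there is no legitimate reason for either."""
    decoy_users = {c.username for c in crumbs}
    decoy_addrs = set(decoys.values()) | set(decoys)
    alerts = []
    for line in log_lines:
        m = AUTH_LINE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as alerts
        reasons = []
        if m["user"] in decoy_users:
            reasons.append("decoy credential used")
        if m["dst"] in decoy_addrs:
            reasons.append("decoy host contacted")
        if reasons:
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "user": m["user"], "reasons": reasons})
    return alerts


def attacker_sources(alerts) -> set:
    """Hosts that touched decoys; the starting point for containment."""
    return {a["src"] for a in alerts}


if __name__ == "__main__":
    assert validate_decoys(REAL_HOSTS, DECOY_HOSTS)
    crumbs = make_breadcrumbs(DECOY_HOSTS)
    for alert in detect_decoy_touches(SAMPLE_LOG, crumbs, DECOY_HOSTS):
        print(alert)
```

The check in `validate_decoys` is the part most often skipped in practice: a decoy that collides with a real name or address turns the trap into a source of false positives, which is exactly the noise that makes teams ignore deception alerts.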
The network must also engage with the attackers in the decoy network just as it would during a real attack. This makes the attackers feel they have found the real thing; not engaging may raise their suspicions, because things would look just a little too easy. These areas of pseudo-interaction, which can slow down an attack, are referred to as tarpits. Black holes may be dead-end addresses that offer no real substance to the attackers. All of the data gained from studying the attack and interacting with the attacker can help network security teams learn about the attackers' goals and the intricacies of the attack process, which in turn can help enterprises build a stronger network in the future.
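Here is a small tarpit, added as an example and not taken from the webinar or from any Topspin product. It is a plain asyncio TCP service that drips a fake banner a few bytes at a time, so a scanner that waits for the full banner stays parked on the decoy instead of moving on, and it records every visitor. The banner string, chunk size and delays are constructed values; `run_demo` and `demo` are helpers that exist only to exercise the server on a free local port.

```python
"""Tarpit decoy service (constructed example, not Topspin code)."""
import asyncio
import time


def drip_schedule(payload: bytes, chunk_size: int, delay_s: float) -> list:
    """Split a decoy response into chunks, each preceded by a delay. A client
    waiting for the rest of the banner stays parked on this socket instead of
    moving on to the next host."""
    return [(delay_s, payload[i:i + chunk_size])
            for i in range(0, len(payload), chunk_size)]


def hold_time(payload: bytes, chunk_size: int, delay_s: float) -> float:
    """Seconds a patient client is held by one connection."""
    return len(drip_schedule(payload, chunk_size, delay_s)) * delay_s


class Tarpit:
    """Accepts connections, drips a fake service banner, and records who came.
    The record is the useful product: a decoy gets no legitimate traffic, so
    every session here is something the security team wants to look at."""

    def __init__(self, banner: bytes, chunk_size: int = 2, delay_s: float = 5.0):
        self.banner = banner
        self.chunk_size = chunk_size
        self.delay_s = delay_s
        self.sessions = []  # one dict per connection: peer, bytes sent, seconds held

    async def handle(self, reader, writer):
        peer = writer.get_extra_info("peername")
        start = time.monotonic()
        sent = 0
        try:
            for delay, chunk in drip_schedule(self.banner, self.chunk_size, self.delay_s):
                await asyncio.sleep(delay)
                writer.write(chunk)
                await writer.drain()
                sent += len(chunk)
        except ConnectionError:
            pass  # the client gave up early; that is still a recorded visit
        finally:
            self.sessions.append({"peer": peer[0], "bytes_sent": sent,
                                  "held_s": time.monotonic() - start})
            writer.close()

    async def serve(self, host: str = "127.0.0.1", port: int = 0):
        return await asyncio.start_server(self.handle, host, port)


async def run_demo(delay_s: float = 5.0):
    """Start a tarpit on a free local port and connect one client to it."""
    # Constructed decoy banner; a real deployment would mirror a service the
    # attacker expects to find on that segment.
    pit = Tarpit(b"SSH-2.0-OpenSSH_8.9p1\r\n", chunk_size=4, delay_s=delay_s)
    server = await pit.serve()
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    data = await reader.read()  # read until the tarpit closes the connection
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return data, pit.sessions


def demo(delay_s: float = 5.0):
    """Synchronous wrapper around run_demo."""
    return asyncio.run(run_demo(delay_s))


if __name__ == "__main__":
    banner, sessions = demo(delay_s=0.5)
    print(banner, sessions)
```

With the default five-second delay and four-byte chunks, a 23-byte banner holds a patient client for 30 seconds per connection; the `sessions` list is what you would forward to the SIEM, since the source address and the time spent are the intelligence the post says the deception layer should yield.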

There is little doubt that such a deception network may be able to counter many, if not most, cyber attacks. Nonetheless, software solutions are software solutions, meaning that some more novel attack vectors may go unnoticed by the decoy architecture. Sophisticated attackers may also develop more sophisticated tools to detect decoys, and may even learn to exploit decoys to their own advantage. You have to remember that letting attackers into your network is a double-edged sword: after all, they are in your network. Letting an attacker in, even into a fake network, may give them opportunities that the network operators cannot foresee.

Still, such deception network solutions could be beneficial for stopping medium-level threats on small to medium-sized networks. Maintaining such a deception system on a large network, like a government network, may simply prove impractical. However, for those who want to take a more proactive stance against hackers, this is certainly one way to go.
