Hackers have demonstrated time and again that they’re capable of breaching almost any firewall. Attacks on Sony Pictures, Home Depot, and PlayStation last year put both consumers and corporate executives at risk. Even the White House networks – presumably some of the most secure in the U.S. government, if not the world – were compromised in early October.
“On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system,” a White House official said at the time. “This is a constant battle for the government and our sensitive government computer systems.”
But new cyber security firms, like Israeli start-up TrapX, are bringing age-old battle tactics into the digital world.
Carl Wright, executive vice-president and head of sales at TrapX, said their goal is to “bring back the doctrine that has existed since the beginning of warfare: deception.”
TrapX has developed the DeceptionGrid. This system essentially sets up dummy computers with false software and decoy information. Once lured inside these fake computers, hackers are easy to spot, since the artificial networks should not show any activity at all.
Also known as “honeypot” defense, the idea of planting digital decoys is nearly two decades old. But the latest technology being developed by companies like TrapX and GuardiCorps allows most of the security work to be done through software, and doesn’t require the kind of hands-on approach needed with early honeypots.
“It took an expert and there were only a few of them at the time,” said Allen Harper, executive vice-president of commercial cyber security at Tangible Security. “You had to watch that thing closely and if it got taken over and you didn’t plan for the way it got taken over it could be used against you – or even worse, against others.”
Decoy servers also offer a unique opportunity for private corporations to defend themselves without breaking the law. So-called “hack backs,” a retaliatory attack on hackers, can be risky, potentially illegal, and often ineffective.
Chester Wisniewski, senior security adviser at Sophos, compares the strategy to preventing car thefts by stealing the thief’s own car. “They don’t have a car – that is why they are trying to steal yours,” he said.
Still, many worry that it’s only a matter of time before hackers learn to navigate this honeypot software, or to spot telltale signs of decoy computers.
“If companies start using open-sourced or commercial-level honeypots, hackers will most likely be able to recognize certain signatures that appear the same to those solutions,” said Matt Johansen, threat research manager at WhiteHat Security.
To prevent this, many companies already using some level of deception take time to carefully plant company-specific information within their fake networks.
“I have seen many banks use a canary-in-a-coal-mine-style approach,” Wisniewski said. “They sprinkle fake credit card details and accounts here and there.”
TrapX claims its software could have prevented the cyber attack on Sony Pictures last month.
It could be that allowing hackers in is the only way to keep them out.