[BreachExchange] Beyond sandboxes: 'The Truman Show' approach to catching hackers

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 23 20:45:25 EDT 2017


https://www.csoonline.com/article/3234745/data-protection/beyond-sandboxes-the-truman-show-approach-to-catching-hackers.html

Do you recall the 1998 movie "The Truman Show"? In an existentialist take
on reality TV, Truman Burbank lives in an altered, completely manipulated
existence as an insurance broker whose every daily act is broadcast to the
world as part of a television program – with Truman entirely unaware that
this is happening.

When reading about an emerging technology – what some are calling
“deception solutions” – I find myself visualizing it as the “'Truman Show'
of IT Innovation” – with major implications for how we approach
cybersecurity.

Here’s how “deception solutions” work: A hacker breaks into a network
environment and starts doing what hackers do, sniffing around and stealing
files. But there’s a catch – the network environment isn’t real. It’s a
virtualized replica of a production environment. The new approach enables a
targeted enterprise to build a simulated “world” with enough actual internal
files and system components to lead attackers to believe that it’s the real
thing. Based on policy, the enterprise can either watch everything the
adversary does from start to finish or block the traffic immediately at the
network edge. This allows them to mitigate the threat to their network with
no impact on the production environment.

It’s an intriguing extension of what we do with traditional sandbox
techniques used by some anomaly detection technologies today. With the
sandbox, we route suspicious traffic to an isolated, controlled
environment, then examine the traffic more closely to determine whether
it’s malicious or not. If it’s malicious, we block it. If not, we let it
pass onward to its destination.

The new technology takes this concept several steps further: The attacker
is redirected to a sandbox of sorts and – like a lavish Hollywood set – the
whole thing looks and feels authentic. They start poking around, stealing
files and dropping payloads. They have no idea that they’re being watched.
And, because the environment is sealed off, their payloads can’t damage any
production resources. That protection holds only as long as the decoy
environment has no path back into production: it must be segmented from the
real network, and any credentials or keys planted in it must not be valid
anywhere real.

It would be easy enough to set all of this up. If a major soda manufacturer
pursued this, for example, it could assemble a collection of old, now
irrelevant documents related to, say, an old recipe which never panned out.
They are still stamped “confidential” but have been tucked away forever in
the cyber equivalent of a long-forgotten filing cabinet. The security
operations center (SOC) team at the soda manufacturer could then take these
files, remove any references which would date them, make sure they still
contain logos and other enterprise-specific details, and load them into the
simulated environment with unique tags.

Because the SOC team can tag each document, it can require a validation
alert every time a user tries to access one. (The user here being the
hacker, of course.) The SOC team sees every request the hacker makes and,
thus, develops a better sense of what intruders want. Instead of blocking,
however, the SOC team approves the validation and essentially “invites” the
hackers to do what they please with the documents.
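The tagging-and-alerting loop described above can be built with ordinary honeytoken plumbing. The following is an added example written for this page, not code from the article or from any deception product: each decoy document is stamped with a unique tag in both its file name and its body, a registry maps tags back to the decoy, and a scanner raises one alert per access to a tagged file, with the allow/block decision following the SOC policy. The log format, the sample log lines and all function names are constructed for the example.

```python
"""Tag decoy documents with unique honeytokens and alert on every access.

Added example (not from the article). Log format, sample lines, and
helper names are constructed here; a real deployment would read its own
file-server or proxy logs instead of the inline list below.
"""
import re
import secrets
from dataclasses import dataclass

# Tag shape: DOC-<16 hex chars>; unique per decoy so an access is attributable.
TAG_RE = re.compile(r"DOC-([0-9a-f]{16})")

# Constructed log format: "<timestamp> <src_ip> <user> <action> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Decoy:
    tag: str
    title: str
    filename: str
    body: str


def make_decoy(title: str, text: str, tag: str = "") -> Decoy:
    """Stamp a retired document with a unique tag in its name and its body.

    The tag in the file name shows up in file-access logs; the tag in the
    body shows up if the document is later exfiltrated or pasted somewhere.
    """
    tag = tag or secrets.token_hex(8)  # 16 hex chars, unpredictable
    filename = f"{title.replace(' ', '_')}_DOC-{tag}.docx"
    body = f"CONFIDENTIAL\n{text}\n\nRef: DOC-{tag}\n"
    return Decoy(tag=tag, title=title, filename=filename, body=body)


def build_registry(decoys):
    """Map tag -> Decoy so an alert can name the document that was touched."""
    return {d.tag: d for d in decoys}


def scan_access_log(lines, registry, policy="watch"):
    """Return one alert per access to a registered decoy.

    policy="watch" records the access and lets it through (the article's
    "invite them in" mode); policy="block" marks it for blocking at the edge.
    Unknown tags (wrong length, not in the registry) are ignored.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src_ip, user, action, path = m.groups()
        t = TAG_RE.search(path)
        if not t or t.group(1) not in registry:
            continue
        decoy = registry[t.group(1)]
        alerts.append({
            "ts": ts, "src_ip": src_ip, "user": user, "action": action,
            "tag": decoy.tag, "title": decoy.title,
            "decision": "allow" if policy == "watch" else "block",
        })
    return alerts


def find_tags_in_content(data, registry):
    """Find registered tags inside captured content (e.g. an outbound upload)."""
    text = data.decode("utf-8", "ignore") if isinstance(data, bytes) else data
    found = []
    for m in TAG_RE.finditer(text):
        if m.group(1) in registry and m.group(1) not in found:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    recipe = make_decoy("Project Fizz recipe", "Formula 7B, shelved 2009.")
    registry = build_registry([recipe])
    # Constructed sample log: one decoy read, one ordinary file, one unknown tag.
    sample_log = [
        f"2017-10-23T20:45:25Z 203.0.113.7 svc_backup READ /share/archive/{recipe.filename}",
        "2017-10-23T20:46:01Z 203.0.113.7 svc_backup READ /share/archive/quarterly_report.docx",
        "2017-10-23T20:47:10Z 203.0.113.7 svc_backup READ /share/archive/x_DOC-ffffffffffffffff.docx",
    ]
    for alert in scan_access_log(sample_log, registry):
        print(alert)
    print(find_tags_in_content(recipe.body.encode(), registry))
```

The scanner deliberately ignores tags it does not know: a decoy tag that leaks into the wrong environment or a tag-shaped string in an unrelated file name should not page the SOC. Keeping the registry out of the decoy environment itself also matters; if the attacker can read the tag-to-title map, the tags no longer tell you anything they do not already know.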

Here’s where the true value comes into play: Because the SOC isn’t stopping
adversaries from doing anything – and the hackers can do no harm – the team
is getting real-time intelligence about who the hackers are, where they
came from and, potentially, clues to who’s funding the operation. If
I’m a chief information security officer (CISO) for the soda manufacturer,
after all, I’m primarily interested in who’s funding the ill-intended
operation, whether it’s an enemy state sponsor or an underground syndicate
or a competitor down the street.

Deception technology has great potential as a counterintelligence tool that
can completely turn the tables on the bad guys. It pushes cybersecurity
from a reactive state to one of real-time intelligence-gathering. Indeed,
the technology is very much like "The Truman Show" – but as if Truman spent
his day stealing things in his make-believe town of Seahaven. We not only
would know what Truman is doing every step of the way – we would know who
set him up to do so. That’s the kind of “spying on the spy” information
which enterprises will find most valuable.