[BreachExchange] Security researchers look to deception tools to trick hackers

Destry Winant destry at riskbasedsecurity.com
Fri Nov 30 08:49:45 EST 2018


https://www.consumeraffairs.com/news/security-researchers-look-to-deception-tools-to-trick-hackers-112818.html

Cybersecurity continues to make its way into headlines, as more and
more consumers and corporations are affected by data hackers.

Though it may seem like the problem is only escalating with no end in
sight, a group of researchers from Binghamton University is hoping to
change that.

Inspired by Target’s 2013 data breach, the researchers, led by
Assistant Professor of Computer Science Guanhua Yan, are working to
end the fight against hackers by tightening up current cyber deception
tools.

“The main objective of our work is to ensure deception consistency:
when the attackers are trapped, they can only make observations that
are consistent with what they have already seen so that they cannot
recognize the deceptive environment,” the researchers wrote.

Tricking the hacker

Yan and PhD candidate Zhan Shu explain in their research that cyber
deception works to ultimately trick the hacker. When a device
recognizes a hacker is present, the cyber deception tool creates a
fake online environment to effectively shut out the hacker without
revealing they’ve been discovered.

However, according to Yan, some expert hackers have caught on to
this trick, which is where this new research comes in.

“The issue is that sometimes cyber deception uses what are called ‘bad
lies’ that are easily recognizable by the attacker,” Yan said. “Once
the deception is realized, the attacker can adjust and work around
this form of protection.”

Yan and Shu worked to create a deceptive environment that only shows
the hacker what he/she has previously seen. The goal here is to
disorient and confuse the hacker, and also eliminate any chance of
data being stolen.

To put this theory to the test, the researchers had college students
-- all of whom had recently completed a course in cybersecurity --
pretend to act like hackers, and some landed in the new and improved
deceptive environment.

According to Yan, the system worked as designed.

“It was clear that most students were simply guessing whether they had
entered into the deceptive environment or not,” said Yan. “They
couldn’t quite tell the difference when we used our consistent model.”

However, despite favorable results, Yan warns that this isn’t a
foolproof method, as it “may not hold up against more advanced
attacks.” The researchers do plan to continue to improve these tools
in their quest to crack down on malicious data hackers.

Target’s data breach

The researchers’ study was based on Target’s 2013 data breach that
affected 41 million customers and cost the company $18.5 million in
penalties.

The breach was so intense, and the legal process so extensive, that
Target didn’t finalize the $18.5 million settlement amount until last
May. California got the most out of the deal, collecting $1.4 million,
while Alabama, Wisconsin, and Wyoming didn’t participate in the
lawsuit.

Officials identified several errors in Target’s data storage system,
including the company’s decision to ignore messages from its security
system that data had been hacked.

Following the breach, Target was required to tighten its security
measures in an effort to protect customers’ data, which included a new
hire to monitor the new system.

