Brit infosec firm lets hackers think they've stolen something

Security strategies generally concentrate on keeping the bad guys out, but British security outfit ClearSwift has stumbled upon another approach: if the bad guys get in, let them out with something. But scrub it clean on the way out the door. ClearSwift is the latest home for content-screening technologies first developed in …

  1. Number6

    I've seen the technology in action. Some companies clearly pass their press releases through it.

    1. Destroy All Monsters Silver badge

      Mandatory on the ingress route at the USPTO, too.

    2. Anonymous Coward

      Where I work they send all corporate emails through it too!

  2. asdf

    sounds nice on paper

    >The redaction happens as a result of policies that describe data forbidden to go beyond the firewall.

    Bet it's fun keeping those policies up to date. Bet it's also fun dealing with sales or marketing or even legal if any false positives (or even true positives) are triggered on their documents going out to customers, etc.

    1. foxyshadis

      Re: sounds nice on paper

      And I doubt it works too well if someone sets up a VPN for exfiltration, or even a dropbox or encrypted zip. But hey, it's flashy and sounds amazing, and it keeps people from casually emailing Important Stuff to anyone, security theater at its best.

      1. big_D Silver badge

        Re: sounds nice on paper

        My first thought as well. Simply encrypt the data locally, before sending it on its merry way...

        1. petur
          Meh

          Re: sounds nice on paper

          Encrypt?

          Just rename, zip with password. That's how I am forced to mail releases here to get them past the mail scanners, so it should work with other files too.

          1. foxyshadis

            @petur

            zip-with-password is an encrypted file. Locally, at that.

        2. GuyAtClearswift

          Re: sounds nice on paper

          So the corporate policy should be not to allow the user to send encrypted - but to enable encryption at the corporate level. You can readily detect and block encrypted content. Having corporate encryption also ensures that should the organization be asked to produce email (and attachments) for legal reasons, they don't get caught out not being able to un-encrypt it.
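The "readily detect encrypted content" point above is worth making concrete. The following is an added example, not Clearswift's code and not part of the thread: it classifies an outbound attachment by checking the ZIP general-purpose flag bit 0 (set by both traditional ZipCrypto and AES-encrypted entries, so a password-protected archive is recognisable even though its member names stay readable) and, for non-ZIP blobs, by a Shannon-entropy heuristic for ciphertext-like data. The sample payloads and the helper that patches the encryption flag into a plain archive are constructed here because Python's `zipfile` cannot write encrypted archives.

```python
import io
import math
import zipfile
from collections import Counter

# Constructed sample payload; not a real release file.
SAMPLE_TEXT = "Release 4.2 notes: fixed login timeout, updated TLS defaults.\n" * 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Ciphertext and compressed data
    sit near 8.0; plain text and most office documents sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry sets general-purpose flag bit 0, which both ZipCrypto
    and WinZip AES use to mark an encrypted member. Filenames remain visible;
    only member contents are protected, so the scanner still sees the flag."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(zi.flag_bits & 0x0001 for zi in zf.infolist())

def classify_attachment(data: bytes, entropy_threshold: float = 7.5,
                        min_len: int = 256) -> str:
    """Cheap gateway triage: 'encrypted-zip', 'zip', 'malformed-zip',
    'high-entropy' (possible ciphertext; compressed media also lands here,
    so treat it as a flag for closer inspection, not a verdict) or 'plain'."""
    if data.startswith(b"PK\x03\x04"):
        try:
            return "encrypted-zip" if zip_has_encrypted_entries(data) else "zip"
        except zipfile.BadZipFile:
            return "malformed-zip"
    if len(data) >= min_len and shannon_entropy(data) >= entropy_threshold:
        return "high-entropy"
    return "plain"

# --- helpers that build test inputs (constructed for this example) ---

def _set_encrypted_flag(data: bytes) -> bytes:
    """Set flag bit 0 in every local header (signature PK 03 04, flags at
    offset 6) and central-directory header (PK 01 02, flags at offset 8) so
    the archive looks password-protected to a scanner. Stands in for a real
    encrypted archive, which the standard library cannot produce."""
    buf = bytearray(data)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos >= 0:
            buf[pos + flag_offset] |= 0x01
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)

def build_sample_zip(encrypted: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("release_notes.txt", SAMPLE_TEXT)
    data = buf.getvalue()
    return _set_encrypted_flag(data) if encrypted else data

if __name__ == "__main__":
    for label, blob in (("plain zip", build_sample_zip(False)),
                        ("password zip", build_sample_zip(True)),
                        ("text", SAMPLE_TEXT.encode()),
                        ("ciphertext-like blob", bytes(range(256)) * 4)):
        print(f"{label:22s} -> {classify_attachment(blob)}")
```

The flag check is deterministic and cheap, which is why a gateway policy of "no user-encrypted attachments" is enforceable; the entropy check is only a hint, since a JPEG or a gzip stream scores as high as AES output.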

  3. Anonymous Coward
    Facepalm

    oh, hell, that'll make it easier

    Why sift through a bunch of randomly named servers (planets, generals, cars, etc) when you can just grab everything from this appliance.

  4. Khaptain Silver badge
    Pirate

    Questions

    How exactly does the firewall know when an internal machine has been hacked? The hacker might be simply emailing/ftping/telneting/wputting data to an external address, just as someone might be doing this as part of their normal job?

    Where exactly does this device/software sit, between the router and the firewall or between the firewall and the LAN?

    I presume that the internal client machines need some kind of client. What happens when that client is switched off, or do they encrypt all of their in-house data in advance and the client "simply" unencrypts on the fly?

    The article is very vague as to what is really going on.

    1. h4rm0ny

      Re: Questions

      It doesn't need to know if the machine has been hacked or if some employee is deliberately trying to email out data (for example). It just knows that matching data should never leave. E.g. it could scan for patterns that match credit card numbers or national insurance numbers, or if the file has certain metadata attached to it.

      This is quite interesting. I'm now envisaging an intruder trying to modify the data on the inside so that they can extract it without triggering the rules. Zipping them up would be the obvious thing to do, I would assume.

    2. GuyAtClearswift

      Re: Questions

      So the answer here is 'it depends'. For most organizations this is on the egress points. However you can also have it on the endpoint as well.

  5. auburnman

    Honeypot

    If you're accepting that bad guys will get in the door and walk out with something, why not have your servers littered with useless files called LOGINS.txt and ADMIN_ID_LIST.xls? Fill them with crap data that looks like real logins, and rig a red alert klaxon to ring whenever these are accessed?

    1. Anonymous Coward

      Re: Honeypot

      Yup - deception has been a valid security tool from even before when Fred Cohen developed the Deception Toolkit. Personally I'd add tarpits to any unused port so anyone trying to scan a host will get their resources drained.
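The decoy-file idea in the post above, plus the "red alert klaxon", as an added example (not part of the thread, and not a Clearswift feature). It plants files with the suggested names containing plausible but useless credentials, embeds an HMAC-derived canary token in each so a copy that later surfaces can be traced to the exact decoy it came from, and raises an alert for every access to a decoy path found in a file-access log. The log line format, the key, and the sample events are all constructed for this example; a real deployment would feed it auditd or file-server audit records instead.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Constructed key for this example; a real deployment keeps it in a secrets store.
CANARY_KEY = b"example-only-canary-key"

# Decoy filenames as suggested in the comment above.
DECOY_NAMES = ("LOGINS.txt", "ADMIN_ID_LIST.xls")

def canary_token(decoy_name: str) -> str:
    """Unguessable, deterministic token per decoy. Because it is derived from
    a secret, finding it in a dump tells you which decoy leaked."""
    return hmac.new(CANARY_KEY, decoy_name.encode(), hashlib.sha256).hexdigest()[:16]

def decoy_content(decoy_name: str) -> str:
    """Fake credentials that look plausible but unlock nothing; the token is
    embedded in each 'password' so any copy stays traceable."""
    token = canary_token(decoy_name)
    lines = [f"# {decoy_name} - internal use only, do not distribute"]
    for i, user in enumerate(("backup_admin", "svc_deploy", "dba_root"), 1):
        lines.append(f"{user}:Pa55w0rd-{token}-{i:02d}")
    return "\n".join(lines) + "\n"

def plant_decoys(directory: str) -> set:
    """Write the decoys and return their absolute paths (the watch list)."""
    planted = set()
    for name in DECOY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(decoy_content(name))
        planted.add(path)
    return planted

# Line shape of the constructed file-access log used below (not auditd's real format).
ACCESS_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) uid=(?P<uid>\d+) op=(?P<op>\w+) path=(?P<path>\S+)$"
)

def scan_access_log(lines, watch_list: set) -> list:
    """The 'red alert klaxon': every read of a decoy path becomes an alert.
    No legitimate job ever opens these files, so there is no baseline to tune."""
    alerts = []
    for raw in lines:
        m = ACCESS_LINE.match(raw.strip())
        if m and m["path"] in watch_list:
            alerts.append({"when": m["ts"], "host": m["host"],
                           "uid": int(m["uid"]), "op": m["op"],
                           "decoy": os.path.basename(m["path"])})
    return alerts

def trace_leak(blob: str):
    """Given data seen outside (a dump, a paste), name the decoy it came from."""
    for name in DECOY_NAMES:
        if canary_token(name) in blob:
            return name
    return None

def demo():
    """Plant decoys in a temp dir, replay constructed log lines, trace a leak."""
    share = tempfile.mkdtemp(prefix="share-")
    watch = plant_decoys(share)
    logins = os.path.join(share, "LOGINS.txt")
    log_lines = [  # constructed sample events
        f"2024-01-15T10:02:11Z host=fs01 uid=1001 op=open path={share}/quarterly.xlsx",
        f"2024-01-15T10:02:13Z host=fs01 uid=1001 op=open path={logins}",
        f"2024-01-15T10:02:14Z host=fs01 uid=0 op=stat path=/etc/hostname",
        "this line is not in the expected format",
    ]
    alerts = scan_access_log(log_lines, watch)
    with open(logins, encoding="utf-8") as fh:
        leaked_copy = fh.read()  # stands in for the file turning up somewhere public
    return alerts, trace_leak(leaked_copy)

if __name__ == "__main__":
    alerts, origin = demo()
    for a in alerts:
        print("ALERT decoy accessed:", a)
    print("leaked copy traced to:", origin)
```

The design point is that a decoy has zero expected legitimate reads, so the detection needs no threshold or baseline, and the per-file token gives the traceability that a later comment in this thread asks for.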

  6. Phil O'Sophical Silver badge

    "contains nothing of use."

    Sounds like a missed opportunity. Why not use steganography methods to put a unique watermark or other identifier into the data at the same time as the useful stuff is being taken out. Then when it appears on someone's website or social media page somewhere they can trace back to the culprit?

    1. Jess--

      Re: "contains nothing of use."

      Maybe the "nothing of use" means to the hacker; it doesn't say anywhere that what it does contain isn't traceable in some way (and I would be surprised if it wasn't).

      1. GuyAtClearswift

        Re: "contains nothing of use."

        Precisely... it contains nothing of use to the cyber-attacker. For example, if they thought they were getting credit card numbers, then they would have been automatically removed (redacted).

  7. Anonymous Coward

    Headed for the door?

    I think the magic must be in how they identify the data that is 'headed for the door'.

    My first thoughts were musings on how to spoof the exit door so the software doesn't see it as an exit.

    But then I realized that wouldn't be nearly as much fun as tricking the software into seeing *everything* as an exit door! <evil grin /> Heh. They'll shut that software off so fast its left bits will continue to twirl about!

    1. GuyAtClearswift

      Re: Headed for the door?

      We can apply this to internal traffic as well... but it is done on purpose. Bringing Data Loss Prevention inside the organization is now a way to further reduce risk. The key thing about Adaptive Redaction is that the communication goes through - even if some of the information has been removed. So the person at the other end isn't left waiting for something that has been quarantined and left for good.
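Two comments in this thread describe the mechanism without showing it: h4rm0ny's note that the gateway scans for patterns such as credit card or national insurance numbers, and the reply above that the message still goes through with the matching content removed. The following is an added example of that pattern-based redaction, not Clearswift's implementation and not from the thread. It uses a regex to find card-shaped digit runs, gates them with a Luhn check so order numbers and similar look-alikes are left alone (asdf's false-positive concern), applies a format check for UK NINOs, and returns the altered message plus a minimal audit record. The sample e-mail is constructed; the card number in it is a widely published payment-gateway test number.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes, not glued to other word characters.
CARD_CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")

# UK National Insurance number format: two prefix letters (D, F, I, Q, U, V
# are never used; O is not used as the second letter; a few prefixes are
# unallocated), six digits, suffix A-D. A format check, not proof of a real number.
NINO = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b",
    re.IGNORECASE,
)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Filters the many 16-digit strings (order numbers,
    tracking codes) that merely look like card numbers, which is what keeps
    the false-positive rate on outbound business mail tolerable."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text: str):
    """Return (redacted_text, findings). The message is altered, not blocked,
    so it still reaches the recipient. Findings carry only the last four card
    digits / the NINO prefix so the audit trail does not itself leak the data."""
    findings = []

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)            # looks like a card, isn't one: leave it
        findings.append(("card", digits[-4:]))
        return f"[CARD REDACTED ****{digits[-4:]}]"

    def nino_sub(m):
        findings.append(("nino", m.group(0)[:2].upper()))
        return "[NINO REDACTED]"

    text = CARD_CANDIDATE.sub(card_sub, text)
    text = NINO.sub(nino_sub, text)
    return text, findings

# Constructed outbound message. 4111 1111 1111 1111 is a well-known gateway
# test number; the order number below is deliberately not Luhn-valid.
SAMPLE_EMAIL = (
    "Hi, invoice attached. Card on file: 4111 1111 1111 1111 (exp 09/27).\n"
    "Payroll ref for J. Doe: AB123456C. Order number 1234 5678 9012 3456.\n"
)

if __name__ == "__main__":
    out, found = redact(SAMPLE_EMAIL)
    print(out)
    print("redacted:", found)
```

Run on the sample, the card and the NINO are replaced while the Luhn-invalid order number passes untouched, which is the behaviour the reply above describes: the recipient still gets the mail, minus the fields policy forbids. It also shows the limit big_D and petur point out, since the patterns only fire on content the gateway can actually read.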

  8. Acme Fixer

    Why doesn't..

    someone do this to the data that NSA is slurping? That ought to be even more fun!
