back to article Wowee. Look at this server. Definitely keep critical data in there. Yup

Israel-based Illusive Networks claims that its approach of planting poison-pill servers in a network can detect incoming attacks faster than any other method. At the startup's Tel-Aviv office, CEO and founder Ofer Israeli told a visiting press group that his technology is a post-breach mechanism. It automatically learns the …

  1. Anonymous Coward
    Anonymous Coward

    Deception is good

    Always worth confusing and misleading the bad people. If you think that the column called 'password' on my 'users' tables contains the actual password, salted, hashed or whatever, then think again!

    Although the idea of a 'completely cloud' bank does not fill me with confidence...

    AC obvs.

    1. Mark 110

      Re: Deception is good

      Isn't there a law enforcement angle here? Sort of like the SmartWater/ID stuff where is anyone nicks your physical stuff the police can get it back.

      Have a Law enforcement honey trap available to you with crap security and a load of sniffing tools to suck people in, identify them and then do whatever law enforcement do. Only the sniffing to identifying is hard and likely to just hit the the script kiddies rather than the pros.

      1. Charles 9

        Re: Deception is good

        Plus what if the honeypot itself gets owned to lie about the attacker? Or worse, becomes itself an attack vector? Like instead of slipping past the guards, you bribe or blackmail them and get them to work for you instead.

    2. Anonymous Coward
      Anonymous Coward

      Re: Deception is good

      Funnily enough, that is exactly how my company stores its user's passwords -- in plain text on a database. Financial services company too.

  2. Anonymous Coward
    Anonymous Coward

    Great idea BUT....

    * Didn't Equifax use similar tactics after the early hacks? We all know how that turned out! Fake hacks may also be a tactic employed by hackers to confuse / befuddle the hosting org (pretend to be after database A not B).

    * Honey pots have been alive and well for some time as discussed on the beeb there below. So I think we're going to need to be far cleverer in the future to thwart ever more sophisticated attacks.

    * Look at how sophisticated the early Stuxnet was for example... Sure nation state! But that's no excuse / comfort, because as the prize becomes bigger the motivation of every hacking team does too, no?

    .

    2017: http://www.bbc.com/news/technology-40850174

    2006: http://news.bbc.co.uk/2/hi/technology/6035455.stm

  3. Tom Chiverton 1

    "they are planted deep in a server's system data stores "

    E_PHB.

    What does this thing actually do ?

    1. Khaptain Silver badge

      From my understanding, it will create file links/mapped drives ( probably hidden from normal usage) etc that will point to VMs that don't actually do anything other than inform that they have been accesed.

      No-one in the network would ever need to access these files/mapped drives/servers on a normal basis. Therefore should an attack occur, the hacker's script, which is unaware of the false files etc, would likely lead him to one of these servers. Any access to these servers would therefore infer that the system us currently under attack and "potentially" help the Admin to shut things down before "too much" damage can be done. I presume that the links that they create would simulate root drives in order to gain precedence over simple files.

      At least that's how I understood it.

      Something is disturbing though about allowing third parties so deep into the system though....

      1. TRT Silver badge

        would likely lead him to one of these servers

        Or her.

        1. handleoclast

          Re: Or her

          @TRT

          Except skiddies tend to almost always be male.

          In fact, mostly adolescent males.

          Probably because they can't impress women any other way than by pretending to be 1337 h4x0rs.

          Fortunately, women seem largely immune to thinking with their dicks (for reasons you may care to speculate upon) so are less prone to becoming skiddies.

          In this case affirmative action to increase the number of female skiddies to parity with male skiddies is probably not a good idea, no matter what your views upon equality of the sexes. Reducing the number of male skiddies to achieve parity is probably a better solution.

          1. TRT Silver badge

            Re: Or her

            You think that the only attackers on the internet are script kiddies? We should be moving away from making gender assumptions, but often our unconscious bias leads us to reinforce a stereotype without any cause. Anyway, OK, so the OP mentioned scripts, but that's like saying the internal combustion engine is the tool of the boy racer - it is, but whilst you are building intelligent roads that detect under-body lighting, a panzer division has just rolled over your front lawn. It's no good saying "Oh, when you said build a defence against motorised vehicles, I thought you meant the Top Gear presenters, LOL!"

            Opinions, like mileage, may vary; I stand by giving a gentle nudge to someone when his... her... THEIR unconscious bias shows its face. And I welcome anyone to do the same for me.

            1. Sir Runcible Spoon
              Coat

              Re: Or her

              Or her

              I thought that was a Monty Python quote myself.

              1. TRT Silver badge

                Re: I thought that was a Monty Python quote myself.

                Lol. Yes, it could be. Maybe we should leave the political correctness at that?

                So we are agreed, Europeans can have the RIGHT to data privacy, even if they can't have any actual privacy themselves; which is no-one's fault, not even the Americans.

                1. Sir Runcible Spoon

                  Re: I thought that was a Monty Python quote myself.

                  The biggest change in my lifetime hasn't been technology, it's the loss of the ability for our once great nation to poke fun at itself.

                  The recent RT adverts on the underground seemed to go down well, so there is a ready audience.

                  The sense of humour isn't dead, it's just pining.

            2. handleoclast

              Re: Or her

              @TRT

              I know there are more attackers than just script kiddies. Nevertheless, the OP mentioned them and you inserted a little political correctness with an implied referent of the aforementioned skiddies.

              I have no objection to political correctness as such, but the statistics show the skiddies are overwhelmingly adolescent males. Let's not insult women by implying they are equally likely to indulge in such stupidity because the stats say they're not.

              As for the more technical attacks, usually for financial or political gain, I haven't seen any stats. It could be that women are equally likely to play in this arena, but I suspect cultural influences discourage it. I don't know how organized crime views women these days but I suspect Islamists tend to see women as inferior beings best suited to be suicide bombers rather than elite programmers. I could be wildly wrong about that, but if they're not competent to drive a car...

    2. Dan 55 Silver badge

      You'd think that if fake addresses were left around in config files, then the daemons themselves would try to use them...

  4. Anonymous Coward
    Anonymous Coward

    What if I arping the mac address of one of these spoofed servers?

    1. Khaptain Silver badge

      The servers will probably exist as VMs so I presume that the ARP will resolve correctly..

      1. Anonymous Coward
        Anonymous Coward

        Good point so the best way to mitigate such a defence would be to spoof a shed load of attacks of different types from different addresses leaving it unable to determine who is the actual attacker and what method they are using. You can then concentrate on the one's which aren't fake once detected.

        Spoof attack vs spoof defence.

        1. Khaptain Silver badge

          No it wouldn't make any difference because regardless of the method/address/spoofing that is used as soon as one of them reaches one of these servers it will create an alert.

          The idea is actually quite simple and is just a "honeypot" is disguise, instead of offering HTTP/FTP/Telnet services it is offering files related services..

          1. Anonymous Coward
            Anonymous Coward

            What about arp spoofing? If say, someone spoofed the address of a server they could then detect if any traffic is running through it giving up that it's a decoy.

            These are just hypothetical because I'm curious how these things work in practise.

            1. Anonymous Coward
              Anonymous Coward

              What about 'last accessed' type flags?

              Anything with a really low count could be ignored.

  5. HieronymusBloggs

    The software can work on...Macs, and Linux servers but not Unix ones"

    Huh?

    1. TRT Silver badge

      Kernels.

  6. Mr Dogshit

    Okay, how do you exclude all the fake servers from the backups, monitoring and the users?

    1. JimC

      > exclude all the fake servers

      The end users' front ends simply won't access the fake servers, so no problem there.

      You probably don't want them excluded from backup since in the event of requiring DR fake and live will both need to be restored.

      And of course you do want to monitor them - that's the whole point!

      1. Anonymous Coward
        Anonymous Coward

        "The end users' front ends simply won't access the fake servers"

        "The end users' front ends simply won't access the fake servers, so no problem there."... Front-end must fake it too, otherwise hackers will probe the software and know what to ignore.

    2. LewisRage

      "Okay, how do you exclude all the fake servers from the backups, monitoring and the users?"

      remove the little tick from the box next to the fake server name in the configuration of the backup/monitoring solution.

      And are you really asking how to hide something from a user?

      1. TRT Silver badge

        How to hide something from the user. Put a section about it in the documentation.

    3. Loud Speaker

      how do you exclude all the fake servers from the backups, monitoring and the users?

      Only backup the stuff in the list of stuff to backup? Personally, I have an exclude file to exclude things from backup.

      Honeypots always taste good - Personally, I recommend a sym-link from /dev/random to /etc/master.password (although maybe not on the actual boot drive).

      Don't know how to do this on Windows, but its a non-problem. We have no Windows here anyway.

    4. Peter Gathercole Silver badge

      @Mr Dogshit

      Split horizon DNS or other name resolution service.

  7. Yet Another Anonymous coward Silver badge

    Decoy targets that have no user function

    I think we just found HPE's business model

  8. Fatman

    Interesting....

    Clever concept, next step is to introduce the concept of land mines1 in the fictitious data stores.

    1: """Juicy""" files laced with malware to take out the attacker.

    1. aks

      Re: Interesting....

      only bad actors and state-operators would be capable of building such "safe" malware that only targetted the intruder. simply releasing common malware into the wild would be very "contra-indicated". can you imagine what the press would make of such behaviour once it got known? it's close to the concept of protecting your house, office or factory with biological booby traps.

  9. John Smith 19 Gold badge
    WTF?

    ""We are deployed across a bank which is completely a cloud bank.""

    Do the customers know?

    AFAIK this is setting up various "trip wire" devices throughout the network.

    All actual apps will ignore them and never access them (not quite sure how) but an attacker mapping the network will touch everything. At which point someone's in the hen house and, depending the order and locations triggered it can identify a "track" which may locate the node it entered by.

    A kind of System Intruder Detector, so to speak.

  10. Anonymous Coward
    Anonymous Coward

    Seems a little...weird

    There must be more to this, methinks. If I am an attacker, isn't my first task upon gaining entry to *observe*? For example, watch the network to see where people go, which resources they access, etc. And since, by definition, legit employees are not accessing the hidden honeypots, I will not see them as interesting targets. And if I should stumble across \\server\e$\immensely_secret_secrets by myself, one quick check against the traffic pattern I collected previously would tell me that no employee had ever been there, and therefore it was probably a honeypot.

    1. activereachmax

      Re: Seems a little...weird

      The number of users accessing a resource is not necessarily proportional its importance/value to an attacker. Fewer people have access to a company's payroll and salary information in an HR server than a company's intranet servers and they probably access it less frequently, but the information contained therein is probably more valuable. If the information, rather than pwning the computing power, is the objective.

      Total absence of traffic might be pertinent to a smart, diligent and cautious criminal - but then you are testing these systems regularly aren't you? There shouldn't be /no/ traffic.

      Any system that can make overconfident hackers look like chumps is OK by me. I just wish it was less expensive and complicated. It doesn't sit very high up on most company budget lists.

  11. Tezfair

    excuse my ignorance

    I already use file resource manager to monitor various folders for ransomware activity, why not have a dummy file that's monitored and any attempt to open or change pings off an email.

  12. Anonymous South African Coward Bronze badge

    Why not make a honeypot which will deliver a _really_ nasty payload back to the hacker?

    Oh wait, NSA etc.

  13. mikie

    Canary Tokens

    yay honeypots with extra attack surface :)

    Why not use canary tokens from Thinkst - they are free, their hardware honeypots are excellent and also proven through extensive use as well.

    We really need to stop re-inventing the wheel over and over again.

  14. TrumpSlurp the Troll
    Windows

    Permissions?

    I think this is set up so that a normal user who can run a search through filestore* (e.g. using find) cannot see it therefore permissions.

    So all sysadmin level peeps would have to know about it to avoid it. Unless standard search tools have been modified in which case how does the attacker find it? It must be visible to a compromised user id to work? Puzzled.

    *Bootnote. Why does my tablet spell checker on the keyboard keep trying to substitute vibrators for filestore? Has my device been porned?

  15. Florida1920
    Black Helicopters

    Nothing new under the sun

    Back in the 90s I inserted macros in Word .doc files I'd created and stored on our company's server, such that anyone who opened one sent me an email without knowing it. The idea was to confirm the people who were supposed to review them were at least opening the files.

    One day I got a call from the IT manager, wondering why she was seeing a bunch of emails she'd sent to me in her Sent folder. I explained it was because she was opening Company Confidential engineering docs in a directory she wasn't authorized to view.

    <CLICK>

  16. Pu02

    Advanced honeypots are security by obscurity as they assume that the attacker is behaving like an attacker, and that users behave like users.

    Attackers these days hide in plain sight, and explore the network using the same hosts, methods, credentials, applications and queries that normal users use. Hidden canaries and activity tracking on every host are effective tripwires and provide a way to learn and reports abnormal behaviour. Deploying multiple fake honeypots that do this in obscured ways may be more effective in some situations, but it really depends on what the attacker expects, and how carefully they tread.

    Clearly Illusive is focusing a sales spiel and isn't keen to spend any time working with big FinTech companies to map out what is good and bad traffic across all those segments prior to them spending money on some (no doubt dirt-cheap) roll-out of their 'honied-up hosts'. After all, such networks are already compromised, not to mention full of more tangible, internal threats (employees and contractors).

    Ironically, FintTech companies have their design and architecture already mapped out and controlled, and need to understand they are very good candidates to collect and report such heuristics- indeed they are closer than almost any other organisation. It's just that they also have so many formalities and gatekeepers that they so often end in failure.

    Illusive are onto a method that delivers a most effective way to invite management to an particular approach which 'just happens' to demand investment up-front and demand on-going loyalty from every engagement.

    Buyers as always, beware ;-)

    1. Anonymous Coward
      Anonymous Coward

      In other words, a VERY careful attacker wouldn't trip the honeypots as they'll first get in through a push attack initiated by an actual user, so they have a known starting point, then they'll only extend themselves to other hosts the user actually contacts (via traffic sniffing). Doing this means they never learn about the honeypots and thus never trip them. Plus the smurfing approach makes them less likely to be detected until they actually attack, by which point it's already too late.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon