Scientists have developed a new anti-hacker system, which rather than simply blocking an intruder, deploys an alternative reality – feeding the attacker with false data.
The High-fidelity Adaptive Deception & Emulation System (HADES), developed by researchers at Sandia National Laboratories in the US, feeds a hacker not what he needs to know but what he wants to believe.
“Simply kicking a hacker out is next to useless. The hacker has asymmetry on his side; we have to guard a hundred possible entry points and a hacker only needs to penetrate one to get in,” said Vince Urias, Sandia National Laboratories.
Rather than being summarily removed from a data source, a discovered hacker is led unobtrusively into HADES, where cloned virtual hard drives, memory and data sets create a simulation very much like the reality.
However, certain artifacts have been deliberately, but not obviously, altered.
“So, a hacker may report to his handler that he or she has cracked our system and will be sending back reports on what we’re doing,” Urias said.
“They may have received a year or so of false information before realising something is wrong. A hacker informing his boss that he’s discovered a problem doesn’t do his reputation much good, he’s discredited,” he said.
“And then the adversary must check all data obtained from us because they don’t know when we started falsifying,” he added.
Furthermore, when a hacker finally puzzles out something is wrong, he must display his toolkit as he tries to discern truth from fiction.
“It used to be that technologically we couldn’t move a visitor to a different reality without them knowing but there’s been a radical change in networking in the last 10 to 15 years, from hardware to software,” said Urias.
“With the ephemerality of the network fabric, I can change realities without a hacker knowing,” he said.
HADES can operate in multiple modes from a small organisation without resources to a large company, researchers said.
Like any technique, HADES has its limitations. While the simplest deceptive environment can be done on a small private computer, environments of greater fidelity require more CPU and memory resources and may thereby reduce the number of virtual environments deployable on a single server.
The technique has allowed the researchers to locate malware an adversary has placed in a system, and is capable of active attack.