Beyond sandboxes: 'The Truman Show' approach to catching hackers

Deceptive technology has great potential as a counter intelligence tool that can completely turn the tables on the bad guys.

Do you recall the 1998 movie "The Truman Show?" In an existentialist take on reality TV, Truman Burbank lives in an altered, completely manipulated existence as an insurance broker whose every daily act is broadcast to the world as part of a television program – with Truman entirely unaware that this was happening.

When reading about an emerging technology – what some are calling “deception solutions” – I find myself visualizing it as the “'Truman Show' of IT Innovation” – with major implications for how we approach cybersecurity.

Here’s how “deception solutions” work: A hacker breaks into a network environment and starts doing what hackers do, by sniffing around and stealing files. But there’s a catch – the network environment isn’t real. It’s a virtualized replica of a production environment. The new approach enables a targeted enterprise to build a simulated “world” with enough actual, internal files and systems components to lead attackers to believe that it’s the real thing. Based on policy, the enterprise can watch everything the adversary is doing from start to finish, or they can block the traffic immediately at the edge of their network. This allows them to mitigate the threat to their network with no impact to the production environment.

It’s an intriguing extension of what we do with traditional sandbox techniques used by some anomaly detection technologies today. With the sandbox, we route suspicious traffic to an isolated, controlled environment, then examine the traffic more closely to determine whether it’s malicious or not. If it’s malicious, we block it. If not, we let it pass onward to its destination.

The new technology takes this concept several steps further: The attacker is redirected to a sandbox of sorts and – like a lavish Hollywood set – the whole thing looks and feels authentic. They start poking around, stealing stuff and dropping payloads. They have no idea that they’re being watched. And, because the environment is sealed off, they can’t do any damage with the payloads to any production resources.

It would be easy enough to set all of it up. If a major soda manufacturer pursued this, for example, they can assemble a collection of old, now irrelevant documents related to, say, an old recipe which never panned out. They are still stamped “confidential” but are eternally tucked away in the cyber equivalent of a long, filing cabinet. The security operations center (SOC) team with the soda manufacturer can then take these files, remove any references which would date them, make sure they still contain logos and other enterprise-specific details and load them into the simulated environment with unique tags.

Because the SOC team can tag each document, it can require a validation alert for every time a user seeks to access it. (The user here being the hacker, of course.) The SOC team is aware of all hacker requests and, thus, is developing a better sense of what intruders want. Instead of blocking, however, the SOC team approves of the validation and essentially “invites” the hackers to do what they please with the documents.

Here’s where the true value comes into play: Because the SOC isn’t stopping adversaries from doing anything – and the hackers can do no harm – the team is getting real-time intelligence about who the hackers are, where they came from and potentially, provide clues to who’s funding the operation. If I’m a chief information security officer (CISO) for the soda manufacturer, after all, I’m primarily interested in who’s funding the ill-intended operation, whether it’s an enemy state sponsor or an underground syndicate or a competitor down the street.

Deceptive technology has great potential as a counter intelligence tool that can completely turn the tables on the bad guys. It pushes cybersecurity from a reactive state to one of real time intelligence-gathering. Indeed, the technology is very much like "The Truman Show" – but more so as if Truman spent his day stealing things in his make-believe town of Seahaven. We not only would know what Truman is doing every step of the way – we would know who set him up to do so. That’s the kind of “spying on the spy” information which enterprises will find most valuable.

Copyright © 2017 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations