Attackers have a time advantage over static computer networks because the bad guys can simply hover around the network for long periods, study it and look for an advantage. The computer network is usually just sitting there, dawdling like unfortunate prey silhouetted in a hunter’s rifle scope.
The observing hackers can even disappear for a while, return and find nothing’s changed. The vulnerabilities are still in place. Bang! The perp hits when it’s convenient, and it’s all over.
The best solution to this time-advantage problem are computer defenses that sense malevolent investigations of the network and then squirt the attack over to a fake network that proffers no intelligence about the genuine network, according to some. They were written about as long ago as 2004 in the International Journal of Digital Evidence (PDF).
Penn State information scientists recently created a new prototype dummy network for defending a real network and say their system will only provide information about the dummy network to hackers. The team announced their work at the Honolulu Information Security Conference last month.
The key to it is knowing “a malicious scan is happening," says Dinghao Wu, assistant professor of information sciences and technology, in a Penn State News article. “If it's a large-scale scan, it is usually malicious.”
Hacking the hacker
Once they identify the scan as being potentially wounding, they immediately send the traffic over to the “decoy, or shadow, network.”
That dummy network isn’t visible to the real network, but it gives away just enough detail to bamboozle the crooks. They can’t tell it’s a phony network because the structure is copied, including the number of nodes and so on. The hacker is hacked.
“These shadow networks can be created to simulate complex network structures," Wu says in the article. Not only that, but because it’s not the main network, it’s actually easier to change elements, thus confusing the criminal—he can’t analyze his scan as easily because things have changed.
It’s called a “moving target defense,” Penn State explains.
Reflectors are a prime element. They detect the incoming scanning web traffic without even bothering to try to stop it and then send it to the shadow system.
That “shadow network environment that has the same look as the protection domain” and offers the hacker exactly what he’s looking for, which includes software versions, hardware types and operating system, they explain. It’s all mimicked.
Penn State built its system virtually. That allowed it to simulate both the attack and the reception. However, the scientists say they are ready to deploy in an actual network and that when they do, they will display only the phony network.
Decoy networks gain ground in fight against hackers
Decoy systems, also known as honeypots, are expected to emerge as “frontline technology,” according to a researcher. “We are getting more and more market intelligence that the decoy network technology is quietly gaining ground,” Market Research Media said on its website in January.
That company also, interestingly, came up with a fascinating previous-use scenario for honeypots while writing about its network market projections. It says one of the best decoy network analogies is from the Second World War, where the allies employed film set crews to build fake airfields to fool the enemy.
“Where does a wise man hide a pebble? On the beach,” the organization says on its site. Market Research Media says the decoy market will be valued at $12 billion cumulatively between 2017 and 2022.
This article is published as part of the IDG Contributor Network. Want to Join?