
Baiting hackers

Jan 20, 2004

* NetBait expands on deception strategies

In a previous article, I reported on an interesting (I hope it was interesting) discussion with two experts from NetBait about their disinformation product. In this column, we continue our discussion with a more fundamental question – the role of such technology in a production environment. The speakers are NetBait President Ilya Zeldin and CTO Ivan Milovidov.

Q: How does NetBait discourage the sophisticated attacker?

The Disinformation Security aspect of NetBait does two things: it changes the appearance of the network and demands an exponentially greater degree of knowledge from intruders. In doing so, we see NetBait as a primary component of any security infrastructure in conjunction with other tools. NetBait can act as the first, second or last layer of defense by wasting the intruder’s time, forcing him to execute unnecessary actions and providing him with false positives on the attack itself.

For a small company, NetBait can make its network “look and feel” like that of an enterprise without additional capital or human resources, and without investments in time for OS and service configuration and maintenance. With NetBait, an administrator is effectively forcing the hacker to spend hours on useless investigative work while staying one step ahead of pending attacks. The same logic can be applied to an enterprise-level network, where any critical production server can be transformed into a black hole by replicating it with thousands of NetBait nodes identical to that server in every possible attribute. On the flip side, an enterprise’s complex multi-tiered network can look and feel like a simple and boring network composed of, say, a hundred Windows 95 machines.

Another side of NetBait functionality allows us to go beyond a projection of an imaginary network. NetBait nodes can stand in front of real network objects and alter their appearance dynamically. For example, a Windows 2000 system can sometimes look like a Windows NT system and then like a Linux system. By changing the appearance of these devices, NetBait forces the attacker to re-evaluate the topology and characteristics of the network over and over. If NetBait nodes are static, administrators can study intruder actions precisely, identify new attack signatures, correlate them with existing intrusion detection systems or firewalls, and so on. For example, every NetBait object and every real computer on the network can positively respond to a specific exploit, creating millions of records for a hacker to verify, which will force him to go through a month-long to-do list that, even if executed, will be a waste of time.

Q: How do you handle threats from attackers who are trying to spot the presence of your product?

You are referring to fingerprinting, or the ability to separate a fake object from a real one. For example, there are ways to fingerprint honeypots based on TCP connectivity, default responses from the software data structure and so on. HoneyD, for instance, has specific scripts or responses that can be spotted by attackers because everyone running HoneyD has the same script by default – it was included in the installation.

NetBait’s distinction here is that it projects real systems based on an inventory, or Server Farm, of real network-based objects (OS, applications, services, etc.). If these systems are installed according to your policy, they look like everything else on your network. So fingerprinting based on emulation is impossible, since nothing is emulated.

At the same time, it is possible to detect the presence of NetBait nodes based on a tiny time delay in response from traffic redirection. There are many ways to avoid fingerprinting based on TTL. For example, real computers can be “moved” into the NetBait infrastructure, which would create the same TTL, or different connectivity speeds or protocols can be deployed on the network. The most important point here is that even if an intruder is able to “guesstimate” that certain network objects are NetBait-based, he will fail when applying the same logic to any other network, which makes fingerprinting through a generic exploit obsolete.
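The two fingerprinting signals the answer above mentions, a TTL (hop-count) mismatch and the small extra delay added by traffic redirection, are easy to put into working form. The script below is an added example written for this column; it is not NetBait code and not the speakers' words. It runs offline over constructed probe records (the host list, the /24 grouping, the three common initial TTL values and the outlier threshold are all assumptions made for illustration), and it shows the reasoning an attacker would apply: on a flat segment every host should sit the same number of hops away, and hosts whose replies are consistently slower than their neighbours are candidates for "something in front of a real server".

```python
"""Passive decoy-spotting heuristics (added example, not NetBait's code).

Two checks an attacker might run against a scanned segment:
  1. Hop-count consistency: round the observed IP TTL up to the nearest common
     initial value (64, 128, 255) to infer the sender's initial TTL; the
     difference is the hop count. On one /24, hosts that imply a different hop
     distance than the majority stand out.
  2. Latency outliers: a node that redirects traffic to a back-end farm adds a
     small, consistent delay. Compare each host's median RTT with the population
     median using a median-absolute-deviation (MAD) threshold.
All probe data below is constructed sample input, not a real capture.
"""
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Common default initial TTLs (Linux/BSD, Windows, Cisco/Solaris). Assumption.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: observed reply TTL and five ICMP/TCP RTT samples (ms).
# Hosts .20 and .21 are written to behave like redirected decoys.
HOSTS: List[Dict] = [
    {"ip": "10.0.5.10", "ttl": 126, "rtt_ms": [0.41, 0.39, 0.44, 0.40, 0.42]},
    {"ip": "10.0.5.11", "ttl": 126, "rtt_ms": [0.43, 0.40, 0.41, 0.39, 0.42]},
    {"ip": "10.0.5.12", "ttl": 62,  "rtt_ms": [0.38, 0.40, 0.41, 0.39, 0.37]},
    {"ip": "10.0.5.13", "ttl": 126, "rtt_ms": [0.40, 0.42, 0.41, 0.39, 0.43]},
    {"ip": "10.0.5.20", "ttl": 123, "rtt_ms": [2.10, 2.05, 2.15, 2.08, 2.12]},
    {"ip": "10.0.5.21", "ttl": 123, "rtt_ms": [1.95, 2.02, 2.01, 1.98, 2.04]},
]


def initial_ttl_and_hops(observed_ttl: int) -> Tuple[int, int]:
    """Infer (initial TTL, hop count) from a reply's observed TTL."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init, init - observed_ttl
    raise ValueError(f"TTL {observed_ttl} exceeds 255")


def hop_count_anomalies(hosts: List[Dict]) -> List[str]:
    """IPs whose hop count differs from the majority on their /24 (assumed flat)."""
    by_subnet: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for h in hosts:
        subnet = h["ip"].rsplit(".", 1)[0]          # /24 grouping: assumption
        _, hops = initial_ttl_and_hops(h["ttl"])
        by_subnet[subnet].append((h["ip"], hops))
    flagged = []
    for entries in by_subnet.values():
        common_hops = Counter(hops for _, hops in entries).most_common(1)[0][0]
        flagged.extend(ip for ip, hops in entries if hops != common_hops)
    return sorted(flagged)


def latency_anomalies(hosts: List[Dict], k: float = 5.0, floor_ms: float = 0.2) -> List[str]:
    """IPs whose median RTT exceeds the population median by more than
    max(k * MAD, floor_ms). The floor keeps a near-zero MAD on a quiet LAN
    from flagging ordinary jitter (threshold values are assumptions)."""
    per_host = {h["ip"]: median(h["rtt_ms"]) for h in hosts}
    centre = median(per_host.values())
    mad = median(abs(v - centre) for v in per_host.values())
    threshold = centre + max(k * mad, floor_ms)
    return sorted(ip for ip, v in per_host.items() if v > threshold)


def suspected_decoys(hosts: List[Dict]) -> List[str]:
    """Hosts flagged by both checks: the strongest candidates for redirection."""
    return sorted(set(hop_count_anomalies(hosts)) & set(latency_anomalies(hosts)))


if __name__ == "__main__":
    for h in HOSTS:
        init, hops = initial_ttl_and_hops(h["ttl"])
        print(f'{h["ip"]}: ttl={h["ttl"]} init={init} hops={hops} '
              f'median_rtt={median(h["rtt_ms"]):.2f}ms')
    print("hop-count anomalies:", hop_count_anomalies(HOSTS))
    print("latency anomalies:  ", latency_anomalies(HOSTS))
    print("suspected decoys:   ", suspected_decoys(HOSTS))
```

Both checks are heuristics, and the answer above already names the countermeasure to the first: once real hosts are moved into the same redirection path, every machine on the segment shows the same hop count and the same added delay, and the majority vote no longer separates anything. That is the point of requiring both signals to agree before calling a host a decoy.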

Q: How much room is there for creativity with NetBait?

Deception is a great strategy to prevent attacks that cost millions in damage. NetBait makes deception extremely easy and effective to deploy and maintain.

We are constantly working on innovative strategies for implementation. For example, why not create an entire set of multi-tiered networks? Consider this: real objects look fake, while NetBait objects look real. Or this: distribute freeware, easy-to-detect honeypots (through NetBait deployment) next to undetectable NetBait targets, and embed real objects within the NetBait infrastructure. Or project huge numbers of identical systems that make it impossible to identify real systems buried in this morass of fluff.

Every network is unique and NetBait has enough scale and flexibility to respond to the specific requirements of a given infrastructure, policy, security demands, or administrator’s imagination. With NetBait, you can protect individual resources or lower the global level of risk networkwide.

* * *

One other quick point: My sincere thanks to Ilya and Ivan for their contribution to Norwich student Bob Pelletier’s research project on deception networks; a summary of Bob’s work will be appearing in this column in the spring.