Moving picture show for would-be attackers

Oct 21, 2003 | 4 mins

* NetBait deceives potential attackers with “projection” software

Recently I had the pleasure of interviewing two executives of NetBait, the maker of an interesting system for deceiving network attackers. Below are edited comments from Ilya Zeldin, NetBait’s president, and Ivan Milovidov, CTO.

In the spirit of full disclosure, I can inform readers that I have no financial involvement whatsoever in this company and that they very kindly offered to help a Norwich University undergraduate research student, Bob Pelletier, in his continuing honeypot research before I had the idea of interviewing them.

* * *

The prevailing approaches towards network security usually involve building barriers. In contrast, we create an infrastructure of deception that we call Disinformation Security. NetBait empowers administrators to create a diversionary picture of the network. NetBait tries to divert attacks in two ways:

* By making any network look busier, more complex and less penetrable than it actually is

* By making complex networks look so simple that they appear to be unappealing and uninteresting to the attacker

NetBait uses multiple technologies to “project” any given network device from a controlled environment to any segment of any network worldwide. By projection we mean the distortion of the characteristics and responses of a real system so that it can appear anywhere and interact with attackers to deceive them into misjudging the overall environment.

In a sense, this is analogous to projection through a film, where one can show an image to one person or a million, with or without sound, on any surface, at any time and for as many times as needed. One can also edit a single frame or all frames of this film; the same images can be either funny or horrific depending on the desired effect.

Similarly, the projections of real systems transformed by NetBait can give radically different impressions to observers or attackers as a function of the configuration used. Following this analogy, you have a frame and a projector, as well as all the knowledge, flexibility and tools to modify and project this frame. NetBait is flexible and adaptive enough for any system administrator to use his or her unique knowledge.

In addition, by offering NetBait Managed Security Service, we serve the untapped market of small and midsize companies that don’t have the budget or human resources associated with this kind of deception technology. With NetBait, these companies can have the security of an enterprise-level organization without any upfront investment. We run the entire back-end infrastructure and take care of all the issues of support and upgrades.

As an example, there might be a reason to think that attackers might be diverted effectively by the presence of specific technology – for example, Linux servers. A small firm might not have any, but with NetBait it would be easy to check off that kind of server on the configuration and we would project those servers for the customer. We already have an extensive inventory of operating systems and services and can easily expand the list based on customer demand without having to alter the NetBait software itself.

Consider an organization that already has security policies in place. NetBait can help verify how the policies are working. It can help evaluate every single active device and rule of the network. NetBait can create a fake network that perfectly reflects the real network infrastructure, which can then be attacked. You can then analyze how the organization responds to the attack and whether the attack gets through. Moreover, you can model possible futures: you can try out different network configurations, test them today, see if your policies can handle various scenarios, and plan to make necessary changes or budget for new requirements.

On the other hand, in the worst-case scenario, imagine a company with no security strategy, no tools, and no security support. NetBait changes the appearance of the existing network and creates a network that raises the bar of knowledge for successful attacks. Attacker tests will generate huge amounts of data – so much that it will overwhelm anyone and extend the necessary time for successful infiltration beyond reasonable limits for ordinary intruders.