Thinking of a counterattack? Deception is better, say experts

There is no such thing as a bulletproof firewall against digital attacks. And it's risky, and probably illegal, to "hack back," or try to launch preemptive strikes against attackers who are trying to steal your intellectual property or the identities and confidential information of your customers and employees.

But it's not illegal, and it is much less risky, to practice the traditional art of deception -- that is, to lure attackers into chasing fake data into places where they can't do any damage, and where you can monitor their activities and possibly their location.

The so-called "honeypot" defense is not new. It has been around for at least two decades and is regularly used by law enforcement and intelligence agencies. But the Washington Post reported this week that the tactic is becoming mainstream in the private sector as well.

The story profiled Brown Printing, of Minnesota, which has planted bogus user log-ins and passwords and phony configuration files in its system in an effort to lure hackers into "rabbit holes." Any hacker drawn to the phony data "was being watched by Brown, their computer locations tagged and their tactics recorded," the Post reported.

This kind of digital deception falls under a group of tactics called "active defense," since they involve engaging the attackers instead of simply trying to block or get rid of them. But it is probably the least aggressive of any active defense, because it is not a counterattack.

Most security experts say counterattacks are simply asking for more trouble, since they could promote an escalating series of attacks, and it is possible to attack the wrong villain because of the attribution problem. It is still almost impossible to know for sure where an attack came from.


And then there's the law. "Reaching into a person's computer to delete stolen data or shutting down third-party servers ... probably would violate federal law, FBI officials said," the Post reports.

Chester Wisniewski, senior security adviser at Sophos, said companies trying to counterattack generally have much more to lose than the attackers. He compares it to trying to go after car thieves by finding and stealing their car. "They don't have a car -- that is why they are trying to steal yours," he said.

Matt Johansen, threat research manager at WhiteHat Security, said digital deception, by contrast, "is a great practice for companies to get into that isn't at all asking for more trouble."

"The idea of a honeypot and fake data allows a company to buy some time in detecting an intrusion and dealing with it effectively before any real compromise is made to the customer or sensitive information," he said.

Attribution is not a problem because the company is not going outside its own digital walls to plant the fake data -- it's not attacking anyone, but only monitoring those who are illegally inside its own walls.

"The fake information 'rabbit holes' will only be stumbled upon by people who aren't supposed to be looking there and will obviously just set off alarms for a company to identify a threat," Johansen said.

Some experts say really good hackers will be able to recognize deception, and will be more determined than ever to break into a company. But both Johansen and Wisniewski said smart companies can avoid that.

"If companies start using open-sourced or commercial-level honeypots, hackers will most likely be able to recognize certain signatures that appear the same to those solutions," Johansen said. "If a company wants to make sure their rabbit hole is successfully disguised as real data, they will likely need to design it themselves."

Wisniewski said the right technique can make it very difficult for an attacker to discern the good from the bad. "I have seen many banks use a canary-in-a-coal-mine-style approach," he said. "They sprinkle fake credit card details and accounts here and there. If there is any activity they know they have been compromised and can take action."
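The tripwire that Brown Printing and Wisniewski describe, as an added example that is not code from the article or from either company: a planted log-in and a fake card number that passes the same Luhn check a real one would (so it is not obviously phony), plus a detector that raises an alert, with the source address, for any log line that touches them. Every user name, card number, address and log line below is constructed for the example.

```python
import re
# Constructed canaries: the user names, card numbers and log lines here are invented
# for this example. Nothing legitimate ever uses them, so any hit is an intrusion signal.
CANARY_USERS = {"svc_backup_ro": "planted in fileserver backup config"}

def luhn_sum(digits: str, double_parity: int) -> int:
    """Luhn digit sum, doubling digits whose position from the right has the given parity."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == double_parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return 13 <= len(digits) <= 19 and luhn_sum(digits, 1) % 10 == 0

def make_canary_card(partial: str) -> str:
    """Append the check digit so the fake PAN passes the same Luhn test a real one does."""
    return partial + str((10 - luhn_sum(partial, 0) % 10) % 10)

CANARY_CARDS = {make_canary_card("453997251489012"): "planted in fake customer table"}

LOGIN_RE = re.compile(r"(?:Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
SRC_RE = re.compile(r"src=(\S+)")

def detect_canary_use(lines):
    """Return (kind, token, source) for every log line touching a planted credential or PAN."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and m.group(1) in CANARY_USERS:
            alerts.append(("credential", m.group(1), m.group(2)))  # source: address used from
            continue
        for pan in re.findall(r"\d{13,19}", line):
            if pan in CANARY_CARDS:
                src = SRC_RE.search(line)
                alerts.append(("card", pan, src.group(1) if src else "unknown"))
                break
    return alerts

# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
CANARY_PAN = next(iter(CANARY_CARDS))
SAMPLE_LOG = [
    "2013-05-01T02:14:09Z sshd[4121]: Accepted password for svc_backup_ro from 203.0.113.45 port 51022",
    "2013-05-01T08:00:01Z sshd[4300]: Accepted publickey for alice from 192.0.2.10 port 40022",
    f"2013-05-01T09:12:55Z pos-gw: auth request pan={CANARY_PAN} amount=249.00 src=198.51.100.7",
]
```

Running `detect_canary_use(SAMPLE_LOG)` flags the planted log-in and the planted card number and ignores the legitimate session, which is the "set off alarms" behaviour Johansen describes.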

However, both also said deception is not enough on its own. "The better way to deal with these breaches is to spend your time addressing the root causes," Johansen said. "The majority of breaches we saw last year used SQL Injection as the exploitation method, which has been a solved problem for over a decade."

Wisniewski added: "Rather than worrying about whether someone is stealing your unprotected information you could just protect it. Encryption isn't rocket science any more."
