While Federal agencies race to migrate to the cloud, security concerns seem to multiply by the hour. This month alone, Russian hackers penetrated the U.S. power grid; cyber attackers got into the network of a petrochemical company in Saudi Arabia in hopes of triggering an explosion; and North Korean hackers apparently “blitzed” Turkish banks and government organizations to gather intel for a future heist.
The cloud will undoubtedly help reduce IT expenses for many organizations. That said, it’s not a risk-free endeavor, most notably because Federal agencies lose some visibility and control when they outsource to cloud service providers.
“It’s the good and the bad of the cloud,” said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “When you use someone else’s infrastructure, they handle a lot of your headaches. But the downside is that you don’t have all the administrative access that you would in your own system. Some cloud providers are good about this. But some aren’t.”
Equally problematic is the fact that during any technological transition–whether it’s a merger, acquisition, cloud migration, etc.–networks may be left with security holes. A good offense may be the best defense, but a solid decoy has proven an effective defensive strategy, too. Ideally, Federal agencies would successfully keep all bad actors out. But at a time when global warfare is fought virtually, over vast data networks, it’s not enough to just aspire to keep hackers out–it’s equally important to outsmart them once they’re in.
“In a very broad sense, the world has understood that yes, we want to control our perimeter, but if that’s no longer feasible, we need to detect hackers and respond as efficiently as possible,” said Ofer Israeli, founder and CEO of Illusive Networks, a deceptive technology company based in Tel Aviv and New York City. “If you think about a burglar coming into your home, there’s a lot of learning he has to do when he gets there. He doesn’t have a map. He’s looking for a safe and he sees two doors. What we do is build multiple doors in each room. The burglar no longer sees two doors, he sees 10 doors, and if he tries one of our eight, he’ll be detected.”
The decoy concept is not new–it goes back thousands of years. Decoys were used extensively by the U.S. military in World War II, and as recently as the 1980s, in an effort to outwit the Russians during the Cold War. The decoys used in data security are a fairly natural evolution from the honeypot–fake networks set up in an effort to lure, observe or catch hackers. In previous decades, a honeypot was an expensive, labor-intensive endeavor. In today’s technological landscape–given the advances and affordability in machine learning and cloud computing–deceptive technology is not necessarily a cumbersome undertaking or expense.
The cost of a decoy strategy varies, but subscription-based models are fairly common. Both Illusive Networks and TrapX, a San Jose, Calif.-based deceptive technology company, offer annual subscription-based services, with varying rates, depending on the size of the network and the extent of the work. Illusive, which concentrates on laying decoys around network endpoints, uses AI-based automation to modify existing traps as the customer’s needs evolve.
Do the decoys actually work? TrapX offers some fairly jarring case studies as clear evidence that they do. In one example, a government weapons manufacturer, whose IT staff was personally targeted by (presumed) state-sponsored hackers, inadvertently allowed the hackers network access through sophisticated emails that included legitimate software patches. The hackers, according to Ori Bach, vice president of product at TrapX, had researched individual staff members and knew which software tools they used.
“Not only were [the hackers] detected, but we have recordings of the social engineering they used to get into the organization,” said Bach.
In another example, TrapX deployed traps that looked like medical devices (since they’re considered soft targets) in three separate healthcare organizations. Alarmingly, they almost immediately identified attackers in all three organizations. In one case, it took less than an hour before a hacker was caught in one of their traps.
Although there are no hard and fast numbers on the adoption rate of decoy technologies in the cloud, Reavis speculates that it could reach 100% in a few years’ time.
“It’s a no-brainer,” Reavis says. “If you, as an individual, could change your physical address and phone number, you would be hard to track down. Having that same sort of cyber defense is pretty obvious.”