What started as a cyber research project turned into a potential game changer for the Energy Department and all of the federal government.
Sandia National Laboratories combined its expertise of modeling, simulation and cybersecurity to create a dynamic environment to fool hackers and learn their tricks and techniques.
Vince Urias, a distinguished member of the technical staff at Sandia National Laboratories, said the potential of the High-Fidelity Adaptive Deception and Emulation System (HADES) program is great because it lets cyber defenders know in real time the approach hackers are trying to use without putting the organization’s data or systems at risk.
“At the crux, it’s a threat intelligence platform that is tailored to specific environments,” Urias said on Ask the CIO. “Through software-defined network and virtualization, we are able to actually move virtual machines into a completely isolated environment that could have completely synthetic things. Imagine if you had a laptop plugged in one part of the network and we just moved you to an isolated network that may have a full rich set of services that were not real but looked real to you, and let them play the game.”
Urias said the Sandia team took the concept of a “honey pot,” which traditionally has been used to lure attackers into a fake, but static environment to observe them, and applied technologies like software-defined networking and virtualization to create a dynamic honey pot of sorts.
“Imagine if you were an intelligent adversary and you landed in a box and everything looked the same. There is no historical information, and what I call the lived-in feel, the identity of the person, browser history, document history and all the things that define a person. If you landed in a box that has been up for two hours and has the same homogenous infrastructure, you are not really interested in that. You know it looks fake,” he said. “Over the last 15 years, we’ve done a lot of work on emulation and other work. We said could we take all those things to create better, more interesting, more faithful environments where adversaries could land and say, ‘this looks interesting,’ and see if there is better data in here, could they get more user information, can they look throughout the network and see what might be of interest?”
“A lot of what we do is in three components. One of which is making the environment looked as lived in as possible so we have a lot of special sauce around making all the virtual machines within the environment looked like a tailored environment for you,” Urias said. “We can create and tailor those applications, that browser history, that document history, the users’ identities, the domain identities and all the things you’d see in a normal enterprise. We can synthetically create the traffic and the environment to look like that.”
Addressing the big data challenge
A second component is the tools to pull the data from the synthetic environment.
Frank Dimina, the vice president of public sector at Splunk, said the amount of data that comes from cyber defense efforts is astounding and to truly be successful, organizations need to use machines to analyze all that information.
“All the machine data that comes from a network is incredibly messy, unpredictable, and managing the data is hard especially when it’s locked away in legacy technologies,” Dimina said. “Through the use of high precision time stamps, HADES lets defenders sift through logs and funnel that intelligence to real operational networks where they can extract what they need to do production network to harden their networks further. This is a real time use. HADES lets defenders go after new set of attackers maybe that they’ve never seen before. Look at this in another way like physical security, where in legacy environments we try to look at adversaries by looking at photos. HADES provides that real-time information. It’s taking that old process that may have been photos and turning it into a live video feed.”
Another benefit, Dimina said, is HADES flips the cost equation on to the attacker.
“I was a penetration tester previously in my career and we were always looking for low-hanging fruit. So by making the adversary spend a lot of time on fake assets, there is an opportunity cost where they are not spending time on sensitive assets. HADES is showing an economic return-on-investment,” he said. “HADES is next generation analytics to understand adversaries. It has universal applicability to accomplish the cyber mission. It makes organizations more data driven and lets them focus on the most serious events by using other technologies like automation to take care of tier one events.”
Introducing doubt into the adversary
Sandia built out an environment of 70,000 to 80,000 Windows hosts to test this dynamic honey pot concept. Urias said while many of the cybersecurity threats they tested this concept against is sensitive, the one area he can talk about is crimeware.
“I’m guessing at home or at work you are getting weird spear phishing attacks so we started harvesting these things. Instead of deleting the email or putting it our spam folder, we started clicking the links to see how far we could get,” he said. “We had a lot of fun with that. We saw some crimeware. We saw some folks who dropped payloads to try to harvest Gmail information and user names and passwords and we had some attackers trying to look for IRS information,” he said. “It allowed us to prove out the tool chains, the analytics and response pipeline, the synthetic creation pipeline and let us do interesting things without too much stress.”
In the end, Urias said the goal is to introduce doubt into the adversary.
“The future for us is looking for other partners in other spaces to see if we can continue testing,” he said. “We realize each agency is different so we created a flexible platform that can work on a single server all the way to tens of hundreds of servers depending on what you are trying to do. So the cost is for the infrastructure and the analysis.”