By Neal Singer

Monday, November 27, 2017

HADES uses alternative reality to mislead hackers

The novelist Fyodor Dostoevsky once postulated that the devil no longer employs fire and brimstone but instead simply tells you what you want to hear.

 Cyber researchers Vince Urias, Will Stout, and Caleb Loverro move with that second option when it comes to foiling a hacker. Rather than simply excising a discovered intruder, they deploy a recently patented alternative reality, aptly dubbed HADES (High-fidelity Adaptive Deception & Emulation System), which feeds a hacker not what he needs to know but what he wants to believe. HADES has just won a 2017 R&D 100 Award presented annual by R&D Magazine.

 “Deception is the future of cyber defense,” says Vince. "Simply kicking a hacker out is next-to-useless. The hacker has asymmetry on his side; we have to guard a hundred possible entry points and a hacker only needs to penetrate one to get in."

SANDIA CYBER RESEARCHERS Will Stout, left, and Caleb Loverro, along with colleague Vince Urias, have developed HADES, the High-fidelity Adaptive Deception & Emulation System, which has just won an R&D?100 Award.

SANDIA CYBER RESEARCHERS Will Stout, left, and Caleb Loverro, along with colleague Vince Urias, have developed HADES, the High-fidelity Adaptive Deception & Emulation System, which has just won an R&D 100 Award.

Rather than being summarily removed from a data source, a discovered hacker is led unobtrusively into HADES, where cloned virtual hard drives, memory and data sets create a simulation very much like the actual reality.  But certain artifacts are deliberately, and non-obviously altered.

"A hacker informing his boss that he’s discovered a problem doesn't do his reputation much good, he’s discredited."

"So, a hacker may report to his handler that he or she has cracked our system and will be sending back reports on what we're doing.  Let’s say they spent 12 months gathering info. When they realize we’ve altered their reality, they have to wonder: at what point did their target start using deception, at what point should they not trust the data? They may have received a year or so of false information before realizing something is wrong.  A hacker informing his boss that he’s discovered a problem doesn't do his reputation much good, he’s discredited. And then the adversary must check all data obtained from us, because they don’t know when we started falsifying."

 Furthermore, when a hacker finally puzzles out that something is wrong, he must display his toolkit as he tries to discern truth from fiction.

"Then he’s like a goldfish fluttering in a bowl," says Vince, "He exposes his techniques and we see everything he does."

The Sandia work, patented in October, began five years ago with a three-year Laboratory Directed Research and Development grant. 

“It used to be that technologically we couldn’t move a visitor to a different reality without them knowing,” says Vince, “but there’s been a radical change in networking in the last 10 to 15 years, from hardware to software.  With the ephemerality of the network fabric, I can change realities without a hacker knowing.”

Adversaries want data that helps their situational awareness. “But when we change data in our fake world, we devalue information and set up eventual inconsistencies.”

To do this, he says, “We move to another location in the Cloud and build a slightly different world around them. Our intent is to introduce doubt. If they get something, is it real or is it fake? The worst horror for an adversary is the identical world, but changed. Can we introduce more work for them?”

HADES can operate in multiple modes, says Vince, from a small organization without resources to a large company. The Department of Homeland Security’s Cyber Security Division has worked with Sandia on deployment.

Like any technique, HADES has its limitations.  While the simplest deceptive environment can be instantiated on a small private computer, environments of greater fidelity require more CPU and memory resources, and may thereby reduce the number of virtual environments deployable on a single server.

What the IT and cybersecurity communities want, he says, is what he wants: “To stop the [information] bleeding and get actionable intelligence: What is an adversary looking for, what did they get, and how did they get it?”

The technique has allowed the researchers to locate malware an adversary has placed in a system, and is capable of active attack.