Sergey Nivens - Fotolia
People are always going to hack. Some are just jealous, others are curious and some believe it’s the best way to learn about coding.
Why not just recognise this fact and give them a play area? Or better still, have some fun with the little buggers. We might not catch many of them and even fewer will end up in a penitentiary. But if we can waste a bit of their time or give them a virus, then it will all have been worth it.
They’re calling it Deceptive Technology. One research company, Market Analysis, claims this is a twelve billion dollar market. However, some of the major players we spoke to poured cold water on that idea. So the deceptive tech market isn’t everything it seems. Which is exactly how you’d want a smoke and mirrors trapdoor technology market to be.
We spoke to some of the market leaders to see if they’d lead us down an alley and get us stuck there.
TrapX, the de facto market leader, was created originally by members of the Israeli Defence Force. Up to that stage, the idea of a honeypot for IT pest control was rarely developed past the academic project stage. But by necessity the Israelis needed to develop a military grade cyber decoy.
CTO Yuval Malachi co-founded the system with the intention of using the momentum of the attacker against them, like a sort of Krav Maga self defence system. So he created something that would encourage hackers to go for a target (which he’d faked) and deceive them with false information. While engaging them this way TrapX could gather intelligence about the intruders too.
“We create a presence, lure attackers, then try to hunt them,” says Ori Bach, the VP of security strategy for TrapX.
Can there be a more satisfying job in IT? Forget gaming - embedding malware in the baddies is real life cyber warfare. Judging by many of the IDs of the attackers, many of the attacks originate with Iranian state support, according to Bach.
If that wasn’t exciting enough, there are sophisticated criminal gangs from Rumania and Ukraine to take on.
Your job, should you become involved, is to find out how the Cyber-baddies have breached your client’s defences, then study their movements, using special military grade tools. Then you will use your armoury to render their weaponry useless. What a brilliant job - it certainly beats driving up and down the M4 for speculative meetings.
Until he worked at TrapX, Bach said he always struggled to explain to his kids what he’d been doing for 17 years in the IT industry. “Now I tell them I build traps for bad guys,” says Bach.
TrapX has two channels through which you can get involved - VARs and service providers. You need to do two days of basic product training and then four days of more intense high level study - but only if you’re already an IT security expert. You also need a ‘certain type’ of mindset, says Bach.
Meanwhile, more players are looking to get involved. San Francisco based Anomali has a toe in the water, having dabbled with this emerging technology. Anthony Aragues, its VP of product management, is increasingly enthusiastic about discussing types of bait, such as Goats, Tokens and Watering Holes. (They make it sound like a fishing tackle shop).
At the moment Anomali is taking known information and turning it into counter intelligence. The problem most security firms still face is that IT buyers, understandably perhaps, assume when they buy a system that they are getting the complete article. Which is probably what the salesman told them. So they naturally wonder why they should need to have to pay extra.
Anomali’s threat intelligence has exposed some ugly truths about the IT industry itself. The baddies aren’t all North Koreans and Iranians launching demented state sponsored attacked. Nor are they desperate criminals whose genius is frustrated by the lack of opportunities in Eastern Europe. Many of the malicious coders are employed in the IT industry. In security.
One of the cyber-creeps that Anomali tracked was found bragging about his antics on a forum somewhere on the Dark Net. After correlating all his social media posts - such as pictures of himself posing in front of an NSA logo, an image which appeared in several places - they managed to identify the hacker. And he worked for a security firm. “That’s not too uncommon,” says Aragues.
The problem is that many IT security staff become disillusioned and bored. The frustration caused by their lack of motivation is exacerbated when they fail to be acknowledged and rewarded for their work. It’s not unusual for IT companies to put up a bounty for people to solve a glitch, only to rescind on the offer when it comes to paying out. So the security experts end up switching sides.
These are exactly the sort of people we need to be kept onside. Maybe we should conscript them into a Cyber Army. Surely TrapX would be able to advise on that.
It sounds like a great job laying traps? Are you a sort of Pest Control for the IT industry?
Yes and no, says Justin Smith, Senior Director of Product Management at Pivotal.
“We aren't talking about pesky little wood-boring insects, cockroaches, or mice. We wish the problem were pests. Instead, the problem is apex predators. To many, that's what hackers are: apex predators in the digital food chain. We reject that notion,” says Smith. Pivotal says it starves the pest of what it needs most: the time to mount an attack. “We rotate your credentials regularly - our platform lets businesses do this automatically and frequently,” says Smith.