Researchers at Sandia National Laboratories have put a new twist on honeypots — isolated networks designed to attract and trap hackers — by creating an entire virtual environment that tricks hackers into sticking around so their actions can be monitored and their secrets learned, all without risking an organization’s real operational network.
The system is evocatively named HADES, for High-Fidelity Adaptive Deception & Emulation System. “The main thrust of HADES is to provide a deception environment and continue a deception campaign to tease out relevant intelligence and signatures of an ongoing attack,” Vincent Urias, a Sandia National Laboratories computational researcher, told GCN.
On the technical side, HADES leverages cloud technologies — in particular, software-defined networking and virtual machine introspection — to quickly move a virtual system that has been compromised from the production network to a high-definition virtual copy of that network that lacks, of course, true copies of sensitive data. “We can move the state of that virtual machine to another part of the network and start emulating the world around it,” Urias said.
While intruders unknowingly probe that sandbox network, analysts monitor them to learn what they are after and what tools they are bringing to bear. “We can watch the adversaries’ behavior, reconstruct our tools from memory transparently to them, enabling us to develop our intelligence on the fly,” Urias told RandDMagazine in May.
According to Urias, even when hackers eventually discover they are operating in a sandbox, they don’t know when they were moved off the real network, so they don’t know how much of the data they have gathered is the real thing. “Our intent is to introduce doubt,” Urias said. “If they get something, is it real or is it fake? The worst horror for an adversary is the identical world, but changed.”
HADES does not, by the way, replace tools designed to detect attacks. In fact, while HADES provides its own intrusion-detection tools, it is designed to take advantage of third-party applications. “HADES remains agnostic on this front and provides a flexible [application programming interface] to interact with such tools,” said Urias.
First deployed in 2017, HADES is still under development and is being tested in selective deployments. According to Urias, it has been deployed at the Florida Institute of Technology and “several facets of the platform” have been deployed at undisclosed location in government and academia.