honeypot with HADES analytics in background

Sandia digs deeper into its cyber deception sandbox

Sandia National Laboratory is expanding its virtual cybersecurity sandbox environment and evaluating how it might be used to blunt attacks.


Beyond honeypots: HADES tricks hackers into giving up their secrets

The simulated virtual environment lets network defenders deceive, interact with and analyze adversaries in real time. Read more.

Turning the tables on hackers

The High-Fidelity Adaptive Deception and Emulation System uses cutting-edge deception environments where operators can run sting operations on those trying to break into Sandia National Laboratories’ systems. Read more.

The High-Fidelity Adaptive Deception and Emulation System (HADES) attracts potential cyber attackers with a supercharged honeypot that features an entire virtual environment and tricks them into sticking around by automating responses at machine speed. The system ultimately allows Sandia analysts to deceive, interact with and analyze adversaries in real-time. The project won a 2018 Government Innovation Award.

Because Sandia develops, engineers and tests non-nuclear parts of nuclear weapons, its  IT infrastructure is a magnet for cyber bad actors. The lab has been working with Splunk's Enterprise software to widen and deepen the program's ecosystem, said Vincent Urias, distinguished member of the technical staff at Sandia.

HADES maps and time-stamps relationships among all relevant parts of an IT ecosystem and generates h a rich set of analytics so analysts can sift through the data to learn about the tools and techniques used by adversaries, then funnel that intelligence to network defenders.

HADES is ultimately aimed at "changing the conversation with the adversary," Urias told FCW, GCN's sibling site. That shift is particularly important as threat information is being commoditized by security companies that crunch their own threat intelligence, he said. The system offers the ability to develop unique streams of threat intelligence by observing actual attackers and developing responses in real time.

Current cybersecurity practices, such as post-attack forensics and assuming compromise "are not the entire story" for federal and industry IT security managers, he said. HADES can fill in details in the here and now, such as what tools are being used, what time the attack infiltrated the network, where it got in and other details that can be hard to pin down afterwards.

First deployed in 2017, HADES has grown to develop better and better data analytic capabilities, Urias said. "The hopes are to help cross-sectional .gov and commercial networks."

This article was first posted to FCW, a sibling site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected