Emerging Tech

Blog archive
HADES screen shot (Sandia National Laboratories/YouTube)

Beyond honeypots: HADES tricks hackers into giving up their secrets

Researchers at Sandia National Laboratories have put a new twist on honeypots -- isolated networks designed to attract and trap hackers -- by creating an entire virtual environment that tricks hackers into sticking around so their actions can be monitored and their secrets learned, all without risking an organization’s real operational network.

The system is evocatively named HADES, for High-Fidelity Adaptive Deception & Emulation System. “The main thrust of HADES is to provide a deception environment and continue a deception campaign to tease out relevant intelligence and signatures of an ongoing attack,” Vincent Urias, a Sandia National Laboratories computational researcher, told GCN.

On the technical side, HADES leverages cloud technologies -- in particular, software-defined networking and virtual machine introspection -- to quickly move a virtual system that has been compromised from the production network to a high-definition virtual copy of that network that lacks, of course, true copies of sensitive data. “We can move the state of that virtual machine to another part of the network and start emulating the world around it,” Urias said.

While intruders unknowingly probe that sandbox network, analysts monitor them to learn what they are after and what tools they are bringing to bear.  “We can watch the adversaries’ behavior, reconstruct our tools from memory transparently to them, enabling us to develop our intelligence on the fly,” Urias told RandDMagazine in May.

According to Urias, even when hackers eventually discover they are operating in a sandbox, they don’t know when they were moved off the real network, so they don’t know how much of the data they have gathered is the real thing.  “Our intent is to introduce doubt,” Urias said.  “If they get something, is it real or is it fake? The worst horror for an adversary is the identical world, but changed.”

HADES does not, by the way, replace tools designed to detect attacks.  In fact, while HADES provides its own intrusion-detection tools, it is designed to take advantage of third-party applications.  “HADES remains agnostic on this front and provides a flexible [application programming interface] to interact with such tools,” said Urias.

First deployed in 2017, HADES is still under development and is being tested in selective deployments.  According to Urias, it has been deployed at the Florida Institute of Technology and “several facets of the platform” have been deployed at undisclosed location in government and academia.

Posted by Patrick Marshall on Jul 17, 2018 at 12:37 PM


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.