Beyond honeypots: HADES tricks hackers into giving up their secrets

Researchers at Sandia National Laboratories have put a new twist on honeypots -- isolated networks designed to attract and trap hackers -- by creating an entire virtual environment that tricks hackers into sticking around so their actions can be monitored and their secrets learned, all without risking an organization’s real operational network.

The system is evocatively named HADES, for High-Fidelity Adaptive Deception & Emulation System. “The main thrust of HADES is to provide a deception environment and continue a deception campaign to tease out relevant intelligence and signatures of an ongoing attack,” Vincent Urias, a Sandia National Laboratories computational researcher, told GCN.

On the technical side, HADES leverages cloud technologies -- in particular, software-defined networking and virtual machine introspection -- to quickly move a virtual system that has been compromised from the production network to a high-definition virtual copy of that network that lacks, of course, true copies of sensitive data. “We can move the state of that virtual machine to another part of the network and start emulating the world around it,” Urias said.

While intruders unknowingly probe that sandbox network, analysts monitor them to learn what they are after and what tools they are bringing to bear.  “We can watch the adversaries’ behavior, reconstruct our tools from memory transparently to them, enabling us to develop our intelligence on the fly,” Urias told RandDMagazine in May.

According to Urias, even when hackers eventually discover they are operating in a sandbox, they don’t know when they were moved off the real network, so they don’t know how much of the data they have gathered is the real thing.  “Our intent is to introduce doubt,” Urias said.  “If they get something, is it real or is it fake? The worst horror for an adversary is the identical world, but changed.”

HADES does not, by the way, replace tools designed to detect attacks.  In fact, while HADES provides its own intrusion-detection tools, it is designed to take advantage of third-party applications.  “HADES remains agnostic on this front and provides a flexible [application programming interface] to interact with such tools,” said Urias.

First deployed in 2017, HADES is still under development and is being tested in selective deployments. According to Urias, it has been deployed at the Florida Institute of Technology, and “several facets of the platform” have been deployed at undisclosed locations in government and academia.


Posted by Patrick Marshall on Jul 17, 2018 at 12:37 PM

