Deception May Be the Best Way to Catch Cybercriminals

Gotcha!

That is the goal behind an increasingly popular cybersecurity tactic in financial services that relies on deception to lure hackers into a fake network component, server or database to study their behavior and — ideally — to shut them down.

Large banks and credit unions are interested in the technology and are starting to use it, software vendors and other experts say.

"For banks and credit unions it makes sense to have … an early-stage heads-up that you have been hacked and can get your incident-response team going on it immediately," said Stu Sjouwerman, founder and chief executive of the security-consulting firm KnowBe4.

Banks appreciate the technology as they are constantly under threat, said Tushar Kothari, the CEO of Attivo Networks, who says five of the top ten U.S. banks use his company's software. "Most banks are now keen on beefing up security; if malware gets through the perimeter, they want to quarantine and neutralize that threat as soon as possible."

It feels counterintuitive: if attackers have broken into a network, wouldn't banks want to destroy them, rather than fool them into thinking they have hit pay dirt?

There are a few reasons why deception makes sense.

First, the software is actually a last-resort measure. It is the Plan B — a network has been accessed, a data breach has occurred, and the targeted bank wants to figure out who the intruders are and to share information about them among its staff members and with other institutions. It is a way for the bank to know it is the victim of a data breach right away rather than six months later as often happens.

Second, quarantining hackers in a "deception environment" can drain their resources until they figure out later that they have been duped.

"Today we use a sledgehammer — we detect you and you're blocked," explained Lawrence Pingree, research director at information-technology consultant Gartner. "You know for darned sure you've been detected. If we start to deceive you, we can make you spin your wheels and that's an economic burden."

Third, banks can learn a lot about the attackers and their tools and methods, to block future incursions. "You have to get the detail of their entire attack to be able to nab them in the future," Pingree said. "This doesn't mean we allow them to breach our data. It means that when we detect them, we start to deceive them, isolate them from real systems and we watch them."

Evolution of 'Honeypots'
Deception has long been part of the art of war. During World War II, the U.S. and British armies set up fake camps to convince the Germans that they were in one spot when they were actually heading to an attack elsewhere, tricking the enemy into preparing for the wrong attack.

In modern times, the Defense Department has used so-called honeypots to try to catch cybercriminals. The word honeypot comes from the days when farmers would put honey out to lure bears who were killing their livestock, and wait in a blind to shoot them. Honeypot software creates a fake system that sits on a network and exposes emulated or real services to the attacker.

"You could do things like emulate an Apache server and make it look like Apache is running somewhere when it isn't," Pingree said. "Or you could run a real copy of Apache that's monitored."

As soon as an attacker sends data to the honeypot, it issues an alert. The attacker will most likely start rummaging around, performing passive scans of hosts on the network. The beauty of a honeypot is that legitimate users know it is fake, so the only people accessing it are cybercriminals and hackers. That means there are no false positives and no need to filter out the noise that occurs in most fraud-detection systems.

"The biggest problem with security-transaction monitoring is you have to filter out what's good and what's bad," Pingree said. "But if it's a decoy, everyone that's hitting it is bad."
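The mechanism described above is simple enough to show in code. The following is an added example, not software from any vendor named in this article: a minimal TCP decoy that answers with a constructed Apache-style banner (the emulation Pingree describes) and turns every connection into an alert record. The decoy name, banner text and alert fields are assumptions chosen for illustration; the point it demonstrates is that because no legitimate client has a reason to connect, the alert path has no filtering step at all.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: makes the decoy look like a web server it is not.
FAKE_BANNER = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
               b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def build_alert(peer, first_bytes, decoy="fake-apache"):
    """Turn one connection to the decoy into an alert record.

    No legitimate user talks to the decoy, so every connection is
    reported as-is: there is no allow-list and no scoring step.
    (Field names are assumptions made for this example.)
    """
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "decoy": decoy,
        "src_ip": peer[0],
        "src_port": peer[1],
        # Keep a short, printable sample of what the peer sent for triage.
        "first_bytes": first_bytes[:64].decode("ascii", "replace"),
        "severity": "high",
    }


class DecoyServer:
    """Listens on a loopback port and records an alert for every connection."""

    def __init__(self, host="127.0.0.1", port=0, sink=None):
        self.alerts = []
        # sink is where alerts go; a real deployment would forward to a SIEM.
        self.sink = sink or self.alerts.append
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]  # port 0 lets the OS pick one
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        self._sock.settimeout(0.2)  # wake periodically to check for stop()
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""  # a bare connect with no payload still alerts
                # Record the alert before answering, so the alert exists by
                # the time the peer sees any response.
                self.sink(build_alert(peer, data))
                try:
                    conn.sendall(FAKE_BANNER)
                except OSError:
                    pass

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


def probe(port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed stand-in for a scanner touching the decoy: one request."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        return s.recv(1024)


def demo():
    """Start a decoy, hit it once, and return (alerts, response seen by peer)."""
    srv = DecoyServer().start()
    try:
        resp = probe(srv.port)
    finally:
        srv.stop()
    return srv.alerts, resp


if __name__ == "__main__":
    alerts, resp = demo()
    for a in alerts:
        print("ALERT", a)
```

In practice the `sink` would hand the record to the incident-response tooling rather than a list, and the decoy would be placed where only an intruder moving laterally would find it; the design choice worth noticing is that the alert is emitted unconditionally on connect, which is exactly why a decoy has no false-positive filtering to tune.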

Yet first-generation honeypot software is considered immature and because it is open-source, hackers as well as anyone else can download and analyze it.

Next Generation
The newer generation of honeypot software is generally called deception software. (Pingree calls it "distributed decoy systems.") Unlike earlier incarnations, it can be centrally managed, integrated with other security software and run without special hardware. It can use virtualization to deploy many traps simultaneously.

These advances combined with the dire state of cybersecurity in financial services have made the products more popular, Pingree said.

Gartner identifies four layers of what it calls the "deception stack": network, endpoint, application and data. At each layer, intruders can be fooled — with, say, fake credentials in the browser caches of decoy workstations, phony files and data sets. An endpoint might be set up to look like it runs a particular version of Windows when it is really a Linux machine, and deceive malware into attacking vulnerabilities it doesn't have.

Once an attacker is snared, "we continue to entertain him to find out what he knows about the bank, then the bank can give back false data to lay traps for bad guys," Kothari said.

A decoy document made to look like it contains, for instance, new product designs, could be embedded with a tracking element that will let the bank know when, and from where, it was opened.

"If you have hidden technology in that document, you have this beacon calling home with a bunch of information including potentially even a picture of the bad guy behind his computer," Sjouwerman said.

Software companies such as Attivo Networks, TrapX Security, Allure Security Technology, CyberTrap, Cymmetria, ForeScout, GuardiCore, Hexis Cyber Solutions, LogRhythm, Percipient Networks, Rapid7, Shape Security, Specter, and TopSpin Security all offer new twists on the old honeypot idea.

Deception's Limits
If hackers know what they are doing — say they have obtained correct credentials for a system and know where the crown jewels are without having to rummage around — honeypot or deception software might accomplish nothing.

But as a piece of a much bigger defensive strategy — including antivirus software, authentication controls and intrusion prevention — deception software is useful, observers say.

"This will significantly raise the odds of detection and lower false positives," Pingree said. "That's the key ingredient. If I start hunting around the network and causing alarms to go off, because I've hit a distributed decoy, I'm for sure somebody looking around who shouldn't be."
