The Washington Post’s Ellen Nakashima wrote another cutting-edge article on innovative approaches to network defense. I’ve blogged before about honeytokens, deceptive files that leave hackers with false data while flagging the intrusion to defenders. The article suggests that their use is growing, as other defensive techniques prove ineffective:
Brown Printing Co…began planting fake data in Web servers to lure hackers into “rabbit holes” in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.
“We’re taking the hackers’ strengths and we’re making it their weaknesses,” said Nathan Hosper, a senior information technology officer at Brown. “They get caught up in this cycle of fake information.”
US officials and many security experts caution companies against taking certain steps, such as reaching into a person’s computer to delete stolen data or shutting down third-party servers.
Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire — hackers who identify data as bogus may be all the more determined to target the company trying to con them.
I might be cutting the FBI too much slack. Just think – if you call 911 to report a home invasion, at least the police will send someone to your house who is armed and ready to take on the intruder. (Whether they’ll arrive in time is a different question, leading to the familiar saying, “When seconds count, the police are just minutes away.”)
Try calling the FBI to report a network intrusion, and you’ll get a stifled yawn and a request to meet with your CEO for relationship building purposes. Given the government’s meager capabilities against cyberespionage, discouraging corporate self-help is particularly irresponsible.
In all actuality, not everything the bureau said was wrong. Shutting down third-party servers probably is illegal under the Computer Fraud and Abuse Act. However, I doubt that companies are acting unlawfully when they delete their own files from a hacker’s computer, though I recognize that Orin Kerr has a different view, and the Justice Department may be closer to Orin than to me on this.
I don’t know anyone who thinks that it violates federal law to deploy honeytokens on your own network. So when FBI officials caution that using deceptive files that way could make you more of a target, they aren’t giving legal advice. They’re giving “leave it to the FBI” advice, in a field where leaving it to the FBI is a recipe for failure.
It sounds like they’re talking through their, uh, hats. In what way will deploying fake files “backfire”? Sure, fake files may not work forever; the hackers may come back and look harder for the real stuff, but is that really a reason not to deploy them?
Here’s a thought experiment: In option A, you don’t use fake files, so bad guys who break into your network steal your data. In option B, you do deploy fake files, so the bad guys steal bad data, and you find out that you’re a target whose current security isn’t sufficient. After that, either the bad guys are fooled by the bad data and they waste time and money acting on it, or they figure out that it’s bad data and they have to go back and find the real data on a system that you’ve had time to harden. And according to the FBI, option B is the one that might “backfire”?
(I recognize that it’s also possible that the hackers will get mad about being fooled and will destroy files or take other retaliatory actions that they wouldn’t take if they got the good stuff right away. But I’m skeptical. First, that’s a big escalation in tactics that we haven’t seen yet from cyberspies, probably for good reason. Second, that would be astonishing advice from a law enforcement agency, the equivalent of: “Better let these criminals steal you blind; otherwise they might burn down the store” or “Cooperate with hijackers so they don’t have to kill any hostages” or “Resisting a rapist will only get you beaten, stabbed or shot.” If that’s the FBI’s official position on cybercrime, it means they’ve officially given up.)