When I joined Acalvio, then a stealth deception startup, one of the questions my co-workers and friends asked most often went like this: okay, tell us why deception is so important that you would move away from DNS security, a subject you have enjoyed working on for such a long time (measured in digital-age years).

You may not know what the acronym DNS stands for, but you have surely touched it if you have ever browsed the Internet or sent an email. DNS provides a simple service: it translates user-friendly domain names such as acalvio.com into the daunting numerical IP addresses, like 52.53.247.197, that your computer and the Internet actually understand. Unless you are a number nerd, it is almost impossible to correctly remember the IP addresses of dozens, or even just a few, of the websites you visit daily, e.g. 74.125.21.100, 173.252.90.36, or 171.159.228.150. For reference, the corresponding websites are listed at the end of this blog.

While preparing my talk “Dark Side of the DNS Force” for the coming Black Hat conference (reference), I revisited and analyzed several high-profile cyber attacks and found that many of these so-called sophisticated threats were actually triggered by simple abuses (innovative use from the dark side, if you like) of networking protocols or by plain misconfigurations. And yet the consequences of such seemingly tiny abuses can be catastrophic and profound for Internet stability and for our daily lives. In cyberspace, it is a sad truth that the dark side has repeatedly won the battles despite the talent, resources, and best efforts behind today’s security products, technologies, and solutions.

So what is wrong with our cyber security? There are many possible reasons, ranging from software complexity to the attacker’s motivation and capability. Although these are all valid, one critical aspect is often overlooked: the asymmetric nature of the warfare between the dark-side attackers and us. Any glitch in our defensive theories or practices is a winning, amplifiable opportunity for the dark side, while there is no extra penalty or risk attached to the dark side’s own missteps. Attackers can continue “trial and error” until they succeed in their missions. This asymmetry stems from the fact that the Internet was originally built on top of a “trusted” model, in which all participants were assumed to be collaborative and well-intentioned, and all digital assets, whether owned by individuals, enterprises, or governments, were assumed to be genuine and real. The dark side exploits this “trusted” model to the extreme: attackers never need to worry about whether the data they stole is authentic, or whether the free DNS service they are using is a trap.

Next-generation cyber deception technology will be a key component of our arsenal for rebalancing this asymmetric warfare by raising the cost and risk of dark-side attacks: no more free rides on the “trusted” Internet. With next-generation deception, for example, an open DNS resolver being used to launch large-scale DDoS attacks may in fact be a monitored decoy server operated by the security research community or a law enforcement agency, and a government employment database may be just a set of fake honey data. By leveraging next-generation deception technologies, we can detect malicious attacks from the dark side quickly and accurately, and enable swift, appropriate responses to contain and remediate the threats.
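To make the decoy-resolver idea concrete, here is an added example (my own illustration, not code from the original post or from Acalvio). An open resolver abused for DDoS is used as a reflector: the attacker sends small queries with the victim’s spoofed source address, and the resolver’s large answers (ANY, TXT, DNSKEY) land on the victim. A decoy resolver that logs every query can therefore spot abuse from two signals per source address: the byte amplification ratio between responses and requests, and the share of queries for large record types. The log format, addresses, and thresholds below are all assumptions constructed for the example; the mitigation policy (reply with a truncated answer so a real client retries over TCP while a spoofed source gets no amplification) is the technique used by Response Rate Limiting in production resolvers.

```python
"""Flag DNS amplification abuse in a decoy open resolver's query log.

Constructed log format assumed for this example (one query per line):
  <epoch> <client_ip> <qname> <qtype> <request_bytes> <response_bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Record types whose answers are large enough to make reflection worthwhile.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample log: 203.0.113.7 is a spoofed reflection target,
# the other two addresses behave like ordinary clients.
SAMPLE_LOG = """\
1700000000 203.0.113.7 isc.org ANY 45 3900
1700000000 203.0.113.7 isc.org ANY 45 3900
1700000000 203.0.113.7 isc.org ANY 45 3900
1700000001 203.0.113.7 isc.org ANY 45 3900
1700000001 203.0.113.7 isc.org ANY 45 3900
1700000001 203.0.113.7 isc.org ANY 45 3900
1700000001 198.51.100.9 www.example.com A 33 49
1700000002 198.51.100.9 mail.example.com MX 36 110
1700000002 198.51.100.9 example.com TXT 36 300
1700000003 192.0.2.50 www.example.com A 33 49
1700000003 192.0.2.50 www.example.com A 33 49
1700000004 192.0.2.50 www.example.com A 33 49
1700000004 192.0.2.50 www.example.com A 33 49
1700000005 192.0.2.50 www.example.com A 33 49
"""


@dataclass
class SourceStats:
    """Per-source-address counters; in a reflection attack the source is the victim."""
    queries: int = 0
    amplifying: int = 0   # queries for record types in AMPLIFYING_QTYPES
    req_bytes: int = 0
    resp_bytes: int = 0

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received (the attacker's multiplier)."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0

    @property
    def amplifying_share(self) -> float:
        return self.amplifying / self.queries if self.queries else 0.0


def parse_line(line: str):
    _ts, client, qname, qtype, req, resp = line.split()
    return client, qname.rstrip(".").lower(), qtype.upper(), int(req), int(resp)


def aggregate(log_text: str) -> dict:
    """Aggregate the assumed log format into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, _qname, qtype, req, resp = parse_line(line)
        s = stats[client]
        s.queries += 1
        s.req_bytes += req
        s.resp_bytes += resp
        if qtype in AMPLIFYING_QTYPES:
            s.amplifying += 1
    return dict(stats)


def suspected_reflection(stats: dict, min_queries: int = 5,
                         min_amplification: float = 10.0,
                         min_amplifying_share: float = 0.8) -> dict:
    """Return the sources that look like spoofed reflection targets.

    Thresholds are assumptions for the example: enough queries to be more
    than noise, a large byte multiplier, and mostly large-record queries.
    """
    return {
        ip: s for ip, s in stats.items()
        if s.queries >= min_queries
        and s.amplification >= min_amplification
        and s.amplifying_share >= min_amplifying_share
    }


def response_action(s: SourceStats, min_queries: int = 5,
                    min_amplification: float = 10.0) -> str:
    """Decoy policy for the next query from this source.

    'truncate' means answer with TC=1 and no answer section: a genuine
    client retries over TCP (which cannot be spoofed), while a forged
    source receives a tiny packet instead of an amplified one.
    """
    if s.queries >= min_queries and s.amplification >= min_amplification:
        return "truncate"
    return "answer"


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:15} queries={s.queries:2} amp={s.amplification:6.1f} "
              f"large-share={s.amplifying_share:.2f} -> {response_action(s)}")
    print("suspected reflection targets:", sorted(suspected_reflection(stats)))
```

Because the flagged “client” is really the victim, the decoy should never block it outright (that would complete the denial of service for the attacker); truncating is the safe default, and the query stream itself is the intelligence a research or law-enforcement operator wants to collect.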

Next-generation deception differs from traditional honeypots in many aspects by addressing the following hard problems:

- Deception sensors must not disclose themselves and must be hard for the dark side to detect or fingerprint;

- The combination of low- and high-interaction deception sensors and servers must enable scalable deployment in terms of volume, variety, and capability;

- Seamless integration with existing and future perimeter-based security products and solutions must support better threat information gathering, processing, and response.

Now you can guess my answer to my co-workers and friends: deception is a true necessity for cyber security. You can find more insights about the next-generation deception technologies we are working on at Acalvio in other blogs (references) written by my colleagues. I also plan to continue this discussion on a few more topics, such as active deception, in the near future.

Stay tuned and thanks.

The IP addresses of the websites cited in this blog:

52.53.247.197:    acalvio.com

74.125.21.100:    google.com

173.252.90.36:    facebook.com

171.159.228.150: bankofamerica.com

DS.

————

Erik joined Acalvio as our VP of Security Research. Prior to this new endeavor, he built an Internet-scale platform and service for emerging-threat collection, analysis, and enforcement at Nominum. Erik brings many years of experience in the cyber security industry, including roles as chief scientist at Damballa, principal scientist at McAfee, and head of advanced threats research at Trend Micro.