Turning the tide: Baiting the hook to catch the hacker

The hacking community has cost organisations around the globe many millions of dollars in lost time and revenue. In SA, hackers pose a huge security threat - even though companies often do not openly admit this. Graham Vorster, chief technology officer at Duxbury Networking, says it's time to take a more aggressive stance with hackers as he describes new methods of 'hacker baiting'.

Johannesburg, 17 Jun 2004

Cyber criminals - often labelled hackers - are openly demonstrating their self-styled positions of "invincibility" by dramatically increasing the scope of their activities to include theft on the grandest of scales, money laundering, extortion and other high profile crimes.

No longer content to break into and deface corporate Internet sites for fun, the meanest of them all, the so-called "black hat" hacker, is after bigger fish and is not afraid to push the limits of technology to achieve his objectives.

Tide is turning

Hacking has become such a destructive - not to mention costly - activity that victims are now looking for retribution. The tide is turning against hackers as new-generation technology is being pitted against them. Battle lines have been drawn.

Who will win this cyber war?

According to members of a growing band of "hacker baiters" that has sprung up in the US, the hacker is in for a rough ride from now on. This is thanks to new disinformation products being developed in labs staffed by data scientists dedicated to giving hackers a dose of their own medicine.

Hacker baiting

Hacker baiting solutions are set to discourage even the most sophisticated attacker by feeding him a raft of false information and painting completely false pictures of target computer systems.

This "smoke and mirrors" approach is designed to change the appearance of the network under attack to the point where it appears either bigger or smaller or differently configured to the real thing.

While the hacker sets out to gain knowledge of the network to formulate his break-in strategy, he is led on a wild goose chase that will - if everything goes according to plan - tax his resources to the maximum. This will have bought valuable breathing space for the organisation and given it an opportunity to waste the intruder's time, forcing him to execute unnecessary actions by providing him with false positives on the attack.

Security

Early evidence is that hacker baiting could soon be seen as the first line of defence in a security infrastructure for companies of all sizes.

For a small company with a not-so-complex network, this practice can represent the organisation as just the opposite to the hacker - a large company with a highly complex computing infrastructure.

While the hacker might get excited at the prospect of "cracking" this site, he will be forced to spend many hours on useless investigative work. At the same time, the organisation will be able to keep one step ahead of any pending attacks.

On the other side of the coin, a large, complex, enterprise-wide LAN/WAN can be camouflaged to look like a simple and boring small business or even home-office network composed of very few machines running outdated software.

Chameleon networks

Technologists are now working on an evolution of this thinking: the 'chameleon network'. This is an infrastructure in which it appears as if objects are constantly changing their appearance.

For example, a Windows 2000 system may be configured to look like a Windows NT system - and then like a Linux system.

By changing the appearance of the network - and the devices on it - the hacker is confused and forced to re-evaluate the topology and characteristics of the network over and over again.

All the time, network administrators can study the actions of the intruder and identify new attack signatures. Existing firewalls and intrusion prevention systems can be updated and even modified in the light of this intelligence.

In a crafty switch on the "denial of service" attack so favoured by hackers, the "baiting administrator" can now positively respond by creating millions of imaginary records for a hacker to verify. This will force him to go through laborious to-do lists that, even if executed, will be a complete waste of time.

Is it this easy?

What about hackers who spot attempts at baiting? The ability to separate fake objects from real ones on a computer system is called fingerprinting.

Fingerprinting is possible. In fact, hackers do this continuously as it allows them to identify specific brands of intrusion detection systems and apply the appropriate counter measures and cracking tools.

According to the experts, one of the keys to high-technology hacker baiting is to project real systems based on an inventory, or server farm, of real network-based objects (OS, applications, services, etc).

If these systems are installed according to the standard policy, they look like everything else on the network. So fingerprinting based on emulation is impossible since nothing is emulated.

Hackers can also fingerprint by identifying default responses from software data structures and by identifying minute time delays in response from traffic redirection on the network.

To counter these "give-aways", administrators should "mix-and-match" different connectivity speeds or protocols on the network.
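A defender can audit a decoy deployment for the timing give-away described above before relying on it. The following added example (not from the original article) compares response-time samples from production hosts and decoys with a permutation test on the medians; all sample values are constructed and the function names are hypothetical.

```python
import random
import statistics

# Constructed round-trip times in milliseconds (not measured on any real network).
REAL_HOSTS_MS = [1.02, 0.98, 1.10, 1.05, 0.95, 1.01, 1.07, 0.99, 1.03, 1.00]
# Decoy reached through a traffic-redirection hop: consistently slower.
REDIRECTED_DECOY_MS = [1.41, 1.38, 1.52, 1.45, 1.36, 1.49, 1.40, 1.44, 1.39, 1.47]
# Decoy built from a real system on the same segment: same timing profile.
NATIVE_DECOY_MS = [1.04, 0.97, 1.08, 1.02, 0.99, 1.06, 0.96, 1.03, 1.01, 1.05]


def permutation_p_value(a, b, rounds=5000, seed=1):
    """Two-sided permutation test on the difference of medians.

    Returns the fraction of random relabelings whose median gap is at
    least as large as the observed one (with the usual +1 correction).
    """
    rng = random.Random(seed)  # fixed seed keeps the audit reproducible
    observed = abs(statistics.median(a) - statistics.median(b))
    pooled = list(a) + list(b)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        left, right = pooled[:len(a)], pooled[len(a):]
        if abs(statistics.median(left) - statistics.median(right)) >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)


def audit_decoy(real_ms, decoy_ms, alpha=0.01):
    """Report whether a decoy's latency stands out from production hosts."""
    p = permutation_p_value(real_ms, decoy_ms)
    gap = statistics.median(decoy_ms) - statistics.median(real_ms)
    return {
        "median_gap_ms": round(gap, 3),
        "p_value": p,
        # True means timing alone separates the decoy from real hosts.
        "distinguishable": p < alpha,
    }


if __name__ == "__main__":
    for name, samples in [("redirected", REDIRECTED_DECOY_MS),
                          ("native", NATIVE_DECOY_MS)]:
        print(name, audit_decoy(REAL_HOSTS_MS, samples))
```

A decoy flagged as distinguishable is one whose latency should be brought in line with production hosts, for example by placing it on the same segment or varying link speeds as the article suggests.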

Deception is a great strategy to prevent attacks that cost millions in damage. The systems of the future will routinely include innovations to fool or bait hackers - systems in which little evidence of what is real or fake is to be found.

Editorial contacts

Michele Turner
HMC Corporate Communications
(011) 463 4611
Michele@hmcom.co.za
Graham Vorster
Duxbury Networking
(011) 646 3323
Gvorster@duxnet.co.za