Building walls isn't enough to keep attackers out, so the trio of co-founders behind CounterCraft are offering companies a new weapon in their security arsenal: easy-to-make honey traps that look and act like the real thing.
CounterCraft has built a framework for building deception tools, such as fake systems and networks. When hackers attack the false environment, security staff can lock down real systems and observe attackers to uncover their motives and other key forensic information.
The idea has attracted the attention of GCHQ, with CounterCraft picked as one startup to take part in an accelerator run by the government surveillance organisation. We spoke to co-founder Daniel Brett to find out how the technology works.
What does your system do?
The idea of honeypots has been around since the beginning of IT security, but they tend to be more emulated, more static systems. So it's very obvious that you're getting at something that's been set up to fool you.
Our tools allow you to build up false environments that can confuse and engage with adversaries. And then, whilst they're in that environment, our tool would extract information about the adversaries. And then all of the information we gather would get pumped back into your typical IT security defence system.
The difference [versus a standard security system] is trying to treat your adversaries as a resource... of information that can help us improve the whole defence structure.
How do security staff use your tools?
We give them a series of playbooks of typical campaigns that people use, and they can range from something as simple as an insider threat to a focussed reconnaissance from external companies. And then it's up to them to adapt this and make it something that is specific and tailored to their exact business.
We need to build something that actually really does look like a real IT structure... then we have to work out where to deploy them. If someone does come across these systems and start engaging and interacting with them, then we have to take decisions about what to do next. That can be as simple as deciding that we just want information and now we're shutting down the system, or you may want to take real steps and deploy more decoy systems that take them down a path, to see what technical skills they have. That's where we start engaging to extract information from the adversaries.
What about smaller companies without a dedicated security staff?
We think at the moment the only people that can actually take advantage of these kind of systems will be the big, more mature companies. However, we want to learn how they use it and be able to build up automation, perhaps even some degree of machine learning... and then be able to encapsulate this in a much more midmarket product. But probably that'll be two years from now. At the moment we think the people who are going to get value from this are going to be the big corporations.
What sort of attackers have you seen?
We can't actually talk about who our clients are, nor can we talk about what we've seen. But in the last three months we've been on an accelerator with GCHQ, which is fascinating. Obviously, the people we are working with there, their daily job is dealing with the defence of a nation, a lot of very high-level attacks.
Aside from companies, who else could use CounterCraft's tools?
We've got a great European project called Titanium... working on Bitcoin with Europol, Interpol, and University College London, trying to mathematically pinpoint and identify bad Bitcoin transactions. They want to investigate how we can use our system to work out who's behind those bad transactions. We're very excited to start that project; it will be a new and interesting proactive way to be using our tool outside of its typical corporate environment.
This article first appeared in PC Pro
Main image credit: Bigstock
