Monthly Archives: October 2004
Real-Time IT Security Management With CyberShield
You’ve probably not heard of CyberShield Networks. It isn’t a big company yet, but it has some very interesting security technology, which may make a difference to the IT security picture. The company refers to it as Intrusion Prevention and Deception Management. So what does “deception” mean in this context?
Well, first of all, this is a sophisticated idea. Some organizations (but only a few) have set up what are called “honey pots”. The term means what it implies: a trap to deflect hackers from their real target and tie them up as they attack what is, in reality, a safe, isolated environment. Setting up a “honey pot” is not a simple task. It involves deflecting the hacker from the actual target into a network that looks (to the hacker at least) as though it is a real environment running real applications. While the hacker invades these “safe” machines, you can gather information on the hacker and possibly discover who it is and what they are trying to do.
So far this sounds simple, but technically it is complex, because a “honey pot” is a system just like any other and it needs to be maintained:
- Because it needs to fool the hacker in a convincing way. (So you need to update all the software that it runs so the hacker doesn’t suspect being caught in a honey pot.)
- Because it is imperative that it does not actually provide a way in to the real network. There are incidents where a “honey pot” has been compromised and simply served as a springboard into the systems it was trying to protect.
This is why few organizations build honey pots. It can be expensive and it can also be a source of problems. But the idea is a good one if it can be implemented inexpensively and securely.
Installing a network that exists solely for the purpose of deflecting hackers clearly has a cost, but providing a virtual environment that does the same thing is a lot less expensive. This is the idea that CyberShield Networks implements – not a physical “honey pot” but a virtual one that is under control and able to report on everything that is happening. Virtualization has virtues, there can be no doubt. One virtue is that the honey pot places a negligible load on the rest of the environment and only requires a small amount of hardware – CyberShield’s IPDM device, which is simply plugged into the network.
So how does it work? Well, putting it very simply, it identifies attackers at the network level: any attacker has to scan the network, and the device treats that scanning as evidence of “intent”. As soon as it detects such activity, it activates a virtual honey pot and directs the attacker into it. CyberShield claims that it can identify attacks with 100 percent accuracy – which is, of course, a huge claim – but it does sound feasible (from my knowledge of networking at least).
After that, the IPDM can monitor what the attacker does within the honey pot and do two things:
- Gather information on the attacker, which can be analyzed to determine where the attack is coming from.
- See what techniques the attacker uses to try to gain control of any computing resource.
It is the gathering of information that makes this technology look very promising. The second point is, for me at least, more impressive than the first, because CyberShield gathers the knowledge of how the hacker was attempting to gain access and can then check whether the actual network is vulnerable to the techniques being tried, and, if it is, update the network to protect it against the newly discovered vulnerability. That’s the theory anyway.
Add it up and it amounts to a real-time threat management system with a very high level of effectiveness against all threats, including zero-day threats, coupled with an intelligence-gathering capability against the intruder that very few other IT security products can provide.
This is fairly recent technology so, at this point, I have no realistic figures on how much more secure this is compared to other IDS systems, but I have to admit to being impressed. This approach to IT security looks to have great potential.
Posted in Briefings
Tagged Cybershield, CyberShield Networks, IT Security, IT Security Management, Subject, Vendor