BAIT AND SWITCH

A graduate of the British spy agency’s startup incubator is using fake news to fight hackers

Learning the tricks of the trade.
Learning the tricks of the trade.
Image: Reuters/Ben Birchall
By

A startup that has just graduated from the accelerator run with the help of GCHQ, the British government’s intelligence agency, wants to lure hackers into computer networks using a form of fake news, while secretly observing them to gather intelligence.

The company, Countercraft, sells a tool that generates a series of cues to bait hackers into thinking they are penetrating a system. In fact, the attackers are revealing their attack methods in an isolated part of a system where they can do no harm.

Countercraft’s approach is called a “deception technology.” It’s a tactic that’s gaining ground among big companies that are the target of cyberattacks.

“This ‘deception environment’ allows us to learn from the adversary and treat them as a resource, so we can discover the tools they are using,” says Countercraft co-founder Dan Brett. “Are they low-grade nation-state actors? Script kiddies? Hacktivists?”

The research firm Gartner has estimated that 10% of companies will use deception tools and techniques by 2018. It’s a shift from existing cybersecurity systems that focus on alerting targets to incursions. “That’s like closing the windows and locking the doors. But what if [attackers] do something unexpected, like come in through the roof?” Brett says.

Countercraft sells templates of “security narratives” to its customers. These are storylines that start with bait for would-be attackers who are already sniffing around a company as a target. This might be a comment in the source code of an app; a security certificate uploaded to the Shodan search engine (which indexes all sorts of connected devices, like security cameras); or a particularly enticing LinkedIn profile to attract a phishing attack.

“We try to sprinkle clues online,” Brett says.

Once the attackers take the bait, they then progress through the narrative, encountering tougher and tougher challenges. The idea is to get the attackers to reveal their methods, while misdirecting them. This helps the target create a profile of the attacker, which might be matched to existing profiles or shared with law enforcement agencies, Brett says.

Countercraft’s jargon puts a modern spin on an age-old security technique: the honeypot. Brett says his team has learned even more about honeypot techniques from GCHQ. “[Using honeypots] has been going on for a long time at organizations like GCHQ, but bringing it to corporations is new,” he says.

At least some enterprises are willing to try luring hackers with fake leads. Brett says his firm has a handful of clients in banking, the retail industry, and in government, who pay an annual fee for Countercraft’s tool, although he won’t name them.

“Are we the first post-truth startup of 2017? It has come up in conversation,” says Brett. “It is ‘fake news’ but we are trying to use it in the best way possible for defense.”