The Energy Department has created a honeypot on steroids.
Energy’s Sandia National Laboratories, a multimission U.S. National Nuclear Security Administration research and development lab, has developed a tool called the High-Fidelity Adaptive Deception and Emulation System, better known as HADES.
Like a traditional honeypot, HADES is designed to mimic the look and feel of a real system to attract the attention of hackers. As the department explains in a news release, once inside, “cloned virtual hard drives, memory and data sets create a simulation very much like the reality. However, certain artifacts have been deliberately, but not obviously, altered.”
HADES started out as a research project in 2017, and won a 2017 R&D 100 award and a 2018 Government Innovation Award. Since then, Sandia has worked with Splunk to enhance the system’s capabilities. The long-term goal is to allow other federal agencies to take advantage of HADES.
“The hopes are to help cross-sectional .gov and commercial networks,” Vincent Urias, distinguished member of the technical staff at Sandia who helped develop HADES, tells FCW.
How HADES Helps Sandia Learn Hackers’ Moves
Sandia develops, engineers and tests non-nuclear parts of nuclear weapons, as FCW reports, which makes the lab’s IT infrastructure a major target for cyberattacks.
As Urias explains in a news release, using HADES, Sandia may lure a hacker in, who then may report to his or her handler that he or she has broken into the lab’s system and will be sending back reports on the lab’s “real” activities.
“Let’s say they spent 12 months gathering info,” he says. “When they realize we’ve altered their reality, they have to wonder at what point did their target start using deception, at what point should they not trust the data? They may have received a year or so of false information before realizing something is wrong.”
Urias adds: “A hacker informing his boss that he’s discovered a problem doesn’t do his reputation much good, he’s discredited. And then the adversary must check all data obtained from us because they don’t know when we started falsifying.”
At its heart, HADES is a “threat intelligence platform that is tailored to specific environments,” Urias tells Federal News Network.
HADES uses software-defined networking and virtualization to move virtual machines “into a completely isolated environment that could have completely synthetic things,” Urias tells Federal News Network. “Imagine if you had a laptop plugged in one part of the network, and we just moved you to an isolated network that may have a full, rich set of services that were not real but looked real to you, and let them play the game.”
Sandia uses HADES to make the IT environment look “as lived-in as possible,” and can tailor applications, browser history, document history, users’ identities, domain identities and other elements an attacker would see in a normal enterprise, Urias says.
Additionally, Sandia has been working with Splunk Enterprise to pull data from the artificial environment. Splunk’s tools help Sandia analyze the attacker’s moves in real time, including “what tools are being used, what time the attack infiltrated the network, where it got in and other details that can be hard to pin down afterwards,” FCW reports. The Splunk tools help HADES “identify and analyze criminal behavior and then apply countermeasures,” according to Federal News Network.
Frank Dimina, the vice president of public sector at Splunk, tells Federal News Network that agencies need to read and analyze cybersecurity data at machine speed to be effective.
“All the machine data that comes from a network is incredibly messy and unpredictable, and managing the data is hard, especially when it’s locked away in legacy technologies,” he says. “Through the use of high-precision time stamps, HADES lets defenders sift through logs and funnel that intelligence to real operational networks, where they can extract what they need to harden their production networks further. This is a real-time use.”