Picture a bank robber (complete with tiny black mask and oversized sack, of course). He operates at night, slipping past the security cameras and alarms to make it inside. He blackmailed an employee to give him the combination to the vault, but when he swings open the heavy door, he's greeted with a surprise. Inside are 100 smaller safes, each with their own combination lock and each labeled "money."
That's basically the scene that Russian hackers encountered when they tried to mess with the 2017 French presidential election. According to reports from President Emmanuel Macron's security staff, the Macron campaign fooled the cyberattackers -- or at least slowed their progress substantially -- by stuffing their own servers with phony documents and made-up passwords.
"We created false accounts, with false content, as traps," Macron's digital director, Mounir Mahjoubi, told The New York Times. "We did this massively, to create the obligation for them to verify, to determine whether it was a real account. Even if it made them lose one minute, we're happy."
It's called "cyber-blurring" or "cyber deception," and the thwarted French election hack provided one of the first public examples of a creative cybersecurity technique that shifts the power away from hackers and back to the home team.
"It's about taking control," says Gadi Evron, cybersecurity expert and CEO of Cymmetria, a security firm that helps organizations protect sensitive data by luring hackers into a hall of mirrors built from decoy servers and phony documents.
"Cyber deception says, 'We're not taking it lying down anymore. We're no longer waiting for them to come in,'" says Evron. "It's about controlling your own network. Controlling the geography of the battlefield. If they go into my home, I know how I want to arrange things so that they go where I want them to go."
The conventional cybersecurity strategy for large organizations was to play defense, scrambling to identify incoming attacks and patch holes in the network. It was the job of the security team to monitor the network vigilantly and work out which activity was benign and which was a threat. Likewise, it was the responsibility of regular employees to decide which emails were legitimate and which were phishing scams.
But folks like Evron felt that short-staffed IT departments were expending way too many resources trying (in many cases, unsuccessfully) to keep the bad guys out of the network. What if, instead, we left the door open and set a trap inside? (Thank you, "Home Alone.")
Cymmetria sells a product called MazeRunner that's specifically designed to detect "lateral movement" inside a secure network. When a hacker infiltrates a system -- maybe with a username and password stolen through a phishing scam -- he doesn't know exactly what he wants to steal, so he moves from server to server looking for the juiciest assets.
MazeRunner lays down realistic breadcrumbs for unwitting hackers to follow, leading them into decoy servers that are rigged to alert the security team. All it takes is one false move, one wrong turn in the maze, and the hacker trips the alarm.
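To make the breadcrumb idea concrete, here is a small added example of how a decoy-credential alert works; it is not Cymmetria's MazeRunner code, and the account names, hostnames, addresses and log lines in it are all constructed for illustration. Decoy accounts are planted on workstations and never used by staff, so any sign-in attempt with one is a high-confidence alert, and a record of where each breadcrumb was planted tells the security team which workstation the intruder harvested it from.

```python
# Added illustration of decoy-credential ("breadcrumb") alerting.
# This is not Cymmetria's MazeRunner code; the account names, hostnames,
# addresses and log lines below are all constructed for the example.
import re
from dataclasses import dataclass

# Decoy credentials planted on workstations, mapped to where each was
# planted. Staff never use these accounts, so any sign-in attempt with one
# is a high-confidence alert, and the mapping tells you which workstation
# the intruder harvested the credential from. (Constructed.)
DECOY_ACCOUNTS = {
    "svc_backup_admin": "ws-112",
    "finance_share_ro": "ws-140",
}

# sshd-style auth log line; the 'invalid user' prefix is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    decoy_user: str
    planted_on: str   # workstation the breadcrumb was seeded on
    target_host: str  # host the intruder tried the credential against
    source_ip: str
    result: str       # "Accepted" or "Failed": both matter for a decoy


def parse_line(line):
    """Return the parsed fields of an auth log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Raise an Alert for every authentication attempt that names a decoy account."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in DECOY_ACCOUNTS:
            continue
        alerts.append(Alert(
            timestamp=rec["ts"],
            decoy_user=rec["user"],
            planted_on=DECOY_ACCOUNTS[rec["user"]],
            target_host=rec["host"],
            source_ip=rec["src"],
            result=rec["result"],
        ))
    return alerts


def lateral_paths(alerts):
    """Group alerts by source address into the ordered list of hosts each
    source touched, which is the intruder's route through the maze."""
    paths = {}
    for a in alerts:
        route = paths.setdefault(a.source_ip, [])
        if not route or route[-1] != a.target_host:
            route.append(a.target_host)
    return paths


# Constructed sample log: one legitimate login, one intruder trying both
# decoys from 10.0.5.77, and one unrelated failed login.
SAMPLE_LOG = [
    "2024-05-02T09:14:01Z ws-112 sshd[4101]: Accepted password for alice from 10.0.5.23 port 51244 ssh2",
    "2024-05-02T09:15:33Z decoy-host-01 sshd[2210]: Failed password for svc_backup_admin from 10.0.5.77 port 40212 ssh2",
    "2024-05-02T09:15:36Z decoy-host-01 sshd[2211]: Accepted password for svc_backup_admin from 10.0.5.77 port 40213 ssh2",
    "2024-05-02T09:20:02Z decoy-host-02 sshd[2304]: Accepted password for finance_share_ro from 10.0.5.77 port 40290 ssh2",
    "2024-05-02T09:21:10Z ws-113 sshd[4150]: Failed password for invalid user test from 10.0.9.9 port 33001 ssh2",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} decoy {a.decoy_user} (planted on {a.planted_on}) "
              f"used against {a.target_host} from {a.source_ip}: {a.result}")
    print("routes:", lateral_paths(found))
```

Run against the sample log, the legitimate login and the stray failed login produce nothing, while the three attempts against decoy accounts from 10.0.5.77 become alerts, and the route function shows that source moving from decoy-host-01 to decoy-host-02. Because the decoys have no legitimate use, there is no baseline of normal activity to tune against, which is why this kind of alert is far less noisy than generic anomaly detection.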
Other active defense tools offered by cybersecurity companies include the "honey badger," a live server with no real use, complete with administrative controls; if it is hacked, it locates the source of the cyberattack and tracks its location with a satellite picture. Another is placing "beacons" in documents that detect when and where data is accessed. There is even the controversial — and illegal — technique of hacking back, in which the company accesses the hacker's computer to delete its data or take revenge in some other way.
Evron says that proactive security measures like MazeRunner have become the industry standard, purchased and installed by large financial institutions, tech companies and other Fortune 500 businesses. That wasn't always the case. Just three years ago, a private company taking such an aggressive counterintelligence stance would have been on the fringe.
But John Hultquist, director of cyberespionage analysis for FireEye, still thinks that a lot of companies balk at entering the world of counterintelligence.
"Are these countermeasures the realm of law enforcement or national security assets, or do private companies feel comfortable in that space, altering information, actually engaging with the adversary versus taking a more passive role?" asks Hultquist.
For organizations thinking about attempting a Macron-style deception campaign by creating reams of phony documents, the technique isn't without risks.
"The biggest danger being that you're now putting out information that others may believe is yours, and it may not be true," says Hultquist. "That can cause all sorts of business consequences that you hadn't necessarily considered."
Evron says that it's up to the organization how deeply they want to engage in cyber deception. Simply by plugging in MazeRunner, security teams can keep tabs on lateral movement in the network. The next step, for those with specific assets to protect, is to create a story: What's the hacker looking for, and what does he expect to see once inside? And how do you use the attacker's own psychology to build a convincing deception?