Red Herring fights Heartbleed Bug with Automated Honeypots

Researchers at The University of Texas at Dallas have created a solution that fixes the Heartbleed vulnerability, as well as detects and traps the hackers who may be using it to steal susceptible data.

The sophisticated technique called Red Herring was created by a team of computer scientists to automate the process of creating decoy servers. It makes hackers think they have gained access to confidential, secure information, when actually their actions are being monitored, analyzed and traced back to the source.

“Our automated honeypot creates a fixed Web server that looks and acts exactly like the original — but it’s a trap,” said Dr. Kevin Hamlen, the team’s leader. “The attackers think they are winning, but Red Herring basically keeps them on the hook longer so the server owner can track them and their activities. This is a way to discover what these nefarious individuals are trying to do, instead of just blocking what they are doing.”

OpenSSL Backdoor

The Heartbleed bug affects around two-thirds of websites previously believed to be secure. These are websites that use the code library called OpenSSL to encrypt apparently secure Internet connections used for sensitive purposes such as online banking and purchasing, sending and receiving emails, and remotely accessing work networks. Heartbleed was announced to the public last week.

In 2012, a new feature named Heartbeat was added to the software, primarily for slow Internet connections. Heartbeat enabled connections to be held open, even during idle time. But a flaw in its implementation allowed sensitive information to be passed through the connection, hence the name Heartbleed.

Even though Heartbleed is well into the process of being patched, victims still do not know who may already be exploiting it to steal information, or what information they may be going after.

A common fix for this type of problem is to create a trap, a honeypot that lures and exposes attackers. Typically this can involve setting up another Web server somewhere else.

Virtual Fake Servers

“There are all sorts of ad hoc solutions where people try to confuse the attacker by deploying fake servers, but our solution builds the trap into the real server so that attacks against the real server are detected and monitored,” Hamlen said. “Our research idea can build this honeypot really quickly and reliably as new vulnerabilities are disclosed.”

The Red Herring algorithm designed by Hamlen automatically converts a patch, the code widely used to fix new vulnerabilities like Heartbleed, into a honeypot that can catch the attacker at the same time.
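A simplified sketch of that patch-to-honeypot conversion for a Heartbeat request, added here as an example and not Red Herring's or OpenSSL's own code: the length check a fix introduces either discards the request (plain fix) or answers it with decoy bytes and reports the session for monitoring (trap). The function name, verdict names and decoy string are assumptions; the message layout follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): 1-byte type, 2-byte payload length,
 * payload, then at least 16 bytes of padding. */
#define HB_HEADER  3u
#define HB_PADDING 16u
enum hb_verdict { HB_ECHO, HB_DROP, HB_DECOY };

/* Constructed bait; the name and value are hypothetical. */
static const char DECOY[] = "user=decoy&token=HONEY-PLACEHOLDER;";

/* honey == 0: plain fix. honey != 0: trap. Fills out with the reply payload. */
enum hb_verdict hb_handle(const uint8_t *rec, size_t rec_len, int honey,
                          uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (rec_len < HB_HEADER)
        return HB_DROP;                         /* no length field to read */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING <= rec_len) {
        if (claimed > out_cap)
            return HB_DROP;
        memcpy(out, rec + HB_HEADER, claimed);  /* honest echo */
        *out_len = claimed;
        return HB_ECHO;
    }
    if (!honey)
        return HB_DROP;      /* fix: claimed length exceeds record, discard */
    /* Trap: same check, but reply with decoy bytes of the size the sender
     * asked for (no server memory is read); the caller logs HB_DECOY. */
    if (claimed > out_cap)
        claimed = out_cap;
    for (size_t i = 0; i < claimed; i++)
        out[i] = (uint8_t)DECOY[i % (sizeof DECOY - 1)];
    *out_len = claimed;
    return HB_DECOY;
}

int main(void)
{
    /* Constructed request: claims 0x4000 payload bytes, carries one. */
    uint8_t bad[HB_HEADER + 1 + HB_PADDING] = {1, 0x40, 0x00, 'x'};
    uint8_t out[65535];
    size_t n;
    enum hb_verdict v = hb_handle(bad, sizeof bad, 1, out, sizeof out, &n);
    printf("verdict=%d decoy_bytes=%zu\n", (int)v, n);
    return 0;
}
```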

“When Heartbleed came out, this was the perfect test of our prototype,” Hamlen said.

Red Herring goes beyond just being a decoy and blocker; it can also lead to catching the attacker.

As the attacker thinks they are stealing data, an analyst is tracking the attack to find out what information the attacker is after, how the malicious code works and who is sending the code.

“In their original disclosure, security firm Codenomicon urged experts to start manually building honeypots for Heartbleed,” Hamlen said. “Since we already had created algorithms to automate this process, we had a solution within hours.”