Page 14 - GCN, August/September 2018

Statuscheck CYBERSECURITY

HADES tricks hackers into giving up their secrets

The simulated virtual environment lets network defenders deceive, interact with and analyze adversaries in real time

BY PATRICK MARSHALL

Researchers at Sandia National Laboratories have put a new twist on honeypots — isolated networks designed to attract and trap hackers — by creating an entire virtual environment that tricks hackers into sticking around so their actions can be monitored and their secrets learned, all without risking an organization’s real operational network.

The system is evocatively named HADES, for High-Fidelity Adaptive Deception and Emulation System. “The main thrust of HADES is to provide a deception environment and continue a deception campaign to tease out relevant intelligence and signatures of an ongoing attack,” Vincent Urias, a computational researcher at Sandia National Laboratories, told GCN.

On the technical side, HADES uses cloud technologies — in particular, software-defined networking and virtual machine introspection — to quickly move a virtual system that has been compromised from the production network to a high-definition virtual copy of the network that lacks, of course, true copies of sensitive data.

“We can move the state of that virtual machine to another part of the network and start emulating the world around it,” Urias said.

While intruders unknowingly probe that sandbox network, analysts monitor them to learn what they are after and what tools they are bringing to bear. “We can watch the adversaries’ behavior [and] reconstruct our tools from memory transparently to them, enabling us to develop our intelligence on the fly,” he told R&D magazine in May.

According to Urias, even when hackers eventually discover they are operating in a sandbox, they don’t know when they were moved off the real network so they don’t know how much of the data they have gathered is the real thing.

“Our intent is to introduce doubt,” he said. “If they get something, is it real or is it fake? The worst horror for an adversary is the identical world but changed.”

HADES does not, by the way, replace tools designed to detect attacks. In fact, although HADES provides its own intrusion-detection tools, it is designed to take advantage of third-party applications.

“HADES remains agnostic on this front and provides a flexible [application programming interface] to interact with such tools,” Urias said.

First deployed in 2017, HADES is being tested in selective deployments.

HADES’ benefits
• Creates high-fidelity deception environments based on real system attributes.
• Provides granular insight into attacker’s tools and tactics (malware, behavior, workflow).
• Allows interaction with adversaries through host, network and file modification.
• Provides varying operating and deployment modes to facilitate various network models.
Source: Sandia National Laboratories