Digital attacks on companies and institutions have become a lucrative business for criminal groups. These attacks are increasingly hitting small and medium-sized businesses. This is often a difficult situation for them, as many do not have the resources to maintain large security departments with the necessary infrastructure. Over the past two years, the German research project IUNO InSec has delivered solutions specifically for small and medium-sized companies.
The German Research Institute for Artificial Intelligence has developed a solution that fools criminal hackers into thinking that the infrastructure is easy to infiltrate. The bait is ostensibly confidential data.
DFKI solution fools easy targets
The goal of this solution, developed in DFKI’s Intelligent Networks research area, is to keep attackers away from the actual target. In a mock infrastructure, attackers can be observed and their activities analyzed. Experts can then follow their digital tracks and not only fend them off but also track them down and arrest them in the real world.
The DFKI methodology thus pre-empts a major problem in detecting and defending against cyberattacks. This is because they often only become apparent much later, for example, when the system has already been infiltrated and the security officers become aware of unusual data traffic. By then, the attackers may have already stolen sensitive data. Or they may have planted ransomware, programs that encrypt computer systems that lock out users. The attackers then demand a ransom for handing over the key.
At first glance, genuine company data
DFKI project manager Daniel explains the methodology. “If an attacker searches the network for vulnerable servers, he is presented with a fictitious log-in page by the upstream deception proxy. Once the attacker interacts with such a decoy, it makes itself known.”
Called cyber deception, this defense in depth technique steers attackers into a fake IT infrastructure. The deception proxy contains digital decoys such as seemingly genuine company data, fake credentials, file shares, or service offers. Attackers are presented with easy prey. If they go for the bait, security experts can track and record their activities.
Three layers are typical:
- Fake systems that are created to look like real ones but have no real function
- Users in the system that serve as traps
- Fake data and folders in the network that appear to be important.
Cyber deception has several advantages. Intrusions are detected early, ideally even before hackers have gained access to the real company system. The security team gains time to observe the attackers and protect the actual company IT infrastructure from attacks. It can also keep attackers busy until they give up in frustration.
The number of false alarms drops. This, in turn, frees up resources to deal with real threats. If hackers access one of the deception layers, the cyber security team receives a very real alert. Alerts can also be automated, eliminating the need for manual intervention in the system. And as the company grows, the technology can be scaled and adapted to more extensive corporate systems.
IUNO InSec delivers cyber defense tools
The Fraunhofer Institute for Applied and Integrated Security (AISEC) was the lead partner for IUNO InSec (National Reference Project for IT Security in Industry 4.0). Partners from science and industry participated in the project, including the German Research Institute for Artificial Intelligence (DFKI), the Fraunhofer Institute for Secure Information Technology (SIT), the Technical University of Darmstadt, and the IT companies accessec and axxessio. The project sought to create a toolbox for SMEs that the respective company can adapt to its own needs.
The toolbox consists of:
- Solutions for modeling and automatically detecting anomalies
- Applications for improved security of industrial clouds
- Secure remote access to machines
- Controllable and secure usage management in digital value networks.
The threat from cyberspace
According to the industry association Bitkom, cyber criminals inflicted damage amounting to €223 billion on German companies in 2020. For a long time now, it has no longer been exclusively large companies that have been affected, but also medium-sized businesses. These can be automotive suppliers, real estate companies, trades, insurance companies, law firms, or advertising agencies. Just about every company has data that could be of interest to cybercriminals.
Between January and November 2022, the online magazine CS Online listed 77 companies in all industries that were the target of cyberattacks. For Alexander Giehl of Fraunhofer AISEC, who was in charge of the IUNO InSec project, the situation is serious. “I would say that the risk of a cyberattack is high,” he says. In his view, there is a host of reasons for that. “A lot of information is on the Internet,” he says. “For example, the search engine ‘Shodan’ finds any device that is connected to the network.” The search engine is actually intended for security experts, law enforcement agencies, and scientists. They use “Shodan” to track down vulnerabilities in their own IT systems.
Vulnerability doesn’t just affect IT systems
But cybercriminals can also use the search engine for themselves. “It’s relatively easy to find targets here,” is Giehl’s assessment. “Many applications have known vulnerabilities that are not closed by their users. Especially in small and medium-sized enterprises, current security patches are installed only hesitantly because operators fear restrictions in availability.” In addition, Giehl continues, SMEs often lack the resources for effective patch management. Added to this are outdated software and so-called isolated hardware solutions. It could be that hardware manufacturers are no longer in business or that certain devices, including control programs, are no longer produced.
This shows: Vulnerability not only affects IT systems but also operating technology or operational technology (OT). “Operational technology is either accessible from the network via IT or is even directly connected to the Internet,” explains Alexander Giehl.
The attack by cyber extortionists on the Norwegian aluminum manufacturer “Norsk Hydro” in March 2019 shows what a successful cyber attack looks like that accesses operational technology via IT connected to the Internet. Here, the attackers smuggled so-called ransomware into operational technology via IT. At “Norsk Hydro,” the attackers had an easy time because outdated Windows systems were installed in the OT. Here, the ransomware was able to spread and encrypt all data. This in turn forced the company to shut down production facilities around the world for about a week.