War room: A website can use Mykonos software to track attackers and deploy counter responses designed to drive them away with delays and false information.
Mykonos’s software creates the illusion that the hacker is making progress. “We can intercept their scans and inundate them with fake values,” says Koretz. “It takes much longer [for an attacker to scan a site], and the results are useless.”
A scan that might usually take five hours could take 30, Koretz says. Other tactics include offering up dummy password files, which can help track an attacker when he or she tries to use them. “We’ll let them break the encryption and present a false login page. We have the ability to hack the hacker,” says Koretz.
As a promotional tool to impress potential clients, Mykonos engineers have built versions of the company’s software that taunt attackers. One directs a hacker to a Google Maps search for nearby criminal attorneys. Another parodies Microsoft’s now-defunct anthropomorphic paper clip, Clippy, with the message: “It looks like you’re an unsophisticated script kiddie. Do you need help writing code?”
Mykonos could use its system to simply block attackers, but Koretz says hackers expect such behavior and will simply keep looking for new ways in. “If you just block, they will find a different route to attack you. If you ensnare them in a painful way, you change the economics of the attack—it becomes much more expensive.”
Sven Dietrich, an expert on computer security and a professor at Stevens Institute of Technology, says annoying attackers can be a bad idea. “It’s conceivable that when he or she finds out that they’ve been had, they will seek retribution,” says Dietrich.
Security researchers sometimes use sacrificial “honeypot” computers as a way to study attacks up close in a safe environment. Dietrich says it’s important to carefully separate these machines from other computer networks to reduce the potential impact of revenge attacks, but this is not an option for a company using Mykonos’s software. “If you are using it in a production system, then they know who created it and is trying to deceive them.”
Koretz argues that the frustrations his software delivers can crop up naturally in the course of hacking a site, so many attackers will likely ascribe them to bad luck and move on to another possible target.
Dietrich also says that actively scanning, or installing pieces of tracking code on another computer, could make it unstable. If attackers compromise an innocent machine, “the risk is that you may affect systems that are critical or cause someone to lose their digital goods or worse,” he says.
Koretz predicts that the approach will become more common as conventional security software proves increasingly ineffective. “Deception is a legitimate defense,” he says.