Australian security firm Penten is backing research into the use of artificial intelligence to build more convincing “cyber tripwires,” according to chief executive Matthew Wilson.
Penten announced earlier this week that it would conduct the research in collaboration with the Cyber Security CRC, of which it is a partner. The Cyber Security CRC is chaired by former ASIO head David Irvine and last year Rachael Falk, Telstra’s former general manager of cyber influence, was appointed its CEO.
The government-backed Cooperative Research Centre (CRC) program is intended to boost collaboration between researchers and industry; the government in 2017 pledged $50 million to establish the Cyber Security CRC.
Wilson said Penten was supporting two research initiatives through the CRC. Both of them are focused on “cyber traps” or “cyber decoys,” the CEO told Computerworld.
Penten is one of Australia’s few home-grown producers of cyber security hardware. Its flagship offering is the AltoCrypt Stik, a miniature device designed to deliver secure wireless access to government networks.
“There are two main thrusts within our organisation,” Wilson said. “One’s about secure mobility and the other is about building cyber deception capabilities.”
The research with the Cyber Security CRC is focused on the latter area, building on Penten’s existing experience through its TrapDocs product.
The two projects are focused on using AI to make more realistic traps, the CEO said. Unlike a honeypot — a system intended to lure hackers — the concept of a cyber trap is more like a “honey file,” he said.
“A honeypot is a decoy environment, and a decoy environment is interesting to try and manoeuvre someone into,” Wilson said. “Our area of focus is actually on decoy content. So we’re creating decoy files or network traffic or radiofrequency signals. In this context we’re focused on files.”
Instead of a ‘fake’ environment, the traps use a real environment and decoy files. When accessed, those files can trigger an alert.
“What we’ve found is they’re very, very effective at catching people that shouldn’t be in the places that they are,” Wilson said. The CEO gave an example of a system with a subdirectory dedicated to submarine-related documentation.
“Within that environment, we can actually create decoys that are focused on very different things,” he said. “If the subdirectory has lots of Word documents in it, we’ll create a Word document on submarines that may be on propulsion systems, and one on submarine financing. We know if the attacker takes the one on propulsion systems, then that’s the thing that they’re actually after and not financing.”
“The thing about these files is: Because there’s so few of them and we put them into particular environments, and they have no production value at all, if anybody touches them, we know something significant is going on,” he added.
Someone who is not used to working in that environment — whether it be a bot or a hacker or malicious insider — will trigger the tripwire by moving, copying or deleting the decoy data.
“Suddenly we can push through into the security operations centre a very, very high value alert that says, ‘We know something bad is happening over here and it’s very specifically in this environment – you need to focus on this right now,’” Wilson said.
A benefit of the approach is that, because the tripwire is unlikely to be triggered by a non-malicious actor, it can help counter alert fatigue inside a SOC, the CEO said.
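To illustrate the tripwire logic described above, here is an added example (not Penten’s code or its TrapDocs product): a detection routine that matches file-audit events against a small decoy registry and raises a critical alert only when a decoy is read, copied, moved or deleted, while ordinary production files and known service accounts never alert. The log format, paths, user names and excluded service accounts are all constructed for the example.

```python
import re

# Constructed decoy registry: decoy path -> what an intruder who takes it is after.
# Decoys have no production value, so any touch is a high-fidelity signal.
DECOYS = {
    "/projects/subs/docs/Submarine_Propulsion_Overview.docx": "propulsion systems",
    "/projects/subs/docs/Submarine_Program_Financing.docx": "financing",
}
# Operations that count as touching a decoy, and service accounts (backup, search
# indexer) that legitimately read every file and must not raise alerts (constructed).
TRIGGER_OPS = {"READ", "COPY", "MOVE", "DELETE"}
EXCLUDED_USERS = {"svc_backup", "svc_indexer"}

# Constructed audit-log line format: "<ts> user=<u> op=<OP> path=<p> [dest=<p>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>[A-Z]+) path=(?P<path>\S+)(?: dest=(?P<dest>\S+))?$"
)

def parse_event(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def evaluate(lines, decoys=DECOYS, excluded=EXCLUDED_USERS):
    """Return one critical alert per event that touches a decoy file.
    Production files never alert; a MOVE re-keys the decoy to its new path so
    later events on the renamed file (e.g. a DELETE) are still caught."""
    registry = dict(decoys)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["op"] not in TRIGGER_OPS or ev["user"] in excluded:
            continue
        interest = registry.get(ev["path"])
        if interest is None:
            continue  # ordinary production file: no alert, no SOC noise
        alerts.append({"ts": ev["ts"], "user": ev["user"], "op": ev["op"],
                       "decoy": ev["path"], "interest": interest, "severity": "critical"})
        if ev["op"] == "MOVE" and ev["dest"]:
            registry[ev["dest"]] = registry.pop(ev["path"])
    return alerts

# Constructed sample audit log: routine activity, an indexer sweep, then an intruder.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z user=engineer1 op=READ path=/projects/subs/docs/Hull_Maintenance.docx",
    "2024-05-01T09:02:13Z user=svc_indexer op=READ path=/projects/subs/docs/Submarine_Program_Financing.docx",
    "2024-05-01T09:05:44Z user=contractor7 op=COPY path=/projects/subs/docs/Submarine_Propulsion_Overview.docx dest=/tmp/p.docx",
    "2024-05-01T09:06:02Z user=contractor7 op=MOVE path=/projects/subs/docs/Submarine_Propulsion_Overview.docx dest=/projects/subs/docs/old.docx",
    "2024-05-01T09:06:30Z user=contractor7 op=DELETE path=/projects/subs/docs/old.docx",
]
```

Running `evaluate(SAMPLE_LOG)` yields three alerts, all for the same user and all pointing at the propulsion decoy, which is the "what they are actually after" signal Wilson describes.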
AI could potentially make it easier to build compelling decoy content, he explained.
“I’m trying to create a file that’s enticing — so the name is right, the authorship is right, the structure of the document is right. When it runs through a search engine, the word profile is right, so it’ll be an enticing thing for someone to take,” Wilson said.
Penten is currently also working on a $2 million proof of concept for the Australian Army focused on the creation of decoy radiofrequency traffic. The idea is to create decoys that mimic the radiofrequency signature of a vehicle.
“If you look at a vehicle on a battlefield, we’ll try and mimic that vehicle five or six times on the battlefield, so an RF-based targeting system that’s over the horizon will see five or six vehicles and won’t know which is the actual vehicle that they need to target.”