
How security firms lead hackers into ‘honey pots’

Elvis impersonators at the RSA security conference in San Francisco.
Image Credit: Dean Takahashi

I recently wandered around the RSA security conference in San Francisco, where the latest cybersecurity technologies were on display. And I came across the blue-bearded Chris Roberts, the chief security architect at Acalvio.

Roberts assumes that hackers will be able to break into just about any company. So his company makes software that allows security managers to detect the break-ins, monitor the activity of the hackers, and steer them into harmless containers for faux company information.

The hackers may not realize that they’re inside a “honey pot,” a kind of trap where the cybersecurity people can figure out their motives and intentions. It’s part of an ever-escalating game of cat and mouse. I interviewed Roberts about the technology and how game companies have become a primary target.

We’ll be doing a breakfast panel on games and security at the Electronic Entertainment Expo on June 14. Here’s an edited transcript of our interview with Roberts.

Above: Chris Roberts is chief security architect at Acalvio.

Image Credit: Dean Takahashi

GamesBeat: I’m curious about the intersection between security and games. What’s your expertise? What does your company do?

Chris Roberts: My background is all over the place. Obviously it’s security-related and has been for years. I come from the screwdriver-wielding techie side of the world, through networking, and then into security. I did a bunch of gaming in the middle there as well. I’ve been at Acalvio about a year and a half, almost two years, working as their chief security architect.

They acquired a company I was part of, because they built this really cool deception product, but it was built from their perspective, as opposed to building it from a hacker’s perspective, and then the actual hacker coming in and saying, “How well does this work? How well is this architected? How well does it deceive me?” Or, in a gaming analogy, how well does it bring the hacker in? How engaging is it? How much can you tell that you’re in an environment or not in an environment? How much can you tell that what’s in front of you is the reality of an actual enterprise, or is basically an Alice in Wonderland environment that you’re put into to keep you out of the main corporate environment?

GamesBeat: What do you call that? A honey trap, so to speak?

Roberts: Acalvio calls it Deception 2.0. If you look at the history of deception technology, at least in the computing field, we go back to the old Honeynet projects from 15 to 20 years ago. All you really had was a Windows or Linux environment, or a server or a switch, that was very static. Again, take the gaming theory. I had a very non-dynamic, non-engaging environment that I could poke at. I didn’t really poke at. It didn’t change based on my mood, my feeling, or my adjustments. You remember the old text games from years ago? They had a set of algorithms that were very static. You went north, south, east, or west. That was really the beginning of the Honeynet projects, in the early days.

Fast forward to where we are now, the ability to drop an architecture into an enterprise platform and have it learn and understand what that enterprise is — health care enterprise, critical infrastructure, finance — it has the ability to adapt to its environment. Is it a Windows environment, a Linux environment? Again, you have an adaptive architecture that goes into an enterprise environment and it can have camouflage.

As an attacker, I land on your first computer. I break your computer, get you to click on something, I’m in. My job at that point is not only to extract data, but to look around and see what I can find. I have to elevate my privileges, which means I need to rifle your file system, look through your registry. If I’ve done my deception job properly, I’ve put something in the registry, something in the file system. I’ve put up a file server or a print server. I’ve put in something where the attacker doesn’t see a difference between what you see logically and what you see in the Alice in Wonderland environment.

That’s the whole idea, building something that does a good job of — the assumption is simple. The attacker is going to get in. 90 percent of the crap out here at RSA isn’t going to stop any of us from breaking in. It might log it. It might do something about it. It might cut down the 200 days it takes you to find out about it. But it’s not going to stop us. If you look at Deception and some of the other technologies out there, their role is to say, “The perimeter is broken. There is no perimeter.” When your fridge can read the email from your corporate system, you don’t have a perimeter anymore. When your car has your address book, you have no perimeter.

What do you do about that? You build an environment, a gaming architecture, that draws the attacker in and runs them through a set of scenarios. It brings them into this environment, this Wonderland, if we’ve done our job properly.

GamesBeat: What do you lead them to? Are you benefiting by simply using up their time and keeping them at something harmless?

Roberts: Think of a regular attacker. If you think of a normal corporate environment, typically a firewall, an intrusion detection system, or something on an endpoint will only detect once it sees something bad happen. Yes, there are predictive architectures and other things out there. But for the most part, until something leaves the environment, until something’s stolen, until I encrypt your hard drive, you won’t know I’m there.

The whole concept of the deception is to get ahead of that game. As an attacker, you see this entire landscape in front of you. You don’t know what’s real, what’s fake, what’s booby-trapped. As an enterprise I can say, “I want to know as soon as someone steps on the land mine.” When the attacker gets into the registry and thinks they’ve found a set of credentials that were planted there, you can see those credentials as you’re watching the network and grab them. There are companies that just want to know that. Most of them are that way. Most of them just want to know that someone is doing something they shouldn’t be doing and that their other systems won’t alert them on.

There are also a lot of companies that take it to the next level. Let’s bring the attacker in. Let’s start telling them a story. We present them with a file server or FTP server or web server that looks like the main corporate one, but is different. Now you’re in this virtualized environment. It’s served up to you in a bit of story at a time. Again, it’s a game system. I give you a snippet. I give you the next clue. I keep drawing you in.

From a mentality standpoint, the attacker thinks they’re on to something. They’re getting into the database. They’re getting into the SQL server. I’m bringing you into my world. You’re a mouse in the trap now. As the defender, as the enterprise, I can look at you and learn from you.

GamesBeat: See what they attack next.

Roberts: Exactly. Can I put up a defense, or do I just want to watch them? Can I give them disinformation? There’s maybe five or 10 percent of companies that care about that. Most of them just want to know, before that average of 100 to 200 days, if somebody’s in their systems.

You take the camouflage from mother nature. You take the architecture from gaming. How do I keep somebody engaged? How do I tell a story in a digital way that brings you through an entire engagement cycle and all the events that go with it?

Above: DedSec is the hacker group in Watch Dogs 2.

Image Credit: Dean Takahashi

GamesBeat: If you give someone disinformation, can they go off and sell that, and you see where it surfaces?

Roberts: Exactly. Now, when you’re talking about that, you’re talking maybe Fortune 50 companies or nation-states that care about that. Most organizations that buy from here don’t have the sophistication to deal with that. It’s limited. But that capability is there, to be able to do that.

GamesBeat: Do you look at the gaming vertical and how this applies to it? Do you notice any pattern among your customers there? Are they attacked for particular reasons?

Roberts: You have a mix. Acalvio, and not just Acalvio, a lot of the organizations here in the deception space — this technology can be used everywhere. The gaming space is an interesting one. Obviously, depending on the games — am I using my computer to interact with it? Am I using a game console to interact with it? As an attacker, if I have you come into my system, then I can use your processing for mining. You look at the bitcoin miners, the attack vectors they’re using across multiple gaming architectures — we can start to detect that level of intrusion and get ahead of that game. If we can start seeing spurious traffic coming out of your system, we can get ahead of it. You’re definitely looking for that.

When you look at the gaming platforms, the amount of money they put into intellectual property to build those platforms — it’s their secret sauce. It’s their coding engine. It’s their architecture. If we can put deception in there — it’s like the movie industry. When you look at the convergence of those two industries, it’s the same challenge. I’m building something now that won’t be released for three to five years. How do I keep it safe and secure? How do I make sure I’m the one that releases it? Our job would be to drop deception in there and make sure they don’t become another Sony.

GamesBeat: That’s a cautionary tale these days.

Roberts: It’s one of many. You look at HBO and the other guys along those lines. Their intellectual property is on a three-year cycle, everything they’re building. The game industry especially, the amount of money poured into the development cycle — being able to protect that without putting more files, more intrusion detection, more crap on an endpoint. Just having something inside that says, “Hi, come on in, let’s try this.” It’s a game inside a gaming organization. It’s actually kind of a fun way of doing it.

Above: An attention-grabbing robot at RSA.

Image Credit: Dean Takahashi

GamesBeat: Do they tend to be any different as customers? Do they recognize more about game theory and design?

Roberts: I think so. Some industries, like the financial industry, they recognize some of those ways of thinking. The health care industry doesn’t have that knowledge. The gaming industry definitely does. “Oh, you’re telling a story.” Yeah, we’re telling a story. They get it. It’s a much easier conversation to help people understand how the Wonderland we’re building is protecting their system. There’s some fun stuff out there.

GamesBeat: If they’re coming in to attack, what do you find they’re doing? Do they simply want to hack a player’s account and take their virtual currency, or hack their cryptocurrency?

Roberts: That’s actually pretty big. As an individual attacker they’re not likely to do that, but if they can build a bot architecture, if they can go out and deploy against that, that’s huge. I build once and attack many. We’re seeing a ton of that. There’s a lot of that across all industries. If you look at the Steam architecture, which is more of a GUI on a web browser, that’s becoming much more of an attack vector. If we can put up a deceptive architecture and start capturing those patterns, we can build a defensive strategy against those, and when one or two get hit, we can get protection in place on everybody else.

The flip side is, obviously you have those targeted attacks. I want to go after your 2020 game, your 2021 game. Where is your road map going? Is it following the movies? Is it following a different theory? Where are you building your architectures? There are some interesting strategies.

GamesBeat: Does your customer base include game companies?

Roberts: I know that Acalvio is talking to a number of them. I’ve talked to many of them over the years at different organizations. We’re in a bunch of different verticals.

GamesBeat: It seems like if you can simply waste a hacker’s time, you’ve accomplished some good. You have more opportunity to learn where they’re coming from.

Roberts: It’s the tactics. It’s the methods. It’s the attack vectors. It’s the entry points. All of that helps an organization learn. “We were focused over here. We need to focus over there now.” The wasting of time is a tough one, because a lot of engagement — again, gaming systems — there are automated architectures out there that will perform a lot of the basic to mid-level attacks. If they get in, it just runs and runs. There’s no human behind a keyboard. Until something is found or discovered and a human comes in, really you’re looking at wasting system cycles. That’s a tougher one.

The mean time to breach at the moment depends on who you listen to, but it’s between 100 and 200 days. I break into your computer and for 100 to 200 days I’ll walk around with nobody knowing I’m there. Our job is to bring that down, if we can, to a matter of hours or minutes, whatever we can do, so that now you’re not waiting for the Feds to call. “Congratulations. You’ve become a point of compromise. Here’s what you lost.”

GamesBeat: How much investment does a company want to put into that deception? How elaborate should the ruse be?

Roberts: It can be huge. It comes down to the data. What are you trying to protect? If all you want to know is that somebody is creeping around your environment, there’s a limited amount. If you want the Wonderland, from our side, it’s actually a minimal amount of additional effort. We already have the data generated that you can use. It doesn’t matter what vertical you’re in. We can plug that data in. We already have deceptions built. All you have to do is hook up the engine. “You have 50 computers or 500 computers, we recommend that you put this out.”

If you want to go from just feeding breadcrumbs into the full Wonderland, that’s not much more investment. A lot of it comes down to the company. What are they comfortable doing? Do they just want to know there’s an attacker and kick them out? Or do they want to play a game with the attacker?

Above: Gamers actually make good security professionals, and this is one way to lure them to work for you.

Image Credit: Dean Takahashi

GamesBeat: How do you position this? If you know they’re going to get in, you want to be there to catch them. How do you anticipate their way in?

Roberts: The numbers in the industry bear it out. We don’t have to put out any kind of fake entry point. You have humans sitting at keyboards that we, the industry, have not educated. Not sufficiently. We haven’t explained to everybody, “It’s January. It’s tax fraud month. Don’t click these things.” We haven’t done that continual education and invested in humans. As an attacker I always have an easy way in. It’s unfortunate, but it’s true.

As someone who’s worked in the security space, we’ve failed. As an industry we’ve managed to lose more than 10 billion records since we started keeping count. We’ve not won. This is not good. In a gaming analogy, we keep taking headshots. We’re not learning.

GamesBeat: As far as catching attackers and getting them to law enforcement, is that something you can do?

Roberts: We can bring the evidence. The challenge with any of that — this is one of the biggest issues in the industry — we have people saying that companies should be allowed to hack back. But if I’m breaking into him, I’ll take your computer over, and have your computer launch an attack against John. Now John’s going to say, “You bastard, you hacked me,” and he’ll break your computer. A few things happen. If you’re in another country, international barriers have been broken. Second, he’s hacked the wrong person. Third, I’m just laughing. It’s a huge issue. Attribution is a huge issue in this industry.

GamesBeat: So it’s up to your customers about what to turn over to authorities.

Roberts: Absolutely. We’ll learn the tactics and have the understanding as to what’s going on. We can provide the intelligence. But it’s definitely a customer-focused issue.

GamesBeat: Do companies ever tell a hacker, “We know who you are. Get out of here”?

Roberts: Rarely, if ever. At that point you’re just annoying them. They’re going to come in six different ways. They’ll do as much damage as they can. The whole idea is to just watch them, cut them off, and get everything cleaned up so they can’t come back in again. Or at least they can’t come back in the same way.
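The breadcrumb mechanism Roberts describes earlier in the interview (decoy credentials planted in a registry key or a file share, with an alert the moment any login attempt uses one of them) is the simplest form of deception to build yourself. The following is an added example written for this page; it is not Acalvio’s code and does not come from the interview. The decoy account names, the registry and share paths they are “planted” in, the authentication log format and every log line are constructed for illustration. The one rule that makes a honeytoken work is that the decoy account must never be used legitimately, so any appearance of it, successful or not, is a high-confidence signal rather than a statistical anomaly.

```python
"""Honeytoken (decoy credential) detection over authentication logs.

Added example, not the product or code discussed in the interview.
Decoy accounts are planted where an attacker rifling a host would find
them (registry keys, config files, file shares). No legitimate user or
service ever authenticates as a decoy, so any attempt to do so, whether
it succeeds or fails, is treated as an intrusion signal.
"""
import re
from dataclasses import dataclass

# Constructed decoy accounts -> where the breadcrumb was planted.
# Assumption: these names are never real principals in the environment.
DECOY_ACCOUNTS = {
    "svc_backup_legacy": "HKLM\\SOFTWARE\\Contoso\\Backup\\Credentials (registry)",
    "db_admin_ro": "\\\\fileserver\\it\\db_connect.ini (file share)",
}

# Constructed log format: "<ts> auth user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    result: str
    planted_at: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honeytoken_use(lines):
    """Return an Alert for every authentication attempt that names a decoy account.

    Failed attempts count too: an attacker trying a planted credential that
    the decoy service rejects has still revealed itself.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never guessed at
        planted_at = DECOY_ACCOUNTS.get(rec["user"].lower())  # usernames are case-insensitive
        if planted_at is None:
            continue
        alerts.append(Alert(rec["ts"], rec["user"], rec["src"], rec["result"], planted_at))
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source address: the host the attacker is operating from."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a)
    return by_src


# Constructed sample log: two real users, one attacker host (10.0.5.41)
# trying a planted credential twice, and a second host probing another decoy.
SAMPLE_LOG = [
    "2018-04-17T09:12:01Z auth user=alice src=10.0.5.23 result=success",
    "2018-04-17T09:12:44Z auth user=bob src=10.0.5.41 result=failure",
    "2018-04-17T09:13:02Z auth user=svc_backup_legacy src=10.0.5.41 result=failure",
    "2018-04-17T09:13:05Z auth user=SVC_BACKUP_LEGACY src=10.0.5.41 result=success",
    "this line is deliberately malformed and must be ignored",
    "2018-04-17T09:14:10Z auth user=db_admin_ro src=10.0.7.9 result=failure",
]


if __name__ == "__main__":
    for src, hits in summarize_by_source(detect_honeytoken_use(SAMPLE_LOG)).items():
        print(f"{src}: {len(hits)} decoy-credential attempt(s)")
        for a in hits:
            print(f"  {a.ts} user={a.user} result={a.result} breadcrumb={a.planted_at}")
```

The design choice worth noting is that detection keys on the decoy identity alone, not on outcome or volume. Signature and anomaly systems must tolerate a baseline of legitimate activity, which is why they produce false positives and the long dwell times Roberts mentions; a decoy account has a baseline of zero, so a single hit is enough to raise an alert and the source address tells you which host the attacker has already compromised.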