Cybersecurity continues to make its way into headlines, as more and more consumers and corporations are affected by data hackers.
Though it may seem like the problem is only escalating with no end in sight, a group of researchers from Binghamton University are hoping to change that.
Inspired by Target’s 2013 data breach, the researchers, led by Assistant Professor of Computer Science Guanhua Yan, are working to end the fight against hackers by tightening up current cyber deception tools.
“The main objective of our work is to ensure deception consistency: when the attackers are trapped, they can only make observations that are consistent with what they have already seen so that they cannot recognize the deceptive environment,” the researchers wrote.
Tricking the hacker
Yan and PhD candidate Zhan Shu explain in their research that cyber deception works to ultimately trick the hacker. When a device recognizes a hacker is present, the cyber deception tool creates a fake online environment to effectively shut out the hacker without revealing they’ve been discovered.
However, according to Yan, some expert hackers have become wise to this trick, which is where this new research comes in.
“The issue is that sometimes cyber deception uses what are called ‘bad lies’ that are easily recognizable by the attacker,” Yan said. “Once the deception is realized, the attacker can adjust and work around this form of protection.”
Yan and Shu worked to create a deceptive environment that only shows the hacker what he/she has previously seen. The goal here is to disorient and confuse the hacker, and also eliminate any chance of data being stolen.
To put this theory to the test, the researchers had college students, all of whom had recently completed a course in cybersecurity, act as hackers, and some landed in the new and improved deceptive environment.
According to Yan, the system worked as designed.
“It was clear that most students were simply guessing whether they had entered into the deceptive environment or not,” said Yan. “They couldn’t quite tell the difference when we used our consistent model.”
However, despite favorable results, Yan warns that this isn’t a foolproof method, as it “may not hold up against more advanced attacks.” The researchers do plan to continue to improve these tools in their quest to crack down on malicious data hackers.
Target’s data breach
The researchers’ study was based on Target’s 2013 data breach that affected 41 million customers and cost the company $18.5 million in penalties.
The breach was so intense, and the legal process so extensive, that Target didn’t finalize the $18.5 million settlement amount until last May. California got the most out of the deal, collecting $1.4 million, while Alabama, Wisconsin, and Wyoming didn’t participate in the lawsuit.
Officials identified several errors in Target’s data storage system, including the company’s decision to ignore messages from its security system that data had been hacked.
Following the breach, Target was required to tighten its security measures in an effort to protect customers’ data, which included a new hire to monitor the new system.