FBI Document-Seeding Tactics Echo Decades-Old Hacker-Hunting Trick

The technology industry moves at a lightning pace, but it’s surprising how many things stay the same. An FBI project to thwart hackers that recently surfaced by Ars Technica is a good example; it has a lot in common with techniques outlined in a book released 30 years ago.

The FBI initiative is called Illicit Data Loss Exploitation (IDLE), and it’s an attempt to slow down hackers who have gained access to a network by putting confusing data in their way. Although the FBI is coy about the program, it apparently involves creating decoy data and mixing it in with other files and records on target systems. The idea is to deceive hackers into downloading the wrong stuff by seeding business files with fake data that is indistinguishable from the real thing.

This technique serves two purposes. First, it stops hackers from dumping files on mass because they aren’t sure what they'll get. Second, it makes hackers more visible, because no legitimate user would have any business accessing or moving the decoy files. If an administrator sees someone snooping around those records, they should be on instant alert. If the hacker steals the files and distributes them on the dark web, law enforcement could use that data to help hone in on thieves.

In 1989, astronomer-turned-computer scientist Clifford Stoll published The Cuckoo’s Egg, which documented his adventures as he surreptitiously traced a hacker through not only his network at Lawrence Berkeley National Laboratory, but through many other networks as well. I won’t give away the ending to this book – if you haven't read it, it's a real treat – but one thing stood out in the light of the IBM story.

Stoll, stalled at every turn by disinterested authorities (including the FBI), began seeding his network with dummy files created to pique the hacker's interest. He had been watching the intruder’s every move for months, learning about their hacking and search patterns. He created a fictional secretary who was the administrative hub for a fictional top-secret computer network containing a mountain of fabricated files that he knew the intruder would go after.

Stoll’s endgame overlapped with the FBI’s today. He had some different motives. He was trying to keep the hacker online for as long as possible because at the time, people accessed computers via telephone calls and his colleagues were trying to trace the hacker's number. However, he was also trying to gather intelligence by advertising the secretary's name and mailing address for people to contact for information. He got a hit, too, when a mysterious postal query came in from Pennsylvania.

Watching someone move laterally inside your network while you distract them with dummy records is a dangerous game, even when you have full visibility of the intruder’s actions on your network. If nothing else, dummy files can act as the canary in the coal mine, triggering a security team into action. At their root, Stoll's tactics and those of IBM’s IDLE team have a lot in common. It just goes to show how hackers aren’t the only ones who can use age-old tactics in the cybersecurity battle.

What’s Hot on Infosecurity Magazine?