The New HoneyPot: Area 1 Security

This writer has been saying for years that security products do not work 100% of the time. So there is the need to use several different approaches to cybersecurity.

Even if intrusion detection tools worked 99.99% of the time, all it would take is 9,999 tries for the probability of someone penetrating your defense to equal certainty, i.e. 1 or 100%.
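As an added illustration, not from the original article, the compounding described above computed directly: the probability that at least one of n attempts slips past a control with a given miss rate, and what happens when a second, independent control is added (the "several different approaches" the article argues for). The miss rates used are constructed for the example.

```python
# Added example: repeated attempts against one control, and against
# two independent controls in series. Rates below are constructed.

def breach_probability(miss_rate: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent tries gets
    past a control that misses a fraction `miss_rate` of attempts.
    Each try is assumed independent of the others."""
    if not 0.0 <= miss_rate <= 1.0 or attempts < 0:
        raise ValueError("miss_rate must be in [0, 1] and attempts >= 0")
    # An attempt is blocked with probability (1 - miss_rate); all
    # `attempts` are blocked with probability (1 - miss_rate) ** attempts.
    return 1.0 - (1.0 - miss_rate) ** attempts


def layered_miss_rate(miss_rates) -> float:
    """Miss rate of several independent controls in series: an attempt
    gets through only if every layer misses it, so the rates multiply."""
    total = 1.0
    for rate in miss_rates:
        if not 0.0 <= rate <= 1.0:
            raise ValueError("each miss rate must be in [0, 1]")
        total *= rate
    return total


if __name__ == "__main__":
    ids_miss = 0.0001        # constructed: a 99.99% effective control
    tries = 9999
    single = breach_probability(ids_miss, tries)
    print(f"one control, {tries} tries: P(breach) = {single:.4f}")

    # Add an independent 99%-effective second layer (constructed rate).
    combined = layered_miss_rate([ids_miss, 0.01])
    layered = breach_probability(combined, tries)
    print(f"two layers, {tries} tries:  P(breach) = {layered:.4f}")
```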

So given that security does not stop hackers, what good does the traditional approach of deploying perimeter defenses do? It depends on who you ask. Due diligence requires that you deploy them. But logic would suggest that you do something else too.

The New York Times says business has come to that conclusion as well. They write, “Most security start-ups seeking funding today have resigned themselves to the inevitability of a breach and are focused more on identifying an attack as it plays out and praying that they can respond before the perpetrator makes off with something important.”

The Old Fashioned Honeypot
A thinking person might say that if hackers are going to target you, set up a distraction, something enticing that lures them away from the real thing.

That’s an old idea that used to be called a honeypot. Originally the term comes from spycraft. It means sending out a voluptuous female to prey on the lust of the virile male, enticing him to give up state secrets.

For IT nerds, who cannot get the real thing, the honeypot is a server set out in the DMZ of a network and left exposed and enticing. It has no antivirus or firewall, thus making it easier to penetrate.

A company can also load up the honeypot with fake data so that it looks like a treasure trove of company secrets. The idea is that the hacker’s mischief should stop there and they should go no further. The hacker would think they have stolen what they need. But it’s a tactic that does not work long since it is hard to maintain that illusion.

Mining the Compromised Server
Now a former NSA agent has dusted off that idea and sold it to customers of his fledgling business Area 1 Security.

Area 1 Security does not exactly work by standing up honeypot servers. Instead its approach is to find servers that have already been infected and leave them that way so that the security firm can study where hackers go from there. This reveals their tactics and tells the security firm how to defend that client and how to alert others to that type of assault.


It is not always easy to convince nervous companies that leaving one of their servers infected is a good idea.

Cate Machine and Welding is not so timid. This is one hacking victim that has signed up as an Area 1 customer. Yet they might have blown the cover of the honeypot spy, since they have told the world about this.

Monitoring the Botnet
If this idea seems like a risky one, consider that hackers have long used botnets to attack other computers. Most of those are poorly defended home and office PCs that have in some cases been compromised for years without their owners knowing anything about it.

Solving the Political Problem of Information Sharing
What Area 1 Security proposes is to attach itself to a type of botnet, monitor which Chinese or other hacking firm or government is using it, and keep tabs on what they are doing. Then the security company builds up a real-time knowledge base that benefits others.

The company’s founders point out that, today, legal and political hurdles block businesses from engaging in the very kind of information sharing that is needed to defeat a concerted attack.

For example, consider when Company A gets hacked and then Company B gets hacked using the very same tactic. It would have been good if Company A told Company B about the looming threat so they could have defended against that.

Governments have proposed that business get together to share that kind of information. But their own agencies often tell hacking victims to keep technical details secret while they conduct their investigation, a process that drags on forever. Governments operate at glacial speed. Hackers are much more nimble.

So Area 1 Security vacuums up all this information and shares it between parties, thus meeting the goal the government cannot.

Its customers benefit from real-time information, yet the companies avoid violating any kind of antitrust or anti-collusion laws. Their anonymity is protected and trade secrets are kept away from competitors. Plus they are not damaged in the market, because their customers are not informed that their private data might have been threatened.

Security the A1 Way
The company frames its philosophy thus:

“Existing cybersecurity defenses focus on constructing a perimeter around potential victims and identifying the payload to stop attacks from getting through. Area 1 takes a different approach. We focus on the attacker’s history, behavior, delivery mechanisms, and infrastructure.”

The New York Times labels what they do threat intelligence, writing, “Until recently, companies typically adopted a defensive strategy of trying to make their networks as impermeable as possible in hopes of repelling attacks. Today, so-called threat intelligence providers sell services that promise to go on the offensive.”

We have written about Threat Intelligence ourselves here.

But there is room for doubt, as the company might be doing what most companies do, which is exaggerate what they can do. The company says it has technology designed to defeat phishing. But it does not say how.

Phishing is what they target the most, since that is how 90% to 95% of all hacking starts, according to many different reports.

Obviously the botnet approach would work, as phishing often sends spam to the widest possible number of targets, using those botnet PCs as email proxies. Someone with a global view of all of that can warn others.

So this is a good idea.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.