Not so IDLE hands: FBI program offers companies data protection via deception

Accepted submission by Freeman at 2019-12-20 17:55:22 from the Engorge! dept.
Security

The Federal Bureau of Investigation is in many ways on the front lines of the fight against both cybercrime and cyber-espionage in the US. These days, the organization responds to everything from ransomware attacks to data thefts by foreign government-sponsored hackers. But the FBI has begun to play a role in the defense of networks before attacks have been carried out as well, forming partnerships with some companies to help prevent the loss of critical data.
[...]
But the FBI is not stopping its consultative role at simply alerting companies to threats. An FBI flyer shown to Ars by a source broadly outlined a new program aimed at helping companies fight data theft "caused by an insider with illicit access (or systems administrator), or by a remote cyber actor." The program, called IDLE (Illicit Data Loss Exploitation), does this by creating "decoy data that is used to confuse illicit… collection and end use of stolen data."
[...]
In the past, the FBI got involved only when a crime was reported. But today, the new approach means playing more of a consultative role to prevent cybercrime through partnerships with both other government agencies and the private sector.
[...]
An example of that sort of outreach was visible in a case Ars reported on in March—that of the casino kiosk vendor Atrient [arstechnica.com]. FBI Las Vegas field office and FBI Cyber Division agents picked up on Twitter posts about an alleged vulnerability in Atrient's infrastructure, and the agents connected the company and an affected customer with the researchers to resolve the issue (which, in Atrient's case at least, went somewhat awry). But in these situations, the FBI now also shares information it gathers from other sources, including data gathered from ongoing investigations.
[...]
Some information sharing takes the form of collaboration with industry information sharing and analysis centers (ISACs) and "Flash" and "Private Industry Notice" (PIN) alerts on cybercrime issues.
[...]
But for some sectors of particular interest, the FBI is now trying to get a deeper level of collaboration going—especially with companies in the defense industry base (DIB) and other critical infrastructure industries.
[...]
An official familiar with the program spoke to Ars on background, and they emphasized that IDLE was not a lure but a way to identify existing threats on the network and make life harder for hackers. The goal is to give companies a greater chance of spotting attackers before they are able to get anything of value.
[...]
So rather than being a "honeypot" put in place to attract hackers for threat intelligence purposes, IDLE data is intended to baffle an attacker by obfuscating real data. It's an attempt to make the illicit use of stolen data much more difficult, or as another official described it, IDLE's approach is like putting bogus pieces in a jigsaw puzzle. The goal is to confuse attackers about how everything fits together.

While the program is not classified, FBI officials would not speak in depth about IDLE because of its sensitivity.
[...]
There are other aspects of IDLE that are not fully fleshed out in the flyer seen by Ars, and the FBI would not comment on many of our questions. According to the document, IDLE's other capabilities "may highlight the following: an illicit actor in your network; unauthorized downloading of data from your network; [and] data loss from your network... These capabilities are in addition to your current network defenses and are supplemental whereas traditional technical means to protect networks may not detect/prevent such activity." These additional capabilities, according to the flyer, "can be used individually or together depending on client needs."
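The flyer's description of decoy data that both confuses collection and reveals unauthorized downloading maps onto a well-known defensive pattern: seed fabricated records, indistinguishable from real ones without a secret, into a dataset, then check any bulk export or outbound transfer for those records. The block below is an added illustration of that pattern and is not the FBI's IDLE tooling; the record format, the HMAC-derived account suffix, the key, and the customer rows are all constructed for the example.

```python
"""Decoy-record seeding and detection (added example, not the FBI's IDLE code).

Each decoy account number is an 8-digit prefix plus a 6-hex-char suffix that is
an HMAC of the prefix under a secret key. Real accounts use the same shape with a
random suffix, so an attacker cannot tell the two apart from the data alone; a
defender holding the key can, and a decoy showing up in an exported file marks
that file as an unauthorized copy.
"""
import csv
import hashlib
import hmac
import io
import random

# Constructed secret. It must live outside the seeded dataset, or the
# decoys can be filtered out by whoever copies the data.
DECOY_KEY = b"constructed-example-key-not-for-real-use"

# Constructed "real" customer records in the shape the decoys imitate.
REAL_ROWS = [
    {"account": "31417263-4c9a1e", "name": "Ada Okafor", "balance": "1200.50"},
    {"account": "58209331-9f02bd", "name": "Luis Mendes", "balance": "87.10"},
    {"account": "77310084-03e7c1", "name": "Mei Tanaka", "balance": "5400.00"},
]
FIELDS = ["account", "name", "balance"]


def _suffix(prefix: str, key: bytes) -> str:
    """Six hex characters derived from the prefix under the secret key."""
    return hmac.new(key, prefix.encode(), hashlib.sha256).hexdigest()[:6]


def make_decoy_id(rng: random.Random, key: bytes = DECOY_KEY) -> str:
    """Build one decoy account number that only the key holder can recognise."""
    prefix = f"{rng.randrange(10**8):08d}"
    return f"{prefix}-{_suffix(prefix, key)}"


def is_decoy(account: str, key: bytes = DECOY_KEY) -> bool:
    """True if the suffix is the keyed HMAC of the prefix (constant-time compare)."""
    prefix, _, suffix = account.partition("-")
    if len(prefix) != 8 or len(suffix) != 6:
        return False
    return hmac.compare_digest(_suffix(prefix, key), suffix)


def seed_decoys(rows, count, rng, key=DECOY_KEY):
    """Return (copy of rows with `count` decoys mixed in, list of planted ids)."""
    names = ["Jo Park", "Sam Ruiz", "Ines Lund", "Kofi Bello"]  # constructed
    seeded = [dict(r) for r in rows]
    planted = []
    for _ in range(count):
        acct = make_decoy_id(rng, key)
        row = {"account": acct, "name": rng.choice(names),
               "balance": f"{rng.uniform(10, 9000):.2f}"}
        seeded.insert(rng.randrange(len(seeded) + 1), row)
        planted.append(acct)
    return seeded, planted


def to_csv(rows) -> str:
    """Serialise rows the way a bulk export or exfiltrated dump would look."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def scan_for_decoys(csv_text: str, key=DECOY_KEY):
    """Return every decoy account present in a CSV; non-empty means a copy of
    the seeded dataset left via a path the owner should investigate."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r["account"] for r in reader if is_decoy(r["account"], key)]


def run_check(seed: int, count: int):
    """Seed, export, scan; returns the planted and found ids for comparison."""
    seeded, planted = seed_decoys(REAL_ROWS, count, random.Random(seed))
    found = scan_for_decoys(to_csv(seeded))
    return {"rows": len(seeded), "planted": sorted(planted), "found": sorted(found)}


if __name__ == "__main__":
    result = run_check(2019, 3)
    print("decoys planted:", result["planted"])
    print("decoys found in export:", result["found"])
```

In practice the scan runs over whatever leaves the network or is pulled in bulk (export jobs, DLP captures, files recovered from an incident), and the seeding ratio is kept low enough that decoys do not disturb legitimate use of the data; the key is what separates this from a plain honeypot, since nothing about a decoy row advertises itself.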
[...]
The FBI does not take an active part in monitoring data still on the customer's network, the official who spoke with Ars on background insisted. That monitoring is done by the company that owns the network, not by the FBI. The FBI does not maintain access to the network where IDLE is deployed, and much of the deployment of the system is left to the network owner and the company employees tasked with supporting the IDLE solution.

And while the FBI helps create the "obfuscated" data using real company data, no data is retained by the FBI from the process—a concern raised by one security professional who has also seen the IDLE flyer.
[...]
Given how, despite the efforts of private industry, the volume of data breaches continues to rise—including insider threat-related cases such as the Saudi espionage effort at Twitter [arstechnica.com]—it's no surprise that the FBI is trying to raise its crime prevention game. But given how many companies deal with breaches, and the reluctance they have to bring in law enforcement for pure business reasons, it's not clear (outside the defense industrial base and other more government-connected industries) what the uptake on IDLE will be.
[...]
But for those organizations in industries increasingly targeted for data theft, the FBI's program could at the very least offer another layer of defense against threats that show no sign of going away. And as a bonus, it might make companies less reluctant to interact with the bureau on cybercrime issues—which in itself might be enough of a win for the FBI to dabble in data protection.

https://arstechnica.com/information-technology/2019/12/not-so-idle-hands-fbi-program-offers-companies-data-protection-via-deception/ [arstechnica.com]
