A new briefing from Hardenstance claims several telcos have invested in “fake or decoy IT infrastructure” with the intention of improving security and identifying fraud and other abuses perpetrated by staff. The report cites the example of an unnamed North American telco which gathered…
…enough compelling information on unauthorized and malicious behaviour of some employees to justify summarily firing them (which it did).
The decoy infrastructure can be used to lure criminals and gather data about them, just like the concept of a honeypot. Unlike conventional honeypots, these decoys are designed to tempt wrongdoers within the telco, so their existence must be kept secret from all but a few senior managers, and it must be impossible to spot any differences between the decoys and real network assets.
Part of the philosophy for deploying fake infrastructure is that it serves no legitimate business purpose, so no member of staff can have a good reason to play with it. This makes it unlikely that the decoys will generate false positives associated with honest but accidental attempts to access these assets.
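The zero-false-positive property described above is what makes decoy alerts actionable: any touch of an asset that has no business purpose is itself the signal. The following is an added illustration (not from the Hardenstance briefing or any vendor) of how a detection team would turn that into alert logic over access logs; the decoy hostnames, the `svc-vulnscan` sanctioned-scanner account, the log format and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (hypothetical hostnames): assets that exist only
# as bait, so no employee has a business reason to connect to them.
DECOY_ASSETS = {"bss-archive-07.corp.example", "hlr-backup-legacy.corp.example"}

# Accounts that legitimately touch every host (an assumed scanner identity);
# their hits are suppressed so the decoys stay free of false positives.
SANCTIONED_ACCOUNTS = {"svc-vulnscan"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def decoy_alerts(lines):
    """Group every non-sanctioned touch of a decoy asset by the account used.

    One event is enough to alert; grouping by user turns the events into an
    insider-investigation lead rather than a stream of isolated hits.
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] not in DECOY_ASSETS:
            continue  # real asset or unparseable line: not a decoy signal
        if ev["user"] in SANCTIONED_ACCOUNTS:
            continue  # expected scanner traffic, keep the decoy quiet
        hits[ev["user"]].append((ev["ts"], ev["dst"], ev["action"]))
    return dict(hits)

# Constructed sample log lines, not from any real telco.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=jdoe src=10.1.4.22 dst=crm-db-01.corp.example action=login
2024-05-01T09:14:51Z user=jdoe src=10.1.4.22 dst=bss-archive-07.corp.example action=login
2024-05-01T09:15:02Z user=jdoe src=10.1.4.22 dst=bss-archive-07.corp.example action=export
2024-05-01T22:40:10Z user=svc-vulnscan src=10.9.9.9 dst=hlr-backup-legacy.corp.example action=scan
2024-05-02T03:05:44Z user=mbrown src=10.2.7.8 dst=hlr-backup-legacy.corp.example action=login
"""

if __name__ == "__main__":
    for user, events in decoy_alerts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {len(events)} decoy touch(es): {events}")
```

In practice the decoy inventory would live outside the code and be readable only by the small group that knows the decoys exist, since the list itself reveals which assets are bait.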
The Hardenstance briefing is heavily influenced by one vendor of deception technology, Attivo Networks, and thus it is difficult to calibrate how much value this method would deliver for the average operator. Nevertheless, telcos should be open to using a broader range of techniques for identifying and preventing insider crime.
You will find the full text of the Hardenstance briefing by looking here.