Leveraging HADES for Advanced Threat Intelligence

The following is a guest post by Vince Urias and Will Stout, Cyber Security Research and Development at Sandia National Laboratories.

With the growing number and sophistication of threats, organizations are playing catch-up with cyberdefense. Security tools focus on capturing profiles of activities on specific assets in a network—such as endpoints and servers—but fall short of providing the whole picture of what is really transpiring across the enterprise in one single view. While collected information is useful, it does not deliver real value unless analysts can stitch together a holistic end-to-end picture.

Organizations take on capital and operating costs in terms of technology deployments, modifying processes and training people for the changing threat landscape. Meanwhile, in response, the adversary need only make minor changes to their operations, continuing their success with minimal investment or cost. It is uneven, incongruent and stacked against the defender.

That is why we at Sandia designed and built the High-fidelity Adaptive Deception & Emulation System (HADES) platform. While many companies offer basic programs on which HADES could run, we chose to put Splunk at its core due to Splunk’s ease of configuration. This enables the HADES project to better focus on disrupting the defender expenditure cycle with a solution that shifts the cost to the adversary.  

First, HADES solves a fundamental deception challenge—fusing human-mediated and machine-assisted deception. Contemporary deception technologies rely solely on machine-driven deception. Through the HADES interface, analysts interact directly with live attacks; the machine-driven capability fills in the gaps to drive environment fidelity and data extraction, incognito.  

Secondly, HADES enables analysts to produce and share threat intelligence as they interact with attacks—live. The gathered threat intelligence spans network, application, service and operating system indicators, and enables analysts to understand not only the attacker’s modus operandi, but also their command and control constructs.

The moment an adversary knows they are being watched, all bets are off. Thus, our goal is to provide a transparent, observable environment to let them play out their attack. HADES traces the attacker in real-time without adversarial knowledge, so that their tactics, techniques and procedures (TTPs)—as well as their tools—can be identified without tipping them off. The more a defender knows about their adversary, the better equipped they are to drop in hurdles and plan defensive measures to stay ahead.

Other companies might offer applications that could have aided HADES; in our case we chose to make Splunk central to our effort because of its customizability, streamlined integration, and technical support. With a highly instrumented environment and the Splunk platform, deep correlated introspection is realized across all assets—virtual machines, operating systems, network and payload data, and any other entity—to extract data in real-time about adversarial actions. This actionable intelligence feeds the development of adversary profiles and facilitates the tracking of lateral movement and dwell time, helping the defender stay abreast of attacks, and most importantly, take the fight to the adversary.

In a complex threat landscape, it is important we rethink defense. It is time we defeated the adversary at his own game. That is what Splunk helps us do.

Vince Urias, Cyber Security Research and Development, Sandia National Laboratories
Will Stout, Cyber Security Research and Development, Sandia National Laboratories

Posted by


Join the Discussion