Start-up's 'decoy' server helps track down hackers
PALO ALTO -- Start-up Recourse Technologies this week will release software, dubbed ManHunt, that can record would-be hackers' activities and trace intruders back across the Internet.
ManHunt serves as a "decoy" server -- a convincing mock corporate Web site -- to which hackers can be led once they break into a company's network. There they can rummage around and steal data, which, unbeknownst to them, is fake. ManHunt records the hackers' activities, providing the IS department with a detailed record of the event that can be used to track down intruders and prosecute them in court.
Break-in leads to brainchild
Recourse is the brainchild of company founders Frank Huerta and Michael Lyle, network engineers forced to cope with an embarrassing hacker break-in while employed with service provider Exodus Communications. After reporting the network break-in to the FBI's computer crimes division, Exodus learned a lot about what law enforcement needs to successfully prosecute an intruder in terms of an event log, proof of stolen files and a network trace.
According to Huerta, now president and CEO of Recourse, simply trying to break into a network by probing isn't considered a crime.
Authorities also have a hard time bringing a case if all they see from an event log is that someone broke in but only looked around, because there's no evidence of malicious intent or theft.
After the Exodus break-in, Huerta and Lyle, now Recourse chief technology officer, put together what they called a "spoofbox" at Exodus -- with the goal of capturing more useful data for legal purposes. When Exodus-managed firewalls -- in this case, those from Check Point, Cisco and Raptor -- recorded suspicious activity, the traffic was redirected to the spoofbox.
With this idea, Huerta and Lyle left Exodus to start their own venture capital-backed firm to develop spoofbox into the ManHunt product, which ships Sept. 1 for $3,500.
The new company was formed with the blessing of Exodus, which is beta-testing ManHunt in order to offer it as part of a managed security service, similar to the service provider's existing managed firewall service.
The ManHunt software sits on a Unix server on a LAN or Internet access point where a protective firewall would be able to hand off suspicious traffic to the decoy server.
As a first-generation product, ManHunt has some limitations that Huerta readily acknowledges. The software can track hackers back across different carriers' networks, but the process is still overly manual.
An important note: ManHunt only intercepts an attack when the attack is launched against a service or port protected by a firewall.
This means ManHunt will be most useful sitting behind a firewall guarding the door to an intranet. ManHunt won't be as effective shunting would-be hackers off public Web sites.
Next year Recourse plans to release TipOff, host-based software that delivers bad news.
"Hackers typically know how to cover their tracks, they're often very good at it," Huerta says. "But TipOff will tell if you have been hacked."