Attivo Networks Blogs

Decoy system diverts hackers from critical infrastructure

Scientists at the Pacific Northwest National Laboratory have created a cybersecurity technology designed to stop hackers from damaging critical infrastructure networks by luring them instead into an artificial world and feeding them false signals of success.

Shadow Figment is based on honeypots, which attract hackers by providing what appears to be an easy target so cybersecurity researchers can study the attackers’ methods.

PNNL’s technology uses a machine-learning-enhanced honeypot that learns from observing the real-world operational-technology system where it is installed. It responds to an attack by sending signals indicating that the system under attack is responding in plausible ways. This “model-driven dynamic deception” is much more realistic than a static decoy, PNNL officials said in a recent release.

The strategy is to keep attackers engaged, “giving our defenders extra time to respond,” said Thomas Edgar, a PNNL cybersecurity researcher who led the development of the technology.

In cyber-physical systems supporting critical infrastructure, the number of potential targets — such as valves, controls, pumps, sensors, chillers and so on — is practically limitless. Hackers inserting false data into a single system could trigger safety procedures that shut down power and water distribution.

Shadow Figment creates interactive clones of operational technology systems that behave just as experienced operators and cyber criminals would expect. If a hacker turns off a fan in a server room in the artificial world, PNNL officials said, the program would respond realistically by signaling that air movement has slowed and the temperature is rising. The ruse would hopefully keep bad actors engaged with the mirror system where they can do no harm.

“Even a few minutes is sometimes all you need to stop an attack,” Edgar said. “But Shadow Figment needs to be one piece of a broader program of cybersecurity defense. There is no one solution that is a magic bullet.”

The technology, which is one of five cybersecurity technologies created by PNNL and packaged together in a suite called PACiFiC, has been licensed to Attivo Networks.

“This cybersecurity tool has far-reaching applications in government and private sectors—from city municipalities, to utilities, to banking institutions, manufacturing, and even health providers,” said Kannan Krishnaswami, a commercialization manager at PNNL.

Read the original article on GCN.
