Attivo Networks Blogs

Researchers create ‘Shadow Figment’ cybersecurity decoy tech that lures attackers into a fake world

Geek Wire logo

Over the past several years, hackers have increasingly targeted the physical systems we rely on to run our society. Electrical utilities, food processing plants, and aluminum producers are only a few of the industries that have recently been attacked, resulting in tremendous supply chain disruptions.

Fortunately, innovative research at Pacific Northwest National Laboratory is bringing a new tool to the battle against this kind of cybercrime. They call it Shadow Figment.

Using machine learning techniques, Shadow Figment puts a new spin on the concept known as a “honeypot.” In computing, honeypots are traditionally a region of a site or network that contains what appears to be legitimate files and other information. This is used to lure and track hackers, helping to identify the methods and techniques they use to gain access.

But as intrusion methods and the cybersecurity field itself have developed, more sophisticated decoy techniques have been needed. Shadow Figment meets this need by generating an illusion to make intruders think they have breached a working industrial control system when they’re actually isolated in a false representation of the facility.

“The goal is to create a decoy of a specific control system so that an advanced attacker who’s targeting it believes they’ve found what their looking for,” explained Thomas Edgar, the cybersecurity researcher who led the PNNL project. “For instance, the decoys need to look like they’re part of an electrical system or part of a pipeline.”

Unlike data networks, industrial control systems (ICS) utilize countless instruments and sensors in order to operate. So, while a static decoy system may be suitable for a data honeypot, ICS decoys need to be much more dynamic and interactive in order to be convincing. The goal of keeping the hacker engaged requires a convincing system that can provide the necessary feedback to make them believe they’ve gained access to a legitimate target.

“The intruder will start probing to see what this sensor is monitoring and what that controller is controlling,” said Edgar. “This way they can identify what their targets are.”

Cybersecurity specialists generally want to keep hackers in the honeypot for as long as possible, not only to learn about their techniques, but to also identify the weaknesses in the system so they can be addressed. Shadow Figment does this by letting the intruder believe they’re making progress, regularly rewarding them with false indications that their actions are having real results. This consumes their time and diverts the attacker from real assets, data and resources.

Accurately representing hundreds, even thousands of sensors and controllers is a huge amount of work, especially when it needs to be done for many distinctly different types of control systems. Shadow Figment’s machine learning approach achieves this by learning the expected outputs from the actual system. Using extrapolative machine learning techniques on the control system’s software back end, Shadow Figment is trained on the equations of the data that are being generated in order to create its models.

From there, it can then simulate realistic behaviors, producing convincing outputs in response to the intruder’s actions.

“We’re buying time so the defenders can take action to stop bad things from happening,” Edgar said. “Even a few minutes is sometimes all you need to stop an attack. But Shadow Figment needs to be one piece of a broader program of cybersecurity defense. There is no one solution that is a magic bullet.”

The development of Shadow Figment and this approach is very timely. The number and severity of attacks on ICS facilities have ratcheted up significantly during the past year’s pandemic. Given the potentially thousands of sensors, controllers, valves, heaters, pumps and so forth that might be accessed, it’s challenging to anticipate every vulnerability of an industrial control system. Once malicious actors compromise a facility, they can potentially generate false readings, alter chemical mixtures or overheat critical parts.

The potential for destruction and even death is growing. In February, a Florida water treatment facility was infiltrated by a relatively novice hacker. The attacker attempted to increase the amount of sodium hydroxide – also known as lye – in the city’s water supply to what could have been lethal levels. Had the attacker been more sophisticated and concealed their presence, their actions might have been disastrous.

There still remain many kinds of vulnerabilities that deception defenses like Shadow Figment can’t protect against. For instance, the recent attack on the Colonial Pipeline that shut down nearly half of the fuel supply to the East Coast of the U.S. was the result of ransomware that locked up the company’s billing system. While the physical pipeline itself wasn’t compromised, it was shut down to prevent possible spread of the infection. Regardless of the method used, such attacks are not only becoming increasingly expensive, but disruptive as well.

Given the growing need for new tools to prevent such attacks, PNNL has developed its Proactive Adaptive Cybersecurity for Control suite (PACiFiC). Conceived as a new approach to automated threat detection, the suite provides the means to make control systems measurably more secure, reliable, robust, and resilient. Shadow Figment is one of five cybersecurity tools designed for the suite.

PNNL has applied for a patent on Shadow Figment, which is being developed into a commercial product by Fremont, Calif.-based Attivo Networks under a nonexclusive license. The results of the PNNL team’s research were published in the Journal of Information Warfare this past spring.

Since the early days of the internet, the sophistication and prevalence of cybercrime has grown exponentially. From relatively few incidents in the early 1990s, the global cost of all forms of cybercrime have skyrocketed. A recent estimate by research firm Cybersecurity Ventures estimated the global cost of cybercrime had risen to $6 trillion in 2020.

In combating this explosive growth, the cybersecurity industry has advanced in tandem, developing tools for securing networks and recovering lost data against such intrusion. Shadow Figment and PACiFiC are one more set of tools that are helping to make a difference.

Read the original article by Richard Yonck on Geekwire.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

one + 18 =

Ready to find out what’s lurking in your network?

Scroll to Top