Security lessons from Nature – Playing Dead

The natural world is resplendent with stories of animals that play dead. Some are well known, such as the opossum and the hognose and grass snakes. Others, such as the lemon shark, parasitic wasps and brittle stars are less well known. What is interesting, though, is that this behavior is common across many families of animals.

The root of this behavior is that an animal that is dead is likely less appetizing to an attacking predator than one that is alive. Some even go so far as to foul themselves and release blood from their mouths to be very convincing. In many cases, it works. The attacker looks at the critter, maybe paws it a bit, and then wanders off to find something better.

Wouldn’t it be nice if we could use this same technique in our everyday businesses?

Well, in a way we can. Many systems are built to detect attacks and deny traffic. This is much like a turtle hiding in it’s shell. The attacker knows that the attack was detected, and all it has to do is wait or attack from a different direction when it’s blocked. However, if you can make the system unpalatable, the attacker might just stop altogether. What if, instead of just doing a deny, you redirected that traffic to a honeypot or system in an error state. If the attacker started getting back error pages or saw services stopping, they might conclude that they broke something. Thus, instead of constantly trying, they might go on to something else.

Now, it’s important to note that, like most defenses, this one is not perfect. Some attackers would just break into the system faster than you could “play dead”. Others might persist in the attack until they get in, whether or not you are dead. This defense, much like in nature, would only function against non-persistent attackers. It might, however, be a good way to identify which attackers are persistent. That might help you determine and reasonable and targeted defense system.