Secure anonymised communications with Dispel
16 May 2016 | 0
The phenomenon of CEO phishing has become all too common lately, and has had a number of well publicised victims.
However, it is not just the CEO that needs protection. Lawyers, chief finance officers, deal negotiators and even researchers are often regarded as viable, valuable targets for black hats.
While protected communications for high value individuals is nothing new, the approach taken by Dispel is.
Dispel uses what it terms ‘ephemeral infrastructure’ to anonymise the communications infrastructure for subscribers to its service that makes tracking, and consequently targeting, almost impossible.
“We flipped the model on its head, away from the castle model, to where no one can even identify where you are and where your infrastructure is, because you can’t attack what you cannot find. That created the idea of ephemeral infrastructure,” said Ethan Schmertzler, co-founder and CEO of Dispel.
“If you think about some of the classic infrastructure, even it is hosted on a cloud computer, it’s pretty static and people know where you connect to.”
Schmertzler observed that a bit of social engineering combined with fairly common tools and basic skills could allow hackers to identify common tools such as VPN connections or secure tools sued by travelling executives. Once connections, devices or IP addresses have been identified, they can be targeted and hacked.
A good example, said Schmertzler, is a reporter from a well-known media outlet. If that reporter goes to a hot zone and connects back, that creates a target because they are connecting back into an infrastructure point that can potentially identify them. Even the use of something like Tor can create a flag and potentially identify them in broad terms.
Dispel sought to create a better system that prevents easy identification, and thus targeting. It does this by taking each of the component that makes up the communications path and hosts it each one in different parts of the cloud. Each time the user connects, a random assortment of the components is brought together to facilitate, but should anyone else try to connect, they would be refused, as only one user is authorised for that infrastructure configuration.
The service is integrated with six cloud providers, so far, to host containerised deployments of infrastructure, and then move them around the various hosts, said Schmertzler. The user never sees this, and it affords them anonymity that is not going to draw attention in the manner of some of the other options.
The back end of the technology is moving the components around in the infrastructure in a way that cannot be predicted by a third party. All anyone can see is a random IP connecting to a random service that has no affiliation back to anything that would raise a flag, he said.
If someone does try to connect to a service that has been used by a Dispel user, then they can be bounced off to somewhere innocuous, said Schmertzler.
“It prevents hackers from creating any concrete target profile to begin an attack.”
Dispel began with what are described as two large institutional customers, but as the solution developed, it is now available as a service for individuals, and as an appliance that can be deployed by organisations to protect work groups, departments or entire organisations.
Schmertzler said Dispel is “usually adopted in enterprise to protect C Suite, because those are the people who are the most critical.” But increasingly, the service is being taken up by anyone who wants discrete, secure communications that will not attract unwanted attention.
Companies often adopt on a person by person basis, Schmertzler said, and then expand to a building or department level. A Layer 7 gateway device can handle large numbers of people and multiple connections. This can anonymise outbound connections typically, making it impossible to track the patterns to predict what is going on. This is important in industries such as financial services, market trading or pharmachem.
For enterprise customers the basic model has been developed to give them anonymised connections and virtual air gap computers (VDI built in an ephemeral cloud). There is also voice and video chat, file sharing and a few other capabilities, he said.
It scales well, and a single “wheel” or the core components to provide the service, scales out to about 10,000 users. The more people you add to it, the more cost effective it becomes.
For individual customers can sign up for $19 per month.