Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Beyond honeypots: It takes a honeytoken to catch a thief

Roger A. Grimes | April 17, 2013
Honeypots tell you who's attacking. But to catch individuals -- including suspected insiders -- honeytokens let you home in

Last week I talked about the importance of deploying honeypots to catch malicious hackers and malware. But there's a related tool that's craftier and even easier to deploy: the honeytoken.

Honeytokens contain digital data created and monitored solely as indicators of digital theft. They can be real data containing a "marker" -- fake data that simply doesn't exist in the real world, at least within a given enterprise. They can be used to track malicious outsiders or insiders engaging in unauthorized activity. There are many types of honeytokens and many methods of tracking; choose yours based on your specific concerns and threat models.

Honeytokens have been used since the beginning of computer crime defense -- including a clever version hatched by Clifford Stoll, early honeypot user and author of "The Cuckoo's Egg," a book based on his cyber crime fighting adventures back in 1986 and 1987.

Stoll, on the cyber trail of a German hacker, created fake content that led the hacker to believe he could request additional information on a particular subject through the mail. The address led to Stoll. The hacker downloaded the fake content, read about the information request, and sent Stoll his real return address. Stoll was able to convert a hidden, online digital identity to a physical address and person. My honeytokens should be so lucky!

Fake out the bad guys
Many companies have used simple honeytokens composed of fake email addresses, user accounts, database data, or even false programs and executables.

Fake email accounts have long been used to capture or get early warning of spammers. Many companies create fake email accounts and either leave them sitting in plain sight on the mail server or place them in non-publicly accessible locations with a public-facing Web server. The idea is that the fake email address is never used, and thus would have no valid reason for receiving spam. Receiving unrequested email to the honeytoken email address indicates that someone has accessed the company's internal email list or compromised a public Web server.

Another approach is to insert fake data that's highly unlikely to exist in the real world into a real database. For example, honeytoken names could be nonsensical, such as Barbx Zoologic, Roger Exinegg, and so on -- or they could be celebrity names that have no association with the company. One enterprise I know used the entire Kiss lineup: Ace Frehley, Gene Simmons, Peter Criss, and Paul Stanley. It worked! Attackers sucked up the band member names in a malicious data haul and gave the organization the clues it needed to close the right exploit holes.

A few companies go as far as creating fake executables, which if stolen by the attacker and executed, will "dial home" and send details of the hacker's environment, such as the IP address, found names, and so on. I'm not a big fan of these types of honeytokens, for two reasons: First, compromising an attacker's machine with your own Trojan and sending back information is illegal in many countries; you can't break into a thief's house just because he broke into yours. Second, I can't believe that attackers who are smart enough to break into your environment and steal your data would randomly execute a program without some sort of protection, such as blocking all ports to the Internet.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.