BLOG: Beyond honeypots: It takes a honeytoken to catch a thief

Roger A. Grimes | April 17, 2013
Honeypots tell you who's attacking. But to catch individuals -- including suspected insiders -- honeytokens let you home in

For a more effective approach, you can try honeytokens composed of real data containing hidden, embedded links that can dial home. A simple example is a rigged PDF file, which, when opened, dials home using JavaScript. But even that approach is a little too likely to be foiled or discovered.

Use Web beacons
If you really want to catch a thief, why not think like a marketer? Online advertisers are great at tracking us and our behavior over different websites, devices, and time.

One popular technique is the Web beacon, a Web link to a very small embedded object such as a one-pixel, transparent picture file. A Web beacon can be included in all sorts of real documents and is not likely to be noticed. But when the viewer opens the content with the embedded Web beacon link, the computer will dial home to provide the Web beacon graphic. When the viewer's computer connects back to the originating server, the server's administrators can discover information about the viewer, including the Internet egress IP address, operating system, browser version, and sometimes email address as well as other identifying information. 

The problem with hidden, embedded Web beacons is that, again, the thief can view the information in a safe environment not connected to the Internet, block outgoing ports, and so on.

Leave cookies lying round

As a honeytoken, the humble browser cookie may be a better choice. If your honeytoken plan includes the ability to place a cookie on the attacker's computer, you can track the attacker just like Google and its DoubleClick entity do on a regular basis. Alternatively, you can use Adobe Flash tracking mechanisms.

Wait, you ask, what hackers would be clueless enough to allow Web beacons or cookies to track them? Well, individually, hackers are pretty smart. But groups of hackers, which are behind most attacks today, often have at least one individual who messes up and leads the authorities to discover true identities and physical locations.

All it takes is one bad guy accidentally using his nonspy fake email address on the wrong website that can then be linked to his secret identity. This happens all the time. If you don't believe me, see Brian Krebs' website, where you can find many examples of how he successfully tracked "secret" online identities to the real person. It's not as hard as you think.

Trap canaries
Honeytraps have also been used to identify insiders leaking information to unauthorized outsiders. In the so-called canary trap, you send (or allow access to) a nearly identical copy of a document to each suspected leaker within a group of suspects. Each honeytoken document is identical except for a unique marker, which ties the receiver to that document.
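
The canary trap described above can be sketched in a few lines. This is an added example, not code from the article: the key, document ID, suspect names, memo text, and the visible "Ref:" marker format are all constructed assumptions. Each marker is derived with an HMAC, so a leaked copy can be attributed later without keeping a table of who received which marker.

```python
import hashlib
import hmac
import re

# Constructed values for illustration only (assumptions, not from the article).
SECRET_KEY = b"constructed-demo-key-keep-offline"
DOC_ID = "Q3-reorg-memo"
SUSPECTS = ["alice", "bob", "carol"]
TEMPLATE = "Reorganization plan: the branch office closes in Q3.\nRef: {marker}\n"
MARKER_RE = re.compile(r"Ref: ([0-9a-f]{12})")


def marker_for(recipient: str, doc_id: str = DOC_ID) -> str:
    """Derive the recipient's unique marker from a keyed hash of document and name."""
    msg = f"{doc_id}|{recipient}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:12]


def make_copy(recipient: str) -> str:
    """Produce the copy given to one suspect: identical text, unique marker."""
    return TEMPLATE.format(marker=marker_for(recipient))


def attribute(leaked_text: str, suspects=SUSPECTS):
    """Return the suspect whose marker appears in the leaked text, or None."""
    found = MARKER_RE.search(leaked_text)
    if not found:
        return None  # marker stripped or text retyped: nothing to attribute
    for name in suspects:
        if hmac.compare_digest(found.group(1), marker_for(name)):
            return name
    return None  # a marker is present, but it is not one issued for this document


if __name__ == "__main__":
    copies = {name: make_copy(name) for name in SUSPECTS}
    leaked = "FWD: " + copies["bob"]  # constructed leak of one suspect's copy
    print("Leaked copy traces to:", attribute(leaked))
```

A missing or unrecognized marker returns no attribution rather than a guess, which matters when a leaked copy has been retyped or when the marker comes from a different document.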

