
BLOG: Beyond honeypots: It takes a honeytoken to catch a thief

Roger A. Grimes | April 17, 2013
Honeypots tell you who's attacking. But to catch individuals -- including suspected insiders -- honeytokens let you home in

For example, the Screen Actors Guild (SAG) grew tired of its members leaking copies of movies submitted for Oscar consideration to people outside of the organization. This has happened for a long time, but such instances increased in the digital age. SAG told its members they were specifically marking each movie sent to them and not to share the copy. Turns out that fair warning is not enough: At least one SAG member was caught leaking movies and was punished accordingly.

I've seen canary trap markers that were simply a few unique bits on a retouched digital photo. In one case, the encoded values were the plain text representations of the suspect's employee ID. But unless you are looking for it, you'd never know.

Not that canary traps are foolproof -- all a suspicious perpetrator needs to do is compare the digital data to another representation and recapture the data in digital form. For example, in the case of an encoded picture file, you could print out the picture, take a picture of it, and reconvert it to another file format before sending it along. For every offense there is a defense.
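To make the two preceding paragraphs concrete, here is an added example (not code from the original article) of the kind of marker described: a short identifier such as an employee ID written into the least significant bits of an image's pixel values, plus an extractor, plus a simulated "print and re-photograph" step that shows why such a marker does not survive re-capture. The image is a constructed list of 8-bit grey values rather than a real photo, and the `CT1` prefix, the `EMP-04217` identifier and the one-grey-level drift model are all assumptions for the demo.

```python
"""
Added example: a minimal canary-trap marker hidden in pixel least-significant
bits (LSBs), and a demonstration of its fragility under re-capture.
The 'image' is a constructed list of 8-bit grey values; no image library needed.
"""
import random

MAGIC = b"CT1"   # constructed prefix so extraction can tell a real marker from noise


def embed_marker(pixels, marker):
    """Return a copy of `pixels` with MAGIC + marker + NUL written into the LSBs."""
    payload = MAGIC + marker.encode("ascii") + b"\x00"
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]  # MSB first
    if len(bits) > len(pixels):
        raise ValueError("image too small for marker")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # overwrite only the lowest bit
    return out


def extract_marker(pixels):
    """Read the LSB stream; return the marker text, or None if MAGIC is absent."""
    data = bytearray()
    for start in range(0, len(pixels) - 7, 8):
        byte = 0
        for px in pixels[start:start + 8]:
            byte = (byte << 1) | (px & 1)
        data.append(byte)
        if byte == 0 and len(data) > len(MAGIC):
            break                              # hit the NUL terminator
    if not data.startswith(MAGIC):
        return None
    end = data.find(b"\x00", len(MAGIC))
    if end == -1:
        return None
    return data[len(MAGIC):end].decode("ascii", errors="replace")


def relossy_copy(pixels):
    """Simulate print-and-rephotograph: every grey value drifts by one level.
    (Assumed noise model for the demo; real re-capture is messier, not gentler.)"""
    rng = random.Random(7)   # fixed seed so the demo is repeatable
    return [min(255, max(0, px + rng.choice((-1, 1)))) for px in pixels]


def make_sample_image(width=64, height=64):
    """Constructed grey-scale gradient standing in for a retouched photo."""
    return [(x + y) % 256 for y in range(height) for x in range(width)]


if __name__ == "__main__":
    image = make_sample_image()
    marked = embed_marker(image, "EMP-04217")   # constructed employee ID
    print("recovered from marked copy:", extract_marker(marked))
    print("recovered after re-capture: ", extract_marker(relossy_copy(marked)))
```

The marked copy round-trips the identifier, an unmarked image yields nothing, and the re-captured copy loses the marker entirely: an LSB mark is invisible to a casual viewer but survives only a bit-exact copy, which is exactly the gap the article's print-and-rephotograph defense exploits. Robust tracing marks spread the identifier across many pixels with error correction instead of trusting individual low-order bits.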

A canary trap can also be used to identify specific compromised resources. One popular approach is to create fake emails that contain unique URLs, which, if read by attackers, would lead them to probe the link. Each of these unique emails can be placed in a high-value target -- for example, a CEO or CFO email inbox. If the attacker gains access to the inbox, the email would encourage the hacker to try the link. Sitting on the receiving side of the URL request is a fake website (a honeypot), which alerts the incident response team that the email inbox has been compromised.

Honeytoken sticking points
Using honeytokens is considered a low-cost, high-value way to find a previously "undetectable" hacker. But there are challenges.

The first and most common challenge is in making the honeytoken seem real and attractive to attackers. If you're going to create a canary trap, you'll need to devise a way, hopefully automated, to uniquely mark the honeytoken. Then you need a way to track which honeytokens you placed where. It's easy, especially over the years, to lose track of where you placed fake documents and what threats they were designed to flush out.

The biggest challenge of all is to devise an alert mechanism when someone takes the honeytoken bait. For some placements, it can be as easy as turning on file access auditing. Other deployments will require dial-home mechanisms (and all their inherent risks and challenges) or separate detection of the honeytoken outside of its original placement. Some companies use host intrusion detection systems, some use sniffers, and still others use advanced data leak protection systems. There's even a small cottage industry of firms that scour the Internet looking for evidence of your company's honeytoken data.
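The unique-URL canary email described above, the bookkeeping problem of tracking which token went where, and the alerting problem just discussed fit together in one small piece of code. The following is an added example written for this page, not code from the original article or from any vendor product: a registry that mints one unguessable URL per placement and remembers why it was planted, and a log scanner that turns a hit on that URL into an alert naming the placement. The host name `docs.example.com`, the `/share/` path scheme, the HMAC tag and every log line are constructed for the demo.

```python
"""
Added example: a honeytoken URL registry plus an access-log alert routine.
All host names, paths and log lines are constructed placeholders.
"""
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone

HONEYPOT_HOST = "docs.example.com"      # assumed host of the fake "document" site


class HoneytokenRegistry:
    """Tracks which unique URL was planted where, for what purpose, and who tripped it."""

    def __init__(self, secret: bytes):
        self._secret = secret          # HMAC key: makes tokens unforgeable, not just random
        self._placements = {}          # token -> placement record

    def _tag(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()[:8]

    def mint(self, placement: str, purpose: str) -> str:
        """Create one unique URL for one placement (e.g. a single executive's inbox)."""
        token = secrets.token_hex(8)
        self._placements[token] = {
            "placement": placement, "purpose": purpose,
            "created": datetime.now(timezone.utc).isoformat(), "hits": [],
        }
        return f"https://{HONEYPOT_HOST}/share/{token}-{self._tag(token)}"

    def lookup(self, path: str):
        """Return the placement record if `path` is one of our tokens, else None."""
        m = re.fullmatch(r"/share/([0-9a-f]{16})-([0-9a-f]{8})", path)
        if not m:
            return None
        token, tag = m.groups()
        if not hmac.compare_digest(tag, self._tag(token)):
            return None                # well-formed but forged or mistyped: not a trip
        return self._placements.get(token)


# Apache/nginx "combined" format: client, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def check_access_log(registry: HoneytokenRegistry, log_lines):
    """Scan log lines; return one alert dict per request that hit a live honeytoken."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # not a request line we understand; skip it
        client, when, method, path, status = m.groups()
        record = registry.lookup(path.split("?", 1)[0])   # ignore any query string
        if record is None:
            continue
        hit = {"client": client, "time": when, "method": method, "status": status}
        record["hits"].append(hit)     # keep history on the placement itself
        alerts.append({"placement": record["placement"],
                       "purpose": record["purpose"], **hit})
    return alerts


def demo():
    """Plant two tokens, feed constructed log lines, return the resulting alerts."""
    reg = HoneytokenRegistry(b"constructed-demo-secret")
    reg.mint("ceo-inbox", "detect mailbox compromise")
    cfo_url = reg.mint("cfo-inbox", "detect mailbox compromise")
    cfo_path = cfo_url.split(HONEYPOT_HOST, 1)[1]
    forged = "/share/" + "0" * 16 + "-" + "0" * 8   # right shape, wrong tag
    lines = [  # constructed log lines
        f'198.51.100.7 - - [17/Apr/2013:09:58:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        f'203.0.113.9 - - [17/Apr/2013:10:01:02 +0000] "GET {cfo_path}?v=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'203.0.113.9 - - [17/Apr/2013:10:01:05 +0000] "GET {forged} HTTP/1.1" 404 0 "-" "curl/7.29"',
    ]
    return check_access_log(reg, lines)


if __name__ == "__main__":
    for alert in demo():
        print("HONEYTOKEN TRIPPED:", alert)
```

Only the CFO placement fires: the ordinary page view is ignored and the forged path is rejected because its HMAC tag does not verify, so scanners or typos that happen to guess the URL shape do not page the incident response team. The registry record is the answer to the article's "where did I put it?" problem; persist it somewhere durable, because a token planted today may not be tripped for years.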

It's worth working out the kinks. If you're tired of the same old computer security defenses failing and you want something that really works when managed properly, look into honeytokens.
