HoneyToken
What is a HoneyToken?
A “honeytoken” (or “honey token”) is a cybersecurity concept that involves using a piece of fake or deliberately misleading information to detect unauthorized access or monitor malicious activity.
Honeytokens can be extremely valuable in identifying breaches or unauthorized access because they are rarely used by legitimate users. Therefore, any activity involving a honeytoken is highly likely to be malicious in nature. Monitoring honeytoken activity can provide insights into the methods and techniques used by attackers, as well as help organizations respond more quickly to security incidents.
Honeytoken vs. Honeypot
Unlike honey pots or honey accounts, which simulate entire systems or accounts, honeytokens are typically discrete pieces of data that are placed within a system or network but are not supposed to be accessed or used by legitimate users. For example, a honeytoken could be a fake username and password, a specific file with an enticing name, a URL, or an email address that doesn’t correspond to an actual user. If any of these honeytokens are accessed or used, it’s a clear sign that unauthorized activity is occurring.
Benefits of Utilizing Honeytokens
There are several benefits to using honeytokens:
- Proactive Threat Identification – Deploying Honeytokens (and Honey Accounts) goes beyond traditional cybersecurity approaches. They proactively identify threats by luring attackers and forcing them to reveal themselves.
- Boost to Existing Security Measures – Honeytokens act as an additional defensive layer, providing deception-based identity threat detection and response (ITDR). This is a necessary detection layer for a defense-in-depth approach to identity protection.
- Negligible Impact on System Performance – With automated solutions like Acalvio Honey Accounts and Honeytokens, deployment is scalable and across multiple AD domains and many endpoints. The solution is easy to adopt and does not require any additional component to be installed in the customer environment
- Adaptability – Detection by deploying Honeytokens is not dependent on signatures, network traffic, or the availability of logs and is agnostic to attacker TTPs. This enables detection of current and emerging identity threats.
- Enhanced Threat Intelligence – Together, Honey Accounts and Honeytokens enable early and precise detection of identity threats. Any usage of these deceptive artifacts results in an actionable alert. They lure and detect attackers early, divert, confuse, and slow them down – all while gathering valuable intelligence.
How Do Honeytokens Function?
When an attacker interacts with a honeytoken, the organization’s security team is alerted. This allows the team to take action to prevent the attack from succeeding, such as blocking the attacker’s IP address or isolating the affected system.
Deployment
Deploying and refreshing honeytokens at scale across a large number of endpoints cannot be done manually. IT automation also would not solve this issue, as the honeytokens need to be created based on deep domain knowledge of deception technology, for the honeytokens to appear realistic and appear attractive to attackers.
Enterprises must have a platform to operationalize honeytokens for effective identity security solutions.
Detection
Honeytokens are usually deployed in association with Honey Accounts. Both these are deceptive artifacts and legitimate users will have no reason to interact with either. Whenever any activity is detected that originates from these deceptive artifacts, it is a high-fidelity indicator of malicious activity.
Incident response
Honeytokens are a proactive form of cyberdefense. By deploying honeytokens, cybersecurity teams can force or lure attackers into revealing themselves instead of waiting for an attack against a real asset. When any form of activity is detected against a honeytoken, or a honey account associated with a honeytoken, an incident is logged. The security team can configure response policies to determine further action. The endpoint from where the suspicious activity originated can be isolated or quarantined.
Different Types of Honeytokens
Some of the most common types of honeytokens include:
File-based honeytokens
These are files that are created on the organization’s file system and are named in a way that is likely to attract attackers, such as “passwords.txt” or “financial records.xlsx”. File-based honeytokens can be used to detect credential harvesting and data exfiltration attacks.
Database honeytokens
These are records that are inserted into the organization’s database and are made to look like real data, but they will actually contain meaningless or misleading information. Database honeytokens can be used to detect data exfiltration attacks and to gather intelligence about attackers.
Network traffic honeytokens
These are packets that are sent over the organization’s network and are made to look like legitimate traffic, but they will actually contain no useful information. Network traffic honeytokens can be used to detect reconnaissance and scanning activities.
Session honeytokens
These are tokens that are used to authenticate users to a system. Session honeytokens can be used to detect credential harvesting attacks.
Canary tokens
These are honeytokens that are deliberately exposed to attackers. Canary tokens are used to detect when an attacker has gained access to a system.
Data-based honeytokens
These could be in the form of fake user credentials or access credentials. They could be inserted in a database, along with other data. Any attempt at using these honeytokens will be a high-fidelity sign of malicious activity.
Token-based honeytokens
These types of honeytokens could be in the form of access tokens or API keys. Legitimate users will have no reason to employ these keys and so these are a good way to force attackers to reveal themselves.
Web-based honeytokens
These honeytokens can be in the form of URLs or links to decoy web pages that no legitimate network user will need to access . Accessing these triggers a high-fidelity alert for the cybersecurity team.
Email Addresses
This is one honeytoken type, where fake email addresses are inserted into system resources and mailing lists. They can indicate if the mailing list has been hacked.
Browser Cookies
These types of honeytokens can provide information on the activities of attackers once they are inside the system. They are a useful way to track and analyze attacker behavior.
AWS Keys
Amazon Web Services Keys are digitally signed keys that provide access within the AWS infrastructure. Attackers target these keys because they can gain access to network resources through them, including administrator-level access. Using decoy AWS keys as honeytokens can give the cybersecurity team the opportunity to trap attackers without compromising real network assets.
Best Practices for Honeytoken Implementation
Implementing and deploying honeytokens so that they will blend into the network and also lure attackers requires deep domain knowledge and a scalable, automated platform. Best practices include:
- Deploy the right type of honeytokens across different domains so that they do not stand out as obvious lures.
- Integrate honeytokens with existing security infrastructure.
- Regularly update and refresh honeytokens.
- Use an automated deployment solution that is scalable and efficient to deploy honeytokens at scale across domains and on several endpoints.
How does Acalvio use HoneyTokens for identity security?
Acalvio provides an enterprise-scale implementation of Honey Accounts and HoneyTokens with automated life cycle management.
Acalvio Honey Accounts are deceptive accounts (representing human and service accounts) created in the Active Directory (AD) that are specifically designed to lure attackers and deflect them away from real identities.
HoneyTokens are deceptive credentials and data that are embedded in legitimate assets such as endpoints and cloud workloads. Any usage or manipulation of these deception artifacts is a very reliable indicator of an identity threat.
Acalvio recommends the count and types of Honey Accounts that can be registered on CrowdStrike. Acalvio also deploys HoneyTokens on endpoints. CrowdStrike monitors the activity on Honey Accounts and effectively blocks the identity threat based on that information.
Available on the CrowdStrike Store, the solution empowers customers to use Acalvio’s HoneyTokens and Honey Accounts seamlessly to detect identity threats.