Beyond honeypots: It takes a honeytoken to catch a thief

Honeypots tell you who's attacking. But to catch individuals -- including suspected insiders -- honeytokens let you home in

Last week I talked about the importance of deploying honeypots to catch malicious hackers and malware. But there's a related tool that's craftier and even easier to deploy: the honeytoken.

Honeytokens contain digital data created and monitored solely as indicators of digital theft. They can be real data containing a "marker" -- fake data that simply doesn't exist in the real world, at least within a given enterprise. They can be used to track malicious outsiders or insiders engaging in unauthorized activity. There are many types of honeytokens and many methods of tracking; choose yours based on your specific concerns and threat models.

[ No honeypot? Don't bother calling yourself a security pro. | Learn how to secure your systems with the Web Browser Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]

Honeytokens have been used since the beginning of computer crime defense -- including a clever version hatched by Clifford Stoll, early honeypot user and author of "The Cuckoo's Egg," a book based on his cyber crime fighting adventures back in 1986 and 1987.

Stoll, on the cyber trail of a German hacker, created fake content that led the hacker to believe he could request additional information on a particular subject through the mail. The address led to Stoll. The hacker downloaded the fake content, read about the information request, and sent Stoll his real return address. Stoll was able to convert a hidden, online digital identity to a physical address and person. My honeytokens should be so lucky!

Fake out the bad guys
Many companies have used simple honeytokens composed of fake email addresses, user accounts, database data, or even false programs and executables.

Fake email accounts have long been used to capture or get early warning of spammers. Many companies create fake email accounts and either leave them sitting in plain sight on the mail server or place them in non-publicly accessible locations with a public-facing Web server. The idea is that the fake email address is never used, and thus would have no valid reason for receiving spam. Receiving unrequested email to the honeytoken email address indicates that someone has accessed the company's internal email list or compromised a public Web server.

Another approach is to insert fake data that's highly unlikely to exist in the real world into a real database. For example, honeytoken names could be nonsensical, such as Barbx Zoologic, Roger Exinegg, and so on -- or they could be celebrity names that have no association with the company. One enterprise I know used the entire Kiss lineup: Ace Frehley, Gene Simmons, Peter Criss, and Paul Stanley. It worked! Attackers sucked up the band member names in a malicious data haul and gave the organization the clues it needed to close the right exploit holes.

A few companies go as far as creating fake executables, which if stolen by the attacker and executed, will "dial home" and send details of the hacker's environment, such as the IP address, found names, and so on. I'm not a big fan of these types of honeytokens, for two reasons: First, compromising an attacker's machine with your own Trojan and sending back information is illegal in many countries; you can't break into a thief's house just because he broke into yours. Second, I can't believe that attackers who are smart enough to break into your environment and steal your data would randomly execute a program without some sort of protection, such as blocking all ports to the Internet.

For a more effective approach, you can try honeytokens composed of real data containing hidden, embedded links that can dial home. A simple example is a rigged PDF file, which, when opened, dials home using JavaScript. But even that approach is a little too likely to be foiled or discovered.

Use Web beacons
If you really want to catch a thief, why not think like a marketer? Online advertisers are great at tracking us and our behavior over different websites, devices, and time.

One popular technique is the Web beacon, a Web link to a very small embedded object such as a one-pixel, transparent picture file. A Web beacon can be included in all sorts of real documents and is not likely to be noticed. But when the viewer opens the content with the embedded Web beacon link, the computer will dial home to provide the Web beacon graphic. When the viewer's computer connects back to the originating server, the server's administrators can discover information about the viewer, including the Internet egress IP address, operating system, browser version, and sometimes email address as well as other identifying information.

The problem with hidden, embedded Web beacons is that, again, the thief can view the information in a safe environment not connected to the Internet, block outgoing ports, and so on.

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies