Beyond honeypots: It takes a honeytoken to catch a thief

Honeypots tell you who's attacking. But to catch individuals -- including suspected insiders -- honeytokens let you home in

1 2 Page 2
Page 2 of 2

Leave cookies lying round
As a honeytoken, the humble browser cookie may be a better choice. If your honeytoken plan includes the ability to place a cookie on the attacker's computer, you can track the attacker just like Google and its DoubleClick entity do on a regular basis. Alternatively, you can use Adobe Flash tracking mechanisms.

Wait, you ask, what hackers would be clueless enough to allow Web beacons or cookies to track them? Well, individually, hackers are pretty smart. But groups of hackers, which are behind most attacks today, often have at least one individual who messes up and leads the authorities to discover true identities and physical locations.

All it takes is one bad guy accidentally using his nonspy fake email address on the wrong website that can then be linked to his secret identity. This happens all the time. If you don't believe me, see Brian Krebs' website, where you can find many examples of how he successfully tracked "secret" online identities to the real person. It's not as hard as you think.

Trap canaries
Honeytraps have also been used to identify insiders leaking information to unauthorized outsiders. In the so-called canary trap, you send (or allow access to) a nearly identical copy of a document to each suspected leaker within a group of suspects. Each honeytoken document is identical except for a unique marker, which ties the receiver to that document.

For example, the Screen Actors Guild (SAG) grew tired of its members leaking copies of movies submitted for Oscar consideration to people outside of the organization. This has happened for a long time, but such instances increased in the digital age. SAG told its members they were specifically marking each movie sent to them and not to share the copy. Turns out that fair warning is not enough: At least one SAG member was caught leaking movies and was punished accordingly.

I've seen canary trap markers that were simply a few unique bits on a retouched digital photo. In one case, the encoded values were the plain text representations of the suspect's employee ID. But unless you are looking for it, you'd never know.

Not that canary traps are foolproof -- all a suspicious perpetrator needs to do is compare the digital data to another representation and recapture the data in digital form. For example, in the cased of an encoded picture file, you could print out the picture, take a picture of it, and reconvert it to another file format before sending it along. For every offense there is a defense.

A canary trap can also be used to identify specific compromised resources. For example, one of the most popular examples is to create fake emails that contain unique URLs, which, if read by attackers, would lead them to probe the link. Each of these unique emails can be placed in high-value targets -- for example, a CEO or CFO email inbox. If the attacker gains access to the inbox, the email would encourage the hacker to try the link. Sitting on the receiving side of the URL request is a fake website (a honeypot), which alerts the incident response team that the email inbox has been compromised.

Honeytoken sticking points
Using honeytokens is considered a low-cost, high-value way to find a previously "undetectable" hacker. But there are challenges.

The first and most common challenge is in making the honeytoken seem real and attractive to attackers. If you're going to create a canary trap, you'll need to devise a way, hopefully automated, to uniquely mark the honeytoken. Then you need a way to track which honeytokens you placed where. It's easy, especially over the years, to lose track of where you placed fake documents and what threats they were designed to flush out.

The biggest challenge of all is to devise an alert mechanism when someone takes the honeytoken bait. For some placements, it can be as easy as turning on file access auditing. Other deployments will require dial-home mechanisms (and all their inherent risks and challenges) or separate detection of the honeytoken outside of its original placement. Some companies use host intrusion detection systems, some use sniffers, and still others use advanced data leak protection systems. There's even a small cottage industry of firms that scour the Internet looking for evidence of your company's honeytoken data.

It's worth working out the kinks. If you're tired of the same old computer security defenses failing and you want something that really works when managed propery, look into honeytokens.

This story, "Beyond honeypots: It takes a honeytoken to catch a thief," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at For the latest business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies