Honeytokens (Canary Tokens): What They Are, How They Work, and How They Detect Insider Threats

What are Honeypots:

We are all familiar with the concept of honeypots and their importance in a corporate environment. If you are not: honeypots are deployed across the network to detect an intruder who is already inside it. A honeypot is a system with detection and alerting features and some intentionally exposed weakness that attracts attackers. This only works, however, if the intruder actually touches a honeypot system in the network. To draw the distinction more clearly, we need to understand the types of honeypots so that we can use them effectively in your network.

Types of Honeypots:

  1. Spam Honeypot: A fake email address used to attract spam emails. The data collected can be used to build blocklists.
  2. Malware Honeypot: Fools malware into attacking a decoy in order to prevent malware attacks.
  3. Database Honeypot: Attracts attackers with a decoy database against which they perform attacks such as SQL injection.
  4. Client Honeypot: A system set up to identify the steps an attacker performs to exploit servers.
  5. Honeynet: A collection of different types of honeypots deployed across networks.
  6. IoT Honeypots: Create IoT decoys to attract attackers into performing IoT-based attacks.
  7. SCADA/ICS Honeypots: Emulate industrial-grade systems to learn about attacks aimed at industrial systems.
  8. Credential Honeypots: Deploy deceptive credentials and build detection measures around them.
  9. Honeytokens: Decoy data spread across the environment in different formats; once deployed, it triggers an alert if an attacker tries to access it.

What are Honeytokens:

As the brief introduction above noted, honeytokens are decoy data in various formats, deployed across servers, NAS devices, file servers, or client computers, that trigger a defined action when accessed. The information from the trigger can be used to trace the malicious actor further in the network and stop them before more damage is done.

How does it work:

Triggers are the essential part of honeytokens. Every action on a decoy document or link must be monitored precisely for the alerting to be accurate.

Once someone interacts with a token, the monitoring mechanism detects the access and raises an appropriate alert. Keep in mind that different honeytokens work differently, but the concept remains the same.
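As an added example (not code from the original post, nor from Thinkst or canarytokens.org), here is the trigger described above in miniature: a registry that issues unique canary URLs, each bound to a memo of where the decoy was planted, a check that turns a request to one of them into an alert, and a scan over web-server log lines. The host canary.example.internal, the payroll memo and the log lines are all constructed for the demo.

```python
import re
import secrets
from datetime import datetime, timezone

BASE_URL = "https://canary.example.internal"  # hypothetical token-server host
# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')


class HoneytokenRegistry:
    """Issues unique canary URLs and turns requests to them into alerts."""

    def __init__(self):
        self.tokens = {}  # token id -> memo: where the decoy was planted

    def create(self, memo):
        # 96-bit random id: a hit is a deliberate access, not a guess or a crawl
        token_id = secrets.token_hex(12)
        self.tokens[token_id] = memo
        return f"{BASE_URL}/t/{token_id}"

    def check_request(self, path, remote_addr, user_agent=""):
        """The trigger: an alert dict if the path is a known token, else None."""
        m = re.fullmatch(r"/t/([0-9a-f]{24})", path)
        if not m or m.group(1) not in self.tokens:
            return None  # ordinary traffic or an unknown id: stay silent
        return {
            "memo": self.tokens[m.group(1)],  # tells you WHICH decoy was touched
            "src": remote_addr,
            "user_agent": user_agent,
            "time": datetime.now(timezone.utc).isoformat(),
        }

    def scan_access_log(self, lines):
        """Run the trigger over web-server log lines; returns the alerts raised."""
        alerts = (self.check_request(m.group(2), m.group(1))
                  for m in map(LOG_RE.match, lines) if m)
        return [a for a in alerts if a]


def demo():
    """Plant one decoy link, then replay constructed log lines against it."""
    reg = HoneytokenRegistry()
    url = reg.create("Q3-payroll.xlsx on the HR file share")  # memo = where it was planted
    log = [  # constructed sample lines, not real traffic
        '10.0.0.8 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
        f'10.0.0.7 - - [10/Oct/2023:13:55:37 +0000] "GET {url[len(BASE_URL):]} HTTP/1.1" 200 12',
    ]
    return reg.scan_access_log(log)
```

The memo is what makes the alert actionable: it names the share or host where the decoy lived, so the response starts from the right system rather than from a bare IP address.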

How to create Honeytokens:

You can create free canary tokens at the following site: https://canarytokens.org/generate

For commercial use, you can use honeytokens provided by SIEM vendors or by Thinkst Canary (the creators of CanaryTokens).
