Any business storing private information is a potential target for hackers. They employ a range of techniques to access secure networks and are motivated by the fact that any personal details stolen can be sold or held for ransom.
All responsible businesses take measures to prevent this by making their systems as difficult to access as possible. One option that many businesses overlook, however, is the use of honeytokens, which can be used to provide alerts whenever an intrusion occurs.
So what are honeytokens, and should your business be using them?
What Are Honeytokens?
Honeytokens are pieces of fake information which are added to secure systems, so that, when an intruder takes them, this will trigger an alert.
Honeytokens are primarily used to simplyshow that an intrusion is occurring, but some honeytokens are also designed to provide information about intruders which may reveal their identity.
Honeytokens vs. Honeypots: What’s the Difference?
Honeytokens andhoneypots are both based on the same idea. By adding fake assets to a system, it’s possible to be alerted of intruders and learn more about them. The difference is that, while honeytokens are pieces of fake information, honeypots are fake systems.
While a honeytokens might take the form of an individual file, a honeypot might take the form of an entire server. Honeypots are significantly more sophisticated and can be used to distract intruders to a greater extent.
Types of Honeytokens
There are many different types of honeytokens. Depending on which one you use, you may be able to learn different information about an intruder.
Email Addresses
To use a fake email address as a honeytoken, simply create a new email account and store it in a place that may be accessed by an intruder. Fake email addresses can be added to otherwise legitimate mail servers and personal devices. Provided the email account is only stored in that one location, if you receive any emails to that account, you will know that there was an intrusion.
Database Records
Fake records can be added to a database so that if an intruder accesses the database, they will steal them. This can be useful for providing an intruder with false information, distracting them from valuable data, or detecting the intrusion, if the intruder references the false information.
Executable Files
An executable file is ideal for use as a honeytoken because it can be set to reveal information about anyone who runs it. Executable files can be added to servers or personal devices and disguised as valuable data. If an intrusion occurs, and the attacker steals the file and runs it on their device, you may be able to learn their IP address and system information.
Web Beacons
A web beacon is a link in a file to a small graphic. Like an executable file, a web beacon can be designed to reveal information about a user whenever it is accessed. Web beacons can be used as honeytokens by adding them to files which appear valuable. Once the file is opened, the web beacon will broadcast information about the user.
It’s worth noting that the effectiveness of both web beacons and executable files is dependent on the attacker using a system with open ports.
Cookies are packets of data that are used by websites to record information about visitors. Cookies can be added to secure areas of websites, and used to identify a hacker in the same way that they are used to identify any other user. Information collected can include what the hacker attempts to access and how often they are doing so.
Identifiers
An identifier is a unique element that is added to a file. If you are sending something to a wide group of people, and you suspect that one of them is going to leak it, you can add an identifier to each one that states who the recipient is. By adding the identifier, you’ll know who the leaker is immediately.
An AWS key is a key for Amazon Web Services, used widely by businesses; they often provide access to important information, making them very popular with hackers. AWS keys are ideal for use as honeytokens because any attempt to use one is automatically logged. AWS keys can be added to servers and within documents.
Embedded Links
Embedded links are ideal for use as honeytokens because they can be set to send information when they are clicked. By adding an embedded link to a file that an attacker may interact with, you can be alerted both when the link is clicked and potentially who by.
Where to Put Honeytokens
Because honeytokens are small and inexpensive, and there are so many different types, they can be added to almost any system. A business interested in using honeytokens should make a list of all secure systems and add a suitable honeytoken to each one.
Honeytokens can be used on servers, databases, and individual devices. After adding honeytokens around a network, it’s important that they are all documented, and that at least one person is responsible for handling any alerts.
How to React to Honeytokens Being Triggered
When a honeytoken is triggered, this means that an intrusion has occurred. The action to be taken obviously varies widely depending on where the intrusion occurred and how the intruder gained access. Common actions include changing passwords and attempting to learn what else the intruder may have accessed.
In order to use honeytokens effectively, the adequate reaction should be decided ahead of time. This means that all honeytokens should be accompanied by anincident response plan.
Honeytokens Are Ideal for Any Secure Server
All responsible businesses are increasing their defenses to prevent intrusion by hackers. Honeytokens are a useful technique for not only detecting intrusions but also providing information about the cyberattacker.
Unlike many aspects are cybersecurity, adding honeytokens to a secure server is also not an expensive process. They are easy to make and provided they appear realistic and potentially valuable, most intruders will access them.
