Once cybercriminals have gained access to a computer network, they need to find sensitive data worth stealing or encrypting. At this point in the attack kill chain, defenders have a window of opportunity to spot and contain the attack. Savvy hackers, however, know how to use living-off-the-land techniques that can be indistinguishable from normal network activity.
This is where cyber deception techniques prove useful. Defenders can create digital assets that look irresistible to attackers but act like tripwires, triggering enterprise security alerts.
The honeynet is the largest version of this kind of cyber decoy, consisting of a whole network of computers that appear to be sensitive targets. The next step down is a honeypot, a single computer or VM. The most granular type is the honey token, which could be an individual file or even an email address or user account. Honey tokens are sometimes called honey credentials, canary traps or canary tokens.
How honey tokens work
Honey tokens are relatively easy and inexpensive to deploy. A security team can use them as standalone tools or as part of a broader cyber deception program.
An attacker would likely find it difficult to resist opening a file called
passwords.xlsx.
While honey tokens work in a variety of ways, the goal is generally to deploy them so no legitimate user would have reason to access them. Then, when the security team receives an alert that someone has accessed a honey token, it knows an attack is almost certainly in progress. Because cyber deception tools, such as honey tokens, have low false-positive rates, they don't tend to worsen security alert fatigue.
Defenders typically attempt to make these decoys as attractive as possible -- hence the name honey token. For example, an attacker would likely find it difficult to resist opening a file called passwords.xlsx.
Some types of honey tokens actively collect information to help identify malicious hackers, such as their IP addresses or unique fingerprints from their browsers. This might work via an executable file or a hidden linked image within a document that, upon running, extracts data and sends it to the security team.
An additional benefit of deceptive traps, such as honey tokens, is that they can reveal information about the tactics, techniques and procedures of attackers, such as the methods they use to move around the network and how they evade other detection techniques. The defensive team can study the methods attackers deploy and adapt their cyber defenses accordingly.
Defensive teams also use honey tokens as breadcrumbs, or lures that ultimately lead an attacker away from sensitive data and toward other decoys.
Types of honey tokens
Honey tokens include the following types of decoy assets:
Credentials. The security team can plant dummy usernames, passwords, API keys, access tokens and other credentials across various applications and systems. If someone tries to use them, the security team knows an attack is underway.
Database entries. Fake, seemingly high-value database records, including customer or employee credentials and financial information, should remain dormant. If someone accesses them, it indicates malicious activity.
Documents. Dummy Word documents, Excel files, PDFs and other documents that appear to contain sensitive information act as alarm systems that alert security teams to possible intruders or insider threats.
Email addresses. If an inactive decoy email address that exists only as an internal honey token starts receiving phishing emails, defenders know attackers found it via an intrusion or insider threat.
Executable files. Executable files are software programs that, when triggered, can automatically collect identifying information, such as threat actors' names and IP addresses. Note, however, that executable files may not work if attackers have their own cyberdefense measures in place.
Web beacons. A web beacon is a hidden digital object, such as a transparent image or a single tracking pixel, that links to a unique URL. If an attacker opens a file that contains a web beacon, it automatically and surreptitiously initiates a server request that alerts the security team and potentially provides information about the threat actor.
Honey token best practices
In implementing a cyber deception strategy and deploying honey tokens, consider the following best practices.
Location, location, location
It's best to concentrate honey tokens where threat actors are most likely to find and target them. That typically means potential entry points to the network, such as the VPN, and areas of the network where the organization's most sensitive data resides.
Believability
Cybercriminals know organizations use cyber deception techniques, and they are, therefore, wary of interacting with any obviously suspicious files. They may steer clear of possible honey tokens completely or analyze the metadata to see if it looks realistic. Therefore, it's key to deploy any deception assets -- whether honey tokens, honeypots or honeynets -- so they blend in with real assets on the network.
Security teams should regularly update honey tokens to maintain optimal believability.
Alerting
Honey tokens are useless unless security practitioners know when someone accesses them and can initiate incident response processes if necessary. Make sure honey tokens integrate with existing monitoring tools or have some other reliable mechanism for alerting the security team in real time.
