Proactive methods of cyber-defense, including the use of “honeytokens”, have been growing in popularity recently, as commercial and other organizations seek ways of “bringing the fight” to hackers and cyber-criminals, rather than just sitting back and waiting for something to happen.
Ironically, one of those ways involves just that: sitting back and waiting for something to happen – but only after a trap has been set for attackers foolhardy enough to take the bait.
The “Honey Trap” Principle
It’s a principle that’s been used over the years, and across a number of different disciplines. In the worlds of espionage and law enforcement, for example, so-called “honey traps” or “honeypots” have been used for decades (if not centuries), to lure unsuspecting targets into relationships or actions that can compromise their activities, or the knowledge that they possess.
In the cyber realm, the honey trap principle has been used with considerable success in proactive network security. Basically, what seem to be strategic or high-value assets are seeded throughout a network and monitored for the alerts they set off when hackers or cyber-criminals attempt to exploit them. Among such assets are what are known as honeytokens.
What Are Honeytokens?
Broadly speaking, honeytokens belong to the wider family of honey traps or honeypots: bogus or dummy IT resources which are created or placed in a system or network for the sole purpose of attracting the attention of cyber-criminals and being attacked. These might be servers, applications, complete systems or datasets which are placed online (via the public internet, or a public-facing gateway to a private network) in order to attract cyber-attackers.
Honeytokens may be specifically defined as pieces of data which on the surface look attractive to potential attackers, but actually have no real value – at least, not to the attacker. For the owners of the tokens (i.e. the people who set the trap), they can be of great value, as they contain digital information which is monitored as an indicator of tampering or digital theft.
The name “honeytokens” (also written “honey tokens” or “honey-tokens”) was coined in 2003 by programmer Augusto Paes de Barros.
The concept of honeytokens dates back to at least 1986 when a programmer at the Lawrence Berkeley National Laboratory in California named Clifford Stoll used his file server to bury a set of fake database records for an (equally fake) organization called the Strategic Defense Initiative Network.
Records siphoned off from the database (and seeded with a request to send contact details for further information) resulted in one of the hackers sending Stoll a letter (snail mail was big, in those days), which enabled federal investigators to trace the sender back to intelligence agencies based in then East Germany and the Soviet Union.
Types of Honeytokens
There are several types of honeytokens currently in use; we’ll look at each of them in more detail.
Fake Email Addresses
Besides tempting unfortunate victims into revealing information about themselves or their business, opening booby-trapped attachments, or clicking on links to malicious software and websites, email can also serve as a medium for observing and catching cyber-criminals in action.
Bogus email accounts may be set up using the names of individuals not actually connected to your enterprise (made up names, celebrity names, etc.), and left inactive but in plain sight on your organization’s mail server, or at a company location which has a public-facing web server.
Since the fake addresses should in theory never be used, there is no legitimate reason for them to receive spam or phishing messages. Any such messages that do reach them must have originated from someone who has managed to gain access to an internal mail server, an email address list, or a compromised public web server.
Fake Database Data
Inserting fake records with enticing names or suggested content into an existing database is another method. These bogus data entries are the honeytokens which may lure hackers into stealing them, or malicious insiders into giving them away.
Either way, clues can be gained into how the attackers were able to exploit weaknesses or loopholes in your systems or network administration.
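As an added illustration of the two methods above (example code written for this page, not from the original article), the following Python seeds a customer table with decoy records whose e-mail addresses exist nowhere else, then scans mail-server log lines for any delivery to one of them; the table layout, the log format and every address are constructed.

```python
import re
import sqlite3

# Decoy customer rows seeded among real ones. Each decoy carries a unique e-mail address
# that is never used legitimately, so mail arriving for it means the table (or an export
# of it) was taken. All names, addresses, datasets and log lines here are constructed.
DECOYS = [
    ("Marta Quiroga", "m.quiroga@example.com", "crm-prod"),
    ("Jo Lindqvist", "jo.lindqvist@example.com", "billing-export-2018"),
]

def seed_decoys(conn):
    """Create a customers table holding one real-looking row plus the decoys, and a
    separate registry recording which dataset each decoy address betrays."""
    conn.execute("CREATE TABLE customers(name TEXT, email TEXT, tier TEXT)")
    conn.execute("CREATE TABLE decoys(email TEXT PRIMARY KEY, dataset TEXT)")
    conn.execute("INSERT INTO customers VALUES ('Real Customer', 'real@example.org', 'gold')")
    for name, email, dataset in DECOYS:
        conn.execute("INSERT INTO customers VALUES (?, ?, 'silver')", (name, email))
        conn.execute("INSERT INTO decoys VALUES (?, ?)", (email, dataset))
    conn.commit()

# Postfix-style delivery lines: sender in from=<...>, recipient in to=<...>.
LOG_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) .*from=<(?P<sender>[^>]*)>.*to=<(?P<rcpt>[^>]+)>")

SAMPLE_LOG = [
    "Mar 04 10:02:11 mx1 mailflt: from=<newsletter@example.org> to=<real@example.org> status=sent",
    "Mar 04 10:02:12 mx1 mailflt: connect from unknown[198.51.100.9]",
    "Mar 04 10:05:40 mx1 mailflt: from=<offers@bulk.example.net> to=<Jo.Lindqvist@example.com> status=sent",
]

def scan_mail_log(conn, log_lines):
    """Return one alert per delivery addressed to a decoy, tagged with the dataset it betrays."""
    decoys = dict(conn.execute("SELECT email, dataset FROM decoys"))
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rcpt = m.group("rcpt").lower()      # mailbox matching is done case-insensitively
        if rcpt in decoys:
            alerts.append({"time": m.group("ts"), "sender": m.group("sender"),
                           "decoy": rcpt, "dataset": decoys[rcpt]})
    return alerts

def demo():
    """Seed an in-memory database and scan the constructed log; returns the alert list."""
    conn = sqlite3.connect(":memory:")
    seed_decoys(conn)
    return scan_mail_log(conn, SAMPLE_LOG)
```

The single alert names the dataset (here the billing export) rather than just the address, which is what tells the team which copy of the data walked out.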
Fake Executable Files
A somewhat more extreme approach is to present honeytokens in the form of software programs or applications. These fake executable files are typically created with a “phone home” switch that activates whenever they’re run. The switch relays details such as the hacker’s IP address, names associated with their system, and so on, back to the organization that the files were stolen from.
The method is extreme because it is essentially a “hack back” on the part of the organization that set the trap, and one that may result in damage to the attacker’s system, or in violations of privacy and cyber-security laws in their home jurisdiction. In addition, the tokens only work if the attacker’s machine is not isolated: if its outbound connections to the internet are blocked while the program is run, the callback never arrives.
Embedded Links That “Phone Home”
An alternative is to create honeytokens that exist as real data files (documents, programs, etc.) in your organization’s file system, but with concealed and embedded links in them, fitted with a “phone home” switch.
Again, this method is likely to fail if an attacker takes precautions to isolate their system from the internet while opening the file.
Web Beacons
A web beacon consists of an internet link to a small object embedded within a file, such as a single-pixel transparent graphic. Being so small, this kind of honeytoken is unlikely to be spotted by the naked eye, and when a document carrying a beacon is opened, the beacon phones home details of the thief’s system and their location on the internet.
As with fake executables and embedded links, this method relies on the attacker not firewalling their machine against outgoing traffic to the internet.
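An added example (not from the original article) of how a web beacon honeytoken is issued and how its phone-home hits are read back: each document copy gets a hidden one-pixel image whose URL carries a per-copy id, and the collector’s access log is matched against the registry of issued ids. The collector host, the log layout and the ids are all assumed values.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "https://beacon.example.com"   # assumed collector host (constructed)
REGISTRY = {}                                 # beacon id -> label of the document copy it sits in

def make_beacon_document(title, body, copy_label, beacon_id=None):
    """Return an HTML document carrying an invisible 1x1 image whose URL holds a per-copy id."""
    beacon_id = beacon_id or secrets.token_hex(8)
    REGISTRY[beacon_id] = copy_label
    pixel = f'<img src="{BEACON_HOST}/p.gif?id={beacon_id}" width="1" height="1" alt="">'
    return f"<html><head><title>{title}</title></head><body><p>{body}</p>{pixel}</body></html>"

# Combined-log-format access line for the collector (constructed layout):
# <ip> - - [<time>] "GET <path> HTTP/1.1" <status> <bytes> "<referer>" "<user agent>"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')

def beacon_hits(access_log_lines):
    """Return one alert per fetch of the pixel: which copy was opened, from where, by what client."""
    hits = []
    for line in access_log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if url.path != "/p.gif":              # ignore everything except the beacon object
            continue
        for bid in parse_qs(url.query).get("id", []):
            hits.append({"copy": REGISTRY.get(bid, "unregistered-id"), "ip": m.group("ip"),
                         "time": m.group("ts"), "user_agent": m.group("ua")})
    return hits

def demo():
    """Issue one beaconed copy, then replay a constructed access log against the registry."""
    make_beacon_document("Q3 forecast", "Confidential draft.", "finance-share-copy",
                         beacon_id="c0ffee0123456789")   # fixed id so the demo is repeatable
    log = [
        '203.0.113.7 - - [04/Mar/2018:10:02:11 +0000] "GET /p.gif?id=c0ffee0123456789 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
        '198.51.100.9 - - [04/Mar/2018:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.58.0"',
    ]
    return beacon_hits(log)
```

If the machine opening the document has no outbound access to the collector, no line ever appears in the log, which is exactly the limitation described above.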
Browser Cookies
Setting up browser cookies as honeytokens gets around the blocked-ports problem, and lets the people setting the trap use methods similar to those that Google and other platforms employ to glean information about the people who visit them.
This method relies for its success on human error, and on the fact that hackers often act in groups or networks, not all of whose members may be careful about hiding their online activities (clearing browser caches, etc.).
Canary Traps
These honey traps take their name from the idea of a “canary”: a whistle-blower or snitch, someone within or associated with an enterprise who “sings”, or gives out information that they shouldn’t. The associated honeytokens typically consist of some kind of tracer or marker that can tie an exposed piece of data to the individual who made it public.
Hollywood’s Screen Actors Guild (SAG) has had some notable success with this strategy in exposing members who leak copies of movies submitted for Oscar consideration to outsiders. Each copy of a film sent out to its membership bears a unique marker associated with the recipient, which is replicated if they make copies for other people.
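An added example (not from the original article) of a canary trap in miniature: each recipient’s copy of a text is watermarked by varying the spacing between words, and a leaked copy is traced back to the member it was issued to. The text and the roster are constructed; a real film screener would carry a far more robust watermark than this.

```python
import re

# Master text of the document being distributed (constructed). A real screener is video
# carrying a robust visual watermark; plain text is used here so the mechanism is visible.
MASTER_TEXT = ("The board will review the merger proposal on Friday and vote the "
               "following week once counsel has confirmed the regulatory position.")

ID_BITS = 8   # room for 256 distinct recipients

def watermark(text, recipient_id):
    """Return a copy whose inter-word spacing encodes recipient_id: a double space after
    word i means bit i of the id is 1, a single space means 0."""
    if not 0 <= recipient_id < 2 ** ID_BITS:
        raise ValueError("recipient id does not fit in the watermark")
    words = text.split()                        # normalise whatever spacing the master had
    if len(words) - 1 < ID_BITS:
        raise ValueError("text too short to carry the id")
    bits = format(recipient_id, f"0{ID_BITS}b")
    out = []
    for i, word in enumerate(words[:-1]):
        bit = bits[i] if i < ID_BITS else "0"   # gaps after the id carry plain single spaces
        out.append(word + ("  " if bit == "1" else " "))
    return "".join(out) + words[-1]

def recover_id(leaked_text):
    """Read the id back out of a leaked copy; None if too little of the text survived.
    Reflowing or re-typing the text destroys the spacing, which is the scheme's weakness."""
    gaps = re.findall(r"\S+(\s+)(?=\S)", leaked_text)
    if len(gaps) < ID_BITS:
        return None
    return int("".join("1" if len(g) >= 2 else "0" for g in gaps[:ID_BITS]), 2)

ROSTER = {5: "recipient-A", 77: "recipient-B", 200: "recipient-C"}   # constructed id -> member

def identify_leaker(leaked_text, roster=ROSTER):
    """Map the id recovered from a leaked copy to the member it was issued to, if any."""
    return roster.get(recover_id(leaked_text))
```

Every copy reads identically to a human, so the marker is only found by someone who knows to look for it.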
Amazon Web Services (AWS) Keys
The huge and popular cloud platform Amazon Web Services (AWS) uses digitally signed keys to unlock various parts of its access management infrastructure. These may be placed on desktops, in text files, in GitHub repositories, and in numerous other places – and they’re potentially valuable to cyber-criminals, for a number of reasons.
At the “jackpot” end of the spectrum, AWS keys could potentially be used to control a targeted organization’s infrastructure. Lower down the success scale, the keys can grant hackers access to useful information, which might suggest other pathways or methods of gaining access to a corporate network.
To find out how far an AWS key can take them, hackers have to test it out – and since Amazon Web Services keys have a built-in logging mechanism, they can be set up as honeytokens by security teams, who then monitor how they are being used. This honey trap approach has been brought to light by a successful test, reported in recent days.
The Case of Project Spacecrab
In March 2018, Daniel Grzelak, head of security at Atlassian, together with a team of researchers, demonstrated at Black Hat Asia how Amazon Web Services keys could be deployed by enterprises as honeytokens on a wide scale. The team developed Project Spacecrab, a platform which lets users create, annotate, and configure alerts for massive numbers of AWS keys.
All the keys are attached to a policy that denies all access, so none of them actually grants access to anything. Any actions attempted with them are nonetheless recorded, and the records are loaded into an Amazon Web Services S3 bucket, where in-house security teams can monitor and analyze them.
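An added example (not Spacecrab’s own code) of the alerting side of an AWS-key honeytoken: a deny-all policy for the decoy users, a registry of planted key ids, and a scan of CloudTrail records that reports where a triggered key had been planted along with the caller’s IP address and client. The key ids are AWS documentation placeholders and the records are constructed.

```python
import json

# Policy attached to every honeytoken IAM user: the key can be tried but never grants
# anything, which is the deny-all setup the Spacecrab research describes.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# Registry of issued honeytoken access key ids and where each one was planted. The key
# ids are the placeholders used in AWS documentation; the locations are constructed.
HONEYTOKENS = {
    "AKIAIOSFODNN7EXAMPLE": "public GitHub repo, config/settings.yml",
    "AKIAI44QH8DHBEXAMPLE": "workstation desktop, notes.txt",
}

def alerts_from_cloudtrail(trail_json):
    """Parse a CloudTrail log file and return one alert per API call made with a honeytoken.
    The trigger is the access key id, not an AccessDenied error: sts:GetCallerIdentity needs
    no permissions, so the first probe with the key succeeds despite the deny-all policy."""
    alerts = []
    for ev in json.loads(trail_json).get("Records", []):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in HONEYTOKENS:
            continue
        alerts.append({"key": key, "planted_at": HONEYTOKENS[key], "time": ev.get("eventTime"),
                       "call": f'{ev.get("eventSource")}:{ev.get("eventName")}',
                       "source_ip": ev.get("sourceIPAddress"), "user_agent": ev.get("userAgent"),
                       "denied": ev.get("errorCode") == "AccessDenied"})
    return alerts

# Constructed CloudTrail records: two probes with a honeytoken, one ordinary call by a real user.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-03-04T10:32:11Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/1.14.0 Python/2.7.12 Linux/4.4.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "svc-deploy"}},
    {"eventTime": "2018-03-04T10:32:40Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/1.14.0 Python/2.7.12 Linux/4.4.0",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "svc-deploy"}},
    {"eventTime": "2018-03-04T10:33:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "192.0.2.10", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAREALKEYPLACEHLDR", "userName": "alice"}},
]})

def demo():
    """Run the detector over the constructed log; returns the alert list."""
    return alerts_from_cloudtrail(SAMPLE_TRAIL)
```

In production the same function would run over the files CloudTrail delivers to the S3 bucket, with each alert pointing the team at the planting location that was compromised.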
Are Honeytokens An Effective Strategy?
According to the Project Spacecrab research, there’s an 83% chance that someone will use honeytoken credentials which are posted to a public repository on GitHub. And the average time for a hacker to exploit such a token after it gets posted is almost exactly 30 minutes.
Research figures from other organizations show similar results. For example, in a security experiment conducted on behalf of the BBC (British Broadcasting Corporation) in September 2017, 100 legitimate email marketing lists were seeded with spoof addresses.
It took just 21 hours for the first booby-trapped phishing emails to land in the inboxes of the fake employees, to be followed by a series of others. Of these messages, 85% had malicious attachments, while 15% contained links to booby-trapped websites.
But it’s not just in the speed and volume of response that honeytokens give value. What the attackers do with these bogus assets once they get their hands on them can reveal much about cyber-criminal technologies and methodology, the vulnerable aspects of an enterprise’s own cyber-defenses, and the measures that may be taken to plug the gaps.
So honey traps and honeytokens are attractive – and informative. Little wonder that they’ve been actively endorsed by official authorities, including the EU security agency ENISA, which has recommended their use since November 2012.