What is Honeytoken? How to detect cybercriminals stealing data?

Any business that stores personal information is a potential target for hackers. They use a variety of techniques for secure network access and are motivated by the fact that any stolen personal information can be sold or held for ransom.

All businesses are responsible for taking measures to prevent this by making their systems as inaccessible as possible. However, one option many businesses overlook is the use of Honeytoken, which can be used to provide alerts whenever there is an intrusion.

So what are Honeytoken and should your business use them?

What is Honeytoken?

Honeytokens are fake pieces of information added to security systems, so when an intruder gets them, this should trigger an alert.

Honeytokens are primarily used to indicate that an intrusion is occurring, but some Honeytokens are also designed to provide information about intruders and possibly reveal their identities.

What is the difference between Honeytoken and Honeypot?

 

Honeytoken and honeypot are both based on the same idea. By adding fake assets to the system, it is possible to be alerted to intruders and learn more about them. The difference is, while honeytokens are fake pieces of information, honeypots are fake systems.

While a honeytoken can take the form of a single file, a honeypot can take the form of an entire server. Honeypots are significantly more complex and can be used to distract intruders to a greater extent.

Types of Honeytoken

There are different types of honeytoken. Depending on the type you use, you can find out different information about the intruder.

Email address

To use a fake email address as a honeytoken, simply create a new email account and store it where an intruder can access it. Fake email addresses can be added to legitimate mail servers and personal devices. Provided the email account is hosted only in that one location, if you receive any email sent to that account, you will know that there has been a breach.

Database records

Forged records can be added to the database so that if an intruder accesses the database, they will steal these records. This can be useful because it provides intruders with misinformation, distracts them from valuable data, or detects intrusions if the bad guys refer to misinformation.

Executable files

An executable file is ideal for use as a honeytoken because it can be set up to reveal information about anyone running the file. Executable files can be added to a server or personal device and disguised as valuable data. If an intrusion occurs and an attacker steals a file and runs it on their device, then you can know his IP address and system information.

Web Beacon

 

The Web Beacon is a link in the file to a small image. Like an executable, a Web Beacon can be designed to reveal information about a user whenever it is accessed. Web Beacon can be used as honeytoken by adding them to valuable files. When the file is opened, the Web Beacon will broadcast information about the user.

It should be noted that the effectiveness of both the Web Beacon and the executable depends on the attacker using an open port system.

Cookies

Cookies are packets of data used by websites to record information about visitors. Cookies can be added to secure areas of a website and used to identify hackers in the same way they are used to identify any other user. The information collected may include what hackers try to access and how often they do so.

Identifier

Identifier is a unique element added to the file. If you're sending something to multiple groups of people and you suspect that one of them will leak it, you can add an Identifier to each person to show who the recipient is. By adding an Identifier, you will immediately know who the leaker is.

AWS key

AWS key is the key for Amazon Web Services, widely used by enterprises; they often provide access to important information, making them very popular for hackers. AWS keys are ideal for use as ciphers because any attempts to use them are automatically logged. The AWS key can be added to the server and in the document.

Embedded Links

Embedded links are ideal for use as honeytoken because they can be set up to send information when they are clicked on. By adding an embedded link to the file that an attacker can interact with, you can be alerted both when the link was clicked and potentially by whom.

Where to put Honeytoken?

Because honeytokens are small and inexpensive and come in a wide variety, they can be added to almost any system. An enterprise interested in using honeytoken should list all secure systems and add an appropriate honeytoken to each system.

 

Honeytoken can be used on servers, databases and personal devices. After adding honeytoken around the network, it is important that they are all logged and that at least one honeytoken is responsible for handling any alerts.

How to React to an Activated Honeytoken

When a honeytoken is activated, this means an intrusion has occurred. The action taken is obviously very different depending on where the intrusion occurred and how the intruder gained access. Common actions include changing passwords and trying to find out what else an intruder may have accessed.

To use honeytoken effectively, the appropriate response should be decided in advance. This means that all honeytokens must be accompanied by an incident response plan.