24/7 incident emergency number:
+31 (0) 800 0699
In case of questions:
+31 (0) 8 548 958 57

Detecting attackers using honeytokens?

Simple, almost free, and highly effective. We'll help you.

Honeytokens, what are they and what should you do with them?
In simple terms, a honeytoken is a decoy that is too tempting for an attacker to ignore but is not immediately recognized as fake. An example could be an account with elevated privileges. It is placed as a detection tool to entice attackers to interact with it (such as opening, copying, or using it). Once an attacker uses or accesses a honeytoken, the detection team receives a notification, prompting an immediate investigation into the potential attack.

Nerium aims to detect attackers as early as possible in various stages of an attack (cyber kill chain). Therefore, Nerium implements multiple customized detections across different digital layers. However, not every detection method is foolproof, and achieving 100% security is not feasible. The complexity of modern IT environments, including a wide range of systems, cloud infrastructures, encrypted network traffic, and limited visibility, can make it challenging to develop effective detection methods. In this regard, honeytokens can serve as specific point solutions to address these shortcomings.

Where do you implement these? Essentially everywhere: in cloud environments such as Azure, Google, and Amazon, but also on-premises, on servers, networks, applications, and workstations.
What does that look like in practice?

These are a few simple examples; for obvious reasons we do not publish everything on our website.

Login credentials
A username and password published on a SharePoint page or in source code.
Nerium monitors whether these credentials are used anywhere.

VIP email account
An email address of a supposedly important person, placed in internal documents.
Nerium monitors incoming email traffic to this account.

Secret project data
A folder with files about a supposed secret project, placed on an open share.
Nerium monitors whether these files are opened or modified.

How does Nerium tackle this?

1. Creation of the honeytoken

For instance, Nerium places a text file named Password.txt with fake login credentials on an open SharePoint page that is accessible to everyone in the organization.

2. Writing a detection rule

Next, a specific detection rule is written and implemented for this honeytoken (also called a canarytoken). In this case, the detection alerts Nerium as soon as the fake login credentials are used anywhere in the network, whether the login attempt succeeds or fails.

3. Investigation

When a notification occurs, an investigation is conducted to determine exactly what happened. If it's a real attacker, we know they're already in the network, and we initiate our incident response process.

4. Intervening 24/7 when necessary

If it's an attack, we can intervene immediately and stop the attack before files are stolen or systems are encrypted.

Need help or want to learn more about honeytokens?



Where are these honeytokens implemented?

This can be implemented on every digital layer of an organization, for example, on the cloud layer, the network, or the workstations. Nerium will work with the client to determine the most logical and effective placement for such tokens.

How does the alarm notification work when a honeytoken is accessed?

Nerium ensures that the necessary logging is available to assess whether an attacker is attempting to access a honeytoken. From these log sources, an alert is generated whenever the token is touched. By forwarding these alerts to the Security Information and Event Management (SIEM) system, Nerium can respond to them continuously, 24 hours a day, 7 days a week.
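The detection rule from step 2 and the log-to-alert flow described in this answer can be illustrated with a small detector. The code below is an added example and is not Nerium's own tooling; the log line format, the honeytoken account names (svc_backup_admin, sp_migration), the host names and the IP addresses are all constructed for the example. It normalizes the user field so that DOMAIN\user and user@domain spellings still match, alerts on failed as well as successful attempts (either one proves that the planted credentials were read), and deliberately does not match on substrings, so a genuine account such as svc_backup_admin2 does not raise a false alarm.

```python
"""Honeytoken credential-use detector (added example, not Nerium's code).

Assumption (not from the page): authentication events arrive as one text
line each in the constructed format parsed by LOG_PATTERN below, and the
detection team knows which usernames are honeytokens.
"""
import re
from collections import Counter
from dataclasses import dataclass, asdict

# Honeytoken accounts planted in SharePoint/source code. Placeholder names,
# constructed for this example.
HONEYTOKEN_USERS = {"svc_backup_admin", "sp_migration"}

# Constructed log format: "<timestamp> <host> auth: result=<r> user=<u> src=<ip>"
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample authentication log. Lines 2 and 3 are the honeytoken
# being tried from one source; line 4 is a real account with a similar name.
SAMPLE_AUTH_LOG = [
    "2024-03-01T10:02:11Z fs01 auth: result=success user=j.smith src=10.0.5.21",
    "2024-03-01T10:03:45Z fs01 auth: result=failure user=CORP\\svc_backup_admin src=10.0.9.77",
    "2024-03-01T10:03:47Z dc01 auth: result=success user=svc_backup_admin@corp.local src=10.0.9.77",
    "2024-03-01T10:04:02Z web02 auth: result=success user=svc_backup_admin2 src=10.0.5.40",
    "this line is malformed and must be skipped, not crash the detector",
]


@dataclass(frozen=True)
class Alert:
    """One SIEM alert: who used the planted credentials, from where, on what."""
    timestamp: str
    user: str
    source_ip: str
    target_host: str
    result: str
    rule: str = "honeytoken-credential-use"
    severity: str = "high"


def normalize_user(raw):
    """Strip DOMAIN\\ prefix and @domain suffix, lower-case the result."""
    user = raw
    if "\\" in user:
        user = user.split("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user.lower()


def parse_line(line):
    """Return the event fields as a dict, or None for lines we cannot parse."""
    m = LOG_PATTERN.match(line.strip())
    return m.groupdict() if m else None


def detect_honeytoken_use(lines, honeytoken_users=HONEYTOKEN_USERS):
    """The detection rule: any auth event whose user is a honeytoken account.

    Both successful and failed attempts alert: a failure still means someone
    read the planted Password.txt and is trying the credentials.
    """
    tokens = {normalize_user(u) for u in honeytoken_users}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip, never raise
        if normalize_user(ev["user"]) in tokens:  # exact match, not substring
            alerts.append(Alert(
                timestamp=ev["ts"],
                user=normalize_user(ev["user"]),
                source_ip=ev["src"],
                target_host=ev["host"],
                result=ev["result"],
            ))
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source IP; the first triage question is 'from where?'."""
    return dict(Counter(a.source_ip for a in alerts))


def to_siem_events(alerts):
    """Serialize alerts to plain dicts, the shape a SIEM ingestion API expects."""
    return [asdict(a) for a in alerts]


if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_AUTH_LOG)
    for event in to_siem_events(found):
        print(event)
    print("alerts per source:", alerts_by_source(found))
```

In a real deployment the constructed list would be replaced by the log stream the SIEM already collects (directory service, VPN, web application), and the alert would be routed straight to the on-call analyst, since a honeytoken hit has by construction no legitimate explanation and therefore needs no threshold or baseline before it is investigated.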