How Honeytokens and XDR Can Improve the Detection of Threat Actors

Threat actors are continuously searching for new and sophisticated ways to exploit weaknesses in an organization’s cyber defenses. Staying ahead of these sophisticated threats requires new cybersecurity methods and techniques. The use of honeytokens can help identify potential threats and minimize the damage they can cause to an IT environment.

What are Honeytokens?

Many readers are undoubtedly familiar with the practice of deploying honeypots to lure threat actors. They may not be as familiar with honeytokens, which offer a proactive method of searching for malicious intruders in an IT environment.

Honeytokens, also known as canary tokens, are digital assets designed to lure a threat actor into using them to conduct an attack on an IT environment. They attempt to deceive a potential attacker into believing they offer legitimate means of gaining entry into the infrastructure or that they are a valuable item that the attacker may want to steal. In either case, their use signals the presence of an unauthorized entity that needs to be investigated and typically removed from the environment.

The purpose of a honeytoken is to alert security personnel that a threat actor is in the environment. Creating a honeytoken and attracting a threat actor is only the first step in using this cybersecurity tactic effectively. The real value is achieved by tracking access to the honeytoken and monitoring its use. Accomplishing this requires that telemetry is generated when the honeytoken is accessed to enable effective tracking. Security personnel can then investigate how the honeytoken is being used to thwart a potential threat actor and obtain information on how they gained access to the IT environment.

Honeytokens can be created in many different forms that appeal to threat actors. The forms honeytokens can take include:

• Files that promise to contain valuable information;
• Credentials that can appear to have the capacity to access sensitive data resources;
• Database records that may contain high-risk enterprise data;
• API keys that may point to malicious actors when used;
• Web-based honeytokens such as URLs and hidden web pages that will only be accessed by potential threat actors;
• Phony email addresses that pose an attractive target for phishing campaigns.

A Physical World Analogy

It’s instructive to use a physical world analogy to look at how honeytokens can be used to address threat actors or criminals in the physical world. Their use as a cybersecurity defense mechanism will be clear after seeing the amount of evidence a honeytoken can provide regarding malicious or damaging activities in a physical world setting.

Imagine a retail auto parts establishment that is experiencing what appears to be a high degree of insider theft. The business’s owner is convinced that some of the parts he is purchasing from alternate sources were originally located on his shelves. He strongly suspects that at least one of his employees is stealing inventory and selling it to part distributors. The owner ends up buying the same parts twice and losing considerable sums of money because of these thefts.

Frustration sets in as months go by and the business owner cannot catch the perpetrators in the act. He decides to mark certain high-value parts that will appeal to the thieves by using a hole punch to place an almost imperceptible mark on the items. He does this when specific employees are working and keeps a log of the marked parts and who has access to them.

This strategy pays off in a big way. The owner receives marked parts when placing an order with a distributor whom he suspects may be involved in the theft ring. He confronts the part dealer and the single employee who had access to this specific part which inexplicably disappeared from the inventory. Faced with irrefutable proof of their transgression, the culprits confess.

The employee is fired, the distributor won’t be selling parts to this establishment anymore, and both parties may be subject to criminal prosecution. The business owner has used the marked parts as a honeytoken that has successfully closed an expensive gap in security.

Honeytokens in Cybersecurity

Obtaining a similar effective use of honeytokens in cybersecurity requires a three-pronged effort.

• Deployment - Strategic deployment of honeytokens is necessary to attract threat actors. This involves identifying valuable or sensitive resources that make prime targets. After determining the most likely targets for threat actors, honeytokens are deployed to deceive potential malicious entities. This may include placing phony credentials where they can be discovered or naming files so they appear to contain valuable data.
• Detection - Access to or use of the honeytoken needs to be detected through system telemetry. Since the honeytoken serves no legitimate business purpose, any use of the item should be treated with suspicion. There will be no false positives reported when tracking a honeytoken.
• Response - The threats raised by the use of honeytokens need to be addressed to eliminate the risk to the environment. In the majority of cases, usage of the honeytoken will expose an unwelcome intruder in the IT environment. The malicious presence can quickly be tracked down to mitigate damage to the environment. Ideally, the security team can identify the route taken to exploit the honeytoken so the environment can be hardened against future attacks.

Identifying and Tracking Honeytoken Use

Honeytoken usage needs to be identified and tracked to serve as an effective component of cyber defenses. This involves collecting the necessary telemetry to generate alerts when an entity accesses or uses the honeytoken. The specific type of telemetry is predicated on the deployed honeytokens. For example, an access management tool can detect when phony credentials are used or when attempts are made to extract the contents of decoy files.

Minimizing Potential Damages with Honeytokens

Devising traps for threat actors with honeytokens offers cybersecurity teams a proactive method of protecting an IT environment. The key is in generating the telemetry required to enable their usage to be tracked with tools like an extended detection and response platform.

The use of honeytokens offers a supplemental cybersecurity technique that is not meant to replace existing defensive measures. They should be seen as a valuable tool that can help detect threat actors and the methods they are using to gain access to the environment.

How XDR Fits into the Picture

The advanced query and threat detection capabilities of a solution like Samurai XDR can be instrumental in identifying when honeytokens are being used by potential threat actors. The information generated by the platform allows security personnel to address the immediate risks by eliminating the intruder from the environment. A thorough investigation can then be initiated to find out how the honeytoken was accessed so more effective defenses can be implemented to close any identified vulnerabilities.

Talk to the security experts at Samurai and learn how you can leverage this advanced cloud-based, SaaS XDR solution to provide enhanced security to your IT environment. The tool provides exceptional threat detection and response capabilities in addition to assisting with the effective use of honeytokens. Using advanced threat intelligence, Samurai XDR identifies known and previously unknown risks to the IT infrastructure.

Request a free trial to see this valuable cybersecurity platform in action.