RES: Honeytokens and Detection

Lance,

I'm glad to see that there is still interest on this subject. I'm trying to find other uses for it too, and I already elected some of my favourites:

• Admin Rights User: Create an administrator on your domain/computer, use a HUGE/COMPLEX password (so it cannot really be used by someone) and put your eyes on it. Users with admin rights are one of the first targets of black hats. If someone logs in with it, there is problem.
• Files on P2P nets: I already heard that the police here in Brasil is trying to identify people involved with pedophily with honeytokens files in P2P networks.
• Web Server hidden files: .inc, .old or other apparently interesting files in public accessible directories at web servers. As there is no link to them, Any entry in the web server log showing access to these files is quite suspicious and indicate that someone is able to know about files that are not related to the website.
• Renaming a common tool: This on is a bit different. It can be useful when the turnover of the administration team is not very high. You can replace one of the common tools used by administrators (like ipconfig on Windows or Kill or vi on Unix) with a "alarm trigger". All the team know that they must use the renamed tool, but someone who is not part of the team will innocently pull the trigger. The chances of false positives is a bit higher than with other honeytokens, but it's still a fun thing to do.

I believe that the most important thing about honeytokens is to make the people responsible for Intrusion Detection aware of it and how it works. As they know the systems and procedures of the company where they work, they are the best people to define what can be a honeytoken and where it should be placed. Incident history and lessons learned can be a good place to start a planning of honeytokens deployment.

Regards,

Augusto Paes de Barros, CISSP.

-----Mensagem original-----
De: Lance Spitzner [mailto:lance@honeynet.org] Enviada em: quinta-feira, 17 de julho de 2003 13:33 Para: Focus on Intrusion Detection Systems Assunto: Honeytokens and Detection

Honeytokens are a relatively new tool with many applications to detection, especially for the insider threat. I've made an attempt to define what this tool is, its value, and how it can work.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

 Honeytokens: The Other Honeypot
 http://www.securityfocus.com/infocus/1713

I would love any input, ideas, or suggestions on this relatively new tool.

Thanks!

-- 
Lance Spitzner
http://www.tracking-hackers.com



-------------------------------------------------------------------------------
Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT.
Go to www.coresecurity.com/promos/sf_eids1 to learn more.
-------------------------------------------------------------------------------

Augusto Quadros Paes de Barros, CISSP
http://www.paesdebarros.com.br


-------------------------------------------------------------------------------
Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT.
Go to www.coresecurity.com/promos/sf_eids1 to learn more.
-------------------------------------------------------------------------------