RES: Honeytokens and Detection

From: Augusto Quadros Paes de Barros (augusto_at_paesdebarros.com.br)
Date: 07/18/03

  • Next message: Raffael Marty: "Re: IDS Event/Incident Tracking"
    Date: Fri, 18 Jul 2003 10:50:45 -0300
    To: focus-ids@securityfocus.com
    
    

    Lance,

    I'm glad to see that there is still interest in this subject. I'm trying to find other uses for it too, and I have already
    selected some of my favourites:

    - Admin Rights User: Create an administrator on your domain/computer, use a HUGE/COMPLEX password (so it
    cannot really be used by someone) and keep your eyes on it. Users with admin rights are one of the first targets
    of black hats. If someone logs in with it, there is a problem.

    - Files on P2P nets: I have already heard that the police here in Brazil are trying to identify people involved in
    pedophilia with honeytoken files on P2P networks.

    - Web Server hidden files: .inc, .old or other apparently interesting files in publicly accessible directories on web
    servers. As there is no link to them, any entry in the web server log showing access to these files is quite
    suspicious and indicates that someone knows about files that are not related to the website.

    - Renaming a common tool: This one is a bit different. It can be useful when the turnover of the administration
    team is not very high. You can replace one of the common tools used by administrators (like ipconfig on Windows
    or kill or vi on Unix) with an "alarm trigger". The whole team knows that they must use the renamed tool, but someone
    who is not part of the team will innocently pull the trigger. The chance of false positives is a bit higher than with
    other honeytokens, but it's still a fun thing to do.

    I believe that the most important thing about honeytokens is to make the people responsible for Intrusion
    Detection aware of them and how they work. As they know the systems and procedures of the company where they
    work, they are the best people to define what can be a honeytoken and where it should be placed. Incident
    history and lessons learned can be a good place to start planning a honeytoken deployment.

    Regards,

    Augusto Paes de Barros, CISSP.

    -----Original Message-----
    From: Lance Spitzner [mailto:lance@honeynet.org]
    Sent: Thursday, July 17, 2003 13:33
    To: Focus on Intrusion Detection Systems
    Subject: Honeytokens and Detection

    Honeytokens are a relatively new tool with many applications to
    detection, especially for the insider threat. I've made an attempt
    to define what this tool is, its value, and how it can work.

     Honeytokens: The Other Honeypot
     http://www.securityfocus.com/infocus/1713

    I would love any input, ideas, or suggestions on this
    relatively new tool.

    Thanks!

    -- 
    Lance Spitzner
    http://www.tracking-hackers.com
    -------------------------------------------------------------------------------
    Is your IDS deployed correctly?
    Find out by easily testing it with real-world attacks from CORE IMPACT.
    Go to www.coresecurity.com/promos/sf_eids1 to learn more.
    -------------------------------------------------------------------------------
    Augusto Quadros Paes de Barros, CISSP
    http://www.paesdebarros.com.br
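The two host-side ideas above (a never-used admin account and unlinked .inc/.old files) both reduce to the same detection rule: any access to the token is an alert, whatever the outcome. The following Python is an added example written for this page, not code from either poster. The honeytoken paths, the account name, the web log lines (Apache/nginx combined format) and the single-line logon record format are all constructed for the example; they are placeholders, not values from the thread.

```python
import re
from dataclasses import dataclass

# Honeytoken inventory (hypothetical, constructed for this example).
# These are unlinked files and an account with no legitimate user, so
# there is no "normal" access to distinguish from: every hit alerts.
HONEYTOKEN_PATHS = {"/include/db.inc", "/admin/config.old", "/backup/site.tar.old"}
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin"}

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed logon record format (assumed, not a real product's format):
#   <iso-timestamp> LOGON user=<name> src=<ip> result=<success|failure>
AUTH_RE = re.compile(
    r'^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\w+)$'
)


@dataclass(frozen=True)
class Alert:
    kind: str       # "web_honeytoken" or "account_honeytoken"
    token: str      # which honeytoken was touched
    source: str     # client IP that touched it
    timestamp: str
    detail: str


def check_access_line(line):
    """Alert on any request for a honeytoken path, regardless of HTTP status.

    A 404 still means the client knew a name that is not linked anywhere,
    which is the suspicious part; the query string is stripped before matching.
    """
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if path in HONEYTOKEN_PATHS:
        return Alert("web_honeytoken", path, m.group("ip"), m.group("ts"),
                     f"{m.group('method')} -> HTTP {m.group('status')}")
    return None


def check_auth_line(line):
    """Alert on any logon attempt with a honeytoken account, success or failure.

    The account is never used legitimately, so a failed attempt is as
    interesting as a successful one: somebody had the username.
    """
    m = AUTH_RE.match(line)
    if not m:
        return None
    if m.group("user") in HONEYTOKEN_ACCOUNTS:
        return Alert("account_honeytoken", m.group("user"), m.group("ip"),
                     m.group("ts"), f"logon {m.group('result')}")
    return None


def scan(lines):
    """Run both checks over a mixed stream of log lines; return alerts in order."""
    alerts = []
    for line in lines:
        alert = check_access_line(line) or check_auth_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source IP: one client touching several tokens is the
    strongest signal, and the number worth escalating first."""
    counts = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts


# Constructed sample input: two ordinary requests, two honeytoken file hits
# (one of them a 404), one normal logon and one logon with the token account.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2003:10:50:45 -0300] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [18/Jul/2003:10:50:46 -0300] "GET /images/logo.gif HTTP/1.0" 200 512',
    '192.0.2.77 - - [18/Jul/2003:11:02:13 -0300] "GET /include/db.inc HTTP/1.0" 200 388',
    '192.0.2.77 - - [18/Jul/2003:11:02:14 -0300] "GET /admin/config.old?x=1 HTTP/1.0" 404 210',
    '2003-07-18T11:05:00 LOGON user=alice src=10.0.0.9 result=success',
    '2003-07-18T11:07:31 LOGON user=svc_backup_admin src=192.0.2.77 result=failure',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.kind} token={a.token} src={a.source} ({a.detail})")
    print("per source:", alerts_by_source(found))
```

Running it over the constructed sample yields three alerts, all from the same source address, which is exactly the kind of correlation (unlinked file names plus the decoy admin account from one client) that makes a honeytoken hit easy to triage with almost no false-positive cost.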