Abstract
The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection
and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deceptionbased defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.
and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deceptionbased defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of 27th Nordic Conference on Secure IT Systems |
| Number of pages | 19 |
| Publication date | 2022 |
| Publication status | Published - 2022 |
| Event | 27th Nordic Conference on Secure IT Systems - Reykjavik University, Reykjavik , Iceland Duration: 30 Nov 2022 → 2 Dec 2022 Conference number: 27 https://nordsec2022.ru.is/ |
Conference
| Conference | 27th Nordic Conference on Secure IT Systems |
|---|---|
| Number | 27 |
| Location | Reykjavik University |
| Country/Territory | Iceland |
| City | Reykjavik |
| Period | 30/11/2022 → 02/12/2022 |
| Internet address |
Keywords
- Honeytokens
- Fingerprinting
- Counter-deception