Towards systematic honeytoken fingerprinting

Srinivasa, Shreyas; Pedersen, Jens Myrup; Vasilomanolakis, Emmanouil

doi:10.1145/3433174.3433599

Cited by 9 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Srinivasa et al [21] proposed an set of techniques, referred to as fingerprinting honey tokens, to compromise a decoy system. The authors of this study explicitly mentioned the difficulty of fingerprinting honey tokens created at data level.…”

Section: A Deception-based Approachesmentioning

confidence: 99%

“…On the other hand, the content-based approach applies machine learning and natural language processing techniques to textual content to build models for insider threat detection [2]- [4]. Finally, the deception-based approach uses decoy assets otherwise known as honey elements such as honey permissions [23], honeypots [25], honey files [19], honey documents [20], honey tokens [21], [26], honey words [24], and honey encryption [22] to attract and track insiders. Unlike other approaches, deception-based measures provide efficient early signs of insider incidents with the least amount of data collected from former or potential insiders [44].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection

2022

View full text Add to dashboard Cite

Insider threat is an ever-present challenge to corporate security. The availability of knowledge and privileges to insiders makes it extremely difficult to prevent, detect or deter malicious insider activities. In the literature, several studies have proposed deception-based approaches to mitigate insider threats through different layers of corporate systems. However, the integration of access control and cyber deception methods has not been adequately discussed. In this paper, we integrate Attribute-based Access Control (ABAC) with honey-based deception techniques to effectively track insiders, particularly in the context of a dynamic work environment. To the best of our knowledge, this is the first study to design, implement and evaluate this integration. Our evaluation results show that the proposed framework reliably identifies sensitive attributes in the system and generates indistinguishable honey values to protect them with an average similarity score of 0.90 to the truth.

show abstract

Section: A Deception-based Approachesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection

2022

View full text Add to dashboard Cite

show abstract

“…To the best of our knowledge, the only work that examines honeytokenspecific fingerprinting to date is by Srinivasa et al [21]. The work showcases a proof of concept regarding fingerprinting a public honeytoken provider as a case study.…”

Section: Honeytoken Fingerprintingmentioning

confidence: 99%

“…To analyze the honeytokens, we started by building a classification to help us create fingerprinting techniques for each honeytoken class. Srinivasa et al have established a Canarytoken honeytoken classification, and we use it as a building block for our extended version [21].…”

Section: Honeytoken Analysismentioning

confidence: 99%

Honeysweeper: Towards Stealthy Honeytoken Fingerprinting Techniques

et al. 2022

Self Cite

View full text Add to dashboard Cite

The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deceptionbased defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

show abstract

“…However, we consider this out of the scope of this article. Similarly, we will not discuss here fingerprinting of honeypot-like systems (such as honeytoken identification) [36]. We also note all papers in the SotA exclude high interaction honeypots from their analysis.…”

Section: Related Workmentioning

confidence: 99%

Gotta catch 'em all: a Multistage Framework for honeypot fingerprinting

Srinivasa¹,

Pedersen²,

Vasilomanolakis³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the last years a number of researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field, by providing a holistic framework that includes state of the art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21, 855 honeypot instances. Moreover, we present a number of interesting side-findings such as the identification of more than 354, 431 non-honeypot systems that represent potentially vulnerable servers (e.g. SSH servers with default password configurations and vulnerable versions). Lastly, we discuss countermeasures against honeypot fingerprinting techniques.

show abstract

Towards systematic honeytoken fingerprinting

Cited by 9 publications

References 11 publications

Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection

Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection

Honeysweeper: Towards Stealthy Honeytoken Fingerprinting Techniques

Gotta catch 'em all: a Multistage Framework for honeypot fingerprinting

Contact Info

Product

Resources

About