Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques

Mohamed Msaad; Shreyas Srinivasa; Mikkel Møller Andersen; David Audran; Charity U. Orji; Emmanouil Vasilomanolakis

doi:10.1007/978-3-031-22295-5_6

Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques

Mohamed Msaad^*, Shreyas Srinivasa, Mikkel Møller Andersen, David Audran, Charity U. Orji, Emmanouil Vasilomanolakis

^*Kontaktforfatter

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

1 Citationer (Scopus)

83 Downloads (Pure)

Abstract

The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

Originalsprog	Engelsk
Titel	Secure IT Systems : 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings
Redaktører	Hans P. Reiser, Marcel Kyas
Antal sider	19
Forlag	Springer
Publikationsdato	1 jan. 2023
Sider	101-119
ISBN (Trykt)	978-3-031-22294-8
ISBN (Elektronisk)	978-3-031-22295-5
DOI	https://doi.org/10.1007/978-3-031-22295-5_6
Status	Udgivet - 1 jan. 2023
Begivenhed	The 27th Nordic Conference on Secure IT Systems, NordSec 2022 - Reykjavik University, Reykjavik, Island Varighed: 30 nov. 2022 → 2 dec. 2022

Konference

Konference	The 27th Nordic Conference on Secure IT Systems, NordSec 2022
Lokation	Reykjavik University
Land/Område	Island
By	Reykjavik
Periode	30/11/2022 → 02/12/2022

Navn	Lecture Notes in Computer Science
Vol/bind	LNCS 13700
ISSN	0302-9743

Adgang til dokumentet

10.1007/978-3-031-22295-5_6

HoneysweeperForlagets udgivne version, 978 KB

AUB Link

Søg efter materialet i Aalborg Universitetsbiblioteks søgemaskine

Andre filer og links

Link to publication in Scopus

Citationsformater

Msaad, M., Srinivasa, S., Møller Andersen, M., Audran, D., Orji, C. U., & Vasilomanolakis, E. (2023). Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. I H. P. Reiser, & M. Kyas (red.), Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings (s. 101-119). Springer. https://doi.org/10.1007/978-3-031-22295-5_6

Msaad, Mohamed ; Srinivasa, Shreyas ; Møller Andersen, Mikkel et al. / Honeysweeper : Towards stealthy Honeytoken fingerprinting techniques. Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. red. / Hans P. Reiser ; Marcel Kyas. Springer, 2023. s. 101-119 (Lecture Notes in Computer Science, Bind LNCS 13700).

@inproceedings{56bd5d0c01234f5b818c7267893dcf69,

title = "Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques",

abstract = "The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.",

keywords = "Honeypots, fingerprinting, honeytokens, Counter-deception, Fingerprinting, Honeytokens",

author = "Mohamed Msaad and Shreyas Srinivasa and {M{\o}ller Andersen}, Mikkel and David Audran and Orji, {Charity U.} and Emmanouil Vasilomanolakis",

year = "2023",

month = jan,

day = "1",

doi = "10.1007/978-3-031-22295-5_6",

language = "English",

isbn = "978-3-031-22294-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "101--119",

editor = "Reiser, {Hans P.} and Marcel Kyas",

booktitle = "Secure IT Systems",

address = "Germany",

note = "The 27th Nordic Conference on Secure IT Systems, NordSec 2022, NordSec 2022 ; Conference date: 30-11-2022 Through 02-12-2022",

}

Msaad, M, Srinivasa, S, Møller Andersen, M, Audran, D, Orji, CU & Vasilomanolakis, E 2023, Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. i HP Reiser & M Kyas (red), Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. Springer, Lecture Notes in Computer Science, bind LNCS 13700, s. 101-119, The 27th Nordic Conference on Secure IT Systems, NordSec 2022, Reykjavik, Island, 30/11/2022. https://doi.org/10.1007/978-3-031-22295-5_6

Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. / Msaad, Mohamed; Srinivasa, Shreyas; Møller Andersen, Mikkel et al.
Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. red. / Hans P. Reiser; Marcel Kyas. Springer, 2023. s. 101-119 (Lecture Notes in Computer Science, Bind LNCS 13700).

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

TY - GEN

T1 - Honeysweeper

T2 - The 27th Nordic Conference on Secure IT Systems, NordSec 2022

AU - Msaad, Mohamed

AU - Srinivasa, Shreyas

AU - Møller Andersen, Mikkel

AU - Audran, David

AU - Orji, Charity U.

AU - Vasilomanolakis, Emmanouil

PY - 2023/1/1

Y1 - 2023/1/1

N2 - The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

AB - The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

KW - Honeypots

KW - fingerprinting

KW - honeytokens

KW - Counter-deception

KW - Fingerprinting

KW - Honeytokens

UR - http://www.scopus.com/inward/record.url?scp=85147841236&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-22295-5_6

DO - 10.1007/978-3-031-22295-5_6

M3 - Article in proceeding

SN - 978-3-031-22294-8

T3 - Lecture Notes in Computer Science

SP - 101

EP - 119

BT - Secure IT Systems

A2 - Reiser, Hans P.

A2 - Kyas, Marcel

PB - Springer

Y2 - 30 November 2022 through 2 December 2022

ER -

Msaad M, Srinivasa S, Møller Andersen M, Audran D, Orji CU, Vasilomanolakis E. Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. I Reiser HP, Kyas M, red., Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. Springer. 2023. s. 101-119. (Lecture Notes in Computer Science, Bind LNCS 13700). doi: 10.1007/978-3-031-22295-5_6

Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques

Abstract

Konference

Adgang til dokumentet

AUB Link

Andre filer og links

Fingeraftryk

Citationsformater