Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques

Mohamed Msaad; Shreyas Srinivasa; Mikkel Møller Andersen; David Audran; Charity U. Orji; Emmanouil Vasilomanolakis

doi:10.1007/978-3-031-22295-5_6

Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques

Mohamed Msaad^*, Shreyas Srinivasa, Mikkel Møller Andersen, David Audran, Charity U. Orji, Emmanouil Vasilomanolakis

^*Corresponding author for this work

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

1 Citation (Scopus)

83 Downloads (Pure)

Abstract

The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

Original language	English
Title of host publication	Secure IT Systems : 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings
Editors	Hans P. Reiser, Marcel Kyas
Number of pages	19
Publisher	Springer
Publication date	1 Jan 2023
Pages	101-119
ISBN (Print)	978-3-031-22294-8
ISBN (Electronic)	978-3-031-22295-5
DOIs	https://doi.org/10.1007/978-3-031-22295-5_6
Publication status	Published - 1 Jan 2023
Event	The 27th Nordic Conference on Secure IT Systems, NordSec 2022 - Reykjavik University, Reykjavik, Iceland Duration: 30 Nov 2022 → 2 Dec 2022

Conference

Conference	The 27th Nordic Conference on Secure IT Systems, NordSec 2022
Location	Reykjavik University
Country/Territory	Iceland
City	Reykjavik
Period	30/11/2022 → 02/12/2022

Series	Lecture Notes in Computer Science
Volume	LNCS 13700
ISSN	0302-9743

Keywords

Honeypots
fingerprinting
honeytokens
Counter-deception
Fingerprinting
Honeytokens

Access to Document

10.1007/978-3-031-22295-5_6

HoneysweeperFinal published version, 978 KB

AUB Link

Search for the material in Aalborg University Library's search engine

Cite this

Msaad, M., Srinivasa, S., Møller Andersen, M., Audran, D., Orji, C. U., & Vasilomanolakis, E. (2023). Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. In H. P. Reiser, & M. Kyas (Eds.), Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings (pp. 101-119). Springer. https://doi.org/10.1007/978-3-031-22295-5_6

Msaad, Mohamed ; Srinivasa, Shreyas ; Møller Andersen, Mikkel et al. / Honeysweeper : Towards stealthy Honeytoken fingerprinting techniques. Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. editor / Hans P. Reiser ; Marcel Kyas. Springer, 2023. pp. 101-119 (Lecture Notes in Computer Science, Vol. LNCS 13700).

@inproceedings{56bd5d0c01234f5b818c7267893dcf69,

title = "Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques",

abstract = "The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.",

keywords = "Honeypots, fingerprinting, honeytokens, Counter-deception, Fingerprinting, Honeytokens",

author = "Mohamed Msaad and Shreyas Srinivasa and {M{\o}ller Andersen}, Mikkel and David Audran and Orji, {Charity U.} and Emmanouil Vasilomanolakis",

year = "2023",

month = jan,

day = "1",

doi = "10.1007/978-3-031-22295-5_6",

language = "English",

isbn = "978-3-031-22294-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "101--119",

editor = "Reiser, {Hans P.} and Marcel Kyas",

booktitle = "Secure IT Systems",

address = "Germany",

note = "The 27th Nordic Conference on Secure IT Systems, NordSec 2022, NordSec 2022 ; Conference date: 30-11-2022 Through 02-12-2022",

}

Msaad, M, Srinivasa, S, Møller Andersen, M, Audran, D, Orji, CU & Vasilomanolakis, E 2023, Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. in HP Reiser & M Kyas (eds), Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. Springer, Lecture Notes in Computer Science, vol. LNCS 13700, pp. 101-119, The 27th Nordic Conference on Secure IT Systems, NordSec 2022, Reykjavik, Iceland, 30/11/2022. https://doi.org/10.1007/978-3-031-22295-5_6

Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. / Msaad, Mohamed; Srinivasa, Shreyas; Møller Andersen, Mikkel et al.
Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. ed. / Hans P. Reiser; Marcel Kyas. Springer, 2023. p. 101-119 (Lecture Notes in Computer Science, Vol. LNCS 13700).

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

TY - GEN

T1 - Honeysweeper

T2 - The 27th Nordic Conference on Secure IT Systems, NordSec 2022

AU - Msaad, Mohamed

AU - Srinivasa, Shreyas

AU - Møller Andersen, Mikkel

AU - Audran, David

AU - Orji, Charity U.

AU - Vasilomanolakis, Emmanouil

PY - 2023/1/1

Y1 - 2023/1/1

N2 - The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

AB - The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

KW - Honeypots

KW - fingerprinting

KW - honeytokens

KW - Counter-deception

KW - Fingerprinting

KW - Honeytokens

UR - http://www.scopus.com/inward/record.url?scp=85147841236&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-22295-5_6

DO - 10.1007/978-3-031-22295-5_6

M3 - Article in proceeding

SN - 978-3-031-22294-8

T3 - Lecture Notes in Computer Science

SP - 101

EP - 119

BT - Secure IT Systems

A2 - Reiser, Hans P.

A2 - Kyas, Marcel

PB - Springer

Y2 - 30 November 2022 through 2 December 2022

ER -

Msaad M, Srinivasa S, Møller Andersen M, Audran D, Orji CU, Vasilomanolakis E. Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques. In Reiser HP, Kyas M, editors, Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings. Springer. 2023. p. 101-119. (Lecture Notes in Computer Science, Vol. LNCS 13700). doi: 10.1007/978-3-031-22295-5_6

Honeysweeper: Towards stealthy Honeytoken fingerprinting techniques

Abstract

Conference

Keywords

Access to Document

AUB Link

Other files and links

Fingerprint

Cite this