
Honeysweeper: Towards Stealthy Honeytoken Fingerprinting Techniques

Conference paper, published in Secure IT Systems (NordSec 2022)

Abstract

The increased number of data breaches and sophisticated attacks has created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and that a breach entails average costs of up to $4.85 million. To cope with this, cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and in intrusion detection, as they raise an alert the moment a deceptive entity is accessed. In such deception-based defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.


Notes

  1. https://github.com/DidierStevens/DidierStevensSuite/blob/master/pdf-parser.py

  2. https://canarytokens.org/generate

  3. https://github.com/aau-network-security/canarytokens_finger_printer



Corresponding author: Shreyas Srinivasa


Appendix

1.1 Static Data on PDF Canarytoken

Listing 1.2 shows the static data identified on parsing the composite XML file of the PDF Canarytoken. We can observe static data on the modify date, create date and metadata date.

[Listing 1.2 omitted: figure not extracted]

1.2 Fingerprinting of PDF Canarytoken

Listing 1.3 shows the pseudo code for fingerprinting a PDF Canarytoken. The method extracts the URLs embedded in the PDF and compares them against a list of known honeytoken service URLs.

[Listing 1.3 omitted: figure not extracted]

1.3 Fingerprinting of .docx and .xlsx Canarytokens

Listing 1.4 shows the pseudo code for fingerprinting .docx and .xlsx Canarytokens. The technique unzips the composite file formats and checks the contained files for embedded URLs.

[Listing 1.4 omitted: figure not extracted]
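The URL check behind Listings 1.3 and 1.4, written from the defender's side as an added example (this is not the paper's code and not Canarytokens' own): it scans a PDF byte stream and walks every zip member of a .docx/.xlsx for embedded URLs, then reports those that point at a known honeytoken service, so a team can audit its own tokens for the giveaway the paper describes before deploying them. The sample documents, the a1b2c3 hostname, the honeytoken.example domain and all function names are constructed for this example; canarytokens.org is the service named in the paper's notes.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Services whose callback URLs give a token away. canarytokens.org comes from the
# paper's notes; honeytoken.example is a constructed placeholder for any other
# service a team deploys (not a real host).
KNOWN_HONEYTOKEN_DOMAINS = {"canarytokens.org", "honeytoken.example"}

# http(s) URLs, stopping at whitespace, quotes and brackets so that the closing
# ')' of a PDF string or the '"' of an XML attribute is not swallowed.
URL_RE = re.compile(rb"https?://[^\s()<>\"'\[\]]+")


def extract_urls(data: bytes) -> list:
    """Return every http(s) URL in a byte buffer, in order of appearance."""
    return [m.decode("ascii", "replace").rstrip(".,;") for m in URL_RE.findall(data)]


def urls_in_pdf(blob: bytes) -> list:
    """Listing 1.3 looks for URLs embedded in the PDF; a raw scan of the bytes
    catches URI actions and link annotations in uncompressed objects."""
    return extract_urls(blob)


def urls_in_office_file(blob: bytes) -> list:
    """.docx/.xlsx are zip containers (Listing 1.4): any member, not only
    document.xml, can carry a URL, so walk all of them."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            urls.extend(extract_urls(zf.read(name)))
    return urls


def matches_known_service(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, a known honeytoken service."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_HONEYTOKEN_DOMAINS)


def audit(urls: list) -> list:
    """Keep only URLs that a fingerprinter would match; a deployed token should
    yield an empty list here."""
    return [u for u in urls if matches_known_service(u)]


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: a relationships part referencing an external
    image on a constructed canarytokens.org host, next to benign schema URLs."""
    rels = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            b'Target="http://a1b2c3.canarytokens.org/img.png" TargetMode="External"/>'
            b'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed PDF fragment with a URI action, the way a link-based token beacons.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /URI /URI (http://a1b2c3.canarytokens.org/doc.pdf) >> >>\nendobj\n"
              b"%%EOF\n")

if __name__ == "__main__":
    for label, urls in (("docx", urls_in_office_file(build_sample_docx())),
                        ("pdf", urls_in_pdf(SAMPLE_PDF))):
        hits = audit(urls)
        print(f"{label}: {len(urls)} URL(s) found, {len(hits)} pointing at a honeytoken service: {hits}")
```

Two caveats for anyone running this over real tokens: a raw byte scan does not see URLs inside compressed object streams (FlateDecode), so decompress with pdf-parser (note 1) first; and a token served from a custom domain will not match the list, so an empty result is evidence of absence only for the services you listed.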

1.4 Mitigation of Metadata in Canarytoken

Listing 1.5 shows the mitigation: randomization of the file creation date and time. Randomizing these values avoids the static creation dates that Canarytokens currently embeds.

[Listing 1.5 omitted: figure not extracted]
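As an added example of the mitigation in Listing 1.5 (not the paper's code and not Canarytokens code), the following Python rewrites the three XMP dates that Appendix 1.1 identifies as static, together with the dates in the PDF /Info dictionary, from one randomized creation/modification pair so that the two sources stay consistent with each other. The XMP packet, the /Info fragment and the 2015-01-01 placeholder values are constructed for this example and are not the real fixed values of the Canarytokens PDF.

```python
import random
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the fixed metadata the paper reports in a PDF
# Canarytoken: an XMP packet (what pdf-parser shows for the metadata stream)
# and the matching /Info dictionary. The date values are placeholders.
STATIC_XMP = (
    '<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"\n'
    '  xmp:CreateDate="2015-01-01T00:00:00+00:00"\n'
    '  xmp:ModifyDate="2015-01-01T00:00:00+00:00"\n'
    '  xmp:MetadataDate="2015-01-01T00:00:00+00:00"/>'
)
STATIC_INFO = "<< /CreationDate (D:20150101000000+00'00') /ModDate (D:20150101000000+00'00') >>"

XMP_FIELDS = ("xmp:CreateDate", "xmp:ModifyDate", "xmp:MetadataDate")
XMP_FMT = "%Y-%m-%dT%H:%M:%S+00:00"   # XMP dates are ISO 8601
INFO_FMT = "D:%Y%m%d%H%M%S+00'00'"     # PDF /Info dictionary date syntax


def read_xmp_dates(xmp: str) -> dict:
    """Pull the three XMP timestamps out of a packet (field -> ISO string)."""
    found = {}
    for field in XMP_FIELDS:
        m = re.search(rf'{field}="([^"]+)"', xmp)
        if m:
            found[field] = m.group(1)
    return found


def dates_are_templated(xmp: str) -> bool:
    """The Appendix 1.1 signal: create, modify and metadata dates all identical,
    which is what a file stamped from a fixed template looks like."""
    return len(set(read_xmp_dates(xmp).values())) == 1


def pick_dates(rng: random.Random, window_days: int = 365):
    """Choose a plausible (created, modified) pair: creation somewhere in the
    past `window_days` (leaving 30 days of headroom), modification up to 30 days
    later and therefore never in the future."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    created = now - timedelta(days=30) - timedelta(seconds=rng.randrange(window_days * 86400))
    modified = created + timedelta(seconds=rng.randrange(1, 30 * 86400))
    return created, modified


def randomize_dates(xmp: str, info: str, seed=None):
    """Rewrite every date-bearing field in both the XMP packet and the /Info
    dictionary from one (created, modified) pair, so the two sources agree.
    Variety across tokens is the goal, not unpredictability, so random.Random
    is sufficient; a seed makes the choice reproducible for testing."""
    created, modified = pick_dates(random.Random(seed))
    new_xmp = {"xmp:CreateDate": created, "xmp:ModifyDate": modified, "xmp:MetadataDate": modified}
    out_xmp = xmp
    for field, ts in new_xmp.items():
        out_xmp = re.sub(rf'{field}="[^"]*"', f'{field}="{ts.strftime(XMP_FMT)}"', out_xmp)
    out_info = re.sub(r"/CreationDate \([^)]*\)", f"/CreationDate ({created.strftime(INFO_FMT)})", info)
    out_info = re.sub(r"/ModDate \([^)]*\)", f"/ModDate ({modified.strftime(INFO_FMT)})", out_info)
    return out_xmp, out_info


if __name__ == "__main__":
    print("templated before:", dates_are_templated(STATIC_XMP))
    xmp, info = randomize_dates(STATIC_XMP, STATIC_INFO)
    print(xmp)
    print(info)
    print("templated after:", dates_are_templated(xmp))
```

The design point is that the dates are drawn once and written everywhere: if only the XMP packet were randomized, the /Info dictionary would still carry the fixed value and the mismatch between the two would itself be a signature.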


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Msaad, M., Srinivasa, S., Andersen, M.M., Audran, D.H., Orji, C.U., Vasilomanolakis, E. (2022). Honeysweeper: Towards Stealthy Honeytoken Fingerprinting Techniques. In: Reiser, H.P., Kyas, M. (eds) Secure IT Systems. NordSec 2022. Lecture Notes in Computer Science, vol 13700. Springer, Cham. https://doi.org/10.1007/978-3-031-22295-5_6


  • DOI: https://doi.org/10.1007/978-3-031-22295-5_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22294-8

  • Online ISBN: 978-3-031-22295-5

  • eBook Packages: Computer Science (R0)
