
Using Honey Tokens for Threat Detection with Netwrix Threat Manager

Today, cyberattacks are no longer a matter of if, but when. Spotting malicious actors before they can do damage requires a proactive approach. One effective strategy is to use honey tokens. This article explains what honey tokens are and how Netwrix Threat Manager enables organizations to easily create and use them to gain the threat intelligence they need to shut down attacks and improve their security posture.

What Honey Tokens Are and How They Work

A honey token is a digital object that appears valuable to a hacker but is actually a carefully crafted decoy that lets defenders discover information about attackers and their activity. Examples of honey tokens include:

  • Fake email accounts
  • Fake credentials
  • Decoy files or database records
  • Browser cookies or tokens for tracking in-app behavior

For example, honey-token email addresses don’t correspond to actual users — when a hacker sends a phishing message to the email account, the security team can spot the campaign and begin investigating it. Similarly, defenders can set up a honey-token file or database with a tempting name like “Financial Records”; while a hacker is eagerly sifting through the false data in it, the honey token is sending information about the activity back to the security team.

Security teams can use the data from honey tokens to build a profile on the attacker, including details like IP addresses, server locations and user agents. More broadly, honey tokens help IT teams pinpoint underlying security gaps, such as weak password policies or outdated code.

Types of Honey Tokens

Honey tokens come in various forms, each designed to attract different types of malicious actors and provide valuable intelligence. By diversifying the types of honey tokens deployed, organizations can improve their threat detection across multiple entry points. Here are the most common types of honey tokens:

  1. Decoy Files
    These are files that appear valuable, such as documents labeled “Financial Records” or “Employee Data.” When an unauthorized user interacts with the file, it triggers an alert, allowing the security team to track and analyze the attacker’s movements within the system.
  2. Fake Credentials
    These are login credentials for non-existent accounts. When a hacker attempts to use them, the organization is notified, providing an opportunity to trace the origin of the attack and assess the hacker’s methods.
  3. Decoy Database Records
    These are false records that appear in databases containing sensitive information, like customer or financial data. These decoys help detect unauthorized database access and provide insight into the attacker’s objectives.
  4. Canary Tokens
    These are small pieces of code placed in applications or servers to alert security teams when they are accessed. Canary tokens can be disguised as browser cookies, URLs, or API keys and can help track the hacker’s movements through an application.
  5. Email-Based Honey Tokens
    These tokens involve setting up fake email addresses that don’t belong to any real employee. When a hacker sends phishing emails or tries to establish contact, the security team gains valuable information about the attacker’s methods and goals.

Benefits of Netwrix Threat Manager for Honey Tokens

Honey tokens are essential to any modern cybersecurity strategy. However, establishing and maintaining an effective set of honey tokens can be a challenge, especially across today’s diverse and dynamic IT environments. One of the keys to success is to choose a software solution that automates and streamlines the work.

Netwrix Threat Manager (formerly StealthDEFEND) is one of the most robust deception-based security systems available. It offers honey tokens in the form of credentials inserted into LSASS on a host to entice an attacker to use a tool such as mimikatz to discover, capture and attempt to use those credentials. Defenders can easily monitor this activity around the honey token credentials to spot and investigate threat actors.

Key benefits include the following:

  • Enhanced threat detection — The honey tokens in Netwrix Threat Manager go above and beyond basic threat intelligence. Immediately upon being set off, they begin actively gathering information and building a complex profile of the attackers, including their method of entry and tactics.
  • Faster incident response — The average time to identify a data breach is an unsettling 197 days. Netwrix’s honey tokens generate real-time threat alerts that empower organizations to begin addressing threats as soon as possible. The platform supports alerts via both email and SMS.
  • Fewer false positive alerts — False positives remain a massive issue in the IT realm, as they can distract teams from responding to legitimate threats. Honey tokens are an excellent way to focus on true threats because honey-token activity is inherently a sign of attacks in progress.
  • Scalability — Netwrix Threat Manager streamlines the work of creating and managing honey tokens so organizations can readily continue protecting their IT ecosystem as it grows and changes.
  • Easy deployment and integration — The Netwrix solution is easy to implement and integrates smoothly with other security technologies. As a result, organizations can ensure a comprehensive approach that maximizes the return on their various cybersecurity investments.

How to Implement Honey Tokens with Netwrix Threat Manager

Netwrix Threat Manager provides an intuitive GUI that makes it simple to set up, deploy and monitor honey tokens. The first step is to select a compelling username for the honey token to entice an adversary to try to use it. To reduce noise, the username should not match, either in part or in full, another user, group, or computer account in your environment.

You can easily configure the honey token credentials and customize criteria such as how long a token can be active on a host and token reuse settings. Then you can schedule deployment.

It’s also simple to monitor all honey token accounts that you have set up. If an attacker attempts to query the honey token account or authenticate with the honey token credentials, the solution will generate a threat detailing the event.

You can also review a rich history of what tokens are currently active on which host, as well as when and where tokens were previously active.
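The two rules this section describes, as an added example that is not Netwrix’s own code: a username check that rejects any candidate overlapping an existing user, group or computer account name in part or in full, and a detector that treats every authentication event naming a honey account as an alert and then groups hits by source IP to start the attacker profile. All account names, honey-token names and log lines are constructed placeholders; the log format is a simplified one that borrows Windows Security log field names.

```python
import re
# Constructed placeholder directory names: users, a group, a computer, a service acct.
EXISTING_ACCOUNTS = ["jsmith", "jdoe", "Domain Admins", "FILESRV01$", "svc_backup"]
# Honey-token usernames chosen for deployment (constructed placeholders).
HONEY_TOKENS = {"fin_backup_admin", "sql_reporting_ro"}

def validate_honey_username(candidate, existing=EXISTING_ACCOUNTS):
    """True only if the name matches no real account in part or in full
    (case-insensitive; the '$' suffix of computer accounts is ignored)."""
    c = candidate.strip().lower()
    if not c:
        return False
    for name in existing:
        n = name.lower().rstrip("$")
        if c in n or n in c:  # either string contained in the other
            return False
    return True

# Constructed, simplified authentication events. Field names follow the
# Windows Security log (4624 logon, 4625 failed logon, 4768 Kerberos TGT request).
SAMPLE_LOG = [
    "2024-05-01T10:01:02Z EventID=4624 TargetUserName=jsmith IpAddress=10.1.2.3 WorkstationName=WS01",
    "2024-05-01T10:03:15Z EventID=4625 TargetUserName=fin_backup_admin IpAddress=10.9.8.7 WorkstationName=WS77",
    "2024-05-01T10:03:16Z EventID=4768 TargetUserName=FIN_BACKUP_ADMIN IpAddress=10.9.8.7 WorkstationName=WS77",
    "2024-05-01T10:04:40Z EventID=4624 TargetUserName=svc_backup IpAddress=10.1.2.9 WorkstationName=FILESRV01",
]
LOG_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
                    r"IpAddress=(?P<ip>\S+) WorkstationName=(?P<host>\S+)")

def parse_event(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_honey_token_use(lines, honey=HONEY_TOKENS):
    """Every event naming a honey account is an alert: the account has no
    legitimate user, so a query or logon attempt has no benign explanation."""
    wanted = {h.lower() for h in honey}
    return [ev for ev in map(parse_event, lines) if ev and ev["user"].lower() in wanted]

def profile_sources(alerts):
    """Group alerts by source IP: which hosts were touched, which event types
    were seen and when the source was first observed (the attacker profile)."""
    profile = {}
    for a in alerts:
        p = profile.setdefault(a["ip"], {"hosts": set(), "event_ids": set(), "first_seen": a["ts"]})
        p["hosts"].add(a["host"])
        p["event_ids"].add(a["eid"])
        p["first_seen"] = min(p["first_seen"], a["ts"])
    return profile
```

Because the legitimate `svc_backup` logon never names a honey account, it produces no alert, which is the low-false-positive property the article relies on.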

Conclusion

Honey tokens are a powerful tool for rooting out adversaries inside your network. Netwrix Threat Manager makes the creation, management, and maintenance of honey tokens as straightforward and painless as possible. As a result, you can not only shut down threats promptly but also study the behavior and tactics of attackers so you can pinpoint and close underlying security gaps to fortify your cyber resilience.

We invite you to visit https://www.netwrix.com/threat_detection_software.html, where you can learn more, take an in-browser demo, and schedule a one-to-one consultation.

FAQ

What are honeypot tokens?

Honeypot tokens are traps disguised as useful data, such as an email address, password or sensitive record. However, instead of providing hackers with valuable information or access, these objects are equipped with trackers that can glean valuable information concerning the adversary’s location, tactics and identity.

How are honey tokens used by companies?

Companies use honey tokens across the IT ecosystem, including email accounts, file caches and cloud databases. They deploy honey tokens as bait to draw in hackers and then harvest their information to learn how they gained access to the company’s systems and servers.

How does a honeypot work?

A honeypot appears to be a legitimate digital asset, which lures cybercriminals into trying to use or access it. But that action triggers a sensor or cookie that tracks the hacker’s actions and records data such as their device and IP address. Using this information, defenders can shut down threats in progress, as well as identify and close underlying security gaps to block future attacks.

Jeff Warren is SVP of Products at Netwrix. Before joining Netwrix, Jeff held multiple roles within the Technical Product Management group at Stealthbits (now part of Netwrix) after joining that organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high-quality, innovative solutions. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.