Today, cyberattacks are no longer a matter of if, but when. Spotting malicious actors before they can do damage requires a proactive approach. One effective strategy is to use honey tokens. This article explains what honey tokens are and how Netwrix Threat Manager enables organizations to easily create and use them to gain the threat intelligence they need to shut down attacks and improve their security posture.
What Honey Tokens Are and How They Work
A honey token is a digital object that appears valuable to a hacker but is actually a decoy, carefully designed to help defenders discover information about attackers and their activity. Examples of honey tokens include:
- Fake email accounts
- Fake credentials
- Decoy files or database records
- Browser cookies or tokens for tracking in-app behavior
For example, honey-token email addresses don’t correspond to actual users — when a hacker sends a phishing message to the email account, the security team can spot the campaign and begin investigating it. Similarly, defenders can set up a honey-token file or database with a tempting name like “Financial Records”; while a hacker is eagerly sifting through the false data in it, the honey token is sending information about the activity back to the security team.
Security teams can use the data from honey tokens to build a profile on the attacker, including details like IP addresses, server locations and user agents. More broadly, honey tokens help IT teams pinpoint underlying security gaps, such as weak password policies or outdated code.
Types of Honey Tokens
Honey tokens come in various forms, each designed to attract different types of malicious actors and provide valuable intelligence. By diversifying the types of honey tokens deployed, organizations can improve their threat detection across multiple entry points. Here are the most common types of honey tokens:
- Decoy Files: These are files that appear valuable, such as documents labeled “Financial Records” or “Employee Data.” When an unauthorized user interacts with the file, it triggers an alert, allowing the security team to track and analyze the attacker’s movements within the system.
- Fake Credentials: These are login credentials for non-existent accounts. When a hacker attempts to use them, the organization is notified, providing an opportunity to trace the origin of the attack and assess the hacker’s methods.
- Decoy Database Records: These are false records that appear in databases containing sensitive information, like customer or financial data. These decoys help detect unauthorized database access and provide insight into the attacker’s objectives.
- Canary Tokens: These are small pieces of code placed in applications or servers to alert security teams when they are accessed. Canary tokens can be disguised as browser cookies, URLs, or API keys and can help track the hacker’s movements through an application.
- Email-Based Honey Tokens: These tokens involve setting up fake email addresses that don’t belong to any real employee. When a hacker sends phishing emails or tries to establish contact, the security team gains valuable information about the attacker’s methods and goals.
Benefits of Netwrix Threat Manager for Honey Tokens
Honey tokens are essential to any modern cybersecurity strategy. However, establishing and maintaining an effective set of honey tokens can be a challenge, especially across today’s diverse and dynamic IT environments. One of the keys to success is to choose a software solution that automates and streamlines the work.
Netwrix Threat Manager (formerly StealthDEFEND) is one of the most robust deception-based security systems available. It offers honey tokens in the form of credentials inserted into LSASS on a host to entice an attacker to use a tool such as mimikatz to discover, capture and attempt to use those credentials. Defenders can easily monitor this activity around the honey token credentials to spot and investigate threat actors.
Key benefits include the following:
- Enhanced threat detection — The honey tokens in Netwrix Threat Manager go above and beyond basic threat intelligence. Immediately upon being set off, they begin actively gathering information and building a complex profile of the attackers, including their method of entry and tactics.
- Faster incident response — The average time to identify a data breach is an unsettling 197 days. Netwrix’s honey tokens generate real-time threat alerts that empower organizations to begin addressing threats as soon as possible. The platform supports alerts via both email and SMS.
- Fewer false positive alerts — False positives remain a massive issue in the IT realm, as they can distract teams from responding to legitimate threats. Honey tokens are an excellent way to focus on true threats because honey-token activity is inherently a sign of attacks in progress.
- Scalability — Netwrix Threat Manager streamlines the work of creating and managing honey tokens so organizations can readily continue protecting their IT ecosystem as it grows and changes.
- Easy deployment and integration — The Netwrix solution is easy to implement and integrates smoothly with other security technologies. As a result, organizations can ensure a comprehensive approach that maximizes the return on their various cybersecurity investments.
How to Implement Honey Tokens with Netwrix Threat Manager
Netwrix Threat Manager provides an intuitive GUI that makes it simple to set up, deploy and monitor honey tokens. The first step is to select a compelling username for the honey token to entice an adversary to try to use it. To reduce noise, the username should not match, either in part or in full, another user, group, or computer account in your environment.
You can easily configure the honey token credentials and customize criteria such as how long a token can be active on a host and token reuse settings. Then you can schedule deployment.
It’s also simple to monitor all honey token accounts that you have set up. If an attacker attempts to query the honey token account or authenticate with the honey token credentials, the solution will generate a threat detailing the event.
You can also review a rich history of what tokens are currently active on which host, as well as when and where tokens were previously active.
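The naming rule and the monitoring step described above, sketched as an added example (not Netwrix Threat Manager code): the first function checks a candidate honey-token username for partial or full overlap with existing account names, and the second flags authentication events that target the honey account. The account names, the event dictionary layout and the sample events are constructed for illustration; the event IDs are standard Windows Security log IDs.

```python
# Added illustration, not Netwrix Threat Manager code; names and events are constructed.

# Windows Security event IDs that record an authentication attempt.
AUTH_EVENTS = {4624: "logon succeeded", 4625: "logon failed",
               4768: "Kerberos TGT requested", 4776: "NTLM credential validation"}


def name_collisions(candidate, existing_accounts):
    """Return existing accounts that match the candidate in part or in full."""
    cand = candidate.lower()
    hits = []
    for name in existing_accounts:
        n = name.lower().rstrip("$")  # computer accounts end with '$'
        if n and (n in cand or cand in n):
            hits.append(name)
    return hits


def detect_honey_use(events, honey_users):
    """Flag every authentication event that targets a honey-token account."""
    honey = {u.lower() for u in honey_users}
    alerts = []
    for ev in events:
        # Strip a DOMAIN\ prefix or @realm suffix before comparing.
        user = ev["target_user"].split("\\")[-1].split("@")[0].lower()
        if ev["event_id"] in AUTH_EVENTS and user in honey:
            alerts.append({"time": ev["time"], "user": user,
                           "source_ip": ev["source_ip"],
                           "reason": AUTH_EVENTS[ev["event_id"]]})
    return alerts


# Constructed sample data: existing directory accounts and normalized log events.
EXISTING = ["svc_backup", "Admins", "WS-0142$", "jsmith"]
EVENTS = [
    {"time": "2024-05-01T10:02:11Z", "event_id": 4624, "target_user": "CORP\\jsmith", "source_ip": "10.0.4.17"},
    {"time": "2024-05-01T10:07:45Z", "event_id": 4768, "target_user": "adm_sqlprod@corp.example", "source_ip": "10.0.9.53"},
    {"time": "2024-05-01T10:07:52Z", "event_id": 4625, "target_user": "CORP\\adm_sqlprod", "source_ip": "10.0.9.53"},
    {"time": "2024-05-01T10:09:00Z", "event_id": 4634, "target_user": "CORP\\adm_sqlprod", "source_ip": "10.0.9.53"},
]

if __name__ == "__main__":
    print("collisions:", name_collisions("adm_sqlprod", EXISTING))
    for alert in detect_honey_use(EVENTS, ["adm_sqlprod"]):
        print(alert)
```

Because no legitimate user, group or computer shares any part of the honey username, every alert this produces points at the decoy credential itself rather than at a lookalike production account.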
Conclusion
Honey tokens are a powerful tool for rooting out adversaries inside your network. Netwrix Threat Manager makes the creation, management, and maintenance of honey tokens as straightforward and painless as possible. As a result, you can not only shut down threats promptly but also study the behavior and tactics of attackers so you can pinpoint and close underlying security gaps to fortify your cyber resilience.
We invite you to visit https://www.netwrix.com/threat_detection_software.html, where you can learn more, take an in-browser demo, and schedule a one-to-one consultation.
FAQ
What are honeypot tokens?
Honeypot tokens are traps disguised as useful data, such as an email address, password or sensitive record. However, instead of providing hackers with valuable information or access, these objects are equipped with trackers that can glean valuable information concerning the adversary’s location, tactics and identity.
How are honey tokens used by companies?
Companies use honey tokens across the IT ecosystem, including email accounts, file caches and cloud databases. They deploy honey tokens as bait to draw in hackers and then harvest their information to learn how they gained access to the company’s systems and servers.
How does a honeypot work?
A honeypot appears to be a legitimate digital asset, which lures cybercriminals into trying to use or access it. But that action triggers a sensor or cookie that tracks the hacker’s actions and records data such as their device and IP address. Using this information, defenders can shut down threats in progress, as well as identify and close underlying security gaps to block future attacks.