Wednesday, September 8, 2010

Does anyone still think about honeytokens?

Honeypot technologies are always relegated to second place or to experimental environments only. However, I was reading about the most common attacks in the Verizon DBIR report: malware stealing data - memory scrapers, etc. All automated stuff searching for "valuable" data! This is exactly the kind of threat that can be easily identified by honeytokens. And it doesn't have to be extremely complicated. A quick and dirty solution that could help a lot:

  1. Create a text file with a bunch (10? 100?) of fake credit card numbers, all of them with, let's say, the same first 10 digits. There are thousands of credit card number generators out there that can do it. Distribute the file using your regular software distribution tool to all your desktops.

  2. Install a custom signature in your perimeter IDSes searching for those initial digits.

  3. Periodically (monthly? weekly? daily?) run a job with something like "cat file > /dev/null"; that will be enough to bring the contents of the file into memory. Something that could keep the contents in memory for a couple of hours would be best.

  4. Monitor for anything triggering that signature. If anything hits it, there is a high chance you have malware like those mentioned in the report running on your desktops.

I know it is very targeted to a specific type of malware, but as it looks like this type of malware is responsible for the majority of the incidents and records in the report, it might be worth the (small) effort.
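Steps 1, 2 and 4 above in code, as an added example that is not from the original post: it generates Luhn-valid fake card numbers that all share one 10-digit prefix, emits the matching Snort-style signature, and scans captured bytes for that prefix the way the perimeter IDS would. The prefix, the rule sid, the file name and the sample capture are constructed values, not anything from the post.

```python
import random
import re

# Constructed 10-digit prefix shared by every honeytoken card (hypothetical value).
HONEY_PREFIX = "4539876501"


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    # The check digit occupies the rightmost (undoubled) slot, so the last
    # digit of the partial number is the first one that gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation of a full card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def generate_honeytokens(count: int, prefix: str = HONEY_PREFIX, seed: int = 0) -> list:
    """Step 1: count distinct 16-digit Luhn-valid numbers starting with prefix."""
    rng = random.Random(seed)  # seeded so the file is reproducible per deployment
    tokens = set()
    while len(tokens) < count:
        body = prefix + "".join(rng.choice("0123456789") for _ in range(5))
        tokens.add(body + luhn_check_digit(body))
    return sorted(tokens)


def snort_rule(prefix: str = HONEY_PREFIX, sid: int = 1000001) -> str:
    """Step 2: a content-match signature for the shared prefix leaving the network."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Honeytoken card prefix leaving the network"; content:"{prefix}"; '
            f'sid:{sid}; rev:1;)')


def find_honeytokens(data: bytes, prefix: str = HONEY_PREFIX) -> list:
    """Step 4 logic: every 16-digit number in captured data carrying the prefix."""
    pattern = re.compile(re.escape(prefix).encode() + rb"\d{6}")
    return [m.decode() for m in pattern.findall(data)]


# Constructed capture: one honeytoken next to a well-known test card number.
SAMPLE_EXFIL = b"POST /upload HTTP/1.1\r\n\r\ncards=4539876501123454;4111111111111111;"
```

Write `generate_honeytokens(100)` one per line into the file you distribute in step 1, and load `snort_rule()` into the sensors; a hit from `find_honeytokens` on egress traffic is the step 4 signal.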