Why Honeytokens Are the Future of Intrusion Detection

A few weeks ago, the 32nd edition of RSA, one of the world's largest cybersecurity conferences, wrapped up in San Francisco. Among the highlights, Kevin Mandia, CEO of Mandiant at Google Cloud, presented a retrospective on the state of cybersecurity. During his keynote, Mandia stated:

“There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attack […] Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can't stop”.

“Build honeypots” was one of his seven pieces of advice to help organizations avoid some of the attacks that might require engagement with Mandiant or other incident response firms.

As a reminder, honeypots are decoy systems that are set up to lure attackers and divert their attention away from the actual targets. They are typically used as a security mechanism to detect, deflect, or study attempts by attackers to gain unauthorized access to a network. Once attackers interact with a honeypot, the system can collect information about the attack and the attacker's tactics, techniques, and procedures (TTPs).

In a digital age where data breaches are increasingly common despite rising budgets allocated to security each year, Mandia pointed out that it is crucial to take a proactive approach to limit the impact of data breaches. Hence the need to turn the tables on attackers and the renewed interest in honeypots.

What Fishing Lures Are to Fishing Nets

Although honeypots are an effective solution for tracking attackers and preventing data theft, they have yet to be widely adopted due to their setup and maintenance difficulties. To attract attackers, a honeypot needs to appear legitimate and be isolated from the real production network, making it challenging to set up and scale for a blue team looking to develop intrusion detection capabilities.

But that's not all. In today's world, the software supply chain is highly complex and made up of many third-party components like SaaS tools, APIs, and libraries that are often sourced from different vendors and suppliers. Components are added at every level of the software building stack, challenging the notion of a “safe” perimeter that needs to be defended. This moving line between what is internally controlled and what is not can defeat the purpose of honeypots: in this DevOps-led world, source code management systems and continuous integration pipelines are the real bait for hackers, which traditional honeypots cannot imitate.

To ensure the security and integrity of their software supply chain, organizations need new approaches, such as honeytokens, which are to honeypots what fishing lures are to fishing nets: they require minimal resources but are highly effective in detecting attacks.

Honeytoken Decoys

Honeytokens, a subset of honeypots, are designed to look like a legitimate credential or secret. When an attacker uses a honeytoken, an alert is immediately triggered. This allows defenders to take swift action based on the indicators of compromise, such as IP address (to distinguish internal from external origins), timestamp, user agents, source, and logs of all actions performed on the honeytoken and adjacent systems.

With honeytokens, the bait is the credential. When a system is breached, hackers often search for easy targets to move laterally, escalate privileges, or steal data. In this context, programmatic credentials like cloud API keys are an ideal target for scanning as they have a recognizable pattern and often contain useful information for the attacker. Therefore, they represent a prime target for attackers to search for and exploit during a breach. As a result, they are also the easiest bait for defenders to disseminate: they can be hosted on cloud assets, internal servers, third-party SaaS tools, as well as workstations or files.
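As an added illustration (not from the original article and not GitGuardian's code), the Python below shows the detection side of this: audit-log events are matched against a registry of planted decoy keys, and each hit is summarized with the indicators listed above (origin of the IP address, timestamp, user agent, actions). The key IDs, the flattened log fields, the planting locations and the internal address range are all constructed assumptions.

```python
import ipaddress
import json

# Constructed registry: decoy key id -> where the decoy was planted.
HONEYTOKENS = {
    "AKIAEXAMPLEDECOY0001": "ci/deploy.env in repo payments-api",
    "AKIAEXAMPLEDECOY0002": "internal wiki page on legacy backups",
}
# Assumption: the address ranges this organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed audit-log lines; field names are modelled on cloud audit logs.
SAMPLE_LOG = """\
{"eventTime":"2023-05-10T09:14:02Z","accessKeyId":"AKIAEXAMPLEREAL00001","sourceIPAddress":"10.0.4.17","userAgent":"aws-sdk-go/1.44","eventName":"PutObject"}
{"eventTime":"2023-05-10T09:20:41Z","accessKeyId":"AKIAEXAMPLEDECOY0001","sourceIPAddress":"203.0.113.50","userAgent":"python-requests/2.28","eventName":"GetCallerIdentity"}
truncated or malformed line
{"eventTime":"2023-05-10T09:21:05Z","accessKeyId":"AKIAEXAMPLEDECOY0001","sourceIPAddress":"203.0.113.50","userAgent":"python-requests/2.28","eventName":"ListBuckets"}
{"eventTime":"2023-05-10T11:02:33Z","accessKeyId":"AKIAEXAMPLEDECOY0002","sourceIPAddress":"10.0.9.8","userAgent":"curl/7.88","eventName":"GetCallerIdentity"}
"""


def origin(ip_text):
    """Classify a source address as internal or external to the organization."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unknown"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def detect(log_text):
    """Return one alert per decoy key, aggregating every recorded use of it."""
    alerts = {}
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        key = ev.get("accessKeyId") if isinstance(ev, dict) else None
        if key not in HONEYTOKENS:
            continue  # any other credential is out of scope for this check
        ip = ev.get("sourceIPAddress", "")
        alert = alerts.setdefault(key, {
            "planted_at": HONEYTOKENS[key], "first_seen": ev.get("eventTime"),
            "sources": set(), "user_agents": set(), "actions": []})
        alert["sources"].add((ip, origin(ip)))
        alert["user_agents"].add(ev.get("userAgent"))
        alert["actions"].append(ev.get("eventName"))
    return alerts
```

Because a decoy key has no legitimate user, any match is worth an alert; the planting location tells responders which asset was read, and an internal origin points to a compromised host or insider rather than a public leak.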

On average, it takes 327 days to identify a data breach. By spreading honeytokens in multiple locations, security teams can detect breaches within minutes, enhancing the security of the software delivery pipeline against potential intrusions. The simplicity of honeytokens is a significant advantage, eliminating the need to develop an entire deception system. Organizations can easily create, deploy, and manage honeytokens at enterprise scale, securing thousands of code repositories simultaneously.

The Future of Intrusion Detection

The field of intrusion detection has stayed under the radar for too long in the DevOps world. The reality on the ground is that software supply chains are the new priority target for attackers, who have realized that development and build environments are much less protected than production ones. Making honeypot technology more accessible is crucial, as is making it easier to roll out at scale using automation.

GitGuardian, a code security platform, recently launched its Honeytoken capability to fulfill this mission. As a leader in secrets detection and remediation, the company is uniquely positioned to transform a problem, secrets sprawl, into a defensive advantage. For a long time, the platform has emphasized the importance of sharing security responsibility between developers and AppSec analysts. Now the goal is to “shift left” on intrusion detection by enabling many more people to generate decoy credentials and place them in strategic places across the software development stack. This will be made possible by providing developers with a tool allowing them to create honeytokens and place them in code repositories and the software supply chain.

The Honeytoken module also automatically detects code leaks on GitHub: when users place honeytokens in their code, GitGuardian can determine whether they have been leaked on public GitHub and where, significantly reducing the impact of breaches like the ones disclosed by Twitter, LastPass, Okta, Slack, and others.


As the software industry continues to grow, it is essential to make security more accessible to the masses. Honeytokens offer a proactive and straightforward solution to detect intrusions in the software supply chain as soon as possible. They can help companies of all sizes secure their systems, no matter the complexity of their stack or the tools they are using: Source Control Management (SCM) systems, Continuous Integration Continuous Deployment (CI/CD) pipelines, and software artifact registries, among others.

With its zero-setup and easy-to-use approach, GitGuardian is integrating this technology to help organizations create, deploy and manage honeytokens at a larger enterprise scale, significantly reducing the impact of potential data breaches.

The future of honeytokens looks bright, and that is why it was little surprise to see Kevin Mandia praise the benefits of honeypots to the largest cybersecurity companies at RSA this year.
