Alright, I'll grant that in these semi restricted environs one might
also make use of such toys, yet, again, these are not open to all public consumption applications, and a variation on the 'insider threat'
scenario. Additionally, if you create false records in a database,
and monitor and log accesses to those records, the rest of the data
is probably still available for exploit and consumption, nothing
has really been stopped or prevented, though its attempted access
might have been logged. Honeypots, in their various forms, are
placed for tracking abuse and logging of activities for later
analysis and perhaps replay, they are not preventive measures, nor
are they IDS/IPS kind of systems. If prevention is combined within the
toy, then you have created something altogether different.
Limiting the scope to the definition provided above, let's examine:
"Honeypots, in their various forms, are placed for tracking abuse and logging of activities for later analysis and perhaps replay"
Given this, would the following definition be disagreeable?
Honeytokens, in their various forms, are placed for tracking abuse and logging of activities for later analysis and perhaps replay with or without the use of a dedicated honeypot.
Seems to me that it is easy enough to place honeytokens in any public service to identify and track any number of activities not within the normal usage of said service.
There is no requirement that there be an insider, customer, partner, or any other known entity to achieve the stated goal of tracking, identifying, and analyzing abuse and activities at a later time.
In fact, you could use a HoneyToken
* with a honeypot to make the identification easier.
* with an IDS to identify attempted intrusions.
* with a log analyzer to identify theft of data.
* with a packet logger to flag important sessions.
* with an access control technology to block further communications.
* ...
This is not a variation of an insider threat management case. This is another layer of defense in depth. It is a practical use of the tools available for a security purpose.
I myself have been using snort for this for a long time. I have implemented this for my customers and different employers over the years. In each implementation different tools have been used; one implementation changed the DB used for the session to that of a complete honeypot DB if the first record in any table was ever used. I think this could qualify as a honeytoken, although it better qualifies as bait and switch in conjunction with a honeypot.
I implemented another system that used common default accounts to flag people attempting to circumvent authentication and closed down access for that remote system for 30 sec.
I used no toys to do this and these were public consumption systems.
There was an interest by the people making risk management decisions to actively manage that risk by attempting to identify threats as soon as possible instead of when it was absolutely too late.
---- OT message ----
To all those out there that like to get personal:
I would like to pass on something stated to me once, in person, that I still have a problem remembering from time to time. Usually after too much external influence. :-)
"Your content is not the problem, it is your delivery"
Simply put, you could be the most correct and accurate person in the world but with all of this other noise you get yourself ignored. This ultimately frustrates you and causes you to become more inflammatory in the hopes of getting noticed. Listen carefully. IT DOES NOT WORK! See a shrink, get laid, take the blue pill, whatever it takes. Your message is lost on the vast majority of people because of your delivery.
Please think of this before you post...
- Jason.
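As an added illustration of the two honeytoken uses described in this post (a planted first record whose access is never legitimate, and default account names that flag authentication circumvention and earn the remote system a 30-second block), the following is example code written for this page. It is not Jason's snort configuration or any of the implementations he mentions; the log format, table names, record ids, account names and addresses are all constructed, and no prevention beyond the temporary block is implied.

```python
"""Honeytoken monitor over a constructed event log.

Two rules: a read of a planted 'first record' in a monitored table, or a
login attempt against a bait/default account, raises an alert and blocks
the source address for BLOCK_SECONDS. Events from a blocked source during
that window are dropped and counted rather than processed.
"""
import re
from dataclasses import dataclass, field

# Assumed honeytoken rows: the first record of each monitored table is planted
# bait that no legitimate code path ever reads (ids kept as strings to match
# the log values).
HONEYTOKEN_ROWS = {("customers", "1"), ("orders", "1")}
# Assumed bait account names that no real user holds.
DEFAULT_ACCOUNTS = {"admin", "guest", "test"}
BLOCK_SECONDS = 30

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log (key=value per line, t = epoch seconds).
SAMPLE_LOG = [
    "t=1000 src=192.0.2.10 event=db_read table=customers id=42",
    "t=1001 src=192.0.2.10 event=db_read table=customers id=1",
    "t=1005 src=192.0.2.10 event=db_read table=orders id=7",
    "t=1010 src=192.0.2.20 event=login user=admin result=fail",
    "t=1020 src=192.0.2.20 event=login user=alice result=ok",
    "t=1045 src=192.0.2.20 event=login user=alice result=ok",
    "t=1050 src=192.0.2.30 event=login user=bob result=ok",
]


def parse_line(line):
    """Turn one 'k=v k=v ...' log line into a dict; 't' becomes an int."""
    fields = dict(KV_RE.findall(line))
    fields["t"] = int(fields["t"])
    return fields


@dataclass
class MonitorState:
    alerts: list = field(default_factory=list)      # (t, src, reason)
    dropped: list = field(default_factory=list)     # (t, src) seen while blocked
    blocked_until: dict = field(default_factory=dict)  # src -> epoch seconds

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, -1) > now

    def block(self, src, now):
        self.blocked_until[src] = now + BLOCK_SECONDS


def classify(ev):
    """Return the reason an event trips a honeytoken rule, or None."""
    if ev.get("event") == "db_read" and (ev.get("table"), ev.get("id")) in HONEYTOKEN_ROWS:
        return f"read of honeytoken row {ev['table']}#{ev['id']}"
    if ev.get("event") == "login" and ev.get("user") in DEFAULT_ACCOUNTS:
        return f"login attempt as bait account '{ev['user']}'"
    return None


def process_events(lines, state=None):
    """Run every log line through the rules, returning the final MonitorState."""
    state = state or MonitorState()
    for line in lines:
        ev = parse_line(line)
        src, now = ev["src"], ev["t"]
        if state.is_blocked(src, now):
            state.dropped.append((now, src))
            continue
        reason = classify(ev)
        if reason:
            state.alerts.append((now, src, reason))
            state.block(src, now)
    return state


if __name__ == "__main__":
    result = process_events(SAMPLE_LOG)
    for t, src, reason in result.alerts:
        print(f"{t} ALERT {src}: {reason} (blocked until {result.blocked_until[src]})")
    for t, src in result.dropped:
        print(f"{t} DROPPED {src}: inside block window")
```

Running it against the sample log produces two alerts (the honeytoken read at t=1001 and the admin login at t=1010), two dropped events inside the block windows, and lets 192.0.2.20 through again at t=1045 once its 30-second block has lapsed; the planted row is never the real data, so a hit is evidence of abuse rather than a guess.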
morning_wood wrote:
you are...[snip useless words]
wood[snip quoted above]
Ron DuFresne wrote:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
