Re: RES: Protocol Anomaly Detection IDS - Honeypots

[Lance Spitzner <lance () honeynet org>]

On Fri, 21 Feb 2003, Augusto Paes de Barros wrote:

> Lance's point can be expanded in very interesting views. Why use only
> honeypots "hosts" or "nets", when whe can use accounts, documents, info,
> etc? I was developing an idea that I call "honeytokens", to use on Windows
> networks. Basically, information that shouldn't be flowing over the network
> and, if you can detect it, something wrong is happening.

Ohh, ooh!  Very cool suggestion Augusto!  This is something I never
thought of.  Create documents, webpages, or resources that no one should
be accessing.  You create these resources with specific, obvious signatures
so your detections mechanisms (logs, IDS sensors, etc) can easily pick
them up.  If you detect these resources being moved around your network,
you know something is up!

For example, you create a word document that has the title of payroll
or 'research and development'.  You put whatever fluff you want in the
document, and give it a "tracking number", such as 14A8478bG98734T90AAZ.
Now, you simply create a signature looking for that "tracking number".
The concept would be to create resources that no one should be accessing
(the honeytoken) but is easily detectable if they do.  You would have to 
ensure the signature, as in this case the tracking number, is unique enough 
that it minizimes, if not eliminate, false positives.

This potentially opens a whole new world to honeypot concepts :)

very cool :)

lance


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure