Honeypots mailing list archives

Honeytokens and detection


From: Lance Spitzner <lance () honeynet org>
Date: Thu, 3 Apr 2003 16:45:24 -0600 (CST)

I've been playing with the concept of Honeytokens, 
thinking of ways that they could apply to intrusion 
detection.  Based on recent events, I had some ideas.  
There have been reports of databases broken into, with 
thousands of social security numbers or millions of 
credit cards stolen.  One of the problems is that in some
of these cases, it was not known for days, weeks, or
even months that the data had been compromised.

I was thinking that Honeytokens could be used for detecting
when such data was compromised/stolen.  Inside each
database Honeytoken numbers are inserted.  These tokens
are known to have no value; no one should be using them.
Detection mechanisms such as IDS signatures are then created 
to look for and detect these tokens being accessed or used.  If 
these tokens are seen, this means someone has captured the 
database, or is looking where they shouldn't be.

For example, create bogus social security numbers and store
them in your SSN database.  If the honeytoken SSNs hit
your network, someone may have just grabbed your database.  For
a CC database, insert honeytoken CCs and monitor for
those to hit your wire.  Once again, if you see someone 
retrieving these numbers, someone is most likely being
naughty.

The advantage with this detection method is it's both 
very simple and should dramatically reduce false positives.
What would be even better is if the IRS or some credit
card companies could post or distribute such honeytoken 
numbers, so we within the security community are certain
we are not implanting valid numbers.

Either way, a thought to consider :)

-- 
Lance Spitzner
http://www.tracking-hackers.com
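The detection side of the idea above, as an added example that is not part of the original post or any honeynet project code: a small scanner that looks for planted honeytoken SSNs and card numbers in log or traffic lines, matching on normalized digits so a token written with or without separators is caught, while real-looking numbers that were never planted produce no alert. The honeytoken values and the sample lines are constructed for this example; the SSNs use an area number that is never issued and the card number is a standard test number, so neither can collide with real data.

```python
import re
from typing import Iterable, List, NamedTuple

# Constructed honeytokens for this example: the SSNs use area number 000,
# which is never issued, and the card number is a well-known test number,
# so neither can collide with a real person's or cardholder's data.
HONEYTOKEN_SSNS = {"000-12-3456", "000-98-7654"}
HONEYTOKEN_CARDS = {"4111 1111 1111 1111"}

# Candidate patterns allow the separators seen in exports, mail bodies and
# query strings; comparison is on bare digits so "000123456" still matches.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
CARD_RE = re.compile(r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b")

def _digits(s: str) -> str:
    """Strip everything but digits so formatting cannot hide a token."""
    return re.sub(r"\D", "", s)

SSN_SET = {_digits(t) for t in HONEYTOKEN_SSNS}
CARD_SET = {_digits(t) for t in HONEYTOKEN_CARDS}

class Hit(NamedTuple):
    line_no: int  # 1-based index into the scanned input
    kind: str     # "ssn" or "card"
    token: str    # normalized digits of the honeytoken seen

def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every honeytoken sighting. Real-looking numbers that are not
    honeytokens yield nothing: the token carries the signal, not the format."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for regex, kind, known in ((SSN_RE, "ssn", SSN_SET), (CARD_RE, "card", CARD_SET)):
            for m in regex.finditer(line):
                d = _digits(m.group())
                if d in known:
                    hits.append(Hit(n, kind, d))
    return hits

# Constructed sample log lines: a bulk export with no token, outbound mail
# carrying a honeytoken SSN beside an unrelated SSN, a web POST with the
# honeytoken card, and a query using the second SSN without separators.
SAMPLE_LINES = [
    "2003-04-03T16:45:24 web01 GET /export?rows=5000 client=10.0.0.7",
    "2003-04-03T16:45:31 smtp01 outbound body: 000-12-3456 123-45-6789",
    "2003-04-03T16:46:02 proxy01 POST card=4111 1111 1111 1111 exp=0405",
    "2003-04-03T16:46:10 db01 SELECT * FROM customers WHERE ssn='000987654'",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"line {hit.line_no}: honeytoken {hit.kind} {hit.token} seen")
```

The first sample line shows the limit of the approach: a bulk export that does not carry a token through a monitored channel is invisible to it, which is why the tokens have to sit where a thief would actually pick them up.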