Honeypots mailing list archives

Re[2]: Honeytokens and detection


From: Bojan Zdrnja <Bojan.Zdrnja () LSS hr>
Date: Sat, 5 Apr 2003 22:19:00 +1200

Original message:

From:    george chamales <george () overt org>
To:      Grant, Liam <Liam.Grant () GDC4S Com>
Date:    Saturday, April 5, 2003, 9:51:33 AM
Subject: Honeytokens and detection

One problem I see with the whole concept is that if I was the other side,
I'd be using an encrypted tunnel to grab the info.

I think that relying on network traffic is the wrong way to handle 
this.  I suggest having hooks set up on the host itself that monitor 
when the "token" is opened, read, modified, etc.  In effect, real-time 
file integrity checking/tripwire on the fly.  With a bit of work the 
integrity checking could be hidden from all the users on the system and 
alerts could be sent covertly off of the host.

Yep, I'd agree with this.

Most intruders will use encrypted connections for transferring data from the
compromised machine to their own machine (or a few hops between them, to cover
their actions). Therefore, a NIDS won't do much good here after the intruder uses ssh
or scp to the next hop.

As George said, I think that hooks should be set up either on database access
or on access to specially crafted data in database.

If we trap all database access we don't have any use for honeytokens, or we will
make a honeydatabase (just to keep the naming convention :).
If we trap access to honeytokens in a valid database, we can detect some malicious
activities. Of course, we shouldn't rely only on that, because the intruder could read
only valid data (even if he doesn't know we have honeytokens inside), so our detection
would end up with a false negative report.

Regards,

Bojan Zdrnja
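The host-side hook Bojan and George describe, as an added example that is not part of this thread: a query wrapper around a constructed SQLite customer table raises an alert whenever a result set contains the decoy row, and the last query shows the false negative Bojan warns about (an intruder reading only real data). The table, the decoy values and the `HoneytokenHook` class are assumptions made for the example.

```python
import sqlite3

# Constructed decoy record: no legitimate workflow should ever return it.
HONEYTOKEN_EMAIL = "decoy.customer@example.invalid"
DECOY_VALUES = {"Decoy Customer", HONEYTOKEN_EMAIL}


def build_db():
    """Constructed in-memory customer table with two real rows and one honeytoken row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        (1, "Alice Example", "alice@example.com", "1234"),
        (2, "Bob Example", "bob@example.com", "5678"),
        (3, "Decoy Customer", HONEYTOKEN_EMAIL, "0000"),
    ])
    conn.commit()
    return conn


class HoneytokenHook:
    """Hypothetical database-access hook: runs queries and records an alert
    whenever the returned rows contain one of the decoy's distinctive values."""

    def __init__(self, conn):
        self.conn = conn
        self.alerts = []  # a real deployment would ship these off-host, not keep them in memory

    def query(self, sql, params=()):
        rows = self.conn.execute(sql, params).fetchall()
        if any(cell in DECOY_VALUES for row in rows for cell in row):
            self.alerts.append({"sql": sql, "params": params, "rows": len(rows)})
        return rows


def run_demo():
    """Three queries: a normal lookup, a bulk dump that touches the decoy, and a read of only real data."""
    hook = HoneytokenHook(build_db())
    hook.query("SELECT name FROM customers WHERE email = ?", ("alice@example.com",))  # no alert
    hook.query("SELECT * FROM customers")  # bulk dump returns the decoy row: alert
    hook.query("SELECT card_last4 FROM customers WHERE id = ?", (2,))  # real data only: silent (false negative)
    return hook
```

Matching on returned values also misses a query that projects only non-distinctive columns of the decoy row, so production hooks typically key on the decoy's row identity in the access path rather than on its cell contents.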

