This article describes the 2nd Generation of SSProtect Honeypots.
2nd Generation Release
Honeypot capabilities prior to SSProtect v5.2.5 were fairly limited in that they exposed activity on the local host computer where the Honeypot file was stored. v5.2.5 includes the 2nd Generation of Honeypots which can detect and notify for most any activity on a Honeypot file. Specifics are listed at the end of this article, and remaining sections describe how this impacts modern attack dynamics.
A Honeypot is a resource designed to draw the attention of malicious intent. Honeypots come in many forms, often mirroring legitimate resources but using fake data. Because the information is of no value, those accessing the fake resources are either mistaken (seldom) or up to no good (often the case). By deploying Honeypot resources and monitoring activity, Administrators can gain early insight into attack dynamics without giving attackers obvious signs that their questionable behavior has been noticed. This type of early detection can be critical in preparing for and stopping data security breaches.
For corporations, a widespread attack dynamic involves mass exfiltration of unstructured content - email messages and application data files. SSProtect was designed to work against such attacks by providing a new level of protective capability integrated with ease of use. This makes it much harder for a nation-state adversary to connect to a corporate network, copy data files en masse, and make use of the results - data is encrypted in a way that's inaccessible to someone operating in this dynamic.
But no protection is perfect, and SSProtect Honeypots offer a way to provide traps in plaintext files that attackers will target. In fact, when an attacker works around protective systems, they count on mistakes, gaps, and shortcomings to acquire the information they seek. By purposely creating fake data files that appear unprotected, you set a trap for an attacker to engage which then tells your team that there is a greater problem.
Honeypot Data Files
When you configure and use SSProtect, you apply protections to sensitive content. Honeypots allow you to choose specific files and tag them for monitoring. They are not marked as protected, and content is not encrypted. Configuration information is, in fact, obfuscated from attackers who have access to the host computer. Ultimately, files configured as Honeypots are difficult to recognize, and in many cases that won't even matter since a lot of attackers will copy what they can access, then throw away anything they can't immediately decipher. With Honeypots, it becomes exceptionally challenging to selectively copy files without triggering event notification.
Because you configure Honeypots from your host computer, an attacker who has gained access may be able to watch those actions. With 2-factor authentication enabled, it is more than a little difficult for an attacker to have an impact on the results, but he/ she could hypothetically watch you make adjustments and enumerate files you have configured as Honeypots. This allows him/ her to avoid them in forward action.
For this reason, Honeypot configuration is masked, and unmasking requires a second password entry after normal SSProtect Login. This allows you to selectively and temporarily enable Honeypot controls to make adjustments, minimizing exposure to anyone watching activity. As a result, if you create and configure Honeypot files early in the lifecycle of SSProtect or when your host is uncompromised, you retain configuration obfuscation for any later date when dynamics change.
It's worth noting that Honeypot control unmasking requires the secondary password on a display that cannot be rendered without the 2nd authentication factor, providing additional protection against weak passwords or those that are compromised.
For configuration details and Honeypot password management, see the article, Deploying Honeypots.
Honeypot File Access Dynamics
Once you configure a Honeypot, SSProtect monitors for the following, independent of whether or not a Login session is active:
- Renaming of a Honeypot File
- Moving a Honeypot file (to another location on the same mass storage device)
- Copying a Honeypot file (to any location on the local host)
- Copying a Honeypot file (to an external host)
- Deleting a Honeypot file (monitoring continues if a file later takes its' place)
- Accessing a Honeypot file with its' default registered application
- Accessing a Honeypot file with any application or service
When any of these events takes place, SSProtect generates an event that you will see in File Reports spanning the date/ time of the event, and it also dispatches email notification to Organization Administrators and Delegates. If you are working independently (i.e. not using an Organization), you will receive the email at your SSProtect Account email address. Remember, however, that this is potentially visible to the attacker, and it may be that he/ she then discovers that his actions have been observed.
Capabilities and Limitations
It's important to note that notification does not (yet) include source detail, such as the IP address from which a remote copy operation originated, or the credentials in-use by the source of detected activity. These are specifics for future release consideration, though in many cases additional security software will contain such details.
SSProtect can, however, differentiate between normal anti-virus or service activity and (end-user) actions that result in data transfer. Though event notification is not perfect, it does represent a high probability that such actions took place, which at the very least offers a strong indication that an unauthorized user is engaging in malicious activity. This alone, early in an attack dynamic, offers a strong defense against those that rely on stealth as their primary weapon. When distributed across multiple host computers in a large network, attack dynamics are more than a little impacted, which can tip the scales to your favor.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to email@example.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v5.2.5 of the :Foundation Client