In this post we will discuss the concept of Honey Pots, and how StealthDEFEND utilizes Honey Tokens in its threat detection to provide an additional line of defense against attackers.
Introduction to Honey Pots
Wikipedia defines “Honey Pots” as a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.
Honey Pots are not a new concept in the realm of Information Security. Implementations of Honeypots in the form of Servers, Databases, and Web Applications have been a long-established way to detect attackers and monitor for potentially malicious activity.
Active Directory Honey Pots: Honey Tokens
Active Directory Honey Pots are a newer application of the concept and is increasingly becoming a viable and suggested security layer for organizations to implement in their information security strategy.
There are a variety of Honey Pot implementations when it comes to the realm of Active Directory, the most typical implementations fall under one of the three following types:
- Active Directory Honey Pot User Accounts
- Active Directory Honey Pot Service Accounts
- Honey Tokens
This post focuses on how StealthDEFEND can manage and detect threats for Honey Tokens. Honey Tokens have been a focus of other recent STEALTHbits blog posts, it is suggested reading for additional background information on Honey Tokens:
Simply put, a Honey Token in this context is essentially a set of credentials inserted into LSASS on a host. These would typically be deployed to entice an attacker to use a tool such as mimikatz to discover, capture, and attempt to use those credentials. This results in threat detection as any activity related to the credentials contained within our Honey Tokens is being closely monitored.
Example of Mimikatz displaying Honey Token information from LSASS memory:
With StealthDEFEND, we can automatically insert Honey Tokens on a variety of hosts by using Honey Token Policies. This allows us to insert Honey Tokens for non-existent Active Directory accounts. Using these techniques, it will be very easy for us to detect any activity for these Honey Token accounts that could only have been obtained through nefarious means.
Honey Token Management with StealthDEFEND
Typically, a huge challenge with Active Directory Honey Pots is the management challenge especially when it comes to scaling and ensuring our deployments of Honey Tokens are configured properly. StealthDEFEND has an entire management feature built from the ground up to manage and deploy Honey Tokens. Honey Tokens are defined in StealthDEFEND via a “Honey Token Configuration” Page. This page allows for customization of Token User, Token Password, how long a token can be active on a host and if/when “old” tokens are to be reused.
This allows StealthDEFEND administrators to define Honey Tokens that match the organizations naming convention and password policy for accounts. This results in a much more realistic looking set of credentials to further entice potential attackers.
While there are certainly many options for deploying Honey Tokens across your environment, StealthDEFEND has implemented a unified deployment method that can be used with nearly any existing endpoint/infrastructure deployment solution or can be managed via the “Action Engine” in StealthDEFEND. The “Honey Token Host Deployment” controls allow scheduling remote Honey Token deployment in the StealthDEFEND console.
A deployment package is also made available for integration with existing deployment tools in an organizations environment for those who instead wish to manage the deployment of Honey Tokens using their existing infrastructure.
StealthDEFEND not only allows for ease of deployment, but also maintains a rich token history such as the deployment history, what tokens are currently active on which host, and when/where previous tokens were previously active.
Using this history, we can greatly enhance and automate the process of Honey Token threat detection and response. Any Honey Token threat detected by StealthDEFEND will indicate when and where the Honey Token was active to gain further understanding on how the attack occurred and how to respond to it.
Honey Token Detection with StealthDEFEND
The Honey Token threat detection is built to be highly integrated with the Honey Token policy management capabilities outlined in the previous section. By monitoring Authentication and LDAP events, any activity related to any previously active Honey Tokens will automatically be detected by the threat detection of StealthDEFEND so that any attempted use of the Honey Token will result in threat detection.
There are two variants of the Honey Token threat that will be generated based on the activity of the perpetrator.
- If an attacker attempts to Authenticate with the Honey Token credentials a threat detailing the attempted authentication will be generated.
- If an attacker attempts to query the account contained in the Honey Token a threat detailing the attempted reconnaissance of the Honey Token account will be generated.
The Honey Token threat details page will display a variety of useful information to allow us to understand what happened and how to respond. Important details regarding the perpetrator, the Honey Token utilized, and the managing Honey Token policy is displayed.
A link to the Honey Token Policy will also be provided in order to easily view the defined policy for further investigation into the Honey Token history.
The Automated Context Injection capabilities of StealthDEFEND provides us with the perpetrator, sources, targets, and other information related to the Honey Token attack that can be utilized by our response steps. Using this information, we can easily populate additional layers of alerts/incidents for our responders or can even automatically begin locking down the perpetrating account.