Honeypots mailing list archives
Re[2]: Honeytokens and detection
From: Bojan Zdrnja <Bojan.Zdrnja () LSS hr>
Date: Sat, 5 Apr 2003 22:19:00 +1200
Original message:
From: george chamales <george () overt org>
To: Grant, Liam <Liam.Grant () GDC4S Com>
Date: Saturday, April 5, 2003, 9:51:33 AM
Subject: Honeytokens and detection
One problem I see with the whole concept is that if I were the other side, I'd be using an encrypted tunnel to grab the info.
I think that relying on network traffic is the wrong way to handle this. I suggest having hooks set up on the host itself that monitor when the "token" is opened, read, modified, etc. In effect, real-time file integrity checking/tripwire on the fly. With a bit of work the integrity checking could be hidden from all the users on the system and alerts could be sent covertly off of the host.
Yep, I'd agree with this. Most intruders will use encrypted connections for transferring data from the compromised machine to their own machine (or a few hops between them, to cover their actions). Therefore, a NIDS won't do much good here after the intruder uses ssh or scp to the next hop.

As George said, I think that hooks should be set up either on database access or on access to specially crafted data in the database. If we trap all database access we don't have any use for honeytokens, or we will make a honeydatabase (just to keep the naming convention :). If we trap access to honeytokens in a valid database, we can detect some malicious activities. Of course, we shouldn't rely only on that, because the intruder could read only valid data (even if he doesn't know we have honeytokens inside), so our detection would end up with a false negative report.

Regards,
Bojan Zdrnja
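The two host-side hooks contrasted above (trapping every database access, versus trapping only access to honeytoken rows planted among valid data), as an added example that is not part of any message in this thread. The customers table, its rows, the bait account numbers, the constructed queries and the names HoneytokenMonitor / trap_all_reads are assumptions made for the demonstration; the engine is SQLite via Python's standard sqlite3 module.

```python
"""Honeytoken detection done on the host/database side rather than on the
wire, where an intruder's ssh/scp tunnel hides everything.  Added example
for this thread, not code from any poster.  Two hooks are shown, matching
the two options discussed in the message above:

  * trap_all_reads(): an SQLite authorizer that records every column read
    from the table (the "honeydatabase" approach: all access is trapped);
  * HoneytokenMonitor: a wrapper that alerts only when a query's result set
    contains a honeytoken row planted among otherwise valid data.

Schema, row values and the honeytoken account numbers are constructed."""
import sqlite3
from dataclasses import dataclass, field

# Constructed bait values: they look like real account numbers but are never
# issued to a legitimate customer, so any read that returns them is suspect.
HONEYTOKENS = frozenset({"ACCT-7731-4402", "ACCT-7731-9015"})


def build_db() -> sqlite3.Connection:
    """In-memory customer table: two valid rows plus two honeytoken rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, account) VALUES (?, ?)",
        [("Alice", "ACCT-1001-2200"), ("Bob", "ACCT-1001-2201"),
         ("Carol", "ACCT-7731-4402"), ("Dave", "ACCT-7731-9015")],
    )
    return conn


@dataclass
class Alert:
    sql: str
    tokens: frozenset


@dataclass
class HoneytokenMonitor:
    """Executes queries and raises an alert only when a honeytoken comes back.

    Queries that touch only valid rows produce no alert: that is the false
    negative the message above warns about, not a bug in the hook."""
    conn: sqlite3.Connection
    tokens: frozenset = HONEYTOKENS
    alerts: list = field(default_factory=list)

    def query(self, sql: str, params: tuple = ()) -> list:
        rows = self.conn.execute(sql, params).fetchall()
        hit = frozenset(
            v for row in rows for v in row if isinstance(v, str) and v in self.tokens
        )
        if hit:
            self.alerts.append(Alert(sql, hit))
        return rows


def trap_all_reads(conn: sqlite3.Connection, log: list) -> None:
    """Authorizer hook: SQLite calls it while compiling a statement, once per
    column read, so every access to the table is recorded whatever rows match.
    Caveat: it fires at compile time, so a statement served from sqlite3's
    prepared-statement cache is not reported a second time."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ:
            log.append((arg1, arg2))  # (table, column)
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def demo() -> dict:
    """Run three constructed queries and return what each hook recorded."""
    conn = build_db()
    reads: list = []
    trap_all_reads(conn, reads)
    mon = HoneytokenMonitor(conn)

    # Normal application use: one valid customer looked up by primary key.
    mon.query("SELECT name, account FROM customers WHERE id = ?", (1,))
    # Intruder dumping the whole table before shipping it off over ssh/scp.
    mon.query("SELECT name, account FROM customers")
    # Intruder who happens to read only a valid row: the false negative.
    mon.query("SELECT account FROM customers WHERE id = ?", (2,))
    return {"alerts": mon.alerts, "reads": reads}


if __name__ == "__main__":
    result = demo()
    for a in result["alerts"]:
        print("HONEYTOKEN ALERT:", a.sql, sorted(a.tokens))
    print("column reads seen by authorizer:", result["reads"])
```

Only the full-table dump trips HoneytokenMonitor; the authorizer, by contrast, logs column reads for all three statements, including the harmless lookup, which is why trapping everything turns the valid database into a honeydatabase with the alert volume to match. In a deployment the alert would be shipped off the host (syslog to a remote collector, for instance) rather than stored in a list where the intruder can find it.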
Current thread:
- Re: Honeytokens and detection, (continued)
- Re: Honeytokens and detection Bram Matthys (Syzop) (Apr 03)
- Re: Honeytokens and detection Brian Hatch (Apr 03)
- Re: Honeytokens and detection Jeremy Bennett (Apr 03)
- Re: Honeytokens and detection Brian Hatch (Apr 03)
- Re: Honeytokens and detection Jeremy Bennett (Apr 03)
- Re: Honeytokens and detection Bojan Zdrnja (Apr 03)
- RE: Honeytokens and detection Andrew Hintz (Drew) (Apr 04)
- RE: Honeytokens and detection Beau Monday (Apr 03)
- RE: Honeytokens and detection LAVELLE,MICHAEL (HP-PaloAlto,ex1) (Apr 04)
- RE: Honeytokens and detection Glenn_Everhart (Apr 04)
- Re: Honeytokens and detection george chamales (Apr 04)
- Re[2]: Honeytokens and detection Bojan Zdrnja (Apr 05)
- Re: Honeytokens and detection andre (Apr 05)
- Re: Honeytokens and detection george chamales (Apr 05)
- Re[2]: Honeytokens and detection Bojan Zdrnja (Apr 05)
- Re: Honeytokens and detection Jack Whitsitt (jofny) (Apr 05)
- FW: Honeytokens and detection TimTim (Apr 06)