Honey Token Detection across multiple protocols

There has been some talk about “Honey-Tokens” and how they can be used to detect bad actors or even active breaches. One of the challenges with using them is that the setup can be cumbersome, and correlating syslog, Windows event logs, etc. is time-consuming — assuming the protocols you want to monitor log authentication attempts at all.

While most published examples cover only Kerberos and LDAP, the trigger below checks across several protocols (database, Kerberos, LDAP, FTP, CIFS, NTLM and SMTP). If you use our decryption capabilities, the same approach can be extended to your front-end web applications, Netscaler/Zscaler gateways and SSL VPNs.

Below is a trigger/detection that lets you populate an array of IDs to monitor as honey-token accounts. In the Rx Factory Lab we have 3 accounts with deliberately weak security settings that we use as Honey-Tokens. Weak settings make the accounts attractive bait, but they should carry no real privileges or group memberships, so that an attacker who takes the bait gains nothing beyond triggering the detection. The results are very effective and can serve as an early warning or “digital canary” for breaches.

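/**
 * The user names or IDs which will cause the detector to fire. Add new items
 * to this list to control the detector behavior.
 *
 * Matching (see checkName) is a case-insensitive substring test, so an entry
 * also matches any longer identifier containing it, e.g. a Kerberos principal
 * "rubeus@LAB.LOCAL" or an LDAP bind DN "CN=rubeus,OU=...". Keep entries
 * distinctive enough that they cannot occur inside legitimate account names,
 * or the detector will fire on real users.
 */
const trackNames = [
    "bb-8",
    "rubeus",
    "prodsql",
].map((s) => s.toLowerCase());

/**
 * Check if a user name or ID counts as one of the "tracked" values.
 *
 * Anything that is not a non-empty string (null, undefined, or a protocol
 * field that is simply not populated for this message) never matches, so
 * callers can pass a protocol property straight through without guarding it.
 *
 * @param {string|null|undefined} name A user name or ID
 * @returns {boolean} true when name contains one of trackNames, ignoring case
 */
function checkName(name) {
    // The original only rejected null; an undefined or non-string field would
    // throw on toLowerCase() and abort the whole trigger run.
    if (typeof name !== "string" || name.length === 0) return false;
    const user = name.toLowerCase();
    return trackNames.some((n) => user.includes(n));
}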

/**
 * Commit a "HoneyToken" detection for a tracked user ID seen on the wire.
 *
 * @param {string} user The matched user name or ID, taken directly from the
 *   protocol message (so its content is chosen by the remote party).
 * @param {object} offender Endpoint reported as the offender; defaults to the
 *   flow's client. NTLM callers pass Flow.sender instead.
 * @param {object} victim Endpoint reported as the victim; defaults to the
 *   flow's server. NTLM callers pass Flow.receiver instead.
 *
 * The raw user string is used as identityKey, so two spellings of the same
 * account (e.g. differing only in case or realm suffix) produce separate
 * detection identities — presumably intended; confirm against how the
 * platform groups detections. NOTE(review): riskScore 35 is modest for a
 * honey-token hit, which is high-confidence by construction; consider raising it.
 */
function detect(user, offender = Flow.client, victim = Flow.server) {
    const participants = [
        { role: "offender", object: offender.device },
        { role: "victim", object: victim.device },
    ];
    const description = `A HoneyToken or tracked user ID, '${user}', was observed in ${Flow.l7proto} from ${offender.ipaddr} to ${victim.ipaddr}.`;

    commitDetection("HoneyToken", {
        categories: ["sec.caution"],
        title: "HoneyToken or Tracked User ID Observed",
        participants,
        description,
        identityKey: user,
        riskScore: 35,
    });
}

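// Main logic: dispatch on the trigger event, read the identity field that the
// protocol exposes, and raise at most one detection per event.
switch (event) {
    case "DB_REQUEST": {
        if (checkName(DB.user)) detect(DB.user);
        return;
    }
    case "KERBEROS_REQUEST":
    case "KERBEROS_RESPONSE": {
        // Both directions are inspected, so a single authentication attempt
        // against a honey principal can yield a detection on the request and
        // again on the KDC reply (deduplicated by identityKey, see detect).
        if (checkName(Kerberos.clientPrincipalName)) {
            detect(Kerberos.clientPrincipalName);
        }

        return;
    }
    case "LDAP_REQUEST": {
        // bindDN is the full DN, so a tracked name is matched as a substring.
        if (checkName(LDAP.bindDN)) detect(LDAP.bindDN);
        return;
    }
    case "FTP_REQUEST": {
        if (checkName(FTP.user)) detect(FTP.user);
        return;
    }
    case "CIFS_REQUEST": {
        if (checkName(CIFS.user)) detect(CIFS.user);
        return;
    }
    case "NTLM_MESSAGE": {
        // NTLM messages are seen in either direction, so attribute
        // offender/victim by this message's sender/receiver rather than by
        // the flow's client/server.
        if (checkName(NTLM.user)) {
            detect(NTLM.user, Flow.sender, Flow.receiver);
        }

        return;
    }
    case "SMTP_REQUEST":
    case "SMTP_RESPONSE": {
        // A tracked sender takes precedence; otherwise report the first
        // tracked recipient. The original used recipientList.some(), which
        // returns a boolean whose .length is undefined, so the recipient
        // branch could never fire — find() returns the matching address.
        if (checkName(SMTP.sender)) {
            detect(SMTP.sender);
            return;
        }

        // recipientList may be absent on some messages; treat that as empty.
        const trackedRecipient = (SMTP.recipientList || []).find(checkName);
        if (trackedRecipient !== undefined) detect(trackedRecipient);
        return;
    }
}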