10

I haven't read much about such a technique, but I'm wondering if there's any sort of best practice around the use of "canaries" to detect certain types of intrusion:

  • Create a bogus account that should never be logged in -- if someone attempts to access that account, report an intrusion attempt.
  • "Seed" the database with email addresses or other info that can be monitored. If you start getting email (or snail mail, phone calls, etc) at the monitored info, ring the bell, you're screwed: someone stole your database. (This was how I found out about the Ameritrade data leak from a few years ago -- before they publicly disclosed the leak.)

Clearly things like monitoring 404s for scans will be very noisy. (One of my very low traffic sites sees tons of requests for phpMyAdmin and wp-content...) And it's obvious that the second bullet above is too late to be worth much. The first bullet might even be too noisy.

A proper IDS is going to do a more thorough job. Is any of this useful? Are there things I'm missing?

schroeder
bstpierre
  • Have you seen `Mercury Rising` lately? You should not only check the apache logs, look at /var/log/auth.log too for ssh and mail attempts. Intruders have a list of exploits that they try on random IP addresses. Getting shell access (not only root) is the primary directive. – ott-- Oct 03 '13 at 20:37
  • 1
    This is best described as "honeytokens": https://en.wikipedia.org/wiki/Honeytoken – Ion Oct 26 '13 at 10:09
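As an added example (not code from the question or from any answer), here is the first bullet combined with ott--'s /var/log/auth.log suggestion as detection logic: it parses sshd log lines and alerts on any authentication attempt against a canary account, successful or not, while ignoring the noisy failures against real accounts. The canary account names and the log lines are constructed for the example.

```python
import re

# Tripwire accounts: they exist only so that any authentication attempt
# against them is an alert. Names are constructed for this example.
CANARY_ACCOUNTS = {"svc_legacy", "backup_admin"}

# Matches the common OpenSSH auth.log event forms:
#   "Accepted publickey for alice from 198.51.100.7 port 40010 ssh2"
#   "Failed password for svc_legacy from 203.0.113.5 port 51030 ssh2"
#   "Failed password for invalid user backup_admin from ... port ... ssh2"
#   "Invalid user backup_admin from 203.0.113.5 port 51022"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?:(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"|(?P<invalid>Invalid user ))"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_sshd_line(line):
    """Return (user, ip, result) for an sshd auth event, or None for other lines.
    result is "accepted", "failed", or "probe" (username tried, no password yet)."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    result = "probe" if m.group("invalid") else m.group("result").lower()
    return m.group("user"), m.group("ip"), result

def find_canary_hits(lines, canaries=CANARY_ACCOUNTS):
    """Alert on every attempt against a canary account, whether it succeeded
    or failed. Attempts against real accounts are ignored here: as the
    question notes, generic failed logins are far too noisy to page on."""
    return [p for p in map(parse_sshd_line, lines) if p and p[0] in canaries]

# Constructed sample of /var/log/auth.log lines (RFC 5737 test addresses).
SAMPLE_AUTH_LOG = [
    "Oct  3 20:37:01 web1 sshd[1201]: Invalid user backup_admin from 203.0.113.5 port 51022",
    "Oct  3 20:37:03 web1 sshd[1201]: Failed password for invalid user backup_admin from 203.0.113.5 port 51022 ssh2",
    "Oct  3 20:37:40 web1 sshd[1207]: Failed password for root from 203.0.113.5 port 51025 ssh2",
    "Oct  3 20:38:10 web1 sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2",
    "Oct  3 20:39:00 web1 sshd[1250]: Accepted password for svc_legacy from 203.0.113.9 port 51030 ssh2",
    "Oct  3 20:39:01 web1 CRON[1260]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for user, ip, result in find_canary_hits(SAMPLE_AUTH_LOG):
        print(f"ALERT canary account {user!r} {result} from {ip}")
```

The root failure and the cron line produce nothing, which is the point: a canary account that no legitimate user ever touches gives a high-signal alert, unlike generic failed-login or 404 monitoring.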

2 Answers

7

This is the same as a High Interaction Honeypot idea, but you seem to be asking about embedding honeypot elements in production systems. Even so, I believe that the best practices for honeypots would apply here.

As for your second bullet point, a Data Loss Protection system would seem to be a better way to go. You can monitor, track, and most importantly, prevent data from travelling to areas that it should not.

I use 'bogus accounts' all over my systems, implemented in various ways as a honey-trap. I personally do not believe they hold much value for me, but they are cheap to have, test, and monitor.

schroeder
3

There is a lot of discussion about this, for example honeywords:

https://www.schneier.com/blog/archives/2013/05/honeywords.html

Though I think that this approach brings a lot of additional administrative effort with it. User management, etc.

You might want to check out active defense techniques, like

Rory Alsop
t0x1c