Honeytoken
In the field of computer security, honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes. Honeytokens can exist in almost any form, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious. In general, they don't necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity.

An example of a honeytoken is a fake email address used to track if a mailing list has been stolen.

If they are chosen to be unique and unlikely to ever appear in legitimate traffic, they can also be detected over the network by an intrusion-detection system (IDS), alerting the system administrator to things that would otherwise go unnoticed. This is one case where they go beyond merely ensuring integrity, and with some reactive security mechanisms, may actually prevent the malicious activity, e.g. by dropping all packets containing the honeytoken at the router. However, such mechanisms have pitfalls because it might cause serious problems if the honeytoken was poorly chosen and appeared in otherwise legitimate network traffic, which was then dropped.
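The detection side of the above, as an added example that is not part of the original article: a minimal scanner that looks for seeded honeytokens (a fake mailing-list address and a decoy database row) in log lines, plus a check that a candidate token never occurs in known-good traffic before it is allowed to drive a blocking rule. All token values, log lines and baseline traffic are constructed for illustration.

```python
"""Honeytoken detection over sample log lines (constructed example)."""
import secrets

# Constructed honeytokens: values no legitimate user or query should ever touch.
HONEYTOKENS = {
    "list-canary-4d1e@example.com": "seeded mailing-list address used (list may be stolen)",
    "ht-row-9b2c77e0": "decoy database row selected",
}

# Constructed sample of known-good traffic, used to vet a candidate token.
BASELINE_TRAFFIC = [
    "GET /inbox?user=alice@example.com 200",
    "SELECT name FROM customers WHERE id = 1042",
    "POST /login user=admin 200",
]

# Constructed log lines to scan: two touch honeytokens, the rest are benign.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 smtp rcpt=alice@example.com status=sent",
    "2024-01-01T10:00:05 smtp rcpt=list-canary-4d1e@example.com status=sent",
    "2024-01-01T10:01:00 db query=SELECT * FROM customers WHERE id = 1042",
    "2024-01-01T10:01:07 db query=SELECT * FROM customers WHERE token = 'ht-row-9b2c77e0'",
]


def new_honeytoken(prefix="ht"):
    """Mint a random token so it is unlikely to occur in legitimate data."""
    return f"{prefix}-{secrets.token_hex(8)}"


def is_safe_to_block(token, baseline):
    """A token may drive a blocking rule only if it never appears in known-good traffic."""
    needle = token.lower()
    return not any(needle in line.lower() for line in baseline)


def scan_logs(lines, tokens=HONEYTOKENS):
    """Return (line_no, token, reason) for every line that touches a honeytoken."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        lowered = line.lower()
        for token, reason in tokens.items():
            if token.lower() in lowered:
                hits.append((line_no, token, reason))
    return hits


if __name__ == "__main__":
    for line_no, token, reason in scan_logs(SAMPLE_LOGS):
        print(f"ALERT line {line_no}: {reason} [{token}]")
```

Note that a poorly chosen token such as "admin" fails the baseline check, which is exactly the pitfall the paragraph describes for router-level blocking.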
As stated by Lance Spitzner in his article on Security Focus, the term was first coined by Augusto Paes de Barros in 2003.