Opinion piece: Australian companies are increasing identity protection with honey tokens

There’s a reason adversaries rely increasingly on malware-free tactics to gain initial access and persistence in corporate environments: they work because they are extremely difficult to detect.

These tactics increasingly involve stolen credentials, used to log in and infiltrate organizations rather than to break in.

When a valid user’s credentials are compromised and an adversary impersonates that user, it is often very difficult to differentiate typical user behavior from adversary behavior.

Our own research data shows that compromised identities are already used in 80 percent of attacks. This highlights the high risk of attack faced by Australian organizations, as well as the importance of strong identity-focused security.

Australian businesses must prioritize identity-based protections to thwart adversaries who exploit this attack vector and often succeed in achieving their objectives. Each success, in turn, feeds a vicious cycle in which a high success rate invites more attacks, further undermining trust.

In our recent Global Threat Report 2023, we recommend prioritizing identity protection as a way to “stay one step ahead of the adversary.” That advice still stands.

Identity-based security improvements can make legacy, unmanaged systems more defensible while providing immediate detection and real-time prevention of lateral movement or suspicious behavior caused by the misuse of legitimate credentials and accounts.

But the nature of these improvements is important. Some tools aimed at the identity-based security space are more effective than others. While deception technologies such as honeypots are commonplace, security teams are increasingly recognizing the value of today’s honeytokens.

Honeypot Dangers

Deception technology has sought to make its mark in the identity space in recent years. It has existed in one form or another for over three decades, with honeypots being the oldest and best understood example.

Honeypots are sets of fake resources, designed to look attractive to an adversary, that run alongside legitimate business systems. The idea is to get the adversary to spend effort on the fake resources instead of the real ones, thwarting their progress while locking them into a process in which their tactics, techniques, and procedures can be observed.

But a closer inspection of honeypot-like deception technologies shows that they can lull companies into a false sense of security.

One disadvantage of honeypots is that they assume the adversaries they encounter have limited knowledge of the target environment.

But if there is one characteristic that constantly comes up when adversaries attack companies, it is sophistication. Our research shows that it takes an attacker only 84 minutes on average to move laterally from the initial point of compromise to another host in the victim’s environment. This suggests a level of sophistication that should not be underestimated.

Clearly, a sophisticated adversary can distinguish a decoy from the real thing. The risk is that the adversary turns the honeypot against its operators, deliberately triggering it to generate false alerts that distract the security team while the real work is done elsewhere in the network.

There are also significant costs associated with installing and maintaining honeypots and similar deception infrastructures. It takes effort to keep these systems looking legitimate enough to attract adversary attention.

Using real resources

Honeytokens give organizations a way to gain equally detailed insight into adversary activity while keeping the adversary away from critical resources.

Honeytokens are legitimate data and accounts that carry specific markers that make them easy to track. From an identity perspective, an organization can mark accounts as honeytokens in Active Directory. Because no legitimate user or process ever uses such an account, any activity on or alteration to the honeytoken account triggers a dedicated detection, giving security operations center (SOC) analysts visibility of the adversary’s attack path.

This has an advantage over honeypots in that there is no need to build and run completely separate deception systems, saving time and resources. Because the adversary is interacting with a legitimate account, they are also less likely to detect the ruse, perhaps not until they discover that the account does not provide sufficient privileges to move to higher-value network resources.
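The detection described in the two paragraphs above, as an added example that is not part of the original article or of any CrowdStrike product: a small detector that runs over Windows Security events and alerts whenever a registered honeytoken account is authenticated with, logged on with, modified, or targeted by a service-ticket request. The account names, the JSON-lines event format and the sample events are all constructed for this example; real events would come from a SIEM export or from the Security log, and the field names used here follow the EventData names of the corresponding event IDs.

```python
"""Honeytoken account detector over Windows Security events (added example)."""
import json
from typing import Iterable, Optional, Set

# Honeytoken accounts, keyed by sAMAccountName (assumed names for this example).
# In AD these are real accounts that carry an agreed marker (for example a
# description of "HT-DO-NOT-USE") and are never used by any legitimate
# process, so any activity involving them is suspicious by definition.
HONEYTOKENS: Set[str] = {"svc_backup_admin", "sql_svc_legacy"}

# Security event IDs that mean an account was used, targeted or modified.
WATCHED_EVENTS = {
    4768: "Kerberos TGT requested",             # account used to authenticate
    4769: "Kerberos service ticket requested",  # account's SPN targeted (Kerberoasting)
    4624: "Successful logon",
    4625: "Failed logon",
    4738: "User account changed",
    4724: "Password reset attempted",
}

# Fields that may carry an account name. In 4769 the requesting account is
# TargetUserName and the service account is ServiceName, so both are checked.
ACCOUNT_FIELDS = ("TargetUserName", "SubjectUserName", "ServiceName")


def normalize(name: str) -> str:
    """Collapse DOMAIN\\user, user@domain and user$ to the bare sAMAccountName."""
    name = name.split("\\")[-1].split("@")[0]
    return name.rstrip("$").lower()


def match_honeytoken(event: dict, honeytokens: Set[str]) -> Optional[dict]:
    """Return an alert dict if the event touches a honeytoken account, else None."""
    event_id = int(event.get("EventID", 0))
    if event_id not in WATCHED_EVENTS:
        return None
    tokens = {t.lower() for t in honeytokens}
    for field in ACCOUNT_FIELDS:
        value = event.get(field)
        if value and normalize(value) in tokens:
            return {
                "honeytoken": normalize(value),
                "event_id": event_id,
                "description": WATCHED_EVENTS[event_id],
                "field": field,
                "source_ip": event.get("IpAddress", "-"),
                "host": event.get("Computer", "-"),
                "time": event.get("TimeCreated", "-"),
            }
    return None


def scan(lines: Iterable[str], honeytokens: Set[str] = HONEYTOKENS) -> list:
    """Run the detection over JSON-lines events; blank or malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = match_honeytoken(event, honeytokens)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real logs), one flat JSON object per line.
# Only the 4769 (service ticket for the honeytoken's SPN), the 4768 and the
# 4738 should alert; the ordinary user logon and the computer-account logon
# must stay quiet.
SAMPLE_LOG = """
{"EventID": 4624, "TimeCreated": "2024-03-04T09:12:01Z", "Computer": "WS-0142", "TargetUserName": "CORP\\\\jdoe", "IpAddress": "10.20.4.17"}
{"EventID": 4769, "TimeCreated": "2024-03-04T09:14:33Z", "Computer": "DC01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "sql_svc_legacy", "IpAddress": "10.20.4.17"}
{"EventID": 4768, "TimeCreated": "2024-03-04T09:15:02Z", "Computer": "DC01", "TargetUserName": "svc_backup_admin", "IpAddress": "10.20.4.17"}
{"EventID": 4738, "TimeCreated": "2024-03-04T09:16:40Z", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "svc_backup_admin"}
{"EventID": 4624, "TimeCreated": "2024-03-04T09:20:00Z", "Computer": "WS-0199", "TargetUserName": "WS-0199$", "IpAddress": "-"}
not json at all
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['time']} {a['honeytoken']:<18} {a['description']} "
              f"via {a['field']} from {a['source_ip']} on {a['host']}")
```

Two design points matter in practice. First, the honeytoken is matched in whichever field it appears, because an adversary can touch the account without logging on as it: a service-ticket request for the honeytoken’s SPN (a Kerberoasting attempt) shows up in event 4769 with the honeytoken in ServiceName while TargetUserName is the attacker’s own account. Second, the detector gives the analyst the source address and host alongside the account, which is the start of the attack path the paragraph above refers to; the honeytoken account itself should hold no group memberships or rights beyond what is needed to look plausible.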

The legitimacy, security, and ease of implementation of honeytokens, compared to honeypots, suggest that they will increasingly be used as part of broader suites designed to defend against identity-based attacks. In other words, identity threat detection and response (ITDR) programs will be even more effective with the addition of honeytokens.

Ultimately, the success of identity-related security protections will still be measured by their breadth. Integrated identity protection, with tight correlation across endpoints, identities and data, is increasingly essential if teams are to operate with confidence.

Kapil Raina is an identity protection evangelist at CrowdStrike.