Op-Ed: Australian enterprises are augmenting identity protections with honeytokens

Such tactics include a rise in the use of stolen credentials to target and infiltrate organisations.

When a valid user’s credentials are compromised and an adversary masquerades as that user, it’s often very difficult to differentiate between the user’s typical behaviour and that of the hacker.

Our own research data points to compromised identities already being used in 80 per cent of attacks. This highlights the elevated attack risk that Australian organisations face, as well as the importance of robust identity-focused security.

Australian enterprises need to prioritise identity-based protections to thwart adversaries who are exploiting that attack vector and often succeeding in achieving their goals. That, in turn, creates a vicious cycle, where the success rate leads to more attacks, undermining confidence further.

In our recent 2023 Global Threat Report, we recommended prioritising identity protections as a way to “stay one step ahead of the adversary”. That advice is still very much current.

Identity-based security improvements can make legacy and unmanaged systems more defensible while also providing “immediate detection and real-time prevention of lateral movement [or] suspicious behaviour” caused by the misuse of legitimate credentials and accounts.

But the nature of these improvements is important. Some tools that target the identity-based security space are more effective than others. While deception technologies like honeypots hold currency, it’s the power of today’s honeytokens that are being better recognised by security teams for their value.

Honeypot hazards

VIEW ALL

Deception technology has sought to make a mark in the identity space in recent years. It’s been around in some form or another for over three decades, with honeypots as the earliest and most well-understood example.

These are sets of fake resources — that look attractive to an adversary — that are stood up and run side by side with legitimate business systems. The idea is to get the adversary to engage with the fake resources instead of the real ones, frustrating their progress while also boxing them into a process where their tactics, techniques, and procedures can be observed.

But a closer inspection of honeypot-type deception technologies shows they can lull enterprises into a false sense of security.

One of the downsides of honeypots is their assumption that they are likely to encounter adversaries with limited knowledge of the target environment.

But if there’s one characteristic of adversaries that is consistently raised when enterprises are targeted, it’s sophistication. Our research shows it takes just 84 minutes on average for an attacker to move laterally from the initial point of compromise to another host in the victim’s environment. This suggests a level of sophistication that should not be underestimated.

Clearly, a sophisticated adversary can tell the difference between a decoy and the real thing. The risk is the adversary counters — abusing the decoy to generate fake alerts that distract security teams — while doing their real work elsewhere in the network.

There are also significant costs involved with setting up and maintaining honeypots and similar deception infrastructure. It takes effort to keep these systems looking legitimate enough to attract adversary attention.

Utilising real resources

One of the ways that organisations can get a similarly elevated view into adversary activity while luring them away from critical resources is through the use of honeytokens.

Honeytokens are legitimate data and accounts that contain specific markers that make them easy to track. From an identity perspective, an organisation can flag accounts as honeytokens in active directory, such that any activities or alterations to the honeytoken account triggers a dedicated detection, giving security operations centre (SOC) analysts visibility into the adversary attack path.

This has an advantage over honeypots since there is no need to stand up entirely separate deception systems, saving time and resources. Because the adversary is interacting with a legitimate account, they are also less likely to detect the ruse — perhaps until they figure out that the account does not provide sufficient privilege to enable movement to higher-value networked resources.

The legitimacy, security, and ease of implementation of honeytokens, compared to honeypots, suggests that they will increasingly be used as part of broader suites that are designed to defend against identity-based attacks. That is, identity threat detection and response (ITDR) programs will become even more effective with the addition of honeytokens.

The success of identity-related security protections will ultimately still be measured and based on the comprehensiveness of the protections. Integrated identity protection with tight correlation across endpoints, identity, and data is increasingly essential to helping teams increase their confidence.

Kapil Raina is an identity protection evangelist at CrowdStrike.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.