A few weeks ago, the 32nd edition of RSA, one of the world's largest cybersecurity conferences, wrapped up in San Francisco. Among the highlights, Kevin Mandia, CEO of Mandiant at Google Cloud, presented a retrospective on the state of cybersecurity. During his keynote, Mandia stated:
"There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attack [...] Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can't stop".
"Build honeypots" was one of his seven pieces of advice to help organizations avoid some of the attacks that might require engagement with Mandiant or other incident response firms.
As a reminder, honeypots are decoy systems that are set up to lure attackers and divert their attention away from the actual targets. They are typically used as a security mechanism to detect, deflect, or study attempts by attackers to gain unauthorized access to a network. Once attackers interact with a honeypot, the system can collect information about the attack and the attacker's tactics, techniques, and procedures (TTPs).
In a digital age where data breaches are increasingly common despite growing budgets allocated to security each year, Mandia pointed out that it is crucial to take a proactive approach to limit the impact of data breaches. Hence the need to turn the tables on attackers and the renewed interest in honeypots.
What Fishing Lures Are to Fishing Nets
Although honeypots are an effective solution for tracking attackers and preventing data theft, they have yet to be widely adopted due to their setup and maintenance difficulties. To attract attackers, a honeypot needs to appear legitimate and isolated from the real production network, making them challenging to set up and scale for a blue team looking to develop intrusion detection capabilities.
But that's not all. In today's world, the software supply chain is highly complex and made up of many third-party components like SaaS tools, APIs, and libraries that are often sourced from different vendors and suppliers. Components are added at every level of the software building stack, challenging the notion of a "safe" perimeter that needs to be defended. This moving line between what is internally controlled and what is not can defeat the purpose of honeypots: in this DevOps-led world, source code management systems and continuous integration pipelines are the real bait for hackers, which traditional honeypots cannot imitate.
To ensure the security and integrity of their software supply chain, organizations need new approaches, such as honeytokens, which are to honeypots what fishing lures are to fishing nets: they require minimal resources but are highly effective in detecting attacks.
Honeytoken Decoys
Honeytokens, a subset of honeypots, are designed to appear like a legitimate credential or secret. When an attacker uses a honeytoken, an alert is immediately triggered. This allows defenders to take swift action based on the indicators of compromise, such as IP address (to distinguish internal from external origins), timestamp, user agents, source, and logs of all actions performed on the honeytoken and adjacent systems.
With honeytokens, the bait is the credential. When a system is breached, hackers typically search for easy targets to move laterally, escalate privileges, or steal data. In this context, programmatic credentials like cloud API keys are an ideal target for scanning as they have a recognizable pattern and often contain useful information for the attacker. Therefore, they represent a prime target for attackers to search for and exploit during a breach. As a result, they are also the easiest bait for defenders to disseminate: they can be hosted on cloud assets, internal servers, third-party SaaS tools, as well as workstations or files.
On average, it takes 327 days to identify a data breach. By spreading honeytokens in multiple locations, security teams can detect breaches within minutes, enhancing the security of the software delivery pipeline against potential intrusions. The simplicity of honeytokens is a significant advantage eliminating the need for the development of an entire deception system. Organizations can easily create, deploy, and manage honeytokens on an enterprise scale, securing thousands of code repositories simultaneously.
The Future of Intrusion Detection
The field of intrusion detection has remained under the radar for too long in the DevOps world. The reality on the ground is that software supply chains are the new priority target for attackers, who have realized that development and build environments are much less protected than production ones. Making the honeypot technology more accessible is crucial, as well as making it easier to roll it out at scale using automation.
GitGuardian, a code security platform, recently launched its Honeytoken capability to fulfill this mission. As a leader in secrets detection and remediation, the company is uniquely positioned to transform a problem, secrets sprawl, into a defensive advantage. For a long time, the platform has emphasized the importance of sharing security responsibility between developers and AppSec analysts. Now the goal is to "shift left" on intrusion detection by enabling many more to generate decoy credentials and place them in strategic places across the software development stack. This will be made possible by providing developers with a tool allowing them to create honeytokens and place them in code repositories and the software supply chain.
The Honeytoken module also automatically detects code leaks on GitHub: when users place honeytokens in their code, GitGuardian can determine if they have been leaked on public GitHub and where they did, significantly reducing the impact of breaches like the ones disclosed by Twitter, LastPass, Okta, Slack, and others.
Conclusion
As the software industry continues to grow, it is essential to make security more accessible to the masses. Honeytokens offers a proactive and simple solution to detect intrusions in the software supply chain as soon as possible. They can help companies of all sizes secure their systems, no matter the complexity of their stack or the tools they are using: Source Control Management (SCM) systems, Continuous Integration Continuous Deployment (CI/CD) pipelines, and software artifact registries, among others.
With its zero-setup and easy-to-use approach, GitGuardian is integrating this technology to help organizations create, deploy and manage honeytokens on a larger enterprise scale, significantly reducing the impact of potential data breaches.
The future of honeytokens looks bright, and that's why it was little surprise to see Kevin Mandia praise the benefits of honeypots to the largest cybersecurity companies at RSA this year.