Why Honeytokens Are the Future of Intrusion Detection


A few weeks ago, the 32nd edition of RSA, one of the largest cyber security conferences in the world, closed in San Francisco. Among the highlights, Kevin Mandia, CEO of Mandiant on Google Cloud, presented a retrospective on the state of cybersecurity. During his talk, Mandia stated:

“There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attacks. […] Honeypots, or fake accounts deliberately left untouched by authorized users, are effective in helping organizations detect intrusions or malicious activity that security products cannot stop.”

“Build honeypots” was one of his seven tips to help organizations avoid some of the attacks that might require involvement with Mandiant or other incident response companies.

As a reminder, honeypots are decoy systems set up to attract attackers and divert their attention from the real targets. They are typically used as a security mechanism to detect, deflect, or study attackers’ attempts to gain unauthorized access to a network. Once attackers interact with a honeypot, the system can gather information about the attack and the attacker’s tactics, techniques, and procedures (TTPs).

In a digital age where data breaches are becoming more common despite the increasing budgets allocated to security every year, Mandia noted that it is crucial to take a proactive approach to limiting the impact of data breaches. Hence the need to turn the tables on attackers, and the renewed interest in honeypots.

Honeytokens are to honeypots what fishing bait is to fishing nets

Although honeypots are an effective solution for tracking attackers and preventing data theft, they have yet to be widely adopted because they are difficult to configure and maintain. To attract attackers, a honeypot must appear legitimate while remaining isolated from the actual production network, which makes it difficult to set up and scale for a blue team looking to develop intrusion detection capabilities.

But this is not all. In today’s world, the software supply chain is very complex and consists of many third-party components, such as SaaS tools, APIs, and libraries, which often come from different vendors and suppliers. Components are added at every level of the software build stack, challenging the notion of a “secure” perimeter that needs to be defended. This moving line between what is internally controlled and what is not can defeat the purpose of honeypots: in this DevOps-led world, source code management systems and continuous integration pipelines are the real bait for hackers, which traditional honeypots cannot imitate.

To ensure the security and integrity of their software supply chain, organizations need new approaches, such as honeytokens, which are to honeypots what fishing bait is to fishing nets: they require minimal resources but are very effective in detecting attacks.

Honeytoken Lures

Honeytokens, a subset of honeypots, are designed to appear as a legitimate credential or secret. When an attacker uses a honeytoken, an alert is immediately triggered. This allows defenders to take quick action based on indicators of compromise, such as IP address (to distinguish internal from external origins), timestamp, user agents, source, and logs of all actions performed on the honeytoken and adjacent systems.

With honeytokens, the bait is the credential. When a system is breached, hackers often look for easy targets to move laterally, escalate privileges, or steal data. In this context, programmatic credentials such as cloud API keys are an ideal target for scanning, as they have a recognizable pattern and often contain information useful to the attacker. Therefore, they represent a prime target for attackers to seek out and exploit during a breach. As a result, they are also the easiest bait for defenders to spread: they can be hosted on cloud assets, internal servers, third-party SaaS tools, as well as workstations or files.

On average, it takes 327 days to identify a data breach. By spreading honeytokens across multiple locations, security teams can detect breaches in minutes, improving the security of the software delivery pipeline against potential intrusions. The simplicity of honeytokens is a major advantage: there is no need to build an entire decoy system. Organizations can easily create, deploy and manage honeytokens at enterprise scale, securing thousands of code repositories simultaneously.

The future of intrusion detection

The field of intrusion detection has remained under the radar for too long in the DevOps world. The reality on the ground is that software supply chains are the new priority target for attackers, who have realized that development and build environments are far less secure than production environments. Making honeypot technology more accessible is crucial, as is making it easier to deploy at scale through automation.

GitGuardian, a code security platform, recently released its Honeytoken capability to accomplish this mission. As a leader in secret detection and remediation, the company is uniquely positioned to transform a problem, the proliferation of secrets, into a defensive advantage. For a long time, the platform has emphasized the importance of sharing security responsibility between developers and AppSec analysts. Now the goal is to “shift left” in intrusion detection, allowing many more people to generate decoy credentials and place them in strategic places in the software development stack. This will be possible by providing developers with a tool that allows them to create honeytokens and place them in code repositories and across the software supply chain.

The Honeytoken module also automatically detects code leaks on GitHub: When users place honeytokens in their code, GitGuardian can determine whether and where they were leaked to public GitHub, significantly reducing the impact of breaches such as those disclosed by Twitter, LastPass, Okta, Slack and others.


As the software industry continues to grow, making security more accessible to the masses is essential. Honeytokens provide a proactive and simple solution to detect software supply chain intrusions as early as possible. They can help companies of all sizes secure their systems, regardless of the complexity of their stack or the tools they use: source control management (SCM) systems, continuous integration/continuous deployment (CI/CD) pipelines and software artifact registries, among others.

With its zero-configuration, easy-to-use approach, GitGuardian is integrating this technology to help organizations create, deploy, and manage honeytokens at a larger enterprise scale, significantly reducing the impact of potential data breaches.

The future of honeytokens looks bright, which is why it was no surprise to see Kevin Mandia extol the benefits of honeypots at RSA, one of the biggest cybersecurity conferences, this year.

At Ikaroa, we are all about staying ahead of the tech curve and making sure our customers are updated on the latest advancements in cybersecurity. That is why we are here to talk about the future of intrusion detection: honeytokens!

Honeytokens are a unique and effective way to detect intrusions, and they have quickly become a popular decentralized tool to keep data safe from malicious actors. In a nutshell, honeytokens are false data points, either “lures” or “traps”, designed to look like real data, but in reality they are fake – they only exist as a method of cybersecurity.

When hackers attempt to steal data, they look for given data points and parameters to access the right information. A honeytoken is designed to look like one of those, but any attempts to access it will lead nowhere. This triggers an immediate automated response, alerting cybersecurity professionals that an intruder is tampering with the system, allowing them to immediately respond and prevent acts of theft.

But why honeytokens? Honeytokens provide an effective method of defense. They can be uploaded onto a company’s servers from a trusted source, making it almost impossible for hackers to recognize them as false data points. Furthermore, honeytokens are an easily expandable security measure, as new ones can be added to cover all available data points, providing a more comprehensive level of defense.

Given the current influx of cyber threats, it is more important than ever for companies to stay ahead of the game and protect their valued technology. With honeytokens, companies can be assured that any attempts at data theft will be detected and acted upon immediately, allowing them to take the necessary steps to protect their data and reputation.

At Ikaroa, we pride ourselves on providing the latest advancements in cybersecurity to help protect our customers. With honeytokens, we are taking one step further towards achieving our goal of protecting our customers against any malicious actors. We believe that honeytokens are an invaluable tool that are here to stay, providing an additional layer of security that will remain a key element of intrusion detection in the future.

