By Salvatore Stolfo on Jan 4, 2019, 4:05:02 PM
Detecting early-stage data theft activity can be the difference between losing mission-critical data and stopping an attacker in his or her tracks. Research has shown that detecting attackers in the early stages of execution – ultimately, reducing the dwell time of a potential attack – is crucial to protecting data.
Some detection systems rely on a technology called canary tokens to trip up attackers while they peruse an environment that contains valuable data. A canary token is an old idea in its native form: it may be a web URL, email address, or document file that triggers an action if it's ever accessed. However, the canary token approach has real limitations. A deeper understanding of deception helps guide a more intelligent design and implementation of decoy documents supporting a deception-in-depth security strategy.
The most frustrating weaknesses of canary tokens are their low probability of signal and the lack of guidance on how and where to deploy them: there is only a slight chance that an attacker will trigger an event, even if they directly open a document containing the token. This means that after you go through the trouble of creating a convincing and enticing document, placing it where an attack might take place and relying on it to alert you to malicious activity, it could end up being completely useless in an attack. Additionally, a lot of manual effort is required to deploy and manage canary tokens, making the technique difficult to scale. You have to figure out on your own which files to arm with tokens, create your own files and decoys and hope they are highly convincing, and determine how many you need and where to place the documents in order to have any chance this approach will work. You'll also need to manage the ensuing alerts generated by each individual token, completely separate from your existing SOC process.
There's a big difference between a canary token and setting up an enterprise-wide, high-fidelity data loss detection environment. Canary tokens are only one small part of a holistic strategy, and one that isn't all that reliable or scalable. Deceptive documents require deeper thought to automatically create and deploy in a worthwhile manner. Deception-in-depth is guided by being believable, enticing, conspicuous, non-interfering, variable, and timely. All of these properties are key to the shelf-life and effectiveness of document content and placement.
Ideally, early breach detection strategies that incorporate deception include all of the following:
- Probability of Signal: Allure's patented highly believable Decoy Documents guarantee signal upon opening and, unlike canary tokens, can't be reconstructed or opened off-network. They also don't issue a warning to the recipient upon opening, as most honeynet and canary token documents do, making them more stealthy and useful for high-probability detection.
- Ease of Deployment: We don't just offer blank beaconized docs; instead we provide a desktop application with out-of-the-box decoy documents that makes for easy deployment and management across a large enterprise. Strategic placement reduces interference with normal operations while luring attackers to these conspicuous and enticing documents. Allure's Decoy Document content is engineered to get the highest probability of detection possible (based on DARPA-funded research), so deployment is a matter of minutes or hours instead of days or weeks.
- Information for Response: When someone opens an Allure Decoy Document, the owner of the decoy receives event data along with the most information possible for enabling intelligent response. You’ll get more than just a simple IP address; you can also see the results of any third-party IP lookups, and a map showing the location of the person who opened the document via Allure’s geofencing rules engine. We even offer the ability to search event history for trends, and Allure events can easily be integrated with a SIEM in order to correlate our data with other events.
- “Big Picture” Reporting: Most honey or canary tokens only track by each individual URL, with no relation to any others or how they were placed. With Allure, users can build out context around all detected events, making them valuable for large enterprises with large numbers of decoy documents deployed. Our dashboards and reports (scheduled or on-demand) start with a high-level security posture and present the status of all deployed decoy documents.
- Holding Attackers Accountable: During active investigations, our proprietary geofence and telemetry insights have been used by our customers to identify hackers and leakers, and have been provided to law enforcement to hold these attackers accountable.
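As an added illustration (not Allure's code or product) of the gap the list above draws between a bare per-token alert and an event that carries placement context, the following Python sketch keeps a registry of deployed decoys keyed by a per-placement beacon token, enriches each beacon fetch with where that decoy was placed, and summarizes hits across all decoys for a "big picture" view. The collector host, decoy names and IP addresses are constructed placeholders.

```python
import secrets
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

BEACON_BASE = "https://beacon.example.invalid/t/"  # assumed collector host (placeholder)


@dataclass
class Decoy:
    """One deployed decoy document and where it was placed."""
    name: str
    host: str
    path: str
    token: str = field(default_factory=lambda: secrets.token_hex(8))


class DecoyRegistry:
    """Maps beacon tokens back to placement context so a hit is an actionable alert."""

    def __init__(self):
        self._by_token = {}
        self.events = []

    def register(self, name, host, path):
        decoy = Decoy(name, host, path)
        self._by_token[decoy.token] = decoy
        return decoy

    def beacon_url(self, decoy):
        # Unique per placement: the same file dropped in two folders gets two tokens,
        # so a hit tells you which copy was opened, not just that "a" copy was.
        return BEACON_BASE + decoy.token

    def handle_hit(self, token, source_ip, user_agent, ts=None):
        """Turn a raw beacon fetch into an enriched event, or None for an unknown token."""
        decoy = self._by_token.get(token)
        if decoy is None:
            return None  # unknown token: noise against the collector, not a decoy opening
        event = {
            "time": (ts or datetime.now(timezone.utc)).isoformat(),
            "decoy": decoy.name, "host": decoy.host, "path": decoy.path,
            "source_ip": source_ip, "user_agent": user_agent,
            "severity": "high",  # a decoy has no legitimate readers, so any open is suspect
        }
        self.events.append(event)  # flat dict, ready to forward to a SIEM as JSON
        return event

    def summary(self):
        """Per-decoy and per-source counts across every placement."""
        return {
            "by_decoy": dict(Counter(e["decoy"] for e in self.events)),
            "by_source": dict(Counter(e["source_ip"] for e in self.events)),
        }
```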
Allure tracks and provides activity insights for both real and decoy documents, including files shared in the cloud, and continues to do so after documents have been downloaded, copied or shared. Our desktop app makes it easy to track a specific critical file or all files in a given folder and its subfolders, and you can set up Watch Folders so that every document added is automatically beaconized.
With Allure, we’ve taken document tracking and decoy planting to a whole new level. It’s not just about (sometimes) knowing that a document has been opened; it’s about providing a complete detection and response system that is deployed as a service, with reliable visibility that requires few resources. Our approach is designed to detect malicious events, provide the proprietary geofence and telemetry insights needed to respond with countermeasures, and identify the people responsible and hold them accountable.