any suggestions on where/how to host honey files?
Thanks for reaching out on our Discuss Hub.
When deploying deception technology, creativity plays an important factor so you really got to ask yourself first “What are my strategy goals?”.
Here are some requirements and goals examples that can hopefully help:
- Generate actionable, high-fidelity alerts.
- Reduce the “dwell time” of an initial compromise.
- Confuse the attacker with false assets and misinformation.
- Tackle the human attacker or APT.
- Threat intelligence regarding tactics, techniques, and procedures.
- Integrate with existing defense-in-depth architecture.
Once you have that objective in mind you can start with:
- Determining locations to place your honey files. Locations in which your decoys are placed in
a file system should be selected so that the decoys remain conspicuous to malicious insiders
but do not impede a legitimate user’s normal actions. I would start looking at the most recently
accessed documents as well as ten folders/Network Shares/Directories containing the greatest number of files with common document extensions .pdf, .doc, .docx, .ppt, .xls, .txt, .html, and .htm…etc
Selecting the most populated and most recently accessed folders increases the conspicuousness of decoys, since these are directories that would be the most probable targets for malicious insiders.
- Naming of Honey Files. The prime objective of the naming scheme is to create filenames that blend in with existing legitimate documents so that they do not look overtly suspicious. Appending either “-final” or “-updated” to the end of the filename, or a date string makes a document appear as if it has been marked as a more authentic, official version.
I hope you will find this useful.
You have asked what I think is a very interesting question. Just to add to what my colleague, Oli, has mentioned, on a practical level you might also want to think about which of your hosts you might use to set up honey files. The way that the honey files feature works is that you would enable Audit Detailed File Sharing on the server that will host the honey files. This server must also be running the Insight Agent. Then, if anyone accesses the files, you will get an alert.
As you can see, this description brings up some interesting things to think about.
The server that you are going to put the honey files on must be running a Windows operating system and it must have the Insight Agent installed on it. Next, you must enable the auditing that Microsoft calls Audit Detailed File Sharing. When most people think of auditing file access on Windows, they immediately think of File System auditing: you enable file system auditing, and then you go to the individual files/folders on the host and turn on what auditing you want for those objects. Audit Detailed File Sharing is completely different! You enable it on a host and it is enabled for all files and folders on that host. After Audit Detailed File Sharing is enabled, if any files or folders are accessed from a network share, then a specific Security log event, event ID 5145, is generated. This event is generated for any type of access, including reading the file or adding it to an archive/zip file.
Audit Detailed File Sharing can generate a lot of events! If you were to enable this on a busy file server, it will cause many more events to be generated and written into the Security log than before. The Insight Agent must read and collect these events from the Security log. Therefore, you can expect the Insight Agent to use more resources than it was before this auditing was enabled. The cool thing about enabling this is that the Insight Agent will collect all of these events (i.e. all 5145 events) so that all of this activity will be in Log Search, not just the activity for your honey files. It is an easy way to track file access to files/folders that are accessed from file shares. However, if you are setting this up on a file server, I would recommend monitoring resource usage for a while after you have enabled Audit Detailed File Sharing to be sure that turning it on isn’t impacting performance. If it is, you might need to add more RAM/CPU to the file server. Be especially cautious if your file server is old and/or already strapped for resources, as this is going to increase resource utilization on the server.
Most people just enable the Audit Detailed File Sharing on their main file servers and configure the honey files to be on shares on these servers. However, if you are worried about the load that the Audit Detailed File Sharing will cause on these servers or you do not have a Windows file server, you could configure a fake Windows file server and put your shares and files on it. One of the main type of attacks that the honey file feature would help you catch is someone getting access to a host in your environment and then using an automated tool to zip up all the files on all network shares that they have access to in order to send them offsite. Therefore, your goal with the fake file server would be to set up what you need in order to catch this activity. You would build a Windows server, add some shares and files to it in order to make it look “real”, and then perhaps even add a mapped drive for your users over to the fake server. Then in InsightIDR, you would configure some of these files on the fake server to be honey files.
Sometimes it is interesting to think about what types of files you want to use for the honey files. As Oli says, the file names that you use for your honey files depends on what you want to accomplish. If I wanted to find out if an internal user is snooping into folders that they shouldn’t be, I might create a few honey files with flashy names and put these fake files into my real file shares. That is, I might put a file like “passwords.csv” into an IT file share, or “Employee Salaries.pdf” into an HR share that I wouldn’t expect many people to have access…just to make sure that nobody is opening the file that shouldn’t be! The Honey File Accessed alert should only trigger if a file is opened that you don’t expect to be opened. On the other hand, if I want to catch ransomware or a similar attack where the malicious activity consists of someone zipping up an entire share, I’d probably sprinkle quite a few different types of files into my network shares, with the idea that if I see a bunch of them being accessed within a short time something is going on that I need to investigate.
Last, if you decide to enable Audit Detailed File Sharing on your production file servers, it gives you an easy way to use the Custom Alert or Dashboards to monitor access to any files that you do need to track activity on. However, I would use the Custom Alerts or Dashboards features for this and not Honey Files. That is, if you need to know who is opening “\fileserver\public\importantfiles\secretcookierecipe.docx”, then you after you have enabled the Audit Detailed File Sharing feature, you can create either a Custom Alert or Dashboard view for this activity.
I know that between Oli and I we have provided you with a lot of information, but hopefully this helps you decide what you want to do. Good luck!