Getting Started - Summary
This article describes Honeypot details in depth after this Summary, which shows you how to start with Honeypots:
- Login to SSProtect
- From the SSProtect notification icon's context menu, choose Account Configuration
- At the bottom of the dialog, next to the Honeypot Pwd, choose Config*
- Create your Honeypot Password, entering it twice, then choose OK
You will be taken to the Protected Files display, where you can now enable Honeypot behavior for any file by first selecting one or more files, then checking the Honeypot checkbox at the top.
By design, Honeypot behavior remains associated with the file identified by its full path, specific to your host computer. Even if the file is deleted from disk and then re-created, Honeypot behavior continues until you choose the file and de-select the Honeypot checkbox.
The remainder of this article describes configuration and functionality in more detail, continuing with in-depth operational details in the article, Honeypot Behavior: Scope and Triggers.
*Honeypots are optional, and are not enabled by default. If Config is gray, talk to your Administrator and/or coordinate with Support to have it turned on for your Organization/ Account.
What is a Honeypot?
A Honeypot is a resource, or set of resources, set up to facilitate IT network management by redirecting focus away from sensitive operations. Because Honeypots do not manage or store production data, legitimate users will have little interest in their presence. As a result, any attempt to connect to or use Honeypot resources should raise questions. This can help expose unwanted threat actors or malicious insiders in your network.
Many believe that Honeypots, when properly utilized, offer compelling advantages in retaining network system availability and security. Some practitioners make extensive use of Honeypots, though others have never used them - and many never will.
The addition of Honeypot file configuration is the direct result of our Early Adopter program. One of our first users spent time in classified government briefings on data security specific to data exfiltration, and from his experience, he felt the detection of unwanted access to sensitive data files provided a compelling opportunity for early detection. Working together, we scoped a solution consistent with our lifecycle protection philosophy. The results will unfold in the paragraphs that follow.
Explorer File Status
Windows Explorer shows files in folders using icons that reflect the registered management application for each item. SSProtect enhances this view by providing red and orange (yellow) icon overlays indicating whether or not a file is protected. Red indicates that you are the managing user of a specific file, while orange (yellow) shows that a file is protected by SSProtect but came from an external source or Third Party. In this case, it will not be clear whether or not you have access to the file from the active Profile's context.
Roadmap for Attackers
Though SSProtect provides convenient status information for authorized users, it also serves as a roadmap for attackers, allowing them to adjust their strategy upon discovering sets of files that are closely managed. Assuming SSProtect retains effectiveness against even the most advanced host threats (such as impersonation), attackers can approach resources by offloading unprotected and lower-risk items before returning to try their hand at stealing SSProtect-managed data.
Inhibiting Mass Data Exfiltration
Honeypots change this dynamic drastically - because attackers can no longer assume unmarked files are outside the protective scope of SSProtect. This presents the risk of triggering alarms when accessing any file that seems in every other way to be normal and independent of SSProtect. This can have a drastic impact on the way attackers go after their bounty. It can also reduce the amount of time attackers are free to roam, undetected. This early warning system, deployed appropriately, will reduce the typical impact of breach dynamics specific to mass offloading of application data files stored on desktop/ workstation (and server) systems.
This tips the scales back toward your favor, though to what extent and whether or not past the tipping point depends on a great many things. It should, however, have more than a subtle impact and can be utilized as a centerpiece in choosing how to manage other aspects of your network - from behavioral analysis and next-generation intrusion prevention to the way in which outbound DNS and firewalling is applied and managed (with SIEM for example).
An Explorer view of SSProtect'd content, showing Shared, Protected, and Unprotected files.
Unmasking Honeypot Configuration
Honeypot configuration is masked. This precludes exposure to localhost presence except when you specifically enable controls to modify scope. You can do this by visiting the Account Configuration dialog from the SSProtect notification icon's context menu:
Navigate to the bottom of the Account Configuration display and choose Config to enable password entry controls:
Enter your password then choose Send Pwd... Note that the first time you perform this operation you will be asked to create a new password using the same procedure you encountered during Registration. The button will then change to Upd Pwd... which you can use to change your Password.
Resetting your Honeypot Password
Your Honeypot Password isn't reset independently - it gets Reset with your Login Password. For this reason, be sure to set your Honeypot Password after you Register and any time you change your Login Password. In fact, this is the only way to change your Honeypot Password. Thus, request a Login Password Reset from your Administrator/ Delegates, or if you're using an Individual Account, contact support. After you log in, navigate to the Account Configuration page to create your new Honeypot Password.
After you unmask Honeypot Configuration with your Honeypot Password, you are taken directly to the Protected Files display where you can choose a target file then check the Honeypot checkbox. After a few seconds, the file will transition to the Decrypted state and will continue to be shown with the Honeypot checkbox status. Explorer will no longer display the red overlay icon - the file now presents just like any other unprotected item.
Reset your Login session with the notification icon's Refresh Login... context menu and return to this dialog - notice that the file and the Honeypot designations are no longer present. This default state protects from disclosure to localhost attackers who may be watching you work using malware that collects screenshots.
To disable a Honeypot, unmask configuration, in Protected Files, choose the target file, then deselect the Honeypot checkbox. Note that the target file is not re-encrypted and re-protected - you can manually re-add the file to the protective scope of SSProtect independently, as you wish.
Some users will see a Honeypots button on the right side of the Protected Files display. This enumerates all Honeypot-configured files for the host computer on which you're working (for all Profiles). These are stored in the local Host Debug Log, then displayed for you automatically. It's important for you to erase these entries and save the log file when finished perusing the list, else an attacker may be able to find the set and specifically avoid those items.
Monitoring begins immediately after configuration is changed, and includes:
- Opening the file with the default application*
- Moving or renaming the file
- Deleting the file
Notification is available in two forms - by direct email to your SSProtect Account address, and in :Assess reports that contain these and other events.
Notification events are one of three types - online, offline, or configuration. Online events occur while you are actively logged into SSProtect, while offline events occur when SSProtect does not have any authenticated user logged in. You will receive one (1) notification for each event associated with a target Honeypot file. You can use Email filtering and Rules to manage incoming content until more advanced notification policies are made available.
Note that Configuration notification is only applicable to Honeypot state Removal.
*This will be extended in the future to include additional access events, such as accessing data with most any application. Because of the way Windows manages application data files, this is more than a simple matter of waiting for a file to be opened, though managed in-place encryption capabilities provide the foundation for ongoing work in this area.
The notification email message is simple and straightforward, and it includes the basic information necessary to direct you toward further investigation. An example is given below, though the presentation will likely differ:
:Assess Report Details
Cloud services record details associated with Honeypot behavior - detection and configuration - and provide details available in :Assess File and Admin (Integrated) Reports. These items include the date, time, event, local and public host IP addresses, along with the target Filename, file size, unique file ID, plaintext hash, and managing application used to access content. This allows you to correlate information with other items and events for forensic investigation.
The following shows a sample progression that includes logging in, configuring a Honeypot item, accessing it while Logged in and after Logging out, and removing Honeypot configuration:
NOTE: The Application details, date/time, and public/private IP addresses have been removed for brevity.
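As an added illustration of how the report fields and notification types described above can be correlated during an investigation (example code written for this article, not SSProtect's own code or report format; the record layout, event names, and sample values are constructed assumptions):

```python
from collections import defaultdict
ACCESS_EVENTS = {"open", "move", "rename", "delete"}   # triggers listed on this page
def make_event(ts, event, session, **extra):
    # Constructed record: field names follow the report contents listed above,
    # but the layout is an assumption for this example, not SSProtect's format.
    record = {"ts": ts, "event": event, "session": session, "file_id": "F-001",
              "path": r"C:\Users\alice\Documents\budget.xlsx", "size": 48213,
              "plaintext_hash": "0123abcd", "app": "EXCEL.EXE",
              "local_ip": "10.0.0.5", "public_ip": "203.0.113.7"}
    record.update(extra)
    return record
# Constructed progression mirroring the page: configure, open while logged in,
# open and rename with no authenticated user present, then remove the Honeypot.
SAMPLE_EVENTS = [
    make_event("2023-01-10T09:00:00", "honeypot_configured", "logged_in"),
    make_event("2023-01-10T09:05:00", "open", "logged_in"),
    make_event("2023-01-10T22:41:00", "open", "no_user", app="notepad.exe"),
    make_event("2023-01-10T22:42:00", "rename", "no_user", app="explorer.exe"),
    make_event("2023-01-11T08:10:00", "honeypot_removed", "logged_in"),
]

def classify(event):
    """Return the notification type (online/offline/configuration) or None."""
    name = event["event"]
    if name == "honeypot_removed":
        return "configuration"  # configuration notifications cover removal only
    if name == "honeypot_configured":
        return None             # recorded by the cloud service, but not notified
    if name in ACCESS_EVENTS:
        return "online" if event["session"] == "logged_in" else "offline"
    raise ValueError(f"unknown event type: {name}")

def build_timeline(events):
    """One notification per event, grouped by unique file ID for correlation."""
    timeline = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind is not None:
            timeline[ev["file_id"]].append((ev["ts"], kind, ev["event"], ev["app"]))
    return dict(timeline)

def triage(events):
    """Flag access with no authenticated user present, and Honeypot removal."""
    findings = []
    for file_id, entries in build_timeline(events).items():
        kinds = [e[1] for e in entries]
        if "offline" in kinds:
            findings.append((file_id, "offline_access", kinds.count("offline")))
        if "configuration" in kinds:
            findings.append((file_id, "honeypot_removed", 1))
    return findings
```

Offline access is flagged first because, per the notification model above, it means the Honeypot file was touched while no authenticated SSProtect user was present on the host.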
When designing for and working with Honeypots, use the following list to ensure your expectations and intent remain aligned with SSProtect capabilities:
- You can only configure a Honeypot for a protected file
- Configuring a file for Honeypot monitoring decrypts content
- Disabling Honeypot behavior does not re-encrypt or re-protect the file
- Honeypots remain active whether Logged in to SSProtect or not
- All Honeypot items, for all Profiles on a single host, are constantly monitored
- Reset your Honeypot Password after any change to your Login Password
Honeypots can be helpful in the early detection of rogue resources in your network. We will have more to say on this subject in our @DefiniSec Insights column. In the meantime, send questions and comments to firstname.lastname@example.org, or contact your DefiniSec representative for additional assistance.