Using Database Honeytokens to Detect Insider Threats

Data is a company's biggest IT asset. It contains customer information, financial data, and whatever else has been mined and stored for future growth. Since a database stores this information, protecting it should be one of the biggest security priorities. You can have the highest level of security on a database, but it doesn't always detect the biggest risk to the organization: its own employees. Insider threats must be considered when designing security policies and procedures to protect sensitive data stored in a database. One great way to detect these threats is using honeytokens.

What are Honeytokens?

Each record in your database should only be accessible through a frontend application, but some users (and hackers) can bypass the application and retrieve database data directly. A honeytoken is a record that should never be found: it isn't reachable from the application, and it is never returned by a legitimate query. It's basically a "dead" record that just sits in the database with no link to real customer data.

Attached to these honeytoken records is an alert system. Intrusion detection systems (IDSes) work with honeytokens and make the setup easier, but you don't need to buy expensive security software to set one up: a honeytoken can be built with database triggers alone.

Triggers are programs that execute when something happens to a record. That "something" could be a user editing a record or just reading a record. Since a honeytoken record should never be accessed, you can set a trigger that fires whenever the record is touched by any type of query. The trigger can then send an alert to the administrator that the record was accessed. Because the trigger runs inside the database itself, it can also report the user name that was used to access the record. This is beneficial because an attacker doesn't normally check for triggers when scanning database records.
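The following is an added example, not code from the original article or from NexaCore IT. It plants a constructed honeytoken customer in an in-memory SQLite database and attaches triggers that write an alert row when that record is updated or deleted. SQLite, like most engines, has no SELECT trigger, so reads are caught a second way: by scanning constructed statement-log lines (in the style of PostgreSQL's `log_statement` output with a `user@db` prefix) for the honeytoken's identifiers and reporting the user who ran the query. All table names, values and log lines are constructed for this example.

```python
import re
import sqlite3

# Constructed honeytoken: a customer who does not exist and is never shown by the app.
HONEYTOKEN_ID = 999999
HONEYTOKEN_EMAIL = "h.ordway@example.invalid"

def setup_db():
    """Create a customers table with constructed rows plus the honeytoken, and
    attach triggers that write an alert whenever the honeytoken row is changed."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE honeytoken_alerts (
            id INTEGER PRIMARY KEY AUTOINCREMENT, event TEXT, at TEXT DEFAULT CURRENT_TIMESTAMP);
        INSERT INTO customers VALUES (1, 'Ada Real', 'ada@example.com');
        INSERT INTO customers VALUES ({HONEYTOKEN_ID}, 'Hollis Ordway', '{HONEYTOKEN_EMAIL}');
        -- SQLite has no SELECT trigger, so only writes to the honeytoken are caught here.
        -- In PostgreSQL the trigger function could also record current_user.
        CREATE TRIGGER ht_update AFTER UPDATE ON customers WHEN OLD.id = {HONEYTOKEN_ID}
            BEGIN INSERT INTO honeytoken_alerts(event) VALUES ('UPDATE'); END;
        CREATE TRIGGER ht_delete AFTER DELETE ON customers WHEN OLD.id = {HONEYTOKEN_ID}
            BEGIN INSERT INTO honeytoken_alerts(event) VALUES ('DELETE'); END;
    """)
    return con

def alerts(con):
    """Return the events the triggers have recorded, in order."""
    return [row[0] for row in con.execute("SELECT event FROM honeytoken_alerts ORDER BY id")]

# Reads: watch the statement log instead. Constructed line format: "<user>@<db> LOG:  statement: <sql>"
LOG_RE = re.compile(r"^(?P<user>\w+)@(?P<db>\w+)\s+LOG:\s+statement:\s+(?P<sql>.*)$")

def scan_query_log(lines):
    """Return (user, sql) for every logged statement that names the honeytoken."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        sql = m.group("sql")
        if HONEYTOKEN_EMAIL in sql or re.search(rf"\b{HONEYTOKEN_ID}\b", sql):
            hits.append((m.group("user"), sql))
    return hits

SAMPLE_LOG = [  # constructed
    "app@crm LOG:  statement: SELECT name FROM customers WHERE id = 1",
    "jdoe@crm LOG:  statement: SELECT * FROM customers WHERE email = 'h.ordway@example.invalid'",
    "jdoe@crm LOG:  statement: SELECT * FROM customers",  # bulk dump: log matching misses this
]
```

The last sample line shows the limit of log matching: a bulk dump returns the honeytoken without naming it, so a row-level audit feature of the database (or the application's own result filtering) is needed to catch that case.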

Other Ways to Use Honeytokens

Hackers and disgruntled employees scan networks for files that look important. Administrators can create fake corporate memos or documents that contain a series of phrases or typos to distinguish them from legitimate corporate documents. If an attacker steals these documents and uploads them to the Internet, a Google alert can be set up to scan for these unique phrases. When Google indexes the stolen documents, an alert is sent to the administrator. This would then tell the administrator that the documents were stolen, so an audit can be run on file access.

Files can also be marked just like database records. If an attacker gains access to a file or directory that shouldn't be exposed to employees, an alert can be sent to the administrator that the file was copied or moved. Intrusion detection systems are also useful for this type of file auditing, but the administrator can get the same audit trail from the operating system's own file auditing.

What makes honeytokens beneficial to the organization is that they are inexpensive to set up. Standard security software is expensive to set up and maintain, but a honeytoken can be used to help monitor suspicious behavior without expensive software overhead.

For administrators who oversee even a small corporate network, insider threats are an even bigger concern today than outsider threats. Smaller organizations usually give open access to all resources to every user. Privileges should always be limited, but honeytokens can help monitor insider threats when access isn't monitored properly.

Using Database Honeytokens to Detect Insider Threats | NexaCore IT | 918-544-2500