Using “Honey Files” to Stop Data Exfiltration (Video)

The honeypot is a simple security concept: something so sweet and enticing that the “bad guy” just can’t help but walk right into your trap. In the world of data security, honeypots are typically systems or resources that appear legitimate, but are actually isolated and monitored. Honeypots have been around for almost 30 years, but they’re enjoying a recent resurgence. As security teams increasingly realize that they can’t completely prevent malicious actions, the honeypot gives them a tool to identify who the malicious actors are, how they’re working and what they’re doing.

Creating a “honey file” to track malicious insiders

The honeypot concept is hardest to apply for data exfiltration, insider threat and other events where the malicious actor has authorized access to the network or resource. Fortunately, Code42 Forensic File Search enables a new type of lure: the honey file, a single, attractive (but not actually valuable) file that a security team can use to identify and track malicious insiders. Here’s how a honey file workflow would look:

  1. The security team places a honey file — in this case an Excel file named “employee salary data 2018.xlsx” — in a shared OneDrive account. The security team knows both the file name and MD5 hash.
  2. After a few days or weeks, the security team can log onto the Code42 web console and use Code42 Forensic File Search to execute a simple search for the file’s MD5 hash.
  3. The search results show any traces of the original honey file on any user or host in your environment.
  4. Digging into the search results, the security team can not only see who touched the honey file, but also what that person did with it. For example, if a user copies the honey file, renames it and then deletes the original in an attempt to cover his tracks, every step in this “coverup” is able to be seen through Code42 Forensic File Search.
  5. Using this insight, the security team can quickly take steps to investigate and remediate effectively.

“ Digging into the search results, the security team can not only see who touched the honey file, but also what that person did with it. ”

Watch the video above to see how to create a honey file and track data exfiltration with Code42 Forensic File Search.

Finding Rogue Software in Your Organization (Video)

There are many reasons you may want to locate particular software in your organization. Sometimes it’s because you are trying to catch someone doing something malicious, but sometimes it’s because employees are trying to work around processes to get work done. For example, many employees install software that isn’t yet approved by their company’s IT and security teams.

A true story: MacOS version control

Here’s a true story from Code42’s own IT team about MacOS version control. Code42 blocks the installation of the latest version of MacOS on employees’ laptops until it has been fully tested. While we don’t expect to see any security risks in the newest release, we also don’t want employees running unsupported or untested software. Once upgraded, MacOS can’t be reverted back to the older version—so untested installations are hard to correct.

The Code42 IT team knows when an employee figures out a way to circumvent their endpoint management system’s security controls to download the new version of MacOS. They know this because they’re able to locate the installer on employee endpoints with Code42 Forensic File Search.

A simple search, clear results

Many endpoint management systems block file installation based simply on filename. When the installer file is renamed, the program in question can be downloaded and the endpoint management system won’t catch it. However, Code42 Forensic File Search gives you the ability to search by MD5 hash. If you suspect that employees in your organization are downloading a particular program, you can search for the MD5 hash of the program to find everywhere it exists in your organization, even if it has been renamed. Code42 Forensic File Search locates all instances of the file across all endpoints, even on endpoints that are offline.

“ If you suspect that employees in your organization are downloading a particular program, you can search for the MD5 hash of the program to find everywhere it exists in your organization, even if it has been renamed. ”

Human behavior affects everyone

We upgrade all of our Mac users to the latest version of MacOS as quickly as we can. If employees break policy and install MacOS early, we recognize that it’s not out of malice—they just want to have access to the best and most current tools. This is likely the case at your organization as well. As the 2018 Data Exposure Report explains, employees want to work in ways that make them more productive even if that means violating IT policy.

This could be true of anyone in your organization, from the most junior employee to the CEO. In fact, according to the report, 59 percent of CEOs admit to downloading software without knowing whether it is approved by corporate security. Seventy-seven percent of business leaders believe their IT department would view this behavior as a security risk, but they do it anyway. No wonder that the Data Exposure Report also found that 75 percent of CISOs and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and recovery-driven security.

With Code42 Forensic File Search, you have visibility into what’s happening in your organization that your prevention tools don’t see. You’ll never be able to convince 100 percent of your users to follow your IT and security policies, but you can quickly and accurately locate the rogue software they bring into your organization.

Facebook Twitter Google LinkedIn YouTube