The honeypot is a simple security concept: something so sweet and enticing that the “bad guy” just can’t help but walk right into your trap. In the world of data security, honeypots are typically systems or resources that appear legitimate, but are actually isolated and monitored. Honeypots have been around for almost 30 years, but they’re enjoying a recent resurgence. As security teams increasingly realize that they can’t completely prevent malicious actions, the honeypot gives them a tool to identify who the malicious actors are, how they’re working and what they’re doing.
Creating a “honey file” to track malicious insiders
The honeypot concept is hardest to apply for data exfiltration, insider threat and other events where the malicious actor has authorized access to the network or resource. Fortunately, Code42 Forensic File Search enables a new type of lure: the honey file, a single, attractive (but not actually valuable) file that a security team can use to identify and track malicious insiders. Here’s how a honey file workflow would look:
- The security team places a honey file — in this case an Excel file named “employee salary data 2018.xlsx” — in a shared OneDrive account. The security team knows both the file name and MD5 hash.
- After a few days or weeks, the security team can log onto the Code42 web console and use Code42 Forensic File Search to execute a simple search for the file’s MD5 hash.
- The search results show any traces of the original honey file on any user or host in your environment.
- Digging into the search results, the security team can see not only who touched the honey file, but also what that person did with it. For example, if a user copies the honey file, renames it and then deletes the original in an attempt to cover their tracks, every step in this “coverup” can be seen through Code42 Forensic File Search.
- Using this insight, the security team can quickly take steps to investigate and remediate effectively.
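As an added example (not Code42's code or API), here is the hash-and-name lookup from the workflow above applied to a constructed stream of file events; the event fields, user names, hosts and paths are all invented for illustration. Matching on the MD5 catches copies and renames, while matching on the original file name catches copies whose content was edited after the fact.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    ts: str      # ISO-8601 timestamp
    user: str
    host: str
    action: str  # "create" | "rename" | "modify" | "delete"
    path: str    # forward slashes throughout (constructed data)
    md5: str

HONEY_NAME = "employee salary data 2018.xlsx"
# Constructed stand-in for the honey file's bytes; a real lure is an .xlsx.
HONEY_MD5 = hashlib.md5(b"name,salary\nexample-only,0\n").hexdigest()
EDITED_MD5 = hashlib.md5(b"edited copy").hexdigest()  # content changed

# Constructed event stream mirroring the coverup in the text: a copy to a
# laptop, a rename, deletion of the original, plus an edited copy and noise.
EVENTS = [
    FileEvent("2018-06-01T09:00", "secteam", "onedrive", "create", f"/shared/{HONEY_NAME}", HONEY_MD5),
    FileEvent("2018-06-12T17:41", "mallory", "LAPTOP-07", "create", f"C:/Users/mallory/Downloads/{HONEY_NAME}", HONEY_MD5),
    FileEvent("2018-06-12T17:43", "mallory", "LAPTOP-07", "rename", "C:/Users/mallory/Downloads/notes.xlsx", HONEY_MD5),
    FileEvent("2018-06-12T17:44", "mallory", "onedrive", "delete", f"/shared/{HONEY_NAME}", HONEY_MD5),
    FileEvent("2018-06-14T10:02", "carol", "WKS-09", "modify", f"C:/Users/carol/Desktop/{HONEY_NAME}", EDITED_MD5),
    FileEvent("2018-06-14T11:30", "bob", "WKS-22", "create", "C:/Users/bob/report.xlsx", hashlib.md5(b"unrelated").hexdigest()),
]

def find_honey_hits(events, md5=HONEY_MD5, name=HONEY_NAME):
    """Match by hash (survives copy and rename) or by original file name
    (survives edits). Returns (event, matched_on) pairs, oldest first."""
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        on = []
        if e.md5 == md5:
            on.append("md5")
        if e.path.rsplit("/", 1)[-1] == name:
            on.append("name")
        if on:
            hits.append((e, tuple(on)))
    return hits

def timeline_by_user(hits, exclude=("secteam",)):
    """Per-user trail of honey-file activity, skipping the team that planted it."""
    per_user = defaultdict(list)
    for e, on in hits:
        if e.user not in exclude:
            per_user[e.user].append(f"{e.ts} {e.action} {e.host}:{e.path} [{','.join(on)}]")
    return dict(per_user)
```

A copy that is both renamed and edited matches neither lookup, which is why the planted file's name and hash should both be recorded and searched together.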
Watch the video above to see how to create a honey file and track data exfiltration with Code42 Forensic File Search.