One Click and You're Caught: HoneyFiles in Action
Threat actors, also known as cybercriminals, often target sensitive documents such as credentials, employee information, or any other data considered critical or classified. Detecting and tracking cyber intrusions within an organization’s network, including insider threats, can be challenging.
Fortunately, we have tools like honeypots, DNS sinkholes, and other deception technologies ("honey traps") to detect and capture cyber intruders. However, some threat actors possess the skills to recognize these traps, just as they can identify when they are operating in a sandboxed environment.
This is where honeyfiles come into play.
What are honeyfiles?
A honeyfile is a decoy or fake file placed on a network file share. These files are designed to detect unauthorized access and data exfiltration attempts. When an attacker stumbles upon a file share, they often zip the contents and exfiltrate them for offline analysis. If a honeyfile is accessed, copied, or moved, it can alert defenders to potential malicious activity.
How can we prepare honeyfiles and deploy them within customized honeypots?
One effective method is to use platforms like https://canarytokens.org/nest/. This platform allows you to generate a variety of honeyfiles tailored to your needs. You can choose from different file types such as .xlsx spreadsheets and .pdf documents, or even fake URLs, cloud storage links, and database connection strings.
These honeyfiles can be strategically placed in specific directories or within your honeypot environments. When a threat actor interacts with a honeyfile, an alert is triggered, helping you detect unauthorized access or malicious activity early on.
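The token-based alerting described above fires when the decoy is opened and phones home. A complementary, purely local check is to treat the decoys as tripwires on the file share itself: record a baseline for each one and periodically look for files that went missing (moved or deleted), were replaced, were modified, or were read. The following is an added example of such a monitor and is not code from the original post or from Canarytokens; the decoy names, the manifest layout and the placeholder file content are assumptions of this example, and in practice the placeholder would be the token PDF or spreadsheet downloaded from the generator.

```python
"""Added example (not from the original post): a local honeyfile tripwire.

deploy_decoys() writes decoys with convincing names into a share directory
and records a baseline (inode, size, SHA-256, access time) for each.
check_decoys() re-examines them and returns alerts for decoys that are
missing, replaced, modified or accessed.
"""
import hashlib
import os
from pathlib import Path

# Constructed decoy names; adapt them to your organisation's naming scheme.
DECOY_NAMES = [
    "Payroll_2023_FINAL.xlsx",
    "vpn_credentials.txt",
    "board_minutes_confidential.pdf",
]


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large decoys do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_decoys(share_dir, names=DECOY_NAMES, content=b"[decoy placeholder]"):
    """Write decoys into share_dir and return a manifest of their baseline state.

    `content` is a placeholder payload (assumption); use the downloaded token
    file so that opening the decoy also triggers the remote alert.
    """
    share = Path(share_dir)
    share.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in names:
        p = share / name
        p.write_bytes(content)
        digest = _sha256(p)       # hash first: this read bumps atime ...
        st = p.stat()             # ... so stat afterwards to capture the baseline
        manifest[str(p)] = {
            "sha256": digest,
            "inode": st.st_ino,
            "size": st.st_size,
            "atime_ns": st.st_atime_ns,
        }
    return manifest


def check_decoys(manifest):
    """Compare each decoy against its baseline and return a list of alerts."""
    alerts = []
    for path, base in manifest.items():
        p = Path(path)
        if not p.exists():
            # Renamed, moved elsewhere or deleted: the classic "zip and take" sign.
            alerts.append({"path": path, "event": "missing"})
            continue
        st = p.stat()
        if st.st_ino != base["inode"]:
            # Same name but a different file underneath it (copied back over).
            alerts.append({"path": path, "event": "replaced"})
            continue
        if st.st_atime_ns > base["atime_ns"]:
            # Read since deployment. Reliable only on strictatime mounts;
            # relatime reports at most the first read, noatime reports none.
            alerts.append({"path": path, "event": "accessed"})
        if st.st_size != base["size"] or _sha256(p) != base["sha256"]:
            alerts.append({"path": path, "event": "modified"})
        # Our own hashing read touched atime; restore the baseline so the
        # monitor does not flag itself as the reader on the next pass.
        os.utime(p, ns=(base["atime_ns"], st.st_mtime_ns))
    return alerts


if __name__ == "__main__":
    import tempfile

    share = tempfile.mkdtemp(prefix="honeyshare_")
    manifest = deploy_decoys(share)
    print("deployed", len(manifest), "decoys in", share)
    print("alerts on first check:", check_decoys(manifest))
```

Run the check from a scheduled task or a SIEM collector rather than from the share itself, and ship the alert dicts to the same place the Canarytoken e-mail lands, so a local "missing" event and a remote "opened" event for the same decoy can be correlated.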
Practical Scenario:
As threat researchers, we need to create a PDF document honeyfile and place it within our customized sandbox environment. The goal is to monitor and determine whether any threat actor or unauthorized user accesses or interacts with the file. This helps us identify potential intrusion attempts or malicious behavior within the sandbox.
Well, let’s select a PDF file and enter our email address to receive a notification when the file is accessed by a threat actor or insider threat.
Then, click the green "Create Canarytoken" button and download the generated PDF file.
The name of the PDF file is randomly generated, so make sure to rename it to something more convincing such as a sensitive document name relevant to your interests or based on your organization's naming conventions and structure.
Now that I’ve added the honeyfiles to my customized honeypot or sandbox, let’s execute the environment and see what kind of activity or alerts we receive from it.
PoC: