3. Introduction to decoy documents
Decoy Document:
“On demand machine generated document. It contains the content
to entice the attacker into stealing bogus information”.
Contains:
Different types of bogus credentials (Honeytokens)
Stealthy beacons
Embedded markers
Development:
At Intrusion Detection Systems Lab,
Columbia University
3 of 14
4. Introduction to decoy documents
Basic Idea:
Insider attack.
Detect insider actions against the enterprise system as well
as individual hosts and laptops
Report back to the control server or alerting administrators
Configuring the system and setting policies using management
platform
5. Introduction to decoy documents
Existing solutions:
Blocking exfiltration
Prevention techniques
- User modeling and profiling techniques,
e.g. anomaly detection, honeypots, etc.
- Policy and access enforcement techniques,
e.g. limiting the scope
Misuse detection
Proposed solutions:
Monitoring and detection techniques are used when
prevention techniques fail
Trap-based defense mechanisms
Preventive disinformation attack
6. Threat Model
1. Insider threats
Malicious Insiders
- Traitors
- Masqueraders
- Attacks (e.g., viruses and worms)
Non-Malicious Insiders
2. Outsider threats
Outsiders with internal network access
- Attacks (e.g., spyware and rootkits)
7. Threat Model
Level of Sophistication of the attacker
1. Low - Direct observation
2. Medium - Thorough investigation, decisions based on other,
possibly outside evidence
3. High - Supercomputers and other informed people who have
organizational information
4. Highly privileged - being aware of baiting and using tools to
analyze, avoid and disable decoys entirely
8. Generating and Distributing bait
Properties of decoy documents:
Used to guide decoy design and maximize the deception
(achieved by hiding).
Deception techniques: masking, repackaging, dazzling, mimicking,
inventing and decoying.
1. Believable - Appearing true
Using realistic names, addresses and logins
2. Enticing - Highly attractive.
Creating decoys based on attacker interest (passwords,
credit card numbers).
9. Generating and Distributing bait
Properties of decoy documents (contd.):
3. Conspicuous - easily visible or obvious to the eye or mind
4. Detectable - To discover/catch in the performance of some act
5. Variability - The quality of being subject to variation
6. Non-interference - Easily identified by the actual user
7. Differentiable - Constitute a difference that distinguishes
10. Generating and Distributing bait
The Decoy Document Distributor (D3) System:
Generates and places decoy documents within a file system.
D3 is integrated with a variety of services to enable monitoring
of these decoy documents.
http://sneakers.cs.columbia.edu:8080/fog/index.jsp
http://www.alluresecurity.com
Types of bait Information
- Online banking logins provided by collaborating
financial institutions,
- Login accounts for online servers and
- Web based email accounts
11. Generating and Distributing bait
Design of Decoy Document:
1. A watermark is embedded in the binary format of the document
file to detect when the decoy is loaded in memory, or egressed in
the open over a network.
2. A beacon is embedded in the decoy document that signals a
remote web site upon opening of the document indicating the
malfeasance of an insider illicitly reading bait information.
3. If 1 and 2 fail, the content of the document contains bait
(honeytokens) and decoy information that is monitored as well.
Bogus logins at multiple organizations as well as bogus but
realistic bank information are monitored by external means.
12. Generating and Distributing bait
Implementation :
1. Honeytokens - e.g., login credentials, banking credentials etc.
2. Beacon
- Uses obfuscation technique called Spectrum Shaping
- Unique token is used
- Document type and rendering environment influence the
data collection
- The signaling mechanism relies on the document type or a
stealthily embedded remote image
13. Generating and Distributing bait
Implementation (contd.):
3. Embedded Markers
- Constructed as a unique pattern of word tokens uniquely tied
to the document creator
- The sequence of word tokens is embedded within the beacon
document’s meta-data area or reformatted as comments
within the document format structure.
- The embedded markers can be used in Snort signatures for
detecting exfiltration.
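The embedded-marker idea from slide 13, as an added example that is not D3's own code: a marker is derived as a unique sequence of word tokens tied to the document creator, placed in a comment in the document structure, and a detection function (plus a generated Snort rule) matches it in outbound data. The HTML-style comment format, the secret, the document names and the captured request are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed secret for this example; it stays with the monitoring side and never appears in a decoy.
MARKER_SECRET = b"constructed-example-secret"
TOKEN_WIDTH = 8
TOKEN_COUNT = 4

def make_marker(creator: str, doc_id: str) -> str:
    """Derive a unique sequence of word tokens tied to the document creator and document id."""
    digest = hmac.new(MARKER_SECRET, f"{creator}:{doc_id}".encode(), hashlib.sha256).hexdigest()
    return " ".join(digest[i * TOKEN_WIDTH:(i + 1) * TOKEN_WIDTH] for i in range(TOKEN_COUNT))

def embed_marker(document_text: str, marker: str) -> str:
    """Place the marker as a comment in an HTML-style document (assumed format for this example)."""
    return f"{document_text}\n<!-- rev:{marker} -->\n"

# Matches the marker wherever it appears in captured traffic.
MARKER_RE = re.compile(r"rev:([0-9a-f]{8}(?: [0-9a-f]{8}){3})")

def build_registry(decoys: list[tuple[str, str]]) -> dict[str, tuple[str, str]]:
    """Map each issued marker back to (creator, doc_id) so an alert names the decoy that left."""
    return {make_marker(creator, doc_id): (creator, doc_id) for creator, doc_id in decoys}

def detect_exfiltration(stream: str, registry: dict[str, tuple[str, str]]) -> list[tuple[str, str]]:
    """Scan outbound data for registered markers and return the decoys that were seen."""
    return [registry[m.group(1)] for m in MARKER_RE.finditer(stream) if m.group(1) in registry]

def snort_rule(marker: str, sid: int) -> str:
    """Render a Snort content rule for one marker (sid is a constructed local-range id)."""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Decoy document marker seen leaving network"; '
            f'content:"rev:{marker}"; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    registry = build_registry([("alice", "q3-forecast.docx"), ("bob", "payroll.xlsx")])
    decoy = embed_marker("Q3 forecast (bait content)", make_marker("alice", "q3-forecast.docx"))
    # Constructed capture: the decoy body being POSTed to an external host.
    capture = "POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n" + decoy
    print(detect_exfiltration(capture, registry))  # [('alice', 'q3-forecast.docx')]
    print(snort_rule(make_marker("bob", "payroll.xlsx"), 1000001))
```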