1 of 14
By:
Dastagiri,
Software Engineer.
@dast999 | dast.sofiya@facebook.com
Decoy Documents
Contents
• Introduction to decoy documents
• Threat Model
• Generating and Distributing bait
• Questions
Introduction to decoy documents
Decoy Document:
“On demand machine generated document. It contains the content
to entice the attacker into stealing bogus information”.
Contains:
• Different types of bogus credentials (Honeytokens)
• Stealthy beacons
• Embedded markers
Development:
• At the Intrusion Detection Systems Lab,
Columbia University
Introduction to decoy documents
Basic Idea:
Defend against the insider attack:
• Detect insider actions against the enterprise system as well
as individual hosts and laptops
• Report back to the control server or alert administrators
• Configure the system and set policies using the management
platform
Introduction to decoy documents
Existing solutions:
• Blocking exfiltration
• Prevention techniques
- User modeling and profiling
techniques, e.g. anomaly detection,
honeypots, etc.
- Policy and access
enforcement techniques,
e.g. limiting the scope of access
• Misuse detection
Proposed solutions:
• Monitoring and detection
techniques, used when
prevention techniques fail
• Trap-based defense
mechanisms
• Preventive disinformation
attack
Threat Model
1. Insider threats
• Malicious insiders
- Traitors
- Masqueraders
- Attacks (e.g., viruses and worms)
• Non-malicious insiders
2. Outsider threats
• Outsiders with internal network access
- Attacks (e.g., spyware and rootkits)
Threat Model
Level of sophistication of the attacker
1. Low - Direct observation
2. Medium - Thorough investigation; decisions based on other,
possibly outside, evidence
3. High - Supercomputers and other informed people who have
organizational information
4. Highly privileged - Aware of baiting and using tools to
analyze, avoid and disable decoys entirely
Generating and Distributing bait
Properties of decoy documents:
• Used to guide decoy design and maximize the deception
(achieved by hiding)
• Deception techniques: masking, repackaging, dazzling, mimicking,
inventing and decoying.
1. Believable - Appearing true.
Use realistic names, addresses and logins.
2. Enticing - Highly attractive.
Create decoys based on attacker interest (passwords,
credit card numbers).
Generating and Distributing bait
Properties of decoy documents (contd.):
3. Conspicuous - Easily visible or obvious to the eye or mind
4. Detectable - Access to it can be discovered, catching the attacker
in the act
5. Variability - The quality of being subject to variation
6. Non-interference - Easily identified by the actual user, so it does
not interfere with normal work
7. Differentiable - Constitutes a difference that distinguishes it
from real documents
Generating and Distributing bait
The Decoy Document Distributor (D3) System:
• Generates and places decoy documents within a file system.
• D3 is integrated with a variety of services to enable monitoring
of these decoy documents.
• http://sneakers.cs.columbia.edu:8080/fog/index.jsp
• http://www.alluresecurity.com
• Types of bait information:
- Online banking logins provided by a collaborating
financial institution,
- Login accounts for online servers, and
- Web based email accounts
Generating and Distributing bait
Design of Decoy Document:
1. A watermark is embedded in the binary format of the document
file to detect when the decoy is loaded in memory or egressed in
the open over a network.
2. A beacon is embedded in the decoy document that signals a
remote web site upon opening of the document, indicating the
malfeasance of an insider illicitly reading bait information.
3. If 1 and 2 fail, the content of the document contains bait
(honeytokens) and decoy information that is monitored as well.
Bogus logins at multiple organizations as well as bogus but
realistic bank information are monitored by external means.
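The third layer above, bait credentials that are "monitored by external means", is easiest to see in code. The Python below is an added illustration and is not part of the slides or of the D3 system: it generates bogus but realistic-looking login credentials for a decoy document, records them in a registry that maps each honeytoken back to the decoy it was placed in, renders the bait into a credentials file, and then scans authentication log lines for any attempted use of a honeytoken. The registry key, the log line format, the naming scheme and the sample log lines are all constructed for the example.

```python
"""Honeytoken generation and external monitoring (added example; the key,
log format, credential shapes and sample log lines are constructed)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed key; derives a short per-decoy tag so usernames stay unique.
REGISTRY_KEY = b"example-registry-key-change-me"


@dataclass
class Decoy:
    doc_id: str       # identifier of the decoy document the bait was placed in
    placed_at: str    # host and path where the decoy was dropped
    username: str     # bogus login that appears in the document body
    password: str
    service: str      # which (bogus) service the credential claims to be for


@dataclass
class Registry:
    by_username: dict = field(default_factory=dict)  # username -> Decoy

    def register(self, decoy: Decoy) -> None:
        self.by_username[decoy.username] = decoy

    def lookup(self, username: str):
        return self.by_username.get(username)


def make_decoy(doc_id: str, placed_at: str, service: str) -> Decoy:
    """Create bogus credentials for one decoy document. The username embeds a
    keyed tag (deterministic per decoy, so regeneration gives the same bait);
    the password is random so the pair looks like a real stored credential."""
    tag = hmac.new(REGISTRY_KEY, doc_id.encode(), hashlib.sha256).hexdigest()[:6]
    username = f"svc.{service}.{tag}"          # constructed naming scheme
    password = secrets.token_urlsafe(12)
    return Decoy(doc_id, placed_at, username, password, service)


def render_document(decoys) -> str:
    """Render the bait into the text a 'credentials.txt' decoy would contain."""
    lines = ["# Shared service accounts (do not distribute)"]
    for d in decoys:
        lines.append(f"{d.service}: user={d.username} pass={d.password}")
    return "\n".join(lines) + "\n"


# Constructed log format: "<ts> auth <service> user=<u> result=<r> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<service>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\w+) src=(?P<src>\S+)$"
)


def monitor(log_lines, registry: Registry):
    """Return one alert per attempted use of a registered honeytoken,
    whether the login succeeded or not; malformed lines are skipped."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        decoy = registry.lookup(m["user"])
        if decoy is None:
            continue
        alerts.append({
            "ts": m["ts"], "doc_id": decoy.doc_id, "placed_at": decoy.placed_at,
            "service": m["service"], "src": m["src"], "result": m["result"],
        })
    return alerts


def demo():
    """Place two decoys, then replay constructed log lines through the monitor."""
    registry = Registry()
    d1 = make_decoy("decoy-0001", "fileserver01:/finance/q3/", "vpn")
    d2 = make_decoy("decoy-0002", "laptop-hr-07:C:\\Users\\hr\\Desktop\\", "bank")
    for d in (d1, d2):
        registry.register(d)
    logs = [  # constructed: one legitimate login, one honeytoken attempt, one junk line
        "2024-05-01T09:00:00Z auth vpn user=alice result=ok src=10.0.0.5",
        f"2024-05-01T09:02:17Z auth vpn user={d1.username} result=fail src=203.0.113.9",
        "garbage line",
    ]
    return render_document([d1, d2]), monitor(logs, registry)


if __name__ == "__main__":
    document, found = demo()
    print(document)
    for alert in found:
        print("ALERT", alert)
```

The monitor alerts on failed attempts as well as successful ones: a honeytoken has no legitimate user, so any attempt at all means the bait was read, and the `doc_id` and `placed_at` fields say which decoy, and therefore which host, was touched.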
Generating and Distributing bait
Implementation:
1. Honeytokens - e.g., login credentials, banking credentials, etc.
2. Beacon
- Uses an obfuscation technique called Spectrum Shaping
- A unique token is used
- Document type and rendering environment influence the
data collection
- The signaling mechanism relies on the document type or a
stealthily embedded remote image
Generating and Distributing bait
Implementation (contd.):
3. Embedded Markers
- Constructed as a unique pattern of word tokens uniquely tied
to the document creator
- The sequence of word tokens is embedded within the beacon
document’s meta-data area or reformatted as comments
within the document format structure.
- The embedded markers can be used in Snort signatures for
detecting exfiltration.
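The embedded-marker idea above, shown as a working example. This Python is added here and is not code from the slides or from D3: it derives a creator-specific sequence of word tokens with an HMAC (so a marker cannot be forged or predicted without the key), embeds it as a comment in the document's own syntax, recovers it from an outbound payload even when the payload has been re-wrapped, and emits a Snort content rule for it. The key, word list, creator names, document and payload are constructed, the marker derivation is this example's own design, and the Snort `sid` is a placeholder in the local-rule range.

```python
"""Embedded markers tied to the document creator (added example; key, word
list, creators, document and payload are all constructed)."""
import hashlib
import hmac
import re

MARKER_KEY = b"example-marker-key"   # constructed; keep secret in practice
# Constructed word list: ordinary words so the marker reads like prose.
WORDS = ["harbor", "ledger", "maple", "quartz", "violet", "saddle", "pepper",
         "canyon", "ember", "tundra", "orbit", "lantern", "velvet", "marble",
         "cobalt", "timber"]
MARKER_LEN = 6


def marker_for(creator: str, doc_id: str) -> str:
    """Deterministic word sequence for (creator, document), keyed by HMAC."""
    msg = f"{creator}|{doc_id}".encode()
    digest = hmac.new(MARKER_KEY, msg, hashlib.sha256).digest()
    return " ".join(WORDS[b % len(WORDS)] for b in digest[:MARKER_LEN])


def embed(doc_text: str, marker: str) -> str:
    """Place the marker in a comment in the document's own format (HTML here),
    the 'reformatted as comments within the document format structure' case."""
    return doc_text.replace("</head>", f"<!-- {marker} -->\n</head>", 1)


def snort_rule(marker: str, sid: int) -> str:
    """Snort signature that fires when the marker leaves the network in the clear."""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"decoy document marker {sid}"; content:"{marker}"; '
            f'nocase; sid:{sid}; rev:1;)')


class MarkerIndex:
    """Registry of issued markers, used to attribute a captured payload."""

    def __init__(self):
        self._markers = {}   # marker text -> (creator, doc_id)

    def add(self, creator: str, doc_id: str) -> str:
        m = marker_for(creator, doc_id)
        self._markers[m] = (creator, doc_id)
        return m

    def scan(self, payload: bytes):
        """Return (creator, doc_id) for every registered marker in the payload.
        Whitespace is normalised so a line-wrapped copy still matches."""
        text = re.sub(rb"\s+", b" ", payload).decode("utf-8", "ignore").lower()
        return [info for m, info in self._markers.items() if m in text]


def demo():
    index = MarkerIndex()
    m_alice = index.add("alice@example.test", "budget-2024.html")
    index.add("bob@example.test", "roadmap.html")
    doc = embed("<html><head><title>Budget</title></head>"
                "<body>Q3 figures</body></html>", m_alice)
    # Constructed outbound payload: the decoy pasted into an upload, re-wrapped
    # so the first two spaces of the marker become line breaks.
    body = doc.replace(" ", "\n", 2)
    payload = ("POST /upload HTTP/1.1\r\nHost: drop.example\r\n\r\n" + body).encode()
    return doc, index.scan(payload), snort_rule(m_alice, 1000001)


if __name__ == "__main__":
    document, hits, rule = demo()
    print(document)
    print("attributed to:", hits)
    print(rule)
```

Like the watermark, this only catches a decoy that is egressed in the open; a compressed or encrypted copy must be caught by the beacon or by the honeytokens instead, which is why the slides layer all three.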
Questions