Honey Data: Data Leakage Prevention and Detection Strategy


Other groups may have a different name for the process described below, but Security Experiment has referred to it as “Honey Data.”

“Honey Data” can be a very valuable technique for detecting and responding to data leakage.  It is not to be confused with a “honey pot,” where whole systems may be set up to entice would-be attackers.  Using honey data involves introducing strategic records into production databases and resources: different databases within the organization are seeded with unique information, and a secure database is maintained of each honey record's location and content.  Because this information is so specific, known signatures for it can be created easily, and these signatures are generally granular enough not to generate false positives.  They could easily be incorporated into existing intrusion detection systems as well as specialized data leakage solutions such as Vontu, Vericept, and Verdasys.  This can be a very cost-effective way of detecting when data is leaving an organization and from which resources the leak originates.

In addition to customized network-based signatures, other means of detecting leaked information would also be in place.  Dummy accounts would include data such as working email addresses that the defending organization controls; those accounts can then be monitored for unsolicited traffic.  If one of the dummy accounts were to receive spam, it would indicate that the email address had been leaked and, since each seeded address is unique to its source, from which database the leak came.  This method could be applied to other media as well, such as postal addresses, IP addresses, and telephone numbers.  Another method of detection is data mining the Internet for our known honey data.  For example, one would not currently want to perform Google searches for legitimate customer private information, but we could perform Google, IRC, or file-sharing searches for our known honey data social security or account numbers.  The process could even be automated to run at an acceptable interval.
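The workflow of the two paragraphs above (seed each database with unique records, keep a separate registry of where each record lives, build a signature from them, and attribute any hit, whether from an egress sensor or from spam arriving at a dummy mailbox, back to the seeded source) as an added example in Python; this is not Security Experiment's code, and the database names, honey values and captured observations are constructed for illustration.

```python
import re
from collections import defaultdict


class HoneyRegistry:
    """The separately protected store of honey-data locations and contents."""
    MIN_LEN = 8  # short values collide with real data and cause false positives

    def __init__(self):
        self._by_value = {}  # lower-cased honey value -> (source database, column)

    def seed(self, source, column, value):
        """Record that `value` was planted in `source`.`column`; every value must be unique."""
        key = value.lower()
        if len(key) < self.MIN_LEN:
            raise ValueError(f"too short to be a reliable signature: {value!r}")
        if key in self._by_value:  # a hit must trace back to exactly one source
            raise ValueError(f"already planted elsewhere: {value!r}")
        self._by_value[key] = (source, column)

    def signature(self):
        """One IDS-style regex matching any planted value, longest alternative first."""
        alts = sorted((re.escape(v) for v in self._by_value), key=len, reverse=True)
        return re.compile("|".join(alts), re.IGNORECASE)

    def scan(self, text):
        """(source, column) for each honey value found in an egress payload, mail header or search result."""
        if not self._by_value:
            return []
        return [self._by_value[m.group(0).lower()] for m in self.signature().finditer(text)]


def attribute_leak(registry, observations):
    """Map each (channel, text) observation that contains honey data back to the seeded database."""
    hits = defaultdict(set)
    for channel, text in observations:
        for source, column in registry.scan(text):
            hits[source].add((channel, column))
    return dict(hits)


# Constructed sample data; example.com is a reserved placeholder domain.
REGISTRY = HoneyRegistry()
REGISTRY.seed("crm_prod", "email", "tobias.wrenfield@example.com")
REGISTRY.seed("billing_prod", "account_no", "ACCT-7731-9920-4418")
# Constructed observations: an egress sensor capture, unsolicited mail arriving at a
# monitored dummy mailbox, and benign traffic that must not produce a hit.
OBSERVATIONS = [
    ("egress", 'POST /upload body="name=Tobias Wrenfield&acct=ACCT-7731-9920-4418"'),
    ("inbound-mail", "To: Tobias.Wrenfield@example.com Subject: Limited time offer"),
    ("egress", "GET /status HTTP/1.1"),
]
```

`attribute_leak(REGISTRY, OBSERVATIONS)` reports the account number leaving through the egress channel from `billing_prod` and the seeded address from `crm_prod` being spammed, while the benign request produces nothing.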

Honey data can sometimes be your last line of detection.  If a determined attacker succeeds in stealing information, honey data techniques may still detect the breach through the planted misinformation.  It is not infeasible for an attacker to encrypt information in order to bypass detection at an organization’s egress points; however, once the stolen information is acted upon, detection will not be easily avoided by the attacker.

As with any solution, there are some considerations to be aware of.  These include who has access to the honey data database and who knows which records are honey data.  Special caution must also be taken to avoid the unintentional use of honey data, which could unknowingly affect business decisions.

Look for more research on honey data by Security Experiment in the near future.


This page contains a single entry by Paul published on January 14, 2008 10:27 AM.
