Honey File Monitoring
This time, we are going to discuss honey file monitoring.
What is a Honey File?
In a nutshell, a honey file is a fake file intentionally placed in a shared folder or other location in order to detect the presence of an attacker or insider. The original idea came from the honeypot, a deliberately vulnerable machine on the network used to detect attackers or to study their behavior. The idea has since evolved into different types of detection, including honey users, honey credentials, honey tokens, honey files, and honey database records.
Things to remember
The first thing to remember is: DO NOT intentionally set up any trap that can lead someone to commit a crime. For instance, DO NOT put a copyrighted file on the internet, lure someone into downloading it, and then sue them. In fact, you are committing a crime in that case. On the contrary, the aim of a honey file or honeypot is to attract the attention of cyber criminals who already intend to commit a crime.
Basically, honey detection strategies and their actual implementation depend on what you are trying to detect, your assumptions, and the risk your organization can accept. I have seen many organizations refuse to consider any kind of honeypot, including virtual honeypots, because they think the risk is too high. So, what is attractive to an attacker and also beneficial to us as defenders? Ideally, you want your adversaries to discover it at the earliest stage, so that the blue team has enough time to handle it before the attacker causes damage. For instance, we found that honey user names such as backup or test always appeared in the first round of attempts. For honey file names, we found that attackers will first try to locate keywords such as password, key, network diagram, inventory and IP address, which allow them to pivot further into other computers or networks.
Options for honey file setup
So, what are our options? The two most common options for honey file monitoring are a dedicated file server and honey files placed on an existing file server.
First, we will discuss the dedicated file server, which minimizes log volume and catches whoever accesses the server. Of course, you will need to filter out access from vulnerability scanners or inventory scanning tools. In general, you may detect unauthorized network scans, enumeration or lateral movement, and all of these should be investigated further.
On the other hand, if you decide to place honey files on existing file server(s), you can either set a SACL on the particular honey file(s) or configure the “Audit Detailed File Share” policy to monitor all file access. The first option has a higher chance of catching an insider, but it creates more false positives. The second option needs much more storage and, if you are using a commercial SIEM, more license cost. However, it gives us more insight and context during an investigation.
So, how do we choose which Event Code or settings to use for honey file monitoring with Splunk while consuming the minimum license usage? As an illustration, below is a summary of the Event Codes related to share-folder-level logging and NTFS-file-system-level logging.
Comparison of different options
GPO Settings/SACL Settings | Event ID | Indicates Access Denied? | Description |
---|---|---|---|
Object Access -> Audit File Share | 5140, 5142, 5143, 5144 | No Failure events | Share-folder-level logging with username and source IP (includes SYSVOL & IPC$) |
Object Access -> Audit Detailed File Share | 5145 | Yes | Share-folder-level logging with username, source IP and actual file path (includes SYSVOL & IPC$) |
Object Access -> Audit File System and SACL | 4663 | No Failure events | NTFS-file-system-level logging, including local access, with username but not source IP address; can target a single file or folder with specified actions |
Object Access -> Audit Handle Manipulation and Object Access -> Audit File System and SACL | 4656 | Yes | NTFS-file-system-level logging, including local access; can target a single file or folder with specified actions |
Recommendation
If there is a dedicated honey file sharing server with no other production usage, then I will definitely choose Event ID 5145 and grant permission on the honey file to everyone. It provides the source IP address, which immediately gives the analyst a direction for the investigation.
On the other hand, if the use case is to place a honey file on every file server, I will still choose Event ID 5145, but deny access to the honey file for everyone. In this case, turn on only failure auditing in the GPO.
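As an added example (not from the original post), the detection logic behind these two recommendations run in Python over constructed Event ID 5145 records: on the dedicated server, any non-allowlisted access to a honey file is an alert, while on shared production servers only failure events count. The field names (Account_Name, Source_Address, Share_Name, Relative_Target_Name, Keywords) are assumed to match what the Splunk Windows add-on extracts from 5145; the paths, IPs and account names are constructed.

```python
import fnmatch
from dataclasses import dataclass

# Honey-file paths relative to the share root (constructed for this example).
HONEY_FILES = [r"Finance\passwords.xlsx", r"IT\network_diagram*.vsdx"]
# Sources that legitimately touch every file, e.g. a vulnerability scanner (constructed).
SCANNER_ALLOWLIST = {"10.0.0.5"}
# 5145 also fires for SYSVOL and IPC$, which never hold a honey file.
IGNORED_SHARES = {r"\\*\IPC$", r"\\*\SYSVOL"}

@dataclass(frozen=True)
class Alert:
    user: str
    source_ip: str
    share: str
    path: str
    outcome: str  # "Audit Success" or "Audit Failure"

def is_honey_file(relative_target: str) -> bool:
    """Case-insensitive match of Relative_Target_Name against the honey list."""
    return any(fnmatch.fnmatchcase(relative_target.lower(), p.lower()) for p in HONEY_FILES)

def detect(events, failure_only=False):
    """One Alert per 5145 event touching a honey file.  failure_only=True models
    the production-server setup: honey file denied to everyone, failure auditing only."""
    alerts = []
    for e in events:
        if e.get("EventCode") != 5145:          # 4663/4656 carry no source IP
            continue
        if e["Share_Name"] in IGNORED_SHARES or e["Source_Address"] in SCANNER_ALLOWLIST:
            continue
        if failure_only and e["Keywords"] != "Audit Failure":
            continue
        if is_honey_file(e["Relative_Target_Name"]):
            alerts.append(Alert(e["Account_Name"], e["Source_Address"], e["Share_Name"],
                                e["Relative_Target_Name"], e["Keywords"]))
    return alerts

def event(user, ip, share, target, keywords="Audit Success", code=5145):
    """Constructed record using the Splunk Windows add-on field names for 5145 (assumed)."""
    return {"EventCode": code, "Keywords": keywords, "Account_Name": user,
            "Source_Address": ip, "Share_Name": share, "Relative_Target_Name": target}

SAMPLE_EVENTS = [  # constructed
    event("svc_scanner", "10.0.0.5", r"\\*\HoneyShare", r"Finance\passwords.xlsx"),
    event("jsmith", "10.0.1.23", r"\\*\HoneyShare", r"finance\PASSWORDS.xlsx"),
    event("jsmith", "10.0.1.23", r"\\*\IPC$", "srvsvc"),
    event("contractor01", "10.0.2.7", r"\\*\Data", r"IT\network_diagram_2023.vsdx", "Audit Failure"),
    event("contractor01", "10.0.2.7", r"\\*\Data", r"IT\readme.txt"),
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts (jsmith on the dedicated share, contractor01 denied on the production share); `detect(SAMPLE_EVENTS, failure_only=True)` keeps only the second.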
Reference for SACL: https://petri.com/how-to-audit-permission-changes-on-windows-file-servers