CrowdStrike Adds Honeytokens to Deceive Cybercriminals
CrowdStrike has extended the capabilities of its Falcon Identity Protection to make it simpler to deploy honeytokens: planted, decoy credentials whose use reveals that an attacker has harvested credentials and is trying to move laterally, along with the tools being used to evade detection.
In addition, the company has added tools to surface duplicate passwords in Microsoft Active Directory (AD) and support for analyzing Server Message Block (SMB) protocol traffic in real-time. SMB remains in wide use, particularly in organizations that still run legacy Windows environments.
Kapil Raina, vice president of zero-trust and identity marketing for CrowdStrike, said the honeytokens added to CrowdStrike’s endpoint agent software make it possible to identify the tactics and techniques used to attack an endpoint using the MITRE framework. The goal is to create honeytoken accounts in Microsoft AD without requiring additional configuration.
Microsoft AD is a high-value target because so many IT teams still use it to manage passwords that grant access to files and services, noted Raina. Poorly defended endpoints give cybercriminals access to these files and services into which they can dive deeper by, for example, escalating password privileges, he noted. Honeytokens provide a deception capability that makes that activity easier to detect: they are false credentials that grant no real access, so any attempt to authenticate with them is by definition suspicious and triggers an alert. Other names for honeytokens include canary tokens, canary traps or honey credentials.
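The mechanism described above reduces to a simple rule on the detection side: any authentication event that names a honeytoken account is an alert, because no legitimate process should ever use it. The following Python is an added example, not CrowdStrike's code or part of the original article. It assumes the SOC keeps a list of honeytoken account names (the names `svc_backup_admin` and `da_legacy` are hypothetical) and receives Windows Security events in the XML form that `Get-WinEvent` emits; the sample events are constructed. For Kerberos service-ticket requests (event 4769) it also checks `ServiceName`, since a honeytoken account given a decoy SPN will show up there when an attacker Kerberoasts it.

```python
"""Honeytoken account detection over Windows Security events (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Hypothetical honeytoken accounts created in AD purely as tripwires.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "da_legacy"}

# Authentication events whose TargetUserName is the account being authenticated.
AUTH_EVENT_IDS = {
    4768: "Kerberos TGT request",
    4769: "Kerberos service ticket request",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
    4624: "Logon success",
    4625: "Logon failure",
}

# Windows event XML lives in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass(frozen=True)
class HoneytokenAlert:
    event_id: int
    description: str
    account: str        # the honeytoken that was touched
    matched_field: str  # TargetUserName or ServiceName
    source: str         # requesting IP or workstation
    time: str


def normalize_account(name: str) -> str:
    """Reduce DOMAIN\\user and user@REALM forms to a lowercase bare name."""
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def parse_event(xml_text: str):
    """Return (event_id, time, {Data Name: value}) from one Security event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    time = root.find("e:System/e:TimeCreated", NS).get("SystemTime", "")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, time, data


def check_event(xml_text: str) -> Optional[HoneytokenAlert]:
    """Alert if an authentication event references a honeytoken account."""
    event_id, time, data = parse_event(xml_text)
    if event_id not in AUTH_EVENT_IDS:
        return None
    # ServiceName only matters for 4769 (the SPN account whose ticket was requested).
    fields = ["TargetUserName"] + (["ServiceName"] if event_id == 4769 else [])
    for field in fields:
        bare = normalize_account(data.get(field, ""))
        if bare in HONEYTOKEN_ACCOUNTS:
            # Kerberos/logon events carry IpAddress (often IPv4-mapped); NTLM carries Workstation.
            source = data.get("IpAddress") or data.get("Workstation") or "unknown"
            source = source.removeprefix("::ffff:")
            return HoneytokenAlert(event_id, AUTH_EVENT_IDS[event_id], bare, field, source, time)
    return None


def scan(events):
    """Run every event through check_event and keep the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


def _event(event_id, time, **fields):
    """Build a constructed Security event in Get-WinEvent XML form."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>{data}</EventData></Event>')


# Constructed sample events: a Kerberoast of the decoy SPN account, a normal logon,
# a process-creation event (ignored), and an NTLM check against the other decoy.
SAMPLE_EVENTS = [
    _event(4769, "2024-05-01T10:15:02Z", TargetUserName="jdoe@CORP.EXAMPLE",
           ServiceName="svc_backup_admin", IpAddress="::ffff:10.10.20.7",
           TicketEncryptionType="0x17"),
    _event(4624, "2024-05-01T10:15:05Z", TargetUserName="jdoe",
           TargetDomainName="CORP", IpAddress="::ffff:10.10.20.7", LogonType="3"),
    _event(4688, "2024-05-01T10:15:06Z", SubjectUserName="jdoe",
           NewProcessName="C:\\Windows\\System32\\cmd.exe"),
    _event(4776, "2024-05-01T10:16:40Z", TargetUserName="DA_Legacy",
           Workstation="WS042", Status="0xc000006a"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The 4769 alert is the important one for a decoy service account: the attacker never logs in as the honeytoken, they only request a ticket for its SPN, so a rule that watches only logon events misses it. The RC4 ticket encryption type (`0x17`) in the sample is typical of Kerberoasting tooling and is worth surfacing alongside the alert.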
Cyber deception assumes that attackers can and will eventually compromise an IT environment. Therefore, there is a need to slow them down by leading them toward dead ends and to trick them into revealing their presence. The goal is to discover breaches as close to the initial point of penetration as possible, decrease dwell times and create a detailed log of activity that can be used to identify the tactics and techniques being employed. Deception technologies can also reduce the total volume of alerts generated, since an alert on a decoy that no legitimate user should ever touch carries far less noise than one based on anomaly thresholds.
The challenge is that setting up cyber deception technologies takes time and effort, so CrowdStrike is making a case for reducing that effort using agent software that has already been deployed by its customers.
As cyberattacks continue to increase in volume and sophistication, it's never been more crucial for cybersecurity teams to understand the tactics and techniques being used to breach IT environments. Most cyberattacks follow a predictable pattern, so once the tactics and techniques are identified, the time required to put countermeasures in place drops considerably. Cybersecurity training also becomes far more effective when the team knows that the tactics and techniques used to build an attack simulation are ones actually observed rather than theoretical.
Many cybersecurity teams deploying deception technologies are surprised to discover the extent of the breaches already under way. While that may prove humbling for cybersecurity teams that naturally take a lot of pride in their skills, it is always better to understand adversaries, especially those that are adept at chaining multiple low-severity weaknesses into a far more damaging attack.