SBN

Honeytoken Adventure: From Beta to Beyond

Honeytoken Adventure: From Beta to Beyond

This is a journey that's taken us through twists and turns, challenges and triumphs. We are excited to take you behind the scenes of a project that's been close to our hearts and has ignited conversations in the tech world. We're diving into the journey of GitGuardian Honeytoken, a story of innovation, security, and a touch of digital intrigue.

Let's start with what Honeytoken is all about. At its core, it's a decoy hardcoded secret that can trigger alerts when used, reducing your mean time to detect any potential intrusions. In a keynote titled "The State of Cybersecurity – Year in Review," Mandiant/Google Cloud CEO Kevin Mandia underscored the significance of honeytokens as an indispensable tool for detecting intruders, particularly in scenarios where other security products might fall short. This sentiment resonates deeply with us. Our journey with Honeytoken began three months ago when we launched it in beta. This phase has been instrumental in refining our creation and gathering valuable feedback from our users. And now, with pride, we announce that Honeytoken has emerged from its cocoon, ready to make an impact on all our customers.

We have showcased Honeytoken's potential at conferences like DEFCON, Bsides, and RSA. We guided numerous individuals through a blue team capture the flag exercise that showcased the power of using honeytokens in detecting potential leaks. This simple yet powerful concept sparked thought-provoking discussions and was fueled by genuine curiosity and excitement. These interactions reinforced the importance of what we were building.

So, why did we venture into the realm of Honeytoken?

The answer lies in the increasingly intricate supply chain of modern software. In a world where safeguarding applications and cloud security is paramount, the reality is that achieving zero risk remains a challenging goal, even if you do everything by the (security) book. Hackers today have mastered the art of exploiting secrets, seeking that one flaw in the armor that grants them access to scores – even millions – of potential target companies.

Claroty

We witnessed this rise in ecosystem-style supply chain attacks that exploit secrets. A notable example is the CircleCI incident, where attackers accessed a CircleCI engineer's endpoints. From there, they used the secrets they found in the source code to gain higher privileges and move around within the organization. They accessed production databases, GitHub OAuth tokens of CircleCI customers, and other sensitive build information.

Interestingly, one savvy CircleCI customer had set up an AWS honeytoken alongside their actual build secrets. This acted as a decoy, and when the attacker tried to scan for secrets, they triggered this honeytoken. This alerted the user to the potential compromise, and they promptly informed CircleCI about the issue. This customer was among the first to know about the breach, even before it was officially disclosed.

Sometimes, it's not just your own account that's compromised due to leaked credentials or brute force attacks. Remember that providers can also be breached, and attackers will attempt to access their customers' secrets.

It struck us deeply how companies often took too long – sometimes months – to realize when their dev and build environments had been breached. This is why we believe that an additional layer of intrusion detection is critical for organizations that want to stay ahead of attackers.

Honeytoken Adventure: From Beta to Beyond
Attackers are exploiting every secret they can find

The solution was clear. Instead of passively defending, we decided to outsmart potential attackers by deliberately exposing decoy secrets in users’ supply chains, tempting attackers to exploit them for further lateral movement. And thus, GitGuardian Honeytoken was born. Our honeytokens safeguard not only your code but also the vendors in your software supply chain. Defenders’ can now use secrets to their advantage to detect once attackers have breached their systems and contain the breach early before they can inflict any significant damage.

With the Honeytoken dashboard or API, users can effortlessly create and manage hundreds, or possibly thousands, of honeytokens. This flexibility allows for wide coverage across all systems, ensuring comprehensive security. They are agnostic and can be strategically scattered anywhere across the software delivery pipeline to trick and trap attackers. Whether it's Source Control Management, Continuous Integration & Continuous Deployment, software artifact registries, productivity tools, or even developer laptops, these decoy AWS access keys beckon malicious actors. Even beyond the software realm, our honeytokens extend their protective reach into the cloud infrastructure. Placing honeytokens in cloud assets such as S3 buckets or databases ensures that attackers attempting to infiltrate your cloud infrastructure without access to the code are promptly detected and trapped.

Little do attackers know, these traps never grant access to actual customer data or systems. Instead, these decoy access keys serve as early breach detection triggers, generating high-fidelity alerts that not only notify security teams but also provide valuable information about the intrusion's source.

🔉
"Slowing down an adversary is one of the least valuable uses of a canary token. The most valuable thing is a sensor. It’s like a tripwire that tells you where an adversary has been" – Andy Ellis, ex-CSO at Akamai Technologies

In most cases, attackers follow predictable patterns. Instead of manually searching for secrets, they often rely on open-source secrets scanning tools like TruffleHog and GitLeaks. This means the file names or how the decoy secrets are placed don't have to be overly convincing. We designed our honeytokens to be triggered by all types of tools that scan for secrets, effectively fooling attackers into exposing themselves.

Honeytoken is a tailored solution designed to thwart DevOps intrusions. While the concept isn't new, having a way to detect real-time intrusions in the supply chain was missing. We saw that traditional methods like honeypots had their limitations, so we set out to create a simpler and more cost-effective solution. Honeytokens are much easier to implement, maintain, and manage than honeypots since there's no additional cloud infrastructure to handle on your end. Plus, with the automated dissemination of honeytokens, you will need fewer resources.

During the beta phase, we introduced several key features of Honeytoken that received overwhelmingly positive feedback from our users. Here's a closer look at these features and why they garnered acclaim.

Key Honeytoken features

Centralized management dashboard for honeytokens

The intuitive user interface provides a centralized view of all honeytokens associated with your workspace. This feature allows for easy oversight, ensuring that honeytokens are effectively placed and monitored.

Honeytokens are, by default, listed by most recently created first. Each honeytoken is characterized by its name, type, and optional description, providing contextual clarity. The source field indicates the repository location where the honeytoken is detected upon deployment in your private repos.

The labels you create offer flexibility for easy categorization and organization, ensuring precise placement of honeytokens. For effective tracking, statuses include Active, Triggered, and Revoked, with triggered honeytokens displaying the trigger date. The filtering options facilitate quick access and prioritization of your events.

Honeytoken Adventure: From Beta to Beyond
Table of honeytokens

Instant alerts for triggered and publicly exposed honeytokens

The platform promptly sends email alerts with crucial details whenever a honeytoken is triggered. This ensures you're at the forefront of any potential threat, enabling swift action when needed.

Your security operations or SOC teams are instantly notified, integrating the incident into your workflow, be it your security information and event management (SIEM), IT service management (ITSM), or ChatOps systems. Based on threat indicators, you can determine whether additional action or an incident response plan is warranted.

Honeytoken Adventure: From Beta to Beyond
Email alerting

Source detection

The GitGuardian platform recognizes the location (including the repository and file name) of a deployed honeytoken within your perimeter. This ensures accurate tracking and monitoring of honeytokens in private repositories.

On the honeytoken detail page, you'll find the number of open secrets incidents detected in that repository, along with a direct link to the repo and file. If that honeytoken is triggered, you need to tackle those secrets first.

Honeytoken Adventure: From Beta to Beyond
Source detection

This way, Honeytoken works in tandem with the platform's Secrets Detection capabilities.

Integrated into the GitGuardian platform, honeytokens are automatically identified, preventing unnecessary alerts in the dashboard. This means you won't be inundated with false alarms about secrets incidents, saving your security team valuable time in investigation and response efforts. We know this is something important for defenders, and this precision in alerting greatly enhances security operations.

Simple and easy way to test honeytokens

Testing honeytokens is made convenient through a modal with terminal commands. This feature allows you to verify the effectiveness of your honeytokens in triggering alerts.

By clicking the "How to test your honeytoken" link, you can access this modal.

Honeytoken Adventure: From Beta to Beyond
Testing your honeytoken

Comprehensive event logs for thorough analysis

🔉
One of our beta customers aptly noted, “I recently saw the Honeytoken beta, and I'm impressed with the concept, level of detail, and information they provide when honeytokens are triggered.” – Security Architect at an Independent Software Vendor (ISV)

The Honeytoken detail page provides a log of every event where the honeytoken was triggered. This data is invaluable for in-depth analysis and understanding of each event. It includes:

  • Timestamp of the trigger event.
  • The IP address of the person or entity that activated the honeytoken.
  • Tags associated with the event.
  • User-agent details describing the operating system, device type, and browser/software used for the request.
  • Specific action attempted when the honeytoken was in use.
Honeytoken Adventure: From Beta to Beyond
Incident details view

IP Tagging for event origin analysis

Custom rules can be set up to assign tags based on IP addresses, allowing for differentiation of events based on their origin, like internal IPs. This feature enhances precision in threat analysis.

Managing this feature is simple through the Settings > Honeytoken > IP tags section.

Honeytoken Adventure: From Beta to Beyond
Creating custom rules for IP tags

GitGuardian also automatically tags events originating from GitGuardian Public Monitoring IPs (used for monitoring public GitHub) and AWS internal IPs for events within AWS. These tags are applied when a honeytoken is publicly leaked on GitHub. You can efficiently manage events by filtering based on these tags.

Honeytoken Adventure: From Beta to Beyond
Future IP-matching events will be tagged accordingly

To enhance clarity, we've added country flags next to IP addresses in the Events table. This helps you identify the origin of events more precisely, making it easier to spot potential threats.

Honeytoken Adventure: From Beta to Beyond
Country flags next to IP addresses

Code leakage detection on public GitHub

This one is a favorite among our users! Honeytoken offers a powerful capability – the ability to swiftly identify a code leak.

🔉
As one of our beta customers said, “During the trial, I discovered that GitGuardian can detect when a token has been leaked on public GitHub repositories. This will help us take swift action to mitigate the potential security risks associated with code leakage.”

If a honeytoken ends up in a public GitHub repository, GitGuardian Public Monitoring quickly detects it. You'll receive an immediate alert, and these identified honeytokens are labeled as "Publicly Exposed". With a simple click, you can access a window displaying every public GitHub commit where your honeytoken was found. This way, you can efficiently handle these incidents and concentrate on safeguarding your other secrets.

Honeytoken Adventure: From Beta to Beyond
Code leakage detection

What's next for Honeytoken?

Our beta program garnered immense interest, with over 700 eager minds joining the waitlist. We are deeply grateful to our beta testing community for their valuable support in shaping Honeytoken's journey. Several accounts created honeytokens as we granted them access to Honeytoken. Our success was anchored in the platform's mature features that resonated with beta testers. We're especially thrilled to share that our first customers emerged from the beta phase – an affirmation of Honeytoken's future potential.

And speaking of the future, as we transition beyond beta, here's a sneak peek at what's in store:

  • Expanding to on-prem customers: We understand that one size doesn't fit all. That's why we're working on making Honeytoken compatible with self-hosted installations.
  • Automating honeytoken dissemination: Addressing a common request from our beta users, we're currently developing an automated dissemination process for honeytokens. Recognizing that manual insertion can be time-consuming, this enhancement will enable large enterprises to efficiently deploy and manage honeytokens at scale within their code repositories through automated pull requests.
💡
AI for Honeytoken: We are exploring the possibilities of integrating advanced LLM models like OpenAI, for example, to create relevant contexts to insert honeytokens dynamically. While we use AI to elevate Honeytoken's effectiveness, we want to provide flexibility for individual preferences. Hence, we will also develop static content templates as fallback options
  • Diverse honeytoken types: We're not stopping at AWS key pairs. Our team is exploring the implementation of additional honeytoken types.

Honeytoken is now yours to explore, deploy, and embrace wherever your supply chain security journey leads you. As always, keep a watchful eye on our release notes and public roadmap. The journey continues, and with Honeytoken by our side, together, we will step into a future where vigilance meets innovation.

If you're already a GitGuardian customer, access this new capability through the new Honeytoken tab in your dashboard. If you haven't signed up for GitGuardian Secrets Detection yet, you can do so for free. This will not only help you locate hardcoded secrets in your code but also provide you with 5 free honeytokens.

For a seamless setup, you can refer to our step-by-step guide. At GitGuardian, we're dedicated to keeping you safe, and with Honeytoken, we are helping to turn the tables on attackers and fight them back faster!

*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Automated Secrets Detection authored by Soujanya Ain. Read the original post at: https://blog.gitguardian.com/untitled/

Application Security Check Up