What Are Honey Tokens?

A honey token is data that looks attractive to cyber criminals but, in reality, is useless to them. Generally speaking, a “honey” asset is a fake IT resource created and positioned in a system or network to get cyber criminals to attack it. In this way, honey tokens are similar to honeypots. 

However, while honeypots can be fake servers or other types of resources, honey tokens hold data that an attacker takes with them, unknowingly revealing information that helps IT teams prevent future attacks or go after the attacker.

Honey tokens have data made and monitored to catch digital thieves. They contain a marker, which is fake data that looks like a valuable asset to a thief but has no real value for the organization. Once this data has been taken, it can be used to track the attacker, regardless of whether they launched their attack from outside the organization or within.

What Is a Honeypot vs. Honey Token?

In the world of cybersecurity, organizations attempting to protect themselves from attackers often take a defensive stance, engaging in a high-tech chase of finding and catching cyber criminals. Honeytokens and honeypots represent a slightly different tack. Organizations use them as tools to strike back—proactively go after cyber criminals by fooling them into revealing themselves and information about their methods.

A honeypot is a fake system deployed next to your genuine digital assets. It is made to look attractive to an attacker, and when the criminal falls for the bait, not only do they waste their resources on a useless system or fake data but they also reveal crucial information about the nature of their attack strategy.

On the other hand, honey tokens are more of a way to identify attackers. They are used to track malicious actors, revealing critical information about their identity and the methods they use to exploit a system.

Types of Honey Tokens

There are various kinds of honey tokens, each designed for different methods of deployment. Each type can provide critical information about the attacker and how they attempt to penetrate a system.

Fake Email Addresses

Fake email addresses can draw in unsuspecting bad actors, causing them to divulge personal information, usernames and passwords, and information about the organizations they work for. You can set up a fake email account using names you randomly make up or even the names of celebrities attackers may not be familiar with. After you set them up, you leave them inactive, but make sure they are easy for attackers to discover on your mail server or somewhere else that is relatively easy for an attacker to access.

Because no one actually uses the fake email addresses, the only way they can get attacked with phishing emails or spam messages is if those messages come from someone who was able to hack into the internal email or web server and access a list of email addresses. Alongside fake email addresses, you can also use honey credentials, which are fake passwords, to entice attackers.

Fake Database Data

Fake database data are fabricated records with names that are attractive to cyber criminals. You can also put fake data into an existing database. When an attacker falls for the bait, they steal the data, and in the process, take the honeytoken with them. This then enables you to pinpoint a specific weakness in your security that allowed them to get inside, for example. You may also find other types of loopholes, such as a mistake—or calculated move—at the administration level.

Fake Executable Files

Fake executable files are, in some ways, similar to malware, except you create them and use them against an attacker. They are applications or software programs that contain a switch that sends information back to you after an attacker runs them. The switch, once activated, can provide you with valuable information, such as the Internet Protocol (IP) address of the hacker and usernames associated with the hacker’s system.

In this way, an organization is able to, in effect, hack back. Fake executable files can even damage the attacker’s system. However, they may only work if the attacker does not adequately protect their machine from these kinds of “attacks.” For example, if they block their external ports while running the program, the information you need will not be relayed back to your organization.

Web Beacons

A web beacon refers to a link to an object inside a file. The file can be very small and hard to see with the naked eye, such as a transparent graphic that is only one pixel in size. After a document that has the beacon in it gets opened, the web beacon sends a message back to your IT team with details about the attacker’s system, as well as where it is on the internet.

However, a web beacon has a similar vulnerability as a fake executable file. If the attacker has a firewall around their machine that prevents it from transmitting outgoing information, the defending organization will not get any information.

Browser Cookies

With browser cookies, you may be able to get around a hacker’s attempt to neutralize strategies like fake executables and web beacons that depend on their external transmission ports being open. Browser cookies provide you with information about what a hacker does online, similar to how Google or Bing gathers information about visitors.

This method is often successful because a hacker, or someone in their network, may neglect to clear their browser cache or otherwise conceal their online activity. This is a relatively common oversight, and it can leave a hacker open to sharing critical information about their behavior.

Canary Traps

A canary trap is created based on the idea that the “canary” acts like a snitch, “singing” out information about an organization. The honeytoken gets placed inside a file that someone who wants to leak information will be attracted to. For example, you can put a honeytoken in a fake accounting spreadsheet that appears to reveal secret information about the company’s finances.

You can also place a honeytoken within a legitimately valuable resource, knowing there is someone in the organization that will likely leak that file. For instance, you can put it inside an internal bulletin that gets sent only to company employees. Each bulletin can have an identifier embedded within that is unique to the person who receives it. When the “canary” sends it to someone outside the organization, the token can help you identify the mole.

AWS Keys

Amazon Web Services (AWS) makes use of keys, which are digitally signed, to unlock specific areas within its infrastructure designed to limit access. The keys can be placed within text files, on desktops, inside GitHub repositories, and other areas.

Cyber criminals are naturally attracted to these keys for a variety of reasons. For one, an AWS key can be leveraged to gain control over a company’s infrastructure. When a hacker gets their hands on one of these keys, they can obtain administrator privileges and make changes to the flow of data and applications. This can be used to sabotage or reroute valuable digital assets toward the hacker’s system. Even if an attacker is unable to acquire a key as valuable as one that grants administrator privileges, they can still use a key with lower-level credentials to steal other information, escalate their privileges, or crack other aspects of the system.

As an organization, you can use the hacker’s desires against them, and using AWS keys as honeytokens is fairly straightforward. To use an AWS key, the individual must first test it. Each of the AWS keys issued by Amazon has a built-in logging mechanism. When the attacker tests out the key, this activity is logged, so all an IT team has to do is deploy fake keys.

Are Honey Tokens Effective in Identifying Cyberattackers?

Honey tokens can be a very effective tool in identifying cyberattackers because they send you specific information about the attacker that you would not otherwise be able to glean. For example, if a malware attack successfully penetrates your system, it may be impossible—and at the very least, difficult—to figure out the IP address of the attacker. With a honey token, once the attacker opens the file with the token inside, you are instantly given their IP address. For this reason, the European Union Agency for Cybersecurity (ENISA) has specifically recommended the use of honeypots and honey tokens to trap or ensnare cyber criminals.

However, honey tokens alone are not sufficient to protect your organization's infrastructure. While they can help you identify attackers and reveal vulnerabilities in your system, they cannot prevent attacks without the help of other security tools, such as next-generation firewalls (NGFWs) or secure web gateways (SWGs).