World-wide data infrastructure has grown in size and complexity due to consolidation, centralization and virtualization trends over the last 10 years. Being able to discriminate quickly between large-scale non-directional attacks and targeted APTs (advanced persistent threats), or between script kiddies and experienced hackers, is key to protecting critical IT infrastructures. While the first case can easily be handled by existing solutions, the latter raises significant challenges. Honeytokens and honeypots form an extremely efficient intrusion detection approach based on setting traps for hackers by deliberately placing enticing resources within existing environments. Previous research has used honeypots to understand hacking TTPs (tactics, techniques and procedures) and to generate more realistic honeytokens. In this paper we build on existing results to quickly categorize attacks, map the attacker persona and focus on targeted attacks. We influence the execution flow by trapping the attackers in a maze with three purposes. The first aim is to distract them from the real data and to understand their motivation; this is done by placing low-hanging fruit in their path. The second aim is to get to know the attackers, gather forensic evidence and use this information to adapt incident response. The last goal is the most difficult: to completely remove the threat by revealing the attackers' identity, getting in contact, handing them over to law enforcement agencies, or deterring them. We deploy a series of interconnected honeytokens that work together as a whole. Each honeytoken has an exploitation difficulty, in order to map out the attacker's skills, and leads to the next honeytoken, thus forming a real-world hacking scenario. We are also analysing the possibility of deploying dynamic traps based on how the attack develops in real time.
From a technical perspective we propose a zero-touch approach for existing environments, by deploying the honeytokens as a service in the cloud, with minimum overhead for the customer.
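As an added illustration (not code from the paper), the following Python replays constructed honeytoken trigger events against a hypothetical maze of chained tokens, each with an exploitation difficulty, and profiles every source by how deep it got and whether it followed the intended chain, which is the detection-side view of the categorization the abstract describes. Token names, difficulties and log lines are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical maze (constructed): token id -> (exploitation difficulty 1..5, next token).
MAZE = {
    "robots_txt_path": (1, "admin_login"),
    "admin_login": (2, "leaked_api_key"),
    "leaked_api_key": (3, "internal_bucket"),
    "internal_bucket": (4, "db_dump_creds"),
    "db_dump_creds": (5, None),
}

# Constructed trigger log, one line per honeytoken access: "<iso time> <source> <token>".
SAMPLE_LOG = [
    "2024-03-01T10:00:00 203.0.113.7 robots_txt_path",
    "2024-03-01T10:00:01 203.0.113.8 robots_txt_path",
    "2024-03-01T10:00:02 198.51.100.4 leaked_api_key",
    "2024-03-01T10:05:00 203.0.113.7 admin_login",
    "2024-03-01T11:40:00 203.0.113.7 leaked_api_key",
    "2024-03-01T12:10:00 203.0.113.7 internal_bucket",
]

def chains_by_source(lines):
    """Group triggers by source and order them in time; unknown tokens are ignored."""
    chains = defaultdict(list)
    for line in lines:
        ts, src, token = line.split()
        if token in MAZE:
            chains[src].append((datetime.fromisoformat(ts), token))
    return {src: sorted(events) for src, events in chains.items()}

def profile(events):
    """Estimate skill and intent from one source's time-ordered honeytoken triggers."""
    tokens = [t for _, t in events]
    max_diff = max(MAZE[t][0] for t in tokens)
    # Did each trigger lead to the token the maze points to next?
    followed = all(MAZE[a][1] == b for a, b in zip(tokens, tokens[1:]))
    duration = (events[-1][0] - events[0][0]).total_seconds()
    if followed and len(tokens) > 1 and max_diff >= 3:
        category = "targeted"         # walked the maze past the low-hanging fruit
    elif len(tokens) == 1 and max_diff == 1:
        category = "non-directional"  # a single hit on the easiest bait
    else:
        category = "undetermined"     # e.g. deep token reached without the chain
    return {"max_difficulty": max_diff, "followed_order": followed,
            "duration_s": duration, "category": category}

def profile_all(lines):
    return {src: profile(ev) for src, ev in chains_by_source(lines).items()}
```

A source that jumps straight to a deep token without touching the earlier breadcrumbs is deliberately left "undetermined", since the chain alone cannot tell prior knowledge from luck.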