
Hey everyone, what's going on? Welcome to the ogpgh conference. Thank you so much for hopping into my chat today. My name is Alexandra Parisi, and I'll be talking to you about the importance of identifying crown jewels for honey tokens.

A little bit about my background: I'm pursuing my master's degree at the Heinz College at Carnegie Mellon University in information security policy and management. I'll be graduating this May. It's getting going, and I'm excited. My background is in international relations and international security studies at the university where I pursued my bachelor's degree. While I really love my undergraduate degree work, of course I found cybersecurity through that. I really like cybersecurity and international relations because I can bring both sectors of knowledge together, and I find that in threat intelligence, which is really where I'd like to focus in cybersecurity, both understandings together kind of bridge the gap between international affairs and the technical side of cybersecurity. It morphs together to understand how the world works and the different threats, and I find that pretty exciting. With that, I find my other interests in APT groups and that whole side of research, and then of course my other interest, as you see on the screen, is learning OSINT tools and kind of the nitty-gritty through that.

A little bit on what led me to today's topic is my work history. This summer I worked remotely for a Fortune 200 company as a threat intelligence intern for the cybersecurity and assurance division. I learned about the importance of crown jewels and how those are essential to organizations, especially global companies, and then through that I learned about the concept of honey tokens and how those come into play with crown jewels. Currently I'm a threat analysis graduate research assistant at the Software Engineering Institute. I've been there for about two years now. Aside from my summer work, I learned about ransomware threats and worked on a collaborative publication with that, and now I'm currently working on a threat report research assignment. So without further ado, let's just get into it.

So what exactly is a honey token? What am I talking to you about? A honey token is essentially everything a honeypot is, but it's not a computer system. Digital lures or digital tripwires are distributed on a network with the intent primarily to catch insider threats; however, the overall intent is just to catch suspicious activity or anything unusual on a network. For example, a set of AWS client or secret keys is dropped in a configuration file that only trusted and specified staff should be allowed to access. Once it's used or accessed, the honey token is tripped, and whoever dropped that honey token is triggered and alerted, whether that's phone, email, whatever the system has it set up as, and then it's up to that person to decide the next steps.

What's important to note here is that these tokens are meant to be left alone. They're not set up like "all right, let's get these bad boys triggered." No, they're meant to be left alone on your network. If they're triggered, then something isn't right, aside from the possibility of false positives. You don't want to touch them. You really want to hope that no one is touching them, because if so, then there's likely a problem; you know, someone's snooping on your network.

So what is a honey token, really? This is a non-exhaustive list, but these are just some of the many I have discovered, and I'm not going to read them all to you, but some of them could be macro Excel or Word files, documents, Google Docs, AWS API keys, QR codes (that's a new one that I discovered; it's becoming more and more popular with bigger production companies, which I think is just really incredible), clone sites, DNS. You can see all the rest there. There are definitely a lot of possibilities, and there are way more than this; these are just some of the ones I found are pretty popular.

This summer, a tool that I personally had experience with and learned more about each day is a tool called Thinkst Canary; they're known as canary tokens. Canary tokens are hardware, virtual, or cloud-based birds that are configured and deployed throughout the network. Once these tokens are dropped and triggered, an alert is then sent to whoever's in charge of the token as an email or phone notification of activity. Once the canary is triggered, you can check logs at any time. In my experience I would check Splunk logs, but that's not the be-all and end-all; however you want to monitor the activity is all based on you and your company, but I found that Splunk logs were definitely the quickest way to do it. Then you choose your course of action.

Other tools I've discovered in my research are Thinkst Canary, OpenCanary, which is essentially a more open-source version of Thinkst Canary that I found on GitHub, PanSift, Decept, Stealth Defend, and Honeyjen. This is a non-exhaustive list, so if anyone has other tools, or is curious about tools they might have found online or in their experience, I would love to talk about it and learn more about it, so please let me know.

Now on to crown jewels. What is a crown jewel, and why are they such a big deal? Crown jewels are mission-critical information assets that are used to compete and succeed in a global marketplace. These crown jewels can represent more than 80 percent of an organization's total value, and that includes both tangible and intangible assets. Whatever would cause a major business impact if it were compromised is likely considered your crown jewel. These can include valuable data, trade secrets, intellectual property, source code and algorithms, IT systems and applications, novel processes, new product designs, formulas, changes and updates to existing products or systems, research and development, things like that. You name it; if it sounds similar to this, it's likely a crown jewel, but it can change a little bit, of course, depending on what your organization does or produces. Overall, depending on how you look at this list or what is essential to your organization, crown jewels are where an organization or company draws all of its power in the marketplace, and whatever is essential to accomplish the organization's mission. That's really where you should focus when defining what your crown jewels can be: look at the mission.

Speaking of which, define your crown jewels. Are there any agreements or policies within your organization or company on what defines your crown jewels? It can be either spelled out right in a policy, which I'm finding is a bit more common, or it's like hearsay among your threat intel team, something like that. I think that having a policy set in stone that works with updating your mission is probably smarter, because as you update your mission or the needs of your threat intel team, something like that, you should be updating your crown jewel policy. So if you do have a crown jewel policy, where is it located, and what are the costs of it? What, according to the policy, defines your crown jewels? Is that spelled out? Because it should be. And how often are these updated? Are these updated every five years? How often is your mission updated? Is it just hearsay? All different possibilities should be factored into this policy.

Now this one makes my blood boil, because it is so important: who has access to what? That might sound like a no-brainer, but you'd be surprised statistically how often this is overlooked. What applications, what users, who can access what, and does this access make sense? If I'm an intern and I have access to my CISO's files, why? Were you even aware that I have access to these files? Probably not. But say I'm some sneaky little brown-noser with a hidden agenda; I'm probably not going to tell you that I can access the C-suite's files, I'm just saying. And say you have some analyst that's pretty curious about what's going on in our business partnership with country X; I might snoop around those files and maybe get our financial documents from our partnership. Different things like that, or maybe you might not even realize the access that I have.

So this is really important to constantly check up on. But also, not locking up that access right away could be smart, due to the fact that you might want to drop a honey token here and see how often it's triggered, so that's something to consider. And then these other questions: who are the owners, and what processes rely on them? Questions such as these need to be asked and addressed in identifying your crown jewels in order to protect and secure your organization.

An example of how an organization can work to identify the crown jewels is something like MITRE's Crown Jewels Analysis. I'm not saying this is the be-all and end-all, but for me this is definitely something I looked at as a first step in the process for an organization that is kind of unsure of their crown jewels or definitely needs a revamping. MITRE CJA is a methodology that's proven to help large and complex enterprises understand what's most critical. You start from system development all the way through system deployment, and so this framework provides a foundation for other MITRE processes that I'm just not going to go into, but it's used to help assist in identifying crown jewels for other organizations, and it assists in identifying the associated threats and risks, especially if you're trying to set up a threat landscape.

Once your crown jewels have been identified, you then must understand the threats to your critical data. If your data has been compromised, this probably is not a random event. It could be, but it most likely isn't. This most likely happened with relatively low effort, and there's a possibility that the real threat to your organization is right at home. Oftentimes these honey tokens through the crown jewels catch insider threats, and it's more often than not. If your security is inadequate, a data breach and siphoning could go unnoticed for months, which is why it's pretty important to stay up on your logs and keep a clear line of communication with people on your team.

Does your threat intelligence team work hand in hand with the SOC? Building off the point I just made: while the SOC shouldn't notify you of every little thing that goes wrong immediately, of course they have to do their job appropriately, having a clear line of communication with people on your team, the different analysts, or perhaps even interns trying to learn what's going on and how to learn from all that data they're collecting, is definitely something essential, especially if you're trying to revamp your crown jewels or trying to learn from different honey tokens you might have dropped. There needs to be a clear line of communication between the two. When you have this, you can then revamp your threat landscape, or you can lay out a threat landscape if you don't have one. If you're learning from previous incidents or learning from previous threats, this is essential: communicating with one another. You can't have a cohesive cybersecurity team if you're not talking. Something to think about. These elements can all be pieced together, and that is the glue in securing your crown jewels or discovering what the heck's going on on your network.

I found these statistics from Statista (sorry about that, English is hard) that show the annual number of data breaches and exposed records in the United States from 2005 all the way to the first half of 2020. In 2019, the U.S. faced 1,473 data breaches, with over 164.68 million sensitive records exposed. In the first half of 2020 there were 540 reported data breaches, and I'm very curious to see how that number shifts by the end of the year. The number of exposed records reported in 2018, where figures peaked (you can see right here, you can see my mouse), was nearly 471 million records exposed, with the data breaches amounting to 1,257, and that year it was primarily the business sector. There's a lot of data theft, and then usually the financial sector is targeted after that. Reading these statistics, the article mentioned that data breaches could be classified as an unauthorized party just accessing protected files and/or accounts, which of course sounds like a no-brainer, right? But a huge reason why identifying your crown jewels is so important is that definition exactly. When an organization takes time to figure out these critical assets, it shows where you're most vulnerable and where security may be loose in these data files, or even where the organization may be turning a blind eye. You could think that not paying attention to some random file on a very small part of your team is not that important, but who knows, there could be the most data siphoning happening through that file and getting into the network otherwise, so it could make your team susceptible to breaches.

Then I took a look at the Verizon 2019 Data Breach Investigations Report, which conducted analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. (The cat wants to learn about this too.) What these incidents and breaches show is different types of involvement, such as public sector entities, healthcare organizations, financial industries, small businesses, outsiders and insider threats, business partners, organized criminal groups, and identified nation states or affiliated actors, and it's all due to vulnerable systems and poor cyber hygiene that these incidents or events happened. More often than not, the crown jewels of the organization were impacted.

A statistic that I definitely wanted to point out, that I found pretty alarming but also not surprising, because this is a common theme I'm finding, is that executive staff were compromised in 20% of the incidents, and they're six times more likely to be a target asset that is compromised in professional service breaches than in the median industry, according to Verizon. These hackers are sitting there thinking, "Why the heck would I jump through all these hoops at the bottom levels of the company when I could just go to the head honcho up top, knock on the door, and say 'give me the cash,' because clearly you don't care about your security. Your security sucks, so you're just going to give it to me, or you'll put up a slight bit of a fight, but you don't care, so why should I care?" These hackers clearly see that you don't care about your security, so if your C-suite is sitting there being compromised like it's nobody's business, they're just going to go for it, and a lot of the time it's probably going to work. That's where it should be concerning for you, and that's where these honey tokens will work, because something is wrong in your cyber hygiene and these tokens need to be dropped there to figure out what is going wrong. A lot of the time it's social engineering, which is so mind-boggling, but it happens, and it's usually phishing, but we're not going to dwell on that at the moment.

Similar to honeypots, honey tokens are based on what they're built for. After you identify your crown jewels and your vulnerabilities from learning about prior attacks or failures, what's the common intention of the attacker, and do you notice any trends building on that threat landscape?

An interesting mechanism for tokens I actually read about pretty recently was for national security purposes. I never thought about it this way; I guess I looked at it more from an industry perspective. The director of the Institute for Security Technology Studies at Dartmouth University did a little bit of research on honey tokens, and he pitched that the Defense Department could use honey tokens to snare people searching for unauthorized information on weapon systems, especially nuclear weapons, which I found to be pretty interesting. I guess I just never thought about it that way, but it makes sense. This honey token would be designed so that if the information were downloaded and transferred to a different system, it would contact its original server each time it was accessed. That would involve including code in the honey token that would try to fetch some type of file or an image that's on the same system, based on the home server, and the honey token would be considered to phone home to the home server. I found that to be pretty fascinating, and it just shows how flexible honey tokens are.

I think that's what's really great about honey tokens: they come with flexibility, and you can really do anything you want with them to manipulate your systems and your data and find what's going on in your system. While doing my own work and seeing some of these alarming statistics, I learned how flexible, like I'm saying, honey tokens can be, and these little nuggets of knowledge could really begin to protect an organization, or even your strategic business partnerships and relationships, by being dispersed over global networks when it comes to intellectual property. If intellectual property is something you're worried about, your global networks are not off limits, especially if you have access to them, which is more likely than not.

So what did you gain from this? A honey token is just like a honeypot: you put it out there on your network, and no one should interact with it, and if someone does, watch your data and see what's going on. Any interaction is typically an indicator of malicious or unauthorized activity on your network. This can be monitored with, but not limited to, Splunk logs and other mechanisms that you so choose. Identification of your crown jewels can drastically change your organization's vulnerability to incidents and escalations, and honey tokens can aid in the process of finding what is most critical. All of these can work together to protect your networks and really change the security posture of your organization. I'm looking forward to talking with you about any questions or comments. Thanks so much for your time today.
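The AWS-key honey token described in the talk (a credential pair dropped in a configuration file that only trusted staff should read, with an alert on any use) can be built and monitored with a few lines of Python. The following is an added example, not code from the talk or from Thinkst Canary: it renders the lure as a credentials-file profile and then runs detection over CloudTrail-style records the way a SIEM search would. The honey key ID, the profile name `prod-backup`, and the CloudTrail records are all constructed samples; the field names (`userIdentity.accessKeyId`, `eventName`, `sourceIPAddress`, `userAgent`, `errorCode`) follow CloudTrail's JSON, and the IPs come from the documentation ranges. One practitioner caveat the example assumes: the key you actually plant should be a real IAM access key with no permissions, because AWS rejects an unknown key ID before it writes any CloudTrail event to your account, so a purely made-up key would never show up in your logs.

```python
"""Plant a fake AWS-credential honey token and detect its use in CloudTrail records.

Added example, not part of the talk.  Assumptions: the planted key is a real,
permissionless IAM access key (an invented key ID never reaches your CloudTrail),
the records below are constructed samples, and profile/file names are hypothetical.
"""
import json
import secrets
import string
from dataclasses import dataclass

KEY_ALPHABET = string.ascii_uppercase + string.digits


def make_honey_key_id() -> str:
    """Shape-only fake key ID ("AKIA" + 16 chars) for labelling and inventory.
    The value you actually plant should come from IAM (see module docstring)."""
    return "AKIA" + "".join(secrets.choice(KEY_ALPHABET) for _ in range(16))


def render_credentials_file(access_key_id: str, secret_key: str,
                            profile: str = "prod-backup") -> str:
    """The lure: a ~/.aws/credentials profile only trusted staff should read.
    The profile name is a hypothetical, tempting-looking choice."""
    return (f"[{profile}]\n"
            f"aws_access_key_id = {access_key_id}\n"
            f"aws_secret_access_key = {secret_key}\n")


@dataclass(frozen=True)
class Alert:
    access_key_id: str
    event_time: str
    event_name: str
    source_ip: str
    user_agent: str
    error_code: str


def load_records(text: str) -> list:
    """Parse a CloudTrail log-file object: a JSON document {"Records": [...]}."""
    return json.loads(text).get("Records", [])


def scan_cloudtrail(records, honey_key_ids, allowed_source_ips=frozenset()) -> list:
    """Return one Alert per record that used a honey key.

    The token is meant to be left alone, so any match is a trip, whether the
    call succeeded or came back AccessDenied.  The only exclusion is a short
    allow list for the known false positive: our own host that periodically
    verifies the token is still in place."""
    alerts = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in honey_key_ids:
            continue
        if rec.get("sourceIPAddress") in allowed_source_ips:
            continue  # expected check-in from our own monitoring host
        alerts.append(Alert(key_id, rec.get("eventTime", ""), rec.get("eventName", ""),
                            rec.get("sourceIPAddress", ""), rec.get("userAgent", ""),
                            rec.get("errorCode", "")))
    return alerts


HONEY_KEY_ID = "AKIAEXAMPLEHONEY0001"   # constructed: the key ID we "planted"
MONITOR_HOST = "192.0.2.10"              # constructed: our own check-in host

# Constructed CloudTrail-style records (TEST-NET addresses, made-up timestamps).
SAMPLE_RECORDS = [
    {"eventTime": "2020-10-05T01:12:44Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.0.30",
     "userIdentity": {"accessKeyId": HONEY_KEY_ID}},
    {"eventTime": "2020-10-05T01:12:51Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.0.30",
     "errorCode": "AccessDenied", "userIdentity": {"accessKeyId": HONEY_KEY_ID}},
    {"eventTime": "2020-10-05T02:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": MONITOR_HOST, "userAgent": "honey-check/1.0",
     "userIdentity": {"accessKeyId": HONEY_KEY_ID}},
    {"eventTime": "2020-10-05T02:05:13Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.0.5", "userAgent": "Boto3/1.14",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT0001"}},
]


def demo() -> list:
    """Run detection over the constructed records; returns the two real trips."""
    text = json.dumps({"Records": SAMPLE_RECORDS})
    return scan_cloudtrail(load_records(text), {HONEY_KEY_ID}, {MONITOR_HOST})


if __name__ == "__main__":
    print(render_credentials_file(HONEY_KEY_ID, "constructed-secret-value"))
    for alert in demo():
        print(f"TRIPPED {alert.event_time} {alert.event_name} from "
              f"{alert.source_ip} ({alert.user_agent}) {alert.error_code}")
```

The two alerts from the sample data show the pattern a tripped token usually produces: a `GetCallerIdentity` call (the attacker checking what the key is) followed by an `AccessDenied` on a real action. The denied call is still an alert; the point of the token is that anyone holding the key already read a file they should not have, so the permission outcome is irrelevant to the detection.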