Honey Sheets: What Happens to Leaked Google Spreadsheets?

Cloud-based documents are inherently valuable, due to the volume and nature of sensitive personal and business content stored in them. Despite the importance of such documents to Internet users, there are still large gaps in the understanding of what cybercriminals do when they illicitly get access to them by for example compromising the account credentials they are associated with. In this paper, we present a system able to monitor user activity on Google spreadsheets. We populated 5 Google spreadsheets with fake bank account details and fake funds transfer links. Each spreadsheet was configured to report details of accesses and clicks on links back to us. To study how people interact with these spreadsheets in case they are leaked, we posted unique links pointing to the spreadsheets on a popular paste site. We then monitored activity in the accounts for 72 days, and observed 165 accesses in total. We were able to observe interesting modifications to these spreadsheets performed by illicit accesses. For instance, we observed deletion of some fake bank account information, in addition to insults and warnings that some visitors entered in some of the spreadsheets. Our preliminary results show that our system can be used to shed light on cybercriminal behavior with regards to leaked online documents

Real-Time Cyber Attack Detection Over HoneyPi Using Machine Learning

The rapid transition of all areas of our lives to the digital environment has kept people away from their intertwined social lives and made them dependent on the isolated cyber environment. This dependency has led to increased cyber threats and, subsequently, cyber-attacks nationally or internationally. Due to the high cost of cybersecurity systems and the expert nature of these systems\u27 management, the cybersecurity component has been mostly ignored, especially in small and medium-sized organizations. In this context, a holistic cybersecurity architecture is designed in which fully open source and free software and hardware-based Raspberry Pi devices with low-cost embedded operating systems are used as a honeypot. In addition, the architectural structure has an integrated, flexible, and easily configurable end-to-end security approach. It is suitable for different platforms by creating end-user screens with personalized software for network security guards and system administrators

Deception Honeypots : Deep Intelligence

En un món on Internet és una eina fonamental pel desenvolupament de les empreses, que volen créixer i establir-se en el mercat econòmic global, la seguretat dels seus sistemes informàtics es converteix en una necessitat. La constant evolució de les tecnologies, promou un ambient en el qual els mètodes que es fan servir per atacar els sistemes informàtics, evolucionen encara més ràpid que les pròpies tecnologies, crean un estat on és pràcticament impossible garantir la integritat i la seguretat completa dels sistemes. La majoria dels mètodes actuals de seguretat, tenen com a objectiu la prevenció o detecció. Per aquest motiu aquest treball implementa els honeypots d'alta interacció, amb els quals podem implementar un factor proactiu en la nostre seguretat, atraient als atacants a un espai controlat, per aprendre els seus mètodes i fer servir aquesta informació per protegir els sistemes reals. En aquest article, es proposa el desenvolupament d'un honeypot d'alta interacció i la seva implementació, en una xarxa similar al entorn de producció d'una empresa per enganyar possibles atacants.In a world where Internet is a key element for the development of any company, that wants to rise and establish in the economic global market, the security of the computer systems used in the company's becomes an imperious need. The constant evolution of technology, provides an environment where the methods used to attack the computer systems evolve even faster than the technologies itself, creating a state where it is practically impossible to assure the integrity and complete security of the systems. Most actual security methods and policies, act only as a prevention or detection solution. Therefore in this paper we implement high interaction honeypots, which allow a new proactive factor in our security, to attract the attackers into a controlled environment, where we can learn their methods and use that information to protect the real systems. In this paper we will propose the development of a high interaction honeypot, and its implementation in a network, which we could find in a real bussines environment.En un mundo donde Internet es una herramienta basica para el dessarrollo de las empresas, que quieren crecer y establecer-se en el mercado economico global, la seguridad de sus sistemas informàticos se convierte en una necesitat. La constante evolucion de las tecnologias, promueve un ambiente en el que los metodos que se usan para atacar los sistemas informàticos evolucionan aun mas rápido que las propias tecnologias, creando un estado donde es practicamente imposible garantizar la integridad y seguridad de los sistemas. La mayoria de los metodos actuales de seguridad, tienen como objetivo la prevención o detección. Por este motivo en este trabajo implementa honeypots de alta interacción, con los quales se puede implantar un factor pro-activo en la seguridad, atraiendo a los atacantes a un espació controlado, para aprender sus metodos i usar esta información para proteger los sistemas reales. En este Articulo, se propone el desarrollo de un honeypot de alta interacción i su implementación, en una red similar a la de un entorno de producción de una empresa para engañar a posibles atacantes

Insider Threat Detection on the Windows Operating System using Virtual Machine Introspection

Existing insider threat defensive technologies focus on monitoring network traffic or events generated by activities on a user\u27s workstation. This research develops a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. Six core use cases are developed along with eighteen supporting scenarios. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated through the use of two data sets, one containing simulated normal and malicious insider user behavior and the second from a computer network operations exercise. Compiled Memory Analysis Tool - Virtual (CMAT-V) and Xen hypervisor capabilities are leveraged to perform VMI and insider threat detection. Results of the research show the developed methodology is effective in detecting all defined malicious insider scenarios used in this research on Windows guests

BABELTOWER: How Language Affects Criminal Activity in Stolen Webmail Accounts

We set out to understand the effects of differing language on the ability of cybercriminals to navigate webmail accounts and locate sensitive information in them. To this end, we configured thirty Gmail honeypot accounts with English, Romanian, and Greek language settings. We populated the accounts with email messages in those languages by subscribing them to selected online newsletters. We also hid email messages about fake bank accounts in fifteen of the accounts to mimic real-world webmail users that sometimes store sensitive information in their accounts. We then leaked credentials to the honey accounts via paste sites on the Surface Web and the Dark Web, and collected data for fifteen days. Our statistical analyses on the data show that cybercriminals are more likely to discover sensitive information (bank account information) in the Greek accounts than the remaining accounts, contrary to the expectation that Greek ought to constitute a barrier to the understanding of non-Greek visitors to the Greek accounts. We also extracted the important words among the emails that cybercriminals accessed (as an approximation of the keywords that they possibly searched for within the honey accounts), and found that financial terms featured among the top words. In summary, we show that language plays a significant role in the ability of cybercriminals to access sensitive information hidden in compromised webmail accounts

Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor—are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends