Honeytokens, closely related to honeypots, are ‘tripwires’ that you leave on machines and data stores as early warning indications of a breach. Using AWS IAM access keys, we can create nearly limitless honeytokens for attackers to stumble upon – and it’s easy and free!
Knowing that AWS IAM access keys are of high value to attackers, the idea is to leave valid (but permissionless) access keys as ‘lures’ on machines, in GitHub repos, or anywhere really. When attackers breach a target, they will find these keys and attempt to use them. When such a key is used, you (the defender) know that some bad stuff is happening.
There are two ways to do this: the manual one, using CloudWatch and CloudTrail, and the automated one.
For the manual approach, see this post: https://blog.rapid7.com/2016/11/30/early-warning-detectors-using-aws-access-keys-honeytokens/
For the automated approach, we can use SpaceSiren.
SpaceSiren is a honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey tokens at scale — up to 10,000 per SpaceSiren instance — almost free.
The same idea works in Azure, using a Key Vault as the lure and Sentinel for detection. The basic steps of the automated script are:
- Create a resource group to hold everything (for easy cleanup)
- Create a key vault
- Create a service principal
- Give the service principal read access to the newly created key vault
- Configure audit logging and send it to Sentinel
- Output the tokens so we can spread them
- Generate KQL queries so we can detect the use of our tokens
Here is the blog post that explains it: https://zolder.io/2020/10/15/honeytokens-azure-keyvaults/ and here is the script that automates it: https://github.com/zolderio/microsoft/blob/master/Azure/KeyVault/CreateHoneyToken.ps1
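In both setups (CloudTrail/CloudWatch on the AWS side, Key Vault audit logs and KQL on the Azure side) the detection step comes down to matching the identity in an audit record against the list of planted tokens. The Python below is an added example, not code from this page, from SpaceSiren or from the zolder.io script: it runs that match over a few constructed CloudTrail and Key Vault AuditEvent records delivered as JSON lines. All access key IDs, app IDs, IPs and log lines are constructed; the record field names follow the two services' documented log shapes, but treat them as assumptions and check them against your own exports.

```python
"""Match planted honeytoken identifiers against cloud audit log records.

Added example, not from the page, SpaceSiren or zolder.io. Every identifier
and log line here is constructed. Field names are modelled on AWS CloudTrail
events and Azure Key Vault AuditEvent diagnostic logs (assumption: verify
against your own exported logs).
"""
import json

# Registry of planted honeytokens: identifier -> where it was planted.
# AWS: access key ID of a permissionless IAM key. Azure: appId of the service
# principal that was given read access to the honey key vault. (constructed)
HONEYTOKENS = {
    "AKIAHONEYTOKEN000001": "aws key in ~/.aws/credentials on build-server-01",
    "AKIAHONEYTOKEN000002": "aws key committed to internal repo 'infra-tools'",
    "11111111-2222-3333-4444-555555555555": "azure service principal in deploy.env on web-01",
}

# Constructed SIEM export: one JSON record per line, two sources mixed.
SAMPLE_LOG = """\
{"eventTime":"2021-03-01T10:15:02Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.20","userAgent":"aws-cli/2.1.30","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","userName":"honey-svc","accessKeyId":"AKIAHONEYTOKEN000001"}}
{"eventTime":"2021-03-01T10:15:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.20","userAgent":"aws-cli/2.1.30","userIdentity":{"type":"IAMUser","userName":"honey-svc","accessKeyId":"AKIAHONEYTOKEN000001"}}
{"eventTime":"2021-03-01T10:16:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"10.0.4.12","userIdentity":{"type":"IAMUser","userName":"ci-runner","accessKeyId":"AKIAREALKEY000000001"}}
{"time":"2021-03-01T10:20:41Z","operationName":"SecretList","category":"AuditEvent","resultType":"Success","callerIpAddress":"198.51.100.20","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://honeyvault.vault.azure.net/secrets?api-version=7.0"}}
{"time":"2021-03-01T10:21:00Z","operationName":"SecretGet","category":"AuditEvent","resultType":"Success","callerIpAddress":"10.0.9.3","identity":{"claim":{"appid":"99999999-8888-7777-6666-555555555555"}},"properties":{"requestUri":"https://prodvault.vault.azure.net/secrets/db-password"}}
"""


def extract_caller(record):
    """Return (source, identifier, operation, ip, time) or None if the
    record shape is not one we recognise. Source is inferred from shape."""
    if "userIdentity" in record and "eventName" in record:
        ident = record["userIdentity"]
        return ("aws-cloudtrail", ident.get("accessKeyId"),
                f'{record.get("eventSource", "?")}:{record["eventName"]}',
                record.get("sourceIPAddress"), record.get("eventTime"))
    if record.get("category") == "AuditEvent" and "operationName" in record:
        claims = record.get("identity", {}).get("claim", {})
        return ("azure-keyvault", claims.get("appid"), record["operationName"],
                record.get("callerIpAddress"), record.get("time"))
    return None


def detect(log_text, honeytokens=HONEYTOKENS):
    """Return one alert dict per record whose caller is a planted honeytoken.

    Matching is on the identifier only: a permissionless AWS key yields
    AccessDenied, but CloudTrail still records the attempt, and
    sts:GetCallerIdentity succeeds for any valid key, so the call's outcome
    is deliberately not part of the match.
    """
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        parsed = extract_caller(record)
        if parsed is None:
            continue
        source, identifier, operation, ip, when = parsed
        if identifier in honeytokens:
            alerts.append({
                "line": lineno, "source": source, "token": identifier,
                "planted_at": honeytokens[identifier], "operation": operation,
                "caller_ip": ip, "time": when,
                "denied": record.get("errorCode") == "AccessDenied",
            })
    return alerts


def summarize(alerts):
    """Group alerts by caller IP so one intrusion reads as one incident."""
    by_ip = {}
    for alert in alerts:
        by_ip.setdefault(alert["caller_ip"], []).append(alert)
    return by_ip


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'[{a["time"]}] HONEYTOKEN USED {a["source"]} {a["token"]} '
              f'({a["planted_at"]}) op={a["operation"]} '
              f'ip={a["caller_ip"]} denied={a["denied"]}')
```

Two points a practitioner would want from the output: the `planted_at` label tells you which host or repo was breached, which is the real value of the tripwire, and the `denied` flag shows why matching on the identity rather than on call success matters, since the first CloudTrail hit is an AccessDenied event and the GetCallerIdentity hit is not.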