Honey Pots and Honey Tokens — a Primer
Let’s say you’re a hunter, and you decide to hunt for bear. And not a specific bear, mind you; at first maybe you’re happy to get any old bear.
An easy approach is to fill a barrel with garbage and wait for a bear to amble along. In the parlance of information security / anti-fraud, this is called a honey pot.
I used a version of this when I’d hunt feral dog; the honey pot helps the hunter observe and learn about the quarry, because you don’t want to waste a kill shot on an insignificant beta or delta pooch; with dogs you’re going for the alpha.
In the context of information security, a honey pot is a computer that’s out on the Internet, without any protection, deployed to draw attackers.
Ok, still with me? Let’s switch it up a bit.
Let’s assume that you’ve observed the bears that come to your barrel (your “honey pot” filled with trash), and have decided to hunt for a specific bear.
It might be advantageous to assemble and deploy some bait that’s customized for the specifically-identified target.
This is called a “honey token,” and realm of hunting for criminals, is an amazing method for encouraging the prey to step into a trap created explicitly for them.
Activist hackers that seek specific pedophiles will curate “honey token” profiles they are confident will lead their explicit target out into the open, custom-tailored to match their deviant desires.
For example, let’s assume that a suspected pedophile appears within the ranks of a local law enforcement operations. Through use of a specifically-tailored honey token, the predator can be invited to walk into a trap that captures them in the act.
And as I’ve noted, hackers generally observe the “no snitching to the Feds” rule, unless we encounter traitors, spies, or pedophiles; extra credit when we find pockets of those who are more than one at once.
Back to the hunting metaphor: one might assume that it’s best to pull that trigger as soon as the prey has fallen for the honey token trap.
Not so. It’s actually best to just press pause and observe. We’re talking about hunting predators, right? Let’s see if we can encourage them to reveal their pecking order, so to speak.
For whatever reason, and likely due to ego, the predator cannot help gloating, and in so doing they expose to the “victim” their throat, heart, solar plexus, sacral, and their genitals.
Every. Single. Time. The phenomenon fascinates me, deeply. It’s a dominance gesture, right?
It’s weird to me, because in their gesticulation they seal their fate, by exposing to the hunter their relative social status within the pack ecosystem, and leave themselves open to return hunting visits at a time more convenient or strategically advantageous.
Let’s switch back to the hunting of feral dogs.
See, you don’t want to just shoot any dog; it’s best to shoot the alpha, but not straight-away. It’s wisest to lay on your back and make a lot of “please don’t hurt me sounds” while you wait for the predator to gesticulate, and meanwhile, observe the others.
When the time is right, squeeze off a few that incapacitates the betas, then the omegas; pick apart the pack hierarchy one by one, with a bias towards leveraging their internal rules regarding how their organization aligns to order, in the wake of chaos.
For what it’s worth, I’m a huge fan of the .22–250. It’s a very low-mass, but extremely high-velocity round (faster than the speed of sound), and its devastating. From the perspective of the alpha, the throats of one or two of the betas just turned to vapor:
Separate but related aside: John Boyd
John Boyd is revered in the Air Force for his innovations in combat strategy, and some suggest that he may be the most important contributor to the domain since Sun Tsu.
Long story short, he developed the OODA loop, and it’s this:
Key take-away: if you can execute inside the decision cycle of your opponent, they are unable to discern order from chaos, and it drives them into madness.
It’s possible to outwardly execute slower than the other guy, but in the ways that matter, and still be operating well within their decision cycles.
Result? They are driven into madness, because they can’t discern order from chaos. Good times; literally one of my favorite things in the world.
I spent a lot of years in the information security industry, as many of you know. In the 1990’s I caught I guy who was selling proprietary secrets to another country, and he went to federal prison for industrial espionage.
I’m pretty good at catching bad guys, because I’m a hunter, obviously. And I don’t hunt deer: I hunt apex predators. It’s kind of my thing, paraphrasing Hemingway.
People think that the bad guys are “hackers,” but each and every year it’s this, quoting Price Waterhouse Coopers (PwC):
The most common types were customer fraud, cybercrime, and asset misappropriation. And there was a roughly even split between frauds committed by internal and external perpetrators, at almost 40% each — with the rest being mostly collusion between the two.
The total cost of these crimes? An eye-watering US$42 billion. That’s cash taken straight off companies’ bottom line. And 13% of those who’d experienced a fraud said they’d lost US$50 million-plus.
For example, procurement fraud / asset misappropriation tops the list every year of money that is most frequently stolen — that’s theft from within the company. Just to be clear: this is someone inside the organization preventing the accounting / the ledger in a manner that’s designed to enrich themselves.
So it’s likely you’re regularly having coffee with the apex thief within your organization (see: fraud triangle)
Corruption too is waaayyyy more damaging, financially, than “cybercrime,” and interesting aside: the more money that is invested in information security, the greater are the reported losses due to cybercrime.
I’m inclined to believe that a sizable chunk of money stolen by “cybercrime” is being taken by those from inside the organization, and its not a stretch to assume its occurring in concert with procurement fraud, corruption, etc.
This is actually what encouraged me to leave the security industry and build my own company 214 Alpha. This is where things get very interesting, getting back to the use of honey pots and honey tokens.
My company built an app that delivers governance that’s transparent, accountable, and easy to audit.
Governance = operations
I’ve been in the private sector for almost my entire career, and (speaking of honey tokens), the competitors that eventually come forward tell you a lot about the threat your product or service represents.
There’s been no companies that have stepped up and presented themselves as a competitor, probably because my company is tiny, almost entirely insignificant.
I mean. Governance? Who cares about a small company that aspires to deliver operations that’s consumer-class easy to use that discourages theft and fraud?
However, I’ve got two separate women who go out of their way to tell my current and potential customers that I’m going to get them in trouble.
One woman — a person who provides contracting services to Austin Police Department — tells my customers that there are six pending Austin Police Department investigations against me — a false claim.
The other woman is similarly affiliated with law enforcement (a local elected constable); she’s told people that I’m involved in white collar crime.
Well, that’s technically true: I’m pretty good at catching white collar criminals, but I’ve never been arrested and have therefore never been in jail.
Isn’t that interesting?
My company provides governance that’s transparent, accountable, and easy to audit. It uses a technology that’s built from the ground up to make it very difficult to engage in fraud.
A decent honey token, if you think about it.