DocumentCode :
2316081
Title :
Implementing PII honeytokens to mitigate against the threat of malicious insiders
Author :
White, Jonathan ; Panda, Brajendra
Author_Institution :
CSCE Dept., Univ. of Arkansas, Fayetteville, AR, USA
fYear :
2009
fDate :
8-11 June 2009
Firstpage :
233
Lastpage :
233
Abstract :
In the past several years, extensive research has been performed in various honeypot technologies, including honeynets, honeywalls, and honeytokens, primarily to gather information about external threats. Little to no research has been performed on how honeytokens, pieces of digital information designed to attract and trace illicit uses of data, can be implemented to catch one of the most dangerous threats, the trusted insider. The goal of this work is to detect, identify, and confirm insider threats, specifically threats that are after personally identifiable information (PII) data. These insiders are not after the physical system; they are after the information that these systems contain, which is often a significant threat. Malicious insiders are a threat because they are technically skilled, generally highly motivated, and insiders have access to extensive resources. For example, this threat may be a disgruntled employee who wishes to sell information to an overseas competitor. Or, this threat could be a spy working for a foreign country to compromise national security. Examples of such spies include Robert Hanssen, Aldrich Ames, and Ana Montes, all of whom caused extreme harm to their organizations over a long period of time without being detected. Insider threats are real, and they must be mitigated against. While honeytokens can be designed to appear like any type of valuable data, personally identifiable information is especially valuable. Identity theft is a huge problem in countries all over the world, and information about people's intimate lives has to be protected from a multitude of threats, both internal and external. This type of personal information is typically contained in a database, and consists of a small but varied set of elements, including attributes such as names, addresses, birth dates, telephone numbers, credit card numbers, passport numbers, and email addresses.
Personal information is also something that every organization possesses, no matter how large or small it is, no matter where the business is located, and no matter what types of operations the organization is involved in. In the case of the spy Robert Hanssen, it is known that he used an FBI search engine to look up his own name in the active case database, as well as sensitive information about several other agents. Also, when the 2008 presidential election was in full swing, State Department officials were forced to admit that Barack Obama's personal passport data had been accessed maliciously several times by government employees. In this case, it is believed that the employees were just curious, but this is still a severe breach of security. Insiders illicitly accessing PII data are a serious threat, and it happens all too often, with several instances identified in the literature. The purpose of this work is to describe the method we took to use and develop PII honeytokens to trace insiders who are using personal information maliciously. The deployment of internal PII honeytokens can significantly reduce risk profiles within an organization because monitored honeytokens can detect illicit behaviors before they have escalated into full-blown data leaks and can work as an early warning system for administrators. There are several areas where personally identifiable honeytokens could be deployed, including packets sent across the network, in the same file space as personal information, and also as returned search results from a search engine. In the poster, we will show how we developed a PII honeytoken system, how we tested the realism of the honeytokens, and how we deployed them into a people search engine to track potential misuse. When an individual uses the search engine, honeytokens are returned along with the correct information.
The honeytokens are designed to have no valid business use; in fact, they are completely fabricated, though they are still life-like. These honeytokens are then monitored, and if access is ever detected
Keywords :
security of data; PII honeytokens; honeypot technologies; malicious insiders; personally identifiable information; Credit cards; Data security; Databases; Government; Monitoring; National security; Nominations and elections; Protection; Search engines; Telephony;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Intelligence and Security Informatics, 2009. ISI '09. IEEE International Conference on
Conference_Location :
Dallas, TX
Print_ISBN :
978-1-4244-4171-6
Electronic_ISBN :
978-1-4244-4173-0
Type :
conf
DOI :
10.1109/ISI.2009.5137315
Filename :
5137315