In many computer networks, in particular enterprise networks, confidential information is generated, stored and processed. This confidential information needs to be protected from unauthorized access. Most such networks are connected to external networks to facilitate the exchange of information. Oftentimes, this external connection is provided by access to the internet. The connection to external networks provides a gateway through which unauthorized parties can access the confidential information within the internal network. Certain approaches to effectively preventing such unauthorized access to the internal network are conventional. A threat to information security that is harder to control is posed by the technical possibility of authorized users of the internal network sending confidential information over or to the external network. Once such information has left the internal network, it can no longer be controlled. In the following, the term “security leak” shall be used to refer to confidential information being transmitted to or over an external network without authorization.
A method for detecting unauthorized access to resources (such as confidential information, devices or services) is known as “honeypots” or “canary honeypots.” In this method, the resources are prepared such that any unauthorized access can be detected. The such prepared resource is intentionally used to attract unauthorized access (hence the name “honeypot”). Further information on the described method is disclosed in “Chapter 12: Using Canary Honeypots for Detection” of the book “Applied Network Security Monitoring: Collection, Detection, and Analysis” by Chris Sanders and Jason Smith, Syngress, 2014.
WO 2009/032379 A1 teaches an example of a honeypot defense for a communications network. In the disclosed method, a decoy information with an embedded beacon is placed into a computing environment. The embedded beacon provides an indication that the decoy information has been accessed by an attacker.
A method for detecting access to computer files is offered publicly under the name “HoneyDocs” at the internet address http://www.honeydocs.com. Users can upload a file in certain file formats to said website, where an object is then inserted into the file and the modified file is sent back to the user. When the modified file is opened, the software used to open the file is triggered by the inserted object to download an image file from an internet server controlled by HoneyDocs. The access to the file can thus be detected and the user can be informed that the file was accessed.
It is conventional to set traps (e.g. “honeypots”) to attract and detect unauthorized access to certain network resources, in particular computer files. However, any such file must be manually selected and prepared in order to detect any unauthorized access to it.