Title: DETECTION OF COMPROMISED UNMANAGED CLIENT END STATIONS USING SYNCHRONIZED TOKENS FROM ENTERPRISE-MANAGED CLIENT END STATIONS
Abstract: Techniques for detecting compromised unmanaged client end stations using synchronized tokens placed on enterprise-managed client end stations are described. A token distribution module causes token(s) to be placed with user data of a managed client end station in specific locations. The placement locations are selected because the token(s) are likely to be synchronized, unlikely to be discovered or used by an authorized user, but likely to be discovered by an attacker. During a synchronization process, the token(s) are sent to an unmanaged client end station. The token(s) can be detected and/or acquired from the unmanaged client end station by an attacker, and thereafter used in an attempt to access an apparent enterprise resource. A token detection module can detect this use of the token(s) and thereby detect the compromise of the unmanaged client end station, without needing direct access to the unmanaged client end station.
Publication number: US2016381023(A1) Publication date: 2016.12.29
Application number: US201514750539 Filing date: 2015.06.25
Applicant: Imperva, Inc. Inventors: DULCE Sagie; SHULMAN Amichai
Classification: H04L29/06 Main classification: H04L29/06
Agency / Agent: not listed
Independent claim 1. A method for causing a token to be placed on an unmanaged client end station without direct access to the unmanaged client end station, wherein a managed client end station that is managed by an administrator of an enterprise has stored therein existing code and existing user data, wherein the existing code is configured to allow participation in a synchronization process of the existing user data, and wherein the synchronization process causes that existing user data to be synchronized with existing user data on the unmanaged client end station, the method comprising:
causing the token to be stored with the existing user data on the managed client end station such that the token will be synchronized when and if the existing user data is synchronized by the synchronization process, wherein the token appears to be useful for accessing an apparent enterprise resource, wherein the existing user data was chosen because the token's presence with the existing user data is unlikely to be discovered and used by an authorized user and because the existing user data is likely to be synchronized, wherein the token and the existing user data were chosen because an attacker is likely to access the token and attempt to use the token to access the apparent enterprise resource;
transmitting, by the managed client end station, the token as part of the synchronization process to cause the token to be stored by the unmanaged client end station;
detecting a use of the token within network traffic, wherein the token was accessed from the unmanaged client end station; and
in response to the detected use of the token, generating an alert.
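The two halves of the claimed method, a token distribution module that records where each credential-looking token was placed with a user's synchronized data, and a token detection module that alerts when that token shows up in an authentication attempt, sketched as an added example (not Imperva's code). The key=value log format, the `%APPDATA%/sync/credentials.ini` placement path and the host names are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    secret: str           # credential-looking value that gets synchronized
    managed_station: str  # managed station the distribution module placed it on
    location: str         # e.g. a saved-credentials file under the user profile
    resource: str         # apparent enterprise resource the token seems to unlock

class TokenRegistry:
    """Token distribution side: remembers where every minted token was placed,
    so an alert can name whose synchronized data the attacker read."""
    def __init__(self):
        self._by_secret = {}

    def mint(self, managed_station, location, resource):
        # token_urlsafe yields a high-entropy value that passes for a real password
        tok = Token(secrets.token_urlsafe(18), managed_station, location, resource)
        self._by_secret[tok.secret] = tok
        return tok

    def lookup(self, secret):
        return self._by_secret.get(secret)

# Constructed log format assumed for this example: space-separated key=value pairs.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+).*?\bpass=(?P<pw>\S+)")

def detect_token_use(registry, traffic_lines):
    """Token detection side: alert on any authentication attempt whose credential
    is a registered token. Only exact matches fire, so genuine logins never alert."""
    alerts = []
    for line in traffic_lines:
        m = LINE_RE.search(line)
        tok = registry.lookup(m["pw"]) if m else None
        if tok is not None:
            alerts.append({"source": m["src"], "resource": m["dst"],
                           "leaked_from": tok.managed_station, "location": tok.location})
    return alerts

def demo():
    reg = TokenRegistry()
    tok = reg.mint("ws-alice", "%APPDATA%/sync/credentials.ini", "files.corp.example")
    traffic = [  # constructed sample: one genuine login, one use of the synced token
        "src=10.0.5.23 dst=files.corp.example user=alice pass=CorrectHorseBattery",
        f"src=203.0.113.9 dst={tok.resource} user=svc_backup pass={tok.secret}",
    ]
    return detect_token_use(reg, traffic)
```

The alert carries the managed station and placement location, which is what tells the responder that the unmanaged station holding a synchronized copy of ws-alice's data is the one compromised, without ever touching that station.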
Address: Redwood City CA US