Gartner Blog Network


Honeytokens Everywhere

by Augusto Barros  |  July 28, 2015  |  2 Comments

A few days ago I was reading about features of a “next-gen” threat detection tool and found out it was capable of planting and monitoring Honeytokens in Active Directory. I realized it was the third time in just a few weeks I was seeing some reference to that concept in a threat detection tool. This is a great example of how the evolution of threats is forcing the detection tool set to adapt.

A long time ago the detection hopes were all on top of IDS systems and their ability to identify attacks. Plain attacks coming through the front door. That was how things used to happen at that time. Since then we have seen detection technology evolving from static and exploit oriented content (signatures) to more dynamic approaches, such as network sandboxing, and most importantly, the points in the network to look for attacks. Of course there is also a huge focus on the perimeter; all this cool sandboxing stuff is usually there. But with the “kill chain” mindset ┬áthat dominated the industry there is now a clear attempt to identify attacks through their different phases and deeper into the internal environments. That is where honeypots and honeytokens are really useful. Once the attackers are inside they inevitably need to look for the data they want or the resources to get to the data, such as privileged credentials. And that is where some vendors are seeing the opportunity to apply honeypot concepts.

These are cool developments, and not only from niche or small vendors. These developments are coming from big players too, suggesting the idea is finally becoming mainstream. If it really comes to it we can also expect to see the pressure for the attackers to adapt. It will certainly be interesting to keep an eye on how threats will react to that. It is a never ending cycle, but it’s always fun to watch.

Category: future  honeypots-and-honeytokens  threat-detection  

Tags: detection  honeypots  honeytokens  

Augusto Barros
Research Director
1 years at Gartner
19 years IT Industry

Augusto Barros is Research Director in the Gartner for Technical Professionals (GTP) Security and Risk Management group. Read Full Bio


Thoughts on Honeytokens Everywhere


  1. […] Augusto Barros A few days ago I was reading about features of a  » next-gen threat detection tool and […]

  2. […] from organizations planning their own security, there are also the security tools vendors working on the evolution of their products. That’s also an opportunity for deception techniques to be applied. Tools that track users […]



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.