A few days ago I was reading about features of a “next-gen” threat detection tool and found out it was capable of planting and monitoring Honeytokens in Active Directory. I realized it was the third time in just a few weeks I was seeing some reference to that concept in a threat detection tool. This is a great example of how the evolution of threats is forcing the detection tool set to adapt.
A long time ago, detection hopes rested entirely on IDS systems and their ability to identify attacks: plain attacks coming in through the front door, because that was how things used to happen at the time. Since then we have seen detection technology evolve from static, exploit-oriented content (signatures) to more dynamic approaches, such as network sandboxing, and, most importantly, evolve in where in the network it looks for attacks. Of course there is still a huge focus on the perimeter; all the cool sandboxing stuff usually sits there. But with the “kill chain” mindset that now dominates the industry there is a clear attempt to identify attacks across their different phases and deeper inside internal environments. That is where honeypots and honeytokens are really useful. Once attackers are inside, they inevitably need to look for the data they want, or for the resources that get them to the data, such as privileged credentials. And that is where some vendors see the opportunity to apply honeypot concepts.
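As an added illustration of the monitoring half of that idea (this is example code written for this post, not code from any product mentioned here), the script below scans constructed Windows Security event records from a domain controller for any reference to decoy Active Directory accounts. The decoy account names, the allow-listed monitoring account and the JSON field names are assumptions; the event IDs (4768, 4769, 4624, 4625, 4662) are real Windows Security event IDs. Because a decoy account has no legitimate use, any authentication attempt or directory read that names it is a high-fidelity signal that someone inside the network is hunting for credentials.

```python
"""Toy honeytoken monitor for Active Directory decoy accounts.

Constructed example: decoy accounts are planted in AD purely as bait, so any
authentication or directory lookup that references one is an alert. The log
records below are constructed JSON lines modelled on Windows Security event
fields; the field names used here are assumptions.
"""
import json
from dataclasses import dataclass

# Hypothetical decoy accounts planted in AD (constructed names). Nothing
# legitimate ever authenticates as them or reads their objects.
DECOY_ACCOUNTS = {"svc_backup_admin", "sqladmin_legacy"}

# Event IDs worth watching on domain controllers (real Windows event IDs):
# 4768 Kerberos TGT requested, 4769 Kerberos service ticket requested,
# 4624 successful logon, 4625 failed logon, 4662 operation on an AD object.
WATCHED_EVENTS = {4768, 4769, 4624, 4625, 4662}

# Accounts allowed to touch the decoys, e.g. the tool that keeps them alive.
# Constructed name.
ALLOWED_ACTORS = {"svc_honeymon"}

REASONS = {
    4768: "Kerberos TGT requested for decoy account",
    4769: "Kerberos service ticket requested for decoy account",
    4624: "successful logon with decoy account",
    4625: "failed logon with decoy account",
    4662: "directory object of decoy account accessed",
}


@dataclass(frozen=True)
class Alert:
    decoy: str       # which decoy was touched
    event_id: int    # Windows Security event ID
    actor: str       # account that performed the action (best effort)
    source: str      # IP address or workstation the event came from
    reason: str


def _mentions_decoy(record):
    """Return the decoy named in the record, or None.

    User-name fields are compared exactly (case-insensitive); for 4662 the
    object is a distinguished name, so look for 'cn=<decoy>,' inside it.
    """
    for field in ("TargetUserName", "SubjectUserName"):
        value = str(record.get(field, "")).lower()
        if value in DECOY_ACCOUNTS:
            return value
    dn = str(record.get("ObjectName", "")).lower()
    for decoy in DECOY_ACCOUNTS:
        if f"cn={decoy}," in dn:
            return decoy
    return None


def scan_records(records):
    """Yield an Alert for every watched event that references a decoy."""
    alerts = []
    for rec in records:
        event_id = int(rec.get("EventID", 0))
        if event_id not in WATCHED_EVENTS:
            continue
        decoy = _mentions_decoy(rec)
        if decoy is None:
            continue
        # Kerberos and network-logon events carry "-" or nothing in
        # SubjectUserName, so fall back to the target account.
        subject = str(rec.get("SubjectUserName", "")).strip()
        actor = subject if subject and subject != "-" else str(rec.get("TargetUserName", ""))
        if actor.lower() in ALLOWED_ACTORS:
            continue  # the monitoring tool maintaining the decoy
        source = rec.get("IpAddress") or rec.get("WorkstationName") or "unknown"
        alerts.append(Alert(decoy, event_id, actor, source, REASONS[event_id]))
    return alerts


def scan_jsonl(text):
    """Parse one JSON object per line and scan them."""
    return scan_records(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample log: one normal logon, two Kerberos/logon attempts against
# decoys, one allowed read by the monitoring account, one suspicious read, and
# one unwatched event.
SAMPLE_LOG = "\n".join([
    '{"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-", "IpAddress": "10.0.5.23"}',
    '{"EventID": 4768, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.5.23"}',
    '{"EventID": 4662, "SubjectUserName": "svc_honeymon", "ObjectName": "CN=svc_backup_admin,OU=Service Accounts,DC=corp,DC=example"}',
    '{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "CN=sqladmin_legacy,OU=Service Accounts,DC=corp,DC=example"}',
    '{"EventID": 4625, "TargetUserName": "SQLADMIN_LEGACY", "SubjectUserName": "-", "WorkstationName": "WS-0423"}',
    '{"EventID": 5136, "SubjectUserName": "jdoe", "ObjectName": "CN=svc_backup_admin,OU=Service Accounts,DC=corp,DC=example"}',
])

if __name__ == "__main__":
    for alert in scan_jsonl(SAMPLE_LOG):
        print(f"[{alert.event_id}] {alert.reason}: decoy={alert.decoy} "
              f"actor={alert.actor} source={alert.source}")
```

The allow-list is the one piece of tuning such a monitor needs: the tool that plants the decoys will itself read or refresh them, and excluding it keeps the rest of the hits at essentially zero false positives. The 4662 case matters because an attacker enumerating AD for privileged accounts trips the token before ever trying to log in with it.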
These are cool developments, and not only from niche or small vendors; big players are doing it too, which suggests the idea is finally becoming mainstream. If it really takes hold, we can also expect pressure on attackers to adapt, and it will certainly be interesting to watch how threats react. It is a never-ending cycle, but it’s always fun to watch.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.