A few days ago I was reading about features of a “next-gen” threat detection tool and found out it was capable of planting and monitoring Honeytokens in Active Directory. I realized it was the third time in just a few weeks I was seeing some reference to that concept in a threat detection tool. This is a great example of how the evolution of threats is forcing the detection tool set to adapt.
A long time ago all our detection hopes were pinned on IDS systems and their ability to identify attacks: plain attacks coming through the front door, because that was how things happened at the time. Since then we have seen detection technology evolve from static, exploit-oriented content (signatures) to more dynamic approaches, such as network sandboxing, and, most importantly, in where on the network we look for attacks. Of course there is still a huge focus on the perimeter; all the cool sandboxing stuff usually sits there. But with the “kill chain” mindset that now dominates the industry there is a clear attempt to identify attacks through their different phases and deeper inside the internal environment. That is where honeypots and honeytokens are really useful. Once attackers are inside they inevitably need to look for the data they want, or for the resources that get them to the data, such as privileged credentials. And that is where some vendors are seeing the opportunity to apply honeypot concepts.
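To make the idea concrete, here is a small detector for Active Directory honeytoken accounts. It is an added example written for this post, not code from any of the vendors or tools mentioned. It assumes Windows Security events have been exported as dictionaries whose keys mirror the event data fields (EventID, TargetUserName, ServiceName, ObjectName, IpAddress, SubjectUserName); the decoy account names and the sample events are constructed for the example. The logic rests on one property of a honeytoken: a decoy account is never legitimately used, so any authentication attempt, Kerberos ticket request or directory read that touches it is a high-fidelity alert rather than something to baseline.

```python
"""Flag any Windows Security event that touches an AD honeytoken account.

Added example, not part of the original post. Field names follow the Windows
Security log event data, but all sample events below are constructed.
"""
import re

# Constructed: decoy accounts planted in AD. They are named to look like the
# privileged service accounts an intruder hunts for, and nothing legitimate
# ever uses them, so every hit is worth an alert.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "sqladmin_legacy"}

# Security event IDs that show an account being touched:
# 4768 TGT requested, 4769 service ticket requested (SPN enumeration /
# Kerberoasting shows up here via ServiceName), 4624/4625 logon success or
# failure, 4662 operation on a directory object (an LDAP read of the decoy,
# provided its SACL audits reads).
WATCHED_EVENTS = {
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
    4624: "logon succeeded",
    4625: "logon failed",
    4662: "directory object accessed",
}

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def _account_name(value):
    """Normalise 'user', 'user@REALM', 'DOMAIN\\user' or a DN to a bare lowercase name."""
    if not value:
        return ""
    match = _CN_RE.match(value)
    if match:  # distinguished name from a 4662 ObjectName field
        return match.group(1).strip().lower()
    value = value.split("\\")[-1]        # strip DOMAIN\ prefix
    return value.split("@")[0].strip().lower()  # strip @REALM suffix


def _touched_accounts(event):
    """Every account name an event mentions that could be a decoy."""
    fields = ("TargetUserName", "ServiceName", "ObjectName")
    return {_account_name(event.get(f)) for f in fields} - {""}


def detect_honeytoken_access(events):
    """Return one alert per (event, decoy) pair found in the event stream."""
    alerts = []
    for event in events:
        event_id = event.get("EventID")
        if event_id not in WATCHED_EVENTS:
            continue
        for decoy in sorted(_touched_accounts(event) & HONEYTOKEN_ACCOUNTS):
            alerts.append({
                "decoy": decoy,
                "event_id": event_id,
                "description": WATCHED_EVENTS[event_id],
                # Prefer the network source; fall back to the acting user for
                # directory reads, which carry no client address.
                "source": event.get("IpAddress") or event.get("SubjectUserName") or "unknown",
                "record_id": event.get("RecordID"),
            })
    return alerts


def summarize_by_source(alerts):
    """Count alerts per source so the probing host or user stands out."""
    counts = {}
    for alert in alerts:
        counts[alert["source"]] = counts.get(alert["source"], 0) + 1
    return counts


# Constructed sample events: one benign logon, one Kerberoast-style ticket
# request for a decoy SPN, one LDAP read of the decoy object, one failed
# logon as a decoy, and one logon as a real account with a similar name.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"RecordID": 2, "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_backup_admin", "IpAddress": "10.0.0.77"},
    {"RecordID": 3, "EventID": 4662, "SubjectUserName": "jdoe",
     "ObjectName": "CN=sqladmin_legacy,OU=Service Accounts,DC=corp,DC=example"},
    {"RecordID": 4, "EventID": 4625, "TargetUserName": "CORP\\SVC_BACKUP_ADMIN",
     "IpAddress": "10.0.0.77"},
    {"RecordID": 5, "EventID": 4624, "TargetUserName": "sqladmin", "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    found = detect_honeytoken_access(SAMPLE_EVENTS)
    for alert in found:
        print(f"record {alert['record_id']}: {alert['description']} for decoy "
              f"{alert['decoy']} from {alert['source']}")
    print("alerts per source:", summarize_by_source(found))
```

Two details matter in practice. A 4769 event names the requesting user in TargetUserName and the requested service account in ServiceName, so the decoy must be matched against ServiceName to catch SPN enumeration; and 4662 only fires for a read of the decoy object if its SACL audits that access, which is part of planting the token, not of the detection logic.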
These are cool developments, and not only from niche or small vendors. They are coming from big players too, suggesting the idea is finally becoming mainstream. If it really does, we can also expect to see pressure on attackers to adapt. It will certainly be interesting to keep an eye on how threats react to that. It is a never-ending cycle, but it’s always fun to watch.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.