A few days ago I was reading about the features of a “next-gen” threat detection tool and found out it was capable of planting and monitoring honeytokens in Active Directory. I realized it was the third time in just a few weeks that I had seen some reference to that concept in a threat detection tool. This is a great example of how the evolution of threats is forcing the detection tool set to adapt.
A long time ago, detection hopes rested entirely on IDS systems and their ability to identify attacks: plain attacks coming through the front door. That was how things used to happen at the time. Since then we have seen detection technology evolve from static, exploit-oriented content (signatures) to more dynamic approaches, such as network sandboxing, and, most importantly, in where in the network it looks for attacks. Of course there is still a huge focus on the perimeter; all this cool sandboxing stuff usually sits there. But with the “kill chain” mindset that now dominates the industry there is a clear attempt to identify attacks across their different phases and deeper inside the internal environment. That is where honeypots and honeytokens are really useful. Once attackers are inside they inevitably need to look for the data they want, or for the resources that get them to the data, such as privileged credentials. And that is where some vendors are seeing the opportunity to apply honeypot concepts: a decoy credential has no legitimate use, so any attempt to authenticate with it is a high-confidence signal.
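As an added illustration (my own example, not code from the post or from any vendor's product): a minimal detection routine that flags any credential-use event in the Windows Security log that names a planted decoy account. The decoy account names, the simplified one-JSON-object-per-line log rendering, and the choice of event IDs are assumptions of this example.

```python
import json
from dataclasses import dataclass

# Constructed decoy accounts. They exist in the directory only as bait and have
# no legitimate use, so any authentication that touches them is an alert.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "sql_sa_legacy"}

# Windows Security log event IDs that record a credential being used or probed:
# 4768 Kerberos TGT request, 4769 service ticket request, 4624 logon, 4625 failed logon.
CREDENTIAL_USE_EVENTS = {4768, 4769, 4624, 4625}


@dataclass(frozen=True)
class Alert:
    account: str
    event_id: int
    source_ip: str
    host: str


def parse_events(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_account(name):
    """Strip a DOMAIN\\ prefix or @realm suffix and lower-case the name."""
    return name.split("\\")[-1].split("@")[0].lower()


def detect_honeytoken_use(events):
    """Return an Alert for every credential-use event naming a decoy account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in CREDENTIAL_USE_EVENTS:
            continue  # e.g. 4663 object access: not a credential being tried
        account = normalize_account(ev.get("TargetUserName", ""))
        if account in HONEYTOKEN_ACCOUNTS:
            alerts.append(Alert(account, ev["EventID"],
                                ev.get("IpAddress", "?"), ev.get("Computer", "?")))
    return alerts


# Constructed sample log: a simplified JSON rendering of Security log fields.
SAMPLE_LOG = """
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "Computer": "DC01"}
{"EventID": 4768, "TargetUserName": "CORP\\\\svc_backup_admin", "IpAddress": "10.0.3.77", "Computer": "DC01"}
{"EventID": 4625, "TargetUserName": "sql_sa_legacy@corp.example", "IpAddress": "10.0.3.77", "Computer": "DC01"}
{"EventID": 4663, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.3.77", "Computer": "FS01"}
"""
```

Running `detect_honeytoken_use(parse_events(SAMPLE_LOG))` yields two alerts, both from 10.0.3.77, which is the kind of low-noise, high-confidence signal the decoy is planted to produce.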
These are cool developments, and not only from niche or small vendors. They are coming from big players too, suggesting the idea is finally becoming mainstream. If it really takes hold we can also expect to see pressure on attackers to adapt. It will certainly be interesting to keep an eye on how threats react to that. It is a never-ending cycle, but it’s always fun to watch.