
Why Credibility is Key: The Truth about Honeypots

December 19, 2023

Since the start of the Internet, honeypots have been a very valuable defensive strategy. No matter how simple or complex they are, they definitely add a lot of value to your security posture. Clifford Stoll's marvelous book The Cuckoo’s Egg is always referenced as one of the first deception use cases in cybersecurity, but since then, many organizations have used deception to level up their defenses.

When we talk about deception, we should start by describing the different use cases, which can vary depending on maturity:

  • Deception for pure and rapid detection: Honeypots can give you real-time alerts that something malicious is happening. By definition, no one should ever interact with the honeypots you have deployed, so any alert is worth a look. This means a great signal-to-noise ratio and something that can ease your security team’s alert fatigue.
  • Deception as another valuable source of threat intelligence: The TTPs and IOCs that you can collect from your deception environments are unique intel that you are gathering from attackers attacking your organization. 
  • Deception for testing your threat hunting hypotheses: Once you have created threat hunting hypotheses, you can easily use honeypots for testing whether they are valid or not. 
  • Deception for engaging with threat actors: This is the most mature use case. Once you already know the TTPs from the threat actors that are likely to target your organization, you can deploy customized deception environments that will be very attractive to them...