Detect and Investigate Attacker Reconnaissance
Attackers are most vulnerable when they first gain internal network access. Their next move has to be reconnaissance: looking for reachable ports, services, and assets. This is usually done with a network scan, which is difficult to identify through log and network analysis alone. Instead, you can deploy a Honeypot, a purpose-built machine that listens for and reports any attempt to access it.
In this use case, we'll investigate a Honeypot Access alert, part of the Deception Technology built into InsightIDR.
Easy to Deploy Multiple Honeypots - Anywhere
In the past, honeypots have been challenging to deploy, and they generated siloed alerts with no user context.
InsightIDR incorporates multiple types of deception technology in its detection suite, so you get defense-in-depth that also gives you valuable context for quick investigations.
Detect Horizontal Bruteforcing with Honey Users
We've learned from our pen test teams and incident responders that attackers often guess a single common password (e.g. Spring2017!) across many accounts. Because this shows up as only one failed authentication per account, no lockouts occur.
With Honey Users in InsightIDR, you are alerted as soon as a single guess is made against a fake account.
Detect Pass-the-Hash with Honey Credentials
When you deploy the Insight Agent to your endpoints, fake credentials are automatically injected into memory.
If an attacker dumps this Honey Credential from memory and tries to authenticate with it elsewhere, your team receives a Honey Credential alert.
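The following is an added example, not Rapid7 or InsightIDR code, showing how the two detections described in the Honey Users and Honey Credentials sections can be expressed as rules over authentication logs. The log format, the decoy account names, the source addresses and the thresholds are all constructed for the example; any touch of a decoy account raises an alert on its own, and a source that fails once against many distinct accounts inside a short window raises the horizontal-guessing alert that per-account lockout thresholds never catch.

```python
"""
Added example (not InsightIDR's implementation): two detection rules
over authentication events.

  Rule 1  Any authentication attempt against a decoy account, whether it
          succeeds or fails, is an alert: no legitimate user has it.
  Rule 2  One failed logon per account, spread across many accounts from
          the same source within a short window, is the "horizontal"
          password-guessing pattern that never trips a lockout.

Log format, account names, addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical decoy identities: honey user accounts created in the
# directory plus the account names of honey credentials planted in memory.
HONEY_ACCOUNTS = {"svc_backup_ro", "jsmith-admin", "helpdesk_tmp"}

# Constructed sample log, one event per line:
#   <ISO-8601 time> <source_ip> <account> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2017-05-02T09:00:01 10.0.4.17 alice SUCCESS
2017-05-02T09:00:05 10.0.9.200 bob FAILURE
2017-05-02T09:00:06 10.0.9.200 carol FAILURE
2017-05-02T09:00:07 10.0.9.200 dave FAILURE
2017-05-02T09:00:08 10.0.9.200 svc_backup_ro FAILURE
2017-05-02T09:00:09 10.0.9.200 erin FAILURE
2017-05-02T09:00:10 10.0.9.200 frank FAILURE
2017-05-02T09:05:00 10.0.4.17 alice SUCCESS
2017-05-02T09:30:00 10.0.7.33 jsmith-admin SUCCESS
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "account": account,
            "result": result,
        })
    return events


def honey_account_alerts(events):
    """Rule 1: every event that touches a decoy account is an alert."""
    return [e for e in events if e["account"] in HONEY_ACCOUNTS]


def spray_alerts(events, window=timedelta(minutes=5), min_accounts=5):
    """Rule 2: a source failing against >= min_accounts distinct accounts
    within `window`. Counting distinct accounts (not total failures) is
    what makes the one-guess-per-account pattern visible."""
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["time"])
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:]
                         if f["time"] - first["time"] <= window]
            accounts = {f["account"] for f in in_window}
            if len(accounts) >= min_accounts:
                alerts.append({"src": src, "start": first["time"],
                               "accounts": sorted(accounts)})
                break  # one alert per source is enough to open a case
    return alerts


def run(text=SAMPLE_LOG):
    """Apply both rules and return the alerts they produce."""
    events = parse_log(text)
    return {"honey": honey_account_alerts(events), "spray": spray_alerts(events)}


if __name__ == "__main__":
    for kind, found in run().items():
        print(kind, len(found), "alert(s)")
        for a in found:
            print("  ", a)
```

On the sample log the decoy rule fires twice (the failed guess against svc_backup_ro during the spray, and the later successful logon as jsmith-admin, which is exactly the reuse of a planted credential the text describes), and the spray rule fires once for 10.0.9.200, listing the six accounts it tried. A real deployment would of course read Windows security events or directory logs rather than this constructed format, but the two rules carry over unchanged.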