
Did you plant internally to detect malicious actors from within the organization or as a way to definitively detect external actors who have presumably entered the network through an exploit?



Both are viable. It depends a bit on industry; pharma companies, say, are quite concerned about internal threats whereas financial and retail are more likely targets of external actors.

You do need to consider the type of honeypot used - asking the question "what is the goal the adversary has" is a good question to ask and optimizing your honeypots based on that is a smart thing. An internal threat is going to look for specific types of assets, and you need to build honeypots (or decoys, as the modern lingo calls them) that look like those assets.


Why not both?


You are probably right, but ‘both’ is the easy answer I’d think.

The question really was what the intention is, not the effect.

Catching attacks from within the organisation might just be a side-effect of catching remote hackers for example. The effect is then ‘both’, but the intention is the latter.

Why the question deserves a better answer than “why not both” is that the reasoning behind using internal honeypots is interesting. Which arguments speak for it, which against.

So let’s not kill this question thread with a too shallow answer.



