Right but that's just it. I've always toyed with the idea of honeypots in my mind. But I'm not sure what type to incorporate into existing security measures.
I primarily deal with big financials and fintechs. The problems they have are very difficult to solve. They are slow, have big legacy processes and tech and combine that with large targets on their backs. The signal to noise ratio is very bad, given the amount of users and old weird tech in the network. They need something better than 1000s of "Suspicious file on machine" warnings EDR generates for them. Or "beaconing detected" every time a youtube endpoint changes or something.
They can only tackle one single security measure at a time, because any change is a Big Project given the existing infrastructure, red tape and ways of working.
I always come to the conclusion that honeypots would not work. The security is good enough to ensure that the threats that do slip past will not make the mistake of scanning the network once inside. They'd probably not even notice there were any honeypots in the network.
To catch them when they're moving in the network you'd need to give them credentials that appear to give them the keys to the kingdom. Perhaps a user present on each machine that appears to be admin on a domain controller that does not exist? That'd be a honeypot server + credential...
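The decoy-credential idea in the post above is only useful if someone is watching for the decoy being used. As an added example (not the poster's code, and not from any product), the detector below treats any authentication activity involving a planted account, or any DNS lookup for the domain controller that does not exist, as a high-fidelity alert, because neither has a legitimate use. The account names (`svc_dcbackup`, `dc01admin`), the hostname (`dc-legacy01`), and the sample log lines are constructed; the JSON field names mirror the Windows Security and DNS Client event fields (EventID, TargetUserName, Computer, QueryName) but the exact shape will depend on whatever log shipper is in use.

```python
"""Honeytoken credential alerting over Windows event logs.

Any logon, failed logon, Kerberos ticket request or NTLM validation that names
a decoy account is treated as critical, because the account has no legitimate
user. A DNS lookup for the decoy domain controller is treated as high, because
nothing should ever try to reach a host that does not exist.
Event IDs: 4624 logon, 4625 failed logon, 4768 TGT request, 4769 service ticket
request, 4776 NTLM validation, 3008 DNS Client query completed.
All sample data below is constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical decoy identities planted by the defender (assumed names).
DECOY_ACCOUNTS = {"svc_dcbackup", "dc01admin"}
DECOY_HOSTS = {"dc-legacy01"}  # the domain controller that does not exist

AUTH_EVENT_IDS = {4624, 4625, 4768, 4769, 4776}
DNS_QUERY_EVENT_ID = 3008


@dataclass
class Alert:
    severity: str
    reason: str
    host: str
    account: str
    event_id: int


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON-encoded event; skip malformed lines instead of crashing."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) else None


def evaluate(ev: dict) -> Optional[Alert]:
    """Return an Alert if the event touches a decoy account or decoy host."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    # Account names are case-insensitive in Windows; normalise before matching.
    account = (ev.get("TargetUserName") or "").lower()
    if eid in AUTH_EVENT_IDS and account in DECOY_ACCOUNTS:
        return Alert("critical", "decoy credential used", host, account, eid)
    # DNS Client event 3008 carries the queried name; strip the domain suffix
    # so "dc-legacy01.corp.example." still matches the short decoy hostname.
    query = (ev.get("QueryName") or "").lower().rstrip(".")
    if eid == DNS_QUERY_EVENT_ID and query.split(".")[0] in DECOY_HOSTS:
        who = ev.get("SubjectUserName", "?")
        return Alert("high", "decoy host resolved", host, who, eid)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through the detector and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = evaluate(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events: two benign logons, two decoy-account uses,
# one lookup of the fake DC, and one garbage line a shipper might emit.
SAMPLE_LOG = [
    '{"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe"}',
    '{"EventID": 4768, "Computer": "DC02", "TargetUserName": "svc_dcbackup"}',
    '{"EventID": 4625, "Computer": "WS07", "TargetUserName": "DC01Admin"}',
    '{"EventID": 3008, "Computer": "WS07", "SubjectUserName": "jdoe", '
    '"QueryName": "dc-legacy01.corp.example."}',
    'not-json',
    '{"EventID": 4769, "Computer": "DC02", "TargetUserName": "jdoe"}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.reason}: account={a.account} host={a.host} event={a.event_id}")
```

The point of the design is that there is no tuning: every match is worth a human looking at it, which is what separates this from the "suspicious file" noise described above. The one operational trap is the seeding process itself, so whatever plants the decoys must never actually authenticate as them.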
Would you be open to a friendly chat on how we could possibly improve on this? As a small company, it's fair to say the big financials have evaded us so far - however, it doesn't mean it would be highly useful to understand how the top end thinks about internal threats.
My email is in my profile, so if you're up for it, send me a message. Seeing as it's slightly unconventional to solicit chats via message boards, no hard feelings if you're not interested, and if so there's no need to reply.