Trying to figure out the general attitude towards Deception/Honeypots as production level ready systems to glean information about attackers?

I'm personally convinced of the value they could bring when deployed appropriately and leveraged intelligently, i.e. used to answer specific questions about potential attackers and their methods.

What's your take?

#deception #threatintelligence #honeypots

@cstromblad I’m a deception maximalist - so no argument there. But can you elaborate on the specific hypothesis approach you mentioned?

@singe the idea is very much the same as intelligence led Threat Hunting. Hunting without a purpose is really nothing more than expecting to find evil because you want to.

Hypothesis driven hunting should translate equally well to Deception and Threat Intelligence. What question do you want answered? If you made an assumption about where initial access might occur, deception/Honeypots should ideally be placed close to these assumptions.

Hypothesis driven deception I guess you could say.

@cstromblad @singe
The term "Hypothesis driven deception" is awesome. The hypotheses are even supported by known TTPs, so they are (can be) data driven hypotheses.

@martinboller @singe

That's what I'm thinking. Will be exploring the idea/concept with a few customers to see what to make of it. I'll report back when the time is ripe :-)