Using “lures” like open network shares or database connections on production systems to attract an attacker to a “trap” server.
Using “breadcrumbs” like false file objects or data records on production systems to trace an attack through the environment and potentially externally.
Planting false credentials/tokens in memory on production systems to identify escalation attempts when a planted credential is reused (e.g. via a pass-the-hash attack).
Using a network “honey” responder that answers connection requests (e.g. a TCP SYN) aimed at nonexistent systems (e.g. with a SYN-ACK) and blocks the source IP once the connection attempt completes (e.g. on the final ACK).
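The following is an added example, not part of the original list: a small Python model of the honey-responder logic described above. It answers SYNs sent to addresses nobody legitimately uses and blocks the source only after the source completes the handshake with an ACK. The addresses, the packet trace and the `HoneyResponder` class are all constructed for the demonstration; a real deployment would sit on a raw socket or firewall hook rather than on an in-memory list of events.

```python
# Added example (not part of the original list): a minimal model of a network
# "honey" responder. Addresses and the packet trace below are constructed.
from dataclasses import dataclass, field

# Constructed: unused addresses the responder claims because no real system lives there.
DARK_HOSTS = {"10.0.0.50", "10.0.0.51"}

# Constructed packet trace: (source IP, destination IP, TCP flag).
EVENTS = [
    ("10.0.0.7", "10.0.0.5", "SYN"),       # normal client to a real server: ignored
    ("192.0.2.10", "10.0.0.50", "SYN"),    # scanner probes a dark address
    ("192.0.2.10", "10.0.0.50", "ACK"),    # scanner completes the handshake -> blocked
    ("192.0.2.10", "10.0.0.51", "SYN"),    # further probes from a blocked source are dropped
    ("198.51.100.9", "10.0.0.51", "ACK"),  # stray ACK with no prior SYN: not blocked
]


@dataclass
class HoneyResponder:
    dark_hosts: set
    pending: dict = field(default_factory=dict)  # (src, dst) -> handshake state
    blocked: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, src: str, dst: str, flag: str):
        """Process one packet; return the reply the responder would send, or None."""
        if src in self.blocked:
            self.log.append(f"drop {src}->{dst} {flag}: source is blocked")
            return None
        if dst not in self.dark_hosts:
            return None  # traffic to a real system is none of the responder's business
        key = (src, dst)
        if flag == "SYN":
            # Pretend the address is alive so the scanner commits to the handshake.
            self.pending[key] = "SYN_RECEIVED"
            self.log.append(f"lure {src}->{dst}: SYN to dark host, replying SYN-ACK")
            return "SYN-ACK"
        if flag == "ACK" and self.pending.pop(key, None) == "SYN_RECEIVED":
            # The ACK proves the source really owns its address; now block it.
            self.blocked.add(src)
            self.log.append(f"block {src}: completed handshake with dark host {dst}")
            return None
        # Anything else (ACK without a prior SYN, RST, ...) carries no proof; ignore it.
        return None


def run_trace(events=EVENTS, dark_hosts=DARK_HOSTS) -> HoneyResponder:
    """Feed a packet trace through the responder and return its final state."""
    responder = HoneyResponder(dark_hosts=set(dark_hosts))
    for src, dst, flag in events:
        responder.handle(src, dst, flag)
    return responder


if __name__ == "__main__":
    state = run_trace()
    for line in state.log:
        print(line)
    print("blocked:", sorted(state.blocked))
```

Blocking on the final ACK rather than on the first SYN is the important design choice: a SYN can carry a forged source address, so blocking at that stage would let a third party get legitimate addresses blocked, whereas the ACK can only come from a host that actually received the SYN-ACK.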
Slowing down a network connection with “tarpit” techniques to gather more forensic information.
Deploying false endpoints (e.g. VMs) on a network to act like legitimate systems.
Deploying a server “honeypot” to collect attribution information on attackers for use in threat management programs.