Engage Goals: EGO0001 Expose, EGO0003 Elicit
Engage Approach: EAP0001 Collect, EAP0002 Detect
Engage Actions: EAC0003 System Activity Monitoring, EAC0012 Personas
Name of Element: Honeytoken Accounts with Deceptive Profiles
Description of Element:
Goal: Expose attackers attempting to utilize compromised accounts and gather information about their activities.
Approach: Monitoring access to and usage of honeytoken accounts.
Create realistic but fake user accounts (“honeytokens”) with attractive data or access privileges. These accounts have deceptive profiles, leading attackers towards fabricated resources or triggering alerts upon access.
Technical Context:
These accounts are strategically placed within Active Directory or other identity systems. Monitor login attempts, resource access, and any modifications made by attackers. This aligns with the MITRE ATT&CK techniques T1078.002 (Valid Accounts: Domain Accounts) and T1087.002 (Account Discovery: Domain Account).
Other:
Vary the “attractiveness” of honeytokens – some might have high privileges, others access to sensitive data, or even appear to be dormant admin accounts.
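
An added example, not part of the original element description: a small detector for the monitoring described under Technical Context, run over constructed Windows Security events and reporting each hit with the honeytoken's lure type. The account names, lure labels and sample events are hypothetical, and the event-ID grouping is an assumption about which events to watch.

```python
# Hypothetical honeytoken accounts mapped to their lure type (constructed names).
HONEYTOKENS = {
    "svc_backup_adm": "high-privilege",
    "fin_archive": "sensitive-data",
    "adm_jlegacy": "dormant-admin",
}

# Windows Security event IDs grouped by the three behaviours being monitored
# (assumed selection; extend to match the audit policy in use).
EVENT_CLASSES = {
    4624: "logon", 4625: "logon", 4768: "logon", 4769: "logon", 4776: "logon",
    4662: "resource-access", 5140: "resource-access",
    4723: "modification", 4724: "modification", 4738: "modification",
}

def normalize(account):
    """Reduce DOMAIN\\user, user@domain and mixed case to a bare lowercase name."""
    name = (account or "").strip().lower().split("\\")[-1]
    return name.split("@")[0]

def detect(events):
    """Return one alert per event in which a honeytoken is the target or the actor."""
    alerts = []
    for ev in events:
        activity = EVENT_CLASSES.get(ev.get("EventID"))
        if activity is None:
            continue
        for field, role in (("TargetUserName", "target"), ("SubjectUserName", "actor")):
            name = normalize(ev.get(field))
            if name in HONEYTOKENS:
                # Any use is suspicious: no legitimate user owns these accounts.
                alerts.append({
                    "time": ev.get("TimeCreated"), "account": name,
                    "lure": HONEYTOKENS[name], "activity": activity, "role": role,
                    "source": ev.get("IpAddress") or ev.get("WorkstationName") or "unknown",
                })
                break
    return alerts

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-05-01T09:14:02Z", "TargetUserName": "CORP\\svc_backup_adm", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:15:40Z", "TargetUserName": "alice", "IpAddress": "10.0.2.8"},
    {"EventID": 5140, "TimeCreated": "2024-05-01T09:20:11Z", "SubjectUserName": "Fin_Archive@corp.example", "IpAddress": "10.0.5.23"},
    {"EventID": 4738, "TimeCreated": "2024-05-01T09:31:55Z", "TargetUserName": "adm_jlegacy", "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
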