Intrusion detection works best when you can discover the attacker while they are still in the system. Finding out after the fact does little to protect your systems and your data.

Ideally, you would want to set an alarm that an attacker would trigger while limiting the damage to your environment.

We know from many recent breaches that attackers commonly try to expand their foothold in a system by finding and exploiting hardcoded credentials in environments they have accessed. We can use these behavioral patterns to our advantage by engaging in defensive cyber deception.

You might already be familiar with the concept of honeypots: false systems or networks meant to lure and ensnare attackers. There is a subclass of honeypots that requires almost none of the overhead, is simple to deploy, is used across many industries, and lures attackers into triggering alerts while they are trying to gain further access. The industry has settled on the term honeytoken for this branch of cybersecurity tooling.
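To make the mechanism concrete, here is an added example (not code from the talk or its speaker) of the whole honeytoken loop: mint a bait credential, plant it in a config file the way a real hardcoded secret would appear, and then scan authentication logs for any use of it. The log format, the `hk_` key prefix and the file paths are assumptions; the log lines and config text are constructed for the demo. The point it shows is that a honeytoken has no legitimate use, so a single sighting is a high-fidelity alert, and that detection should still fire on an unstructured line that merely contains the bait value.

```python
import re
import secrets
import string
from dataclasses import dataclass

# Constructed example. A honeytoken is a bait credential that no legitimate
# code path ever uses; the only thing it can do is raise an alert when used.


@dataclass(frozen=True)
class Honeytoken:
    planted_in: str  # hypothetical location, e.g. a config file in the repo
    value: str       # the bait credential itself


def mint_honeytoken(planted_in: str, length: int = 32) -> Honeytoken:
    """Create an unguessable bait credential.

    The value is random so it cannot collide with a real secret; the "hk_"
    prefix is an assumed convention that makes it look like an API key to
    someone grepping a checkout for credentials.
    """
    alphabet = string.ascii_letters + string.digits
    value = "hk_" + "".join(secrets.choice(alphabet) for _ in range(length))
    return Honeytoken(planted_in=planted_in, value=value)


def plant(token: Honeytoken, template: str) -> str:
    """Render a config file with the bait embedded as a hardcoded credential."""
    return template.replace("{{HONEYTOKEN}}", token.value)


# Assumed log format for the service the bait credential points at:
#   <timestamp> <source-ip> <event> key=<credential>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) key=(?P<key>\S+)$")


def detect(tokens, log_lines):
    """Return one alert per log line in which a honeytoken value appears.

    Structured lines are parsed so the alert carries source and event; any
    other line containing a bait value still alerts, because a honeytoken
    has no legitimate use and even an unparsed sighting is worth a response.
    """
    by_value = {t.value: t for t in tokens}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("key") in by_value:
            tok = by_value[m.group("key")]
            alerts.append({"ts": m.group("ts"), "src": m.group("src"),
                           "event": m.group("event"), "planted_in": tok.planted_in})
            continue
        for value, tok in by_value.items():
            if value in line:
                alerts.append({"ts": None, "src": None, "event": "unparsed",
                               "planted_in": tok.planted_in})
                break
    return alerts


def demo():
    """Plant two tokens in constructed config text, then scan constructed logs."""
    db_token = mint_honeytoken("config/database.yml")   # hypothetical path
    s3_token = mint_honeytoken("scripts/backup.sh")     # hypothetical path
    real_key = "hk_" + "x" * 32  # stands in for a genuine credential (constructed)

    config = plant(db_token, "db_password: {{HONEYTOKEN}}\n")
    assert db_token.value in config  # the bait now sits where an intruder would look

    log_lines = [  # constructed sample log lines
        f"2024-04-25T13:50:01Z 10.0.0.5 login key={real_key}",            # legitimate use
        f"2024-04-25T13:52:17Z 198.51.100.9 login key={db_token.value}",  # bait used
        f"2024-04-25T13:53:40Z 198.51.100.9 list-buckets token {s3_token.value} rejected",
        "2024-04-25T13:54:00Z 10.0.0.5 logout key=-",
    ]
    return detect([db_token, s3_token], log_lines)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two design choices matter in practice: the bait is minted with a cryptographic random source so it can never equal a real credential, and the alert records where the token was planted, which tells the responder which file or host the intruder has already read.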

Takeaways:
- Analysis of recent breaches for common attack behaviors
- A history of cyber deception and the evolution of honeypots in defensive strategies
- Understanding how honeytokens work
- Maximizing the impact of honeytokens

Comments


Fascinating stuff. I don't post anything to outside repos, so I wonder, is there any other way to use this technology?

Myles Hyson at 13:53 on 25 Apr 2024

This was great. Gonna look into implementing different honey tokens on our servers.

This honestly blew my mind. Thank you for the content and the clear presentation.

My only constructive feedback is that the slides were hard to read on the discolored projector, so you might benefit from a higher contrast between the text and the background.

taylor shuff at 14:11 on 25 Apr 2024

Great talk. I enjoyed learning about the history/origins of honeypots and honeytokens.

Joanna Kus at 14:20 on 25 Apr 2024

Very interesting talk, enjoyed the history information behind honeytokens. Great speaker.