In cybersecurity, we spend a lot of time focusing on preventative controls — patching vulnerabilities, implementing secure configurations, and performing other “best practices” to mitigate risk to our organizations. These are great and necessary, but something must be said about getting an up close and personal look at real-world malicious activities and adversarial behavior.
One of the best ways to do this is to use honeypots. The National Institute of Standards and Technology (NIST) defines honeypots as: “A system or system resource that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears.” It’s an amusing — and appropriate — coincidence that many advanced persistent threat groups have the word “bear” in their names.
The term honeypot generally refers to an entire system or environment. Honeytokens, on the other hand, are typically individual files, records, credentials, and other objects used in the same way: decoys that entice malicious actors and yield valuable information about them. For this article, to avoid getting lost in those finer distinctions, we will use the term honeypots broadly to cover both.
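As an added illustration of the honeytoken idea just described (this is example code written for this page, not code from the original article), the following Python plants a decoy credential in a configuration fragment and then flags any log line that presents that credential. The `HONEY-` prefix, the `key=...` log format, and the sample log lines are constructed assumptions for the demo; a real deployment would use a credential the target system actually recognises and logs.

```python
"""Honeytoken demo: plant a decoy credential and detect any use of it.

Added example, not from the original article. Token format, log format and
sample logs are constructed for this demo.
"""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    name: str   # where the decoy was planted, used for triage
    value: str  # the decoy secret itself; it grants no access anywhere


def make_honeytoken(name: str, prefix: str = "HONEY") -> Honeytoken:
    """Generate a random decoy secret. The prefix is a constructed convention
    so analysts can recognise the token on sight; it has no other meaning."""
    return Honeytoken(name=name, value=f"{prefix}-{secrets.token_hex(12)}")


def plant_in_config(token: Honeytoken) -> str:
    """Return a config fragment that looks like an ordinary credential store.
    No legitimate process reads this value, so any use of it is suspicious."""
    return "# backup service credentials\n" f"BACKUP_API_KEY={token.value}\n"


# Constructed log format: one authentication attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"key=(?P<key>\S+) result=(?P<result>\S+)$"
)


def detect_honeytoken_use(log_lines, tokens):
    """Return one alert dict per log line that presents any honeytoken value.

    The result field is irrelevant to the decision: a decoy is never used
    legitimately, so even a denied attempt is a high-confidence signal.
    Lines that do not match the expected format are skipped.
    """
    by_value = {t.value: t for t in tokens}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tok = by_value.get(m["key"])
        if tok is not None:
            alerts.append(
                {
                    "ts": m["ts"],
                    "src": m["src"],
                    "user": m["user"],
                    "token": tok.name,
                    "result": m["result"],
                }
            )
    return alerts


# Constructed sample: a fixed decoy and a handful of log lines. The source
# 198.51.100.7 is from the documentation address range, not a real host.
DEMO_TOKEN = Honeytoken("config:BACKUP_API_KEY", "HONEY-constructed0001")
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z src=10.0.0.5 user=svc_backup key=REAL-key-placeholder-1 result=ok",
    "2024-05-01T10:01:12Z src=198.51.100.7 user=unknown key=HONEY-constructed0001 result=denied",
    "2024-05-01T10:02:00Z src=10.0.0.9 user=alice key=REAL-key-placeholder-2 result=ok",
    "2024-05-01T10:03:30Z src=198.51.100.7 user=svc_backup key=HONEY-constructed0001 result=denied",
    "malformed line that the parser should skip",
]


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_honeytoken_use(SAMPLE_LOGS, [DEMO_TOKEN])


if __name__ == "__main__":
    print(plant_in_config(DEMO_TOKEN))
    for alert in demo():
        print("HONEYTOKEN USED:", alert)
```

The design point is that the decoy's value is the whole detection rule: because nothing legitimate ever presents it, matching on the value alone gives a near-zero false-positive signal, and the source address and claimed user in each alert tell the responder where the decoy was read from and what the actor was trying to look like.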