I mentioned that the idea for Intrusion Detection Honeypots #idhbook was floating around in my head for a long time. Something I didn't mention in the book is that it was my time as a pen tester many years back that crystallized some key parts of the concept for me. 🍯 1/
As the attacker, it's all about iterative discovery. You access something, look around, and leverage your access to move on to the next thing. You do this until you reach a goal, whatever it may be. 2/
Good attackers exhibit some common traits -- seeking to decrease ambiguity, adaptability, and curiosity are big ones. You have to take what the network gives you and manipulate it. I really learned the value of these things in the offensive context at @inguardians. 3/
The idea for Intrusion Detection Honeypots is that if you (the defender) can control what the attacker sees and thinks during their iterative discovery, you can control what they do. You are taking advantage of the things that make attackers good and successful. 4/
That's why attackers are so vulnerable to being manipulated by savvy defenders. We can easily place honey services/docs/tokens in front of attackers by knowing where they are likely to come from (common footholds) or where they are likely to go (valuable assets). 5/
Once they see the honeypot we place, we can easily make it appear valuable by blending in with other valuable things or standing out from less valuable things. 6/
There are so many ways to exhibit value because attackers WANT to believe things they've found have value. They yearn for it, thirst for it even. An interestingly named document, a system advertising a service they've never heard of, a custom-looking web app -- irresistible. 7/
At this point, the attacker MUST explore and interact. It's at the core of what they do. It's the bedrock of their entire mindset. It doesn't matter if they find out it's a honeypot later, by the time they figure it out you already know they're on your network. 8/
Intrusion detection honeypots take advantage of the thing that makes attackers good at what they do. It preys on their very sense of identity. Their adaptability and their curiosity can be their downfall when defenders take advantage of it. 9/
You have to be an experienced red teamer to be a great blue teamer. But, my red team experience was essential for conceptualizing some of the IDH concept. It's why the book isn't just a list of ways to implement IDH, but an entire framework for a deception mindset. 10/
I show you how to create a bunch of IDHs in the book. But the underlying goal is to teach you to think deceptively so that you can go well beyond the techniques I provide.

See-Think-Do.

Control the first two and you control the third. 11/11
You *don't have to be
Keep Current with Chris Sanders 🍯