Deception technology allows you to create an illusion for attackers that they have found something of interest in your environment. When you deploy intruder traps on your network, they act as a virtual trip wire. Once an attacker is tricked into accessing the trap, InsightIDR fires an alert to flag the suspicious activity.
Some types of stealthy behavior can be difficult to discern from normal activity, allowing the attacker to sneak past your security tools and into your organization undetected. Placing intruder traps as a way to distract attackers can often help you find attackers earlier and take action to block them before they access something they should not.
Use Honey Items
Various intruder traps, or Rapid7 Honey Items, can attract attackers because they are “sweet” with opportunity. The most common type of intruder trap is the honeypot: a decoy system designed to gather information about attackers on your network and to show you how they are accessing your systems.
InsightIDR has four kinds of deception traps that you can configure and deploy in this recommended order:
- Honeypots: deploy these to cover as much of the network as possible (for instance, one per subnet)
- Honey Users: add an Active Directory user whose name follows your usual username conventions but also suggests it may be a domain admin
- Honey Files: deploy files that appear valuable, such as a financial report or a document containing personally identifiable information (PII)
- Honey Credentials: these are managed by Rapid7 on the Agent, so no setup is required
Honey Alerts: attempted access to or use of any of these intruder traps triggers alerts in InsightIDR.
Limit Access to Honey Items
Because these entities serve no real business purpose, they should never be touched by legitimate users.
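The following is an added example (not Rapid7 or InsightIDR code) of the detection rule this section implies: because honey users and honey files have no business purpose, any event that touches one is alert-worthy with no baseline to filter against. It assumes Windows Security events already parsed into dicts, and the honey item names and sample events are constructed.

```python
"""Toy detector for touches of deployed honey items (added example, not InsightIDR code)."""
from dataclasses import dataclass

# Constructed names of deployed honey items; pick names that match your own conventions.
HONEY_USERS = {"svc_backupadmin"}                                   # honey user in AD
HONEY_FILES = {r"\\fileserver\finance\Q4_Payroll_Report.xlsx"}     # honey file on a share
_HONEY_FILES_LOWER = {f.lower() for f in HONEY_FILES}

# Windows Security event IDs: successful logon, failed logon, object (file) access.
LOGON_SUCCESS, LOGON_FAILURE, OBJECT_ACCESS = 4624, 4625, 4663


@dataclass
class Alert:
    kind: str       # "honey_user" or "honey_file"
    item: str       # which honey item was touched
    source: str     # source address from the event, "-" if absent
    event_id: int


def detect_honey_touches(events):
    """Return one Alert per event that touches a honey user or honey file.

    Every touch is a finding: legitimate users have no reason to log on as the
    honey user or open the honey file, so no allowlisting is applied.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        user = (ev.get("TargetUserName") or "").lower()
        obj = (ev.get("ObjectName") or "").lower()
        src = ev.get("IpAddress", "-")
        if eid in (LOGON_SUCCESS, LOGON_FAILURE) and user in HONEY_USERS:
            alerts.append(Alert("honey_user", user, src, eid))
        elif eid == OBJECT_ACCESS and obj in _HONEY_FILES_LOWER:
            alerts.append(Alert("honey_file", ev["ObjectName"], src, eid))
    return alerts


# Constructed sample events: a normal logon, a failed logon as the honey user,
# a read of the honey file, and a read of an ordinary file (no alert expected).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.1.25"},
    {"EventID": 4625, "TargetUserName": "svc_backupadmin", "IpAddress": "10.0.7.99"},
    {"EventID": 4663, "TargetUserName": "jdoe", "IpAddress": "10.0.1.25",
     "ObjectName": r"\\fileserver\finance\Q4_Payroll_Report.xlsx"},
    {"EventID": 4663, "TargetUserName": "jdoe", "IpAddress": "10.0.1.25",
     "ObjectName": r"\\fileserver\finance\readme.txt"},
]

if __name__ == "__main__":
    for a in detect_honey_touches(SAMPLE_EVENTS):
        print(f"ALERT {a.kind}: {a.item} touched from {a.source} (event {a.event_id})")
```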
See System Requirements for specific information.
You can watch a Rapid7 video that describes how all the Intruder Traps work here.