Honey Users

When an attacker gets into a network, they may try to to break into user accounts, especially those that have an important description. Attackers frequently attempt to authenticate to as many user accounts as possible during an attack. This helps them expand their footprint and gain access to more assets and privileges without tripping any traditional alarms.

With InsightIDR, you can create user accounts within Active Directory that look exciting to an attacker. If any attempt is made to log in using this account, InsightIDR will fire a detection.

Rapid7 Honey Users

A honey user is a fake user that is not associated with a real person within the organization, and therefore should never be accessed.

Honey users are a unique way to detect attacker activity. If someone attempts to log in to a honey user account, InsightIDR generates a Honey User Authentication incident, which displays the time at which the attempt was made and the asset that was targeted.

Before You Begin

Before creating a honey user, please note the following:

  • Once you create a honey user, the Collector must make an LDAP pull in order for the honey user to appear. This may take a day or more.
  • In order to see honey user attempts or honey user evidence, you must have an Active Directory event source configured to pull security event logs from the Domain Controller(s) in your environment.

Create a Honey User

To create a honey user:

  1. Create a new user in Active Directory with a believable name, but do not allow anyone access to the account. This will be your new honey user.
  2. Give the honey user every appearance of a normal employee of the company. This includes things like a complex passphrase, organizational mappings, permissions, or whatever else may trick an attacker into believing the user is an actual employee.

Remember that honey users may have multiple accounts. In fact, multiple accounts can increase the likelihood that an attacker will target the user, as it seems more authentic and provides additional chances for reaching an administrative role.

  1. Log in to your account in InsightIDR. Go to Settings > Deception Technology, and click the Honey Users tab.
  2. Enter the newly created honey user’s name in the search bar on the page (not the global search bar). Select the name to mark the user as a honey user.

LDAP makes honey users available in InsightIDR

In order for the honey users to appear when you search for them, the Collector needs to make an LDAP pull after you create the honey user(s).

Therefore, you may need to wait a day or so after creating the honey users in Active Directory before you can configure them in InsightIDR.

Test a Honey User

Any attempt to authenticate with a honey user will trigger a detection. The easiest way to test the honey user is to use a tool like Microsoft Remote Desktop.

First, attempt to log into the Windows domain with the honey user account.

After attempting to authenticate with the honey user, wait a few minutes and then navigate to Investigations in InsightIDR to verify that an investigation was created for a Honey User Authentication detection rule.