What if you could catch attackers simply by watching what they shouldn’t be touching? Sean Metcalf shares how carefully crafted honeypots and identity traps provide high-fidelity detection without drowning in alerts.
⬥GUEST⬥
Sean Metcalf, Identity Security Architect at TrustedSec | On LinkedIn: https://www.linkedin.com/in/seanmmetcalf/
⬥HOST⬥
Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com
⬥EPISODE NOTES⬥
Sean Metcalf, a frequent speaker at conferences like Black Hat, DEF CON, and RSAC, brings a sharp focus to identity security—especially within Microsoft environments like Active Directory and Entra ID. In this episode, he walks through the practical and tactical role of honeypots and deception in detecting intrusions early and with higher fidelity.
While traditional detection tools often aim for broad coverage, honeypots flip the script by offering precise signal amidst the noise. Metcalf discusses how defenders can take advantage of the attacker’s need to enumerate systems and accounts after gaining access. That need becomes an opportunity to embed traps—accounts or assets that should never be touched unless someone is doing something suspicious.
One core recommendation: repurpose old service accounts with long-lived passwords and believable naming conventions. These make excellent bait for Kerberoasting attempts, especially when paired with service principal names (SPNs) that mimic actual applications. Metcalf outlines how even subtle design choices—like naming conventions that fit organizational patterns—can make a honeypot more convincing and effective.
He also draws a distinction between honeypots and deception technologies. While honeypots often consist of a few well-placed traps, deception platforms offer full-scale phantom environments. Regardless of approach, the goal remains the same: attackers shouldn’t be able to move around your environment without tripping over something that alerts the defender.
Importantly, Metcalf emphasizes that alerts triggered by honeypots are high-value. Since no legitimate user should interact with them, they provide early warning with low false positives. He also addresses the internal politics of deploying these traps, from coordinating with IT operations to ensuring SOC teams have the right procedures in place to respond effectively.
Whether you’re running a high-end deception platform or just deploying free tokens and traps, the message is clear: identity is the new perimeter, and a few strategic tripwires could mean the difference between breach detection and breach denial.
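One way to turn a honeypot service account like the one described above into a high-fidelity alert, as an added example that is not from the episode or from Metcalf's articles: a small detector that scans already-parsed Windows Security events for any touch of the honeypot account (4769 service-ticket requests against its SPN, 4771/4625 failed logons against it, and a 4768 TGT issued to it). The account name svc-sqlbackup, its SPN, the host name and every event record are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Honeypot registry (constructed, not from the episode): a repurposed service
# account and the SPN tagged on it. The SPN's host name follows the organisation's
# naming pattern but is not a real server, so no valid client ever asks for it.
HONEYPOTS = {
    "svc-sqlbackup": "MSSQLSvc/sql-x-ray.corp.example:1433",
}

RC4_HMAC = "0x17"           # 4769 TicketEncryptionType preferred by Kerberoasting tooling
PREAUTH_FAILED = "0x18"     # 4771 Status KDC_ERR_PREAUTH_FAILED (wrong password)


@dataclass(frozen=True)
class Alert:
    rule: str        # which trap fired
    honeypot: str    # honeypot account that was touched
    requester: str   # account that did the touching
    source_ip: str   # client address recorded by the DC
    time: str        # event timestamp
    detail: str      # human-readable context for the SOC runbook


def _norm(name: str) -> str:
    """Lower-case a principal, dropping a realm suffix (user@REALM) or trailing '$'."""
    return name.split("@", 1)[0].rstrip("$").lower()


def honeypot_for(name: str) -> Optional[str]:
    """Return the registered honeypot matching an account/service name, if any."""
    n = _norm(name)
    return next((h for h in HONEYPOTS if h.lower() == n), None)


def detect(events: Iterable[dict]) -> List[Alert]:
    """Return one Alert per event that interacts with a honeypot account."""
    alerts: List[Alert] = []
    for ev in events:
        eid = ev.get("EventID")
        ip = ev.get("IpAddress", "")
        t = ev.get("TimeCreated", "")
        if eid == 4769:
            # Service ticket requested for the honeypot's SPN: nobody should ever do this.
            hp = honeypot_for(ev.get("ServiceName", ""))
            if hp:
                enc = ev.get("TicketEncryptionType", "")
                detail = f"TGS for {HONEYPOTS[hp]} enc={enc}"
                if enc == RC4_HMAC:
                    detail += " (RC4 requested: consistent with Kerberoasting)"
                alerts.append(Alert("honeypot-tgs-request", hp,
                                    ev.get("TargetUserName", ""), ip, t, detail))
        elif eid in (4771, 4625):
            # Someone tried the honeypot's credentials (e.g. a planted fake password).
            hp = honeypot_for(ev.get("TargetUserName", ""))
            if hp:
                status = ev.get("Status", "")
                why = "wrong password" if (eid == 4771 and status == PREAUTH_FAILED) \
                    else f"status {status}"
                alerts.append(Alert("honeypot-logon-attempt", hp, hp, ip, t,
                                    f"event {eid}: {why}"))
        elif eid == 4768 and ev.get("Status", "0x0") == "0x0":
            # A TGT was actually issued to the honeypot: its password is known to someone.
            hp = honeypot_for(ev.get("TargetUserName", ""))
            if hp:
                alerts.append(Alert("honeypot-logon-success", hp, hp, ip, t,
                                    "TGT issued: honeypot credentials are in use"))
    return alerts


# Constructed sample events in the shape of parsed Security log records.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2025-07-28T09:01:10Z", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc-exchange", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.20.30.11"},
    {"EventID": 4769, "TimeCreated": "2025-07-28T09:01:12Z", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc-sqlbackup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.20.30.40"},
    {"EventID": 4771, "TimeCreated": "2025-07-28T09:04:33Z", "TargetUserName": "svc-sqlbackup",
     "Status": "0x18", "IpAddress": "::ffff:10.20.30.40"},
    {"EventID": 4625, "TimeCreated": "2025-07-28T09:05:00Z", "TargetUserName": "carol",
     "Status": "0xC000006D", "IpAddress": "::ffff:10.20.30.12"},
    {"EventID": 4768, "TimeCreated": "2025-07-28T09:06:00Z", "TargetUserName": "alice",
     "Status": "0x0", "IpAddress": "::ffff:10.20.30.11"},
]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed events (two alerts expected)."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.time} {a.rule} honeypot={a.honeypot} by={a.requester} from={a.source_ip}: {a.detail}")
```

Every alert carries the requesting account, source address and timestamp, which is exactly what the SOC runbook needs to triage a honeypot hit as a high-fidelity event.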
⬥SPONSORS⬥
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
ThreatLocker: https://itspm.ag/threatlocker-r974
⬥RESOURCES⬥
Inspiring Post: https://www.linkedin.com/posts/activity-7353806074694541313-xzQl/
Article: The Art of the Honeypot Account: Making the Unusual Look Normal: https://www.hub.trimarcsecurity.com/post/the-art-of-the-honeypot-account-making-the-unusual-look-normal
Article: Trimarc Research: Detecting Kerberoasting Activity: https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity
Article: Detecting Password Spraying with Security Event Auditing: https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-password-spraying-with-security-event-auditing
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast:
🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/
Interested in sponsoring this show with a podcast ad placement? Learn more:
[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on ITSPmagazine. This is Sean Martin, your host, where I get to talk about all kinds of cool things with some cool people in the industry. And I'm thrilled to have a fellow Sean on the show. Uh, we both spell our name the same way.
Sean Metcalf. How are you today?
[00:00:17] Sean Metcalf: I'm doing good. Thank you, Sean.
[00:00:19] Sean Martin: It's good to, good to meet you. Good to have you on the show. Uh, oftentimes I'm, uh, I'm intrigued by stuff I see on, I probably spend too much time on social media, but it, it is work related. Most of the stuff I do, even if it's, uh, if it's a recreational hobby that's work related, uh, like music.
But, uh, Sean posted a. Uh, a note the other day, five days ago, in fact, I'm looking at here, uh, looking at the art of the Honeypot account. And, um, it's something, this is a topic that's interested me for a while. Um, the idea that. You can kind of see if somebody's inside and moving around and crossing and [00:01:00] touching and looking at stuff that you might not want them to.
And of course, you, you don't want them to actually find the real stuff. And that's the idea of you on the honeypot. And that's, uh, hopefully Sean can explain it much more than I can, better than I can. But, uh, it, it's interesting 'cause I think it. It's a different way to identify, uh, what's going on beyond just endpoint detection and response and those types of things.
We're gonna talk about that, and I think more specifically around identities and, and, uh, those types of things. So, Sean, thanks again for joining me. Um, maybe a few words about where you're up to. I, I think you've spoke, spoken at DEF CON. Uh, you, you do a lot of stuff for the industry. Uh, who's Sean? What are you up to these days?
[00:01:41] Sean Metcalf: Absolutely. Thanks Sean. I, uh, I've spoken at a number of conferences in the past, including Black Hat, DEF CON, RSA, um, numerous BSides, and, uh, most of what I focus on is Microsoft Identity Security. So basically Active Directory and Entra ID now. Entra ID was Azure AD. [00:02:00] And so, uh, my, my focus is really on identity security and how we can better secure the identity, our Microsoft identity, um, because it's so prevalent out there, as in, in the industry.
[00:02:14] Sean Martin: No, I'm gonna start off with a, maybe an odd question or maybe it's super relevant. Um, 'cause we, we see a lot of, um. Talk about non-human identities. So how much of that, how much of your brain takes up, uh, looking at machine identities or sensor identities or stuff that aren't necessarily humans, AI and agents and all that stuff.
Is that a big part of the, the equation
[00:02:37] Sean Metcalf: Well, from the perspective of non-human accounts that are service accounts in Active Directory or service principals in Entra ID, uh, that is an issue because they have rights. They have highly, they're highly permissioned, highly privileged, and they have abilities and they don't authenticate like humans do.
So therefore there's additional. Uh, protections that need to be applied around that different [00:03:00] understandings. One of the challenges that we've had in Active Directory for a number of years now, now that it's over 20 years old, 20 over 25 years old, excuse me. Uh, we have an issue with service accounts that have been out there for 5, 10, 20, maybe even 25 years, and people don't always understand what those service accounts are for, and they get left in highly privileged groups like domain admins.
[00:03:25] Sean Martin: Yeah, lot, lots of fun stuff to look at there. So can we, and I'm sure we'll touch on that in maybe some scenarios or u user stories or what have you, but I'm sure a lot of, uh, a lot of folks who listen to the show have some, some sense of what a honeypot is. Um. As you're putting this article article together, can you kind of frame the context of honeypots?
I know there were honeynets and then there's a honey is a honeypot for a file look different or you have to treat it differently or think differently than than a Honeypot account. So you kind of paint that broad picture for us and [00:04:00] we'll get into some of the
[00:04:00] Sean Metcalf: Certainly. So we've, we've all heard the, the saying before that attackers only have to be right once. Defenders have to be right all the time or every time. Well. That may be true for initial access to breach itself, but once the attacker gets inside the network and inside the environment, uh, that actually flips around.
So then now the attacker has to be right pretty much all the time because if they misstep, then the defender's gonna know that they're there. And the defender only has to be right once knowing where that attacker is and what they're doing. And the best way to do that is to set up, uh. Basically, uh, what Jessica Payne referred to as building the, the, the attacker's playground.
So effectively setting up the environment so that way there's trip wires, there's things that you know that no one should ever access, no one should ever connect to, no one should ever open. And if it, if it does open, if it is connected to, if it is used, then you know that that is an attacker because there's no reason for any valid user.
In the environment to ever [00:05:00] connect or or use that resource. And so one of the things that's very important about the honeypot, either account or environment, is that it is something that is, it looks like everything else, but it's not.
[00:05:15] Sean Martin: And I, and I guess that that's the true, I played around with one. I, I don't have one set up now, but I, I played around with one, uh, a while back and I think. A lot, lot of systems and services give you a template or a starting point. Um, and in my mind, well if, if that's the starting point that every, all of them look the same to start with, then probably easier to spot for from a bad actor's perspective.
So how, how do we, 'cause there's some tips specific around the identity that it's, it's not a new account, um, that if it's a service account, it actually. It looks like a service account isn't just a, an empty fake account. So kind of talk to us what, what it means to set up, [00:06:00] uh, an account that's, that's non, I guess.
Yeah. It's not easy to detect that it's fake.
[00:06:06] Sean Metcalf: So there's things that attackers are gonna look for. They're gonna look at the environment that we're going to enumerate, uh, highly privileged group membership to identify who are the admins in the environment, what are those accounts that that might look, uh, like, uh, ideal targets. And so they're going to separate those into probable human accounts and probable machine accounts or service accounts.
And the service accounts are very interesting because those typically have passwords that haven't changed in 5, 10, 15 years or more. And so therefore. The attacker has time to work on those. The human accounts may change their password every year. They may change their password every couple years. They may change their password a couple times a year, but those are more likely to change.
So going after the machine accounts with older passwords is something that looks like a juicy target to the, to the attacker if we're able to. Take an account that's been around for a while, maybe an old service account, and repurpose that as a honeypot account. We [00:07:00] can identify if someone's attempting to log on with that account or if it's interesting to them.
So one of the ways that we can do this is through a method that I, I published years ago where it was about building a Kerberoasting honeypot. Uh, Kerberoast is an approach to, uh, I basically crack a password of a service account. Typically, uh, that account has what's called a Kerberos service principal name, which is effectively a pointer.
So you have a service that's running on a server like, uh, SQL database, and you want be able to provide, uh. Kerberos authentication to that SQL server. So you have to set up a service account and with that service account, and you tag it with the service principal name that's associated with SQL, so that way when the user attempts to connect to that database, uh, then the domain controller that's authenticating, that user knows how to route them to that service and can complete the Kerberos authentication.
So one of the things that we can do is we [00:08:00] can create an account as a service account, or again, repurpose an old one, make sure it has a service principal name on it that is for a server that exists on the network, but isn't really for what the purpose is, is for. So, um, we want it to blend in. So for example, if all the applications are named, uh, after the Greek alphabet, like Alpha, beta, Charlie, Delta, uh.
Et cetera, et cetera. The Echo, uh, we wanna make sure that those are, um, what we're using and maybe we use x-ray, maybe we use something different. Maybe we, we ha we misspell something, uh, in that, so that way it looks like the others, but it's not exactly the other. Um, and I'd be remiss if I didn't mention, uh, a company.
I have no association with the company. Uh, but Thinkst Canary, uh, T-H-I-N-K-S-T. Uh, they have canaries that can look like just about any server on the network and operate like them, and they just sit there and hang, hang out. And when an attacker scans the environment, then. [00:09:00] You know, you, you get an understanding that someone is doing something that they shouldn't.
They're, they're trying to connect to something that a valid user wouldn't, uh, Thinkst also has a number of free, uh, canary files and what they call honey tokens that can be placed on shares, placed in file system, completely be placed in SharePoint and other places. So that way if someone is connecting to a share that they shouldn't, they're opening up a file that they shouldn't, you know, that something interesting or unusual is happening.
[00:09:28] Sean Martin: And is it, so if I, if I didn't misunderstand you, you create the account that. Not only looks and smells like, but it actually can, can connect to something and then, and do something. So you actually get the authentication and then the access to either a Thinkst, uh, server or yeah, device or a file or what have you.
[00:09:51] Sean Metcalf: Yeah. An interesting approach would be to, to actually use a, uh, a honeypot account that's associated with a Thinkst honeypot server. That would be a [00:10:00] very interesting approach.
[00:10:03] Sean Martin: So what, what else does, um, let's speak to, uh, our CISO and security leader friends here. Um. How does this fit into their, their bigger program from a detection and response perspective? How do they, uh, how do they fold those events in perhaps with, uh, some other access control events and
[00:10:24] Sean Metcalf: Sure. Well, I think it's important that this point to also mention that there's a difference between honeypots and deception technology. So there is some technology that different companies have out there where effectively they create, uh, virtual instances of. Servers, virtual instances of users for, for instances of groups, things that are not really in active directory, but look like they are.
And therefore, whenever the attacker attempts to connect to those or in use or interact with those sort of virtual, its, I'm using virtual as as they're kind of ethereal. They don't really exist, but they seem to be there. Uh, so [00:11:00] therefore the attackers going after those, um, they're enumerating those along with the, the real ones.
And so we know that there's someone doing something that. That shouldn't be doing something. The goal with a honeypot is that you only get one alert or you only get a series of alerts when something bad is happening, when there's someone who is malicious, when there's someone who shouldn't be connecting to things that they, they shouldn't be connecting to.
And one of the great things about using, uh, for example, the Thinkst honey token, again, I have no association with them, is that you could actually set this up on share and identify insider threat potentially. Uh, if someone is trolling around and looking for something they shouldn't, you could even create a, uh, a file called passwords and have, have a, the, the Thinkst, uh, honey token associated with that.
And when someone attempts to open up that file, then there's a, a beacon that goes out and informs the SOC that someone is connecting to something that they shouldn't, someone is doing something they shouldn't be doing. Um. [00:12:00] In the example of a honeypot account in Active Directory, someone is trying to interact with it.
They're either trying to log on with it. You could put, uh, a, a fake password in the description field or another field on that account, which happens. Uh, you could even put a password, uh, file on a share and have that point to an account that you've created, that you're using as, as this kind of multi-layered honeypot account.
But the goal of the honeypot is that since it's not. Valid since it's not something that's real, any connection to it or any use of that has by definition, has gotta be some, someone who has, uh, is not an authorized user. It's not a valid user. It's not someone that is doing something as part of their regular workday.
So whether that's an internal person, so an internal threat, or whether that's some sort of external threat that is connected inside the environment, it's gonna give us some, some interesting information depending on the, the. Source of, of this, [00:13:00] uh, alert that's gonna happen, uh, how that that user or malicious, uh, user interacts with that system.
We're going to get either one event or we're gonna get several events that something is happening. And the benefit of this is we're gonna know what the user account is that's being used, what computer account it's coming from, and of course the date and timestamp associated with that, along with some of that activity.
And if we create a, uh. A well-crafted SOP around that actual system. Then we'll be able to identify when there's attack that's happening.
[00:13:35] Sean Martin: And so going about and, and setting up an account, I think there are probably ways to manipulate files and other things in terms of date, but um, is it easy to, because one of the first things. It's not a recently created account, it's one of the, one of the points you make in, in your article on LinkedIn.
Um, is that easy to do or do you have to resurrect an old [00:14:00] one or, I, how do, how do you get that first step
[00:14:02] Sean Metcalf: Sure. So, um, something is better than nothing, so you could absolutely just go ahead and create something, uh, brand new account. Go ahead and make it look like the the others. Um. However, the, it's better if it has some age to it. Uh, if there's a service account that's been around for a while that's been decommissioned, why not resurrect that and use that in, in this, for this purposes, because we would be able to then identify if there's something happening on the network.
Um, what's interesting about security is that I came from, uh. The engineer architecture side of the house, uh, where I was managing and administering and designing, uh, the systems like Active Directory itself. And with that, you really wanted to get to an 80, 90, 95% solution, maybe even a hundred percent if, if possible, because that's where you could show impact on the security side.
If you're able to move the needle 20% or 30% or [00:15:00] 40%, uh, that's great. And in a situation I worked, uh, as a consultant with, with a company years ago, um, I actually helped them set up a Kerberoasting, uh, honeypot. So again, that, that service principal name, that that points to something that doesn't really exist, that's not valid.
And when the, when, uh, uh, a pen tester came in the door and was working on their pen test, one of the first things they did was recon. They identified that there was. This Honeypot account that was part of these other accounts that were there that also had Kerberos service principal names, and they enumerated all of those.
Well, we had detections set up for that. And once we, I identified and saw that, um, that a number of accounts were, were enumerated from the perspective, which one had service principal names, um, and actually got a. A Kerberos service ticket for, for these different, uh, accounts, but more importantly, the one account that was the Honeypot account, that was one of the ones that they look, they also attempt to get a service ticket for.
Again, [00:16:00] since this is a honeypot account, there is no existing server that is associated with that, and no valid authorized user would ever be trying to connect to the server that we made up.
[00:16:11] Sean Martin: To, to reset the password so they can, so they can access it. Um, so the, just the act of enumeration, um, can trigger, which is very early warning. Right. So they're not even, not even attempting to, to leverage the account yet. They're just, they've listed it, they.
[00:16:27] Sean Metcalf: Right. And, and there's another way to actually do that. In Active Directory, you can actually set a, an, uh, audit, uh, configuration on a group. Domain admins. And anytime someone accesses that and tries to enumerate it, you can get a, a, uh, an event, an alert on that. Uh, so there are things you can do with Active Directory natively to enhance that.
So you could even set up that cur, that, uh, account, that honeypot account. And set up auditing on it so that you can identify when someone actually, uh, interacts with that. Now, granted that auditing, [00:17:00] uh, event, uh, gets pretty large. Uh, and so in larger environments, that's not as, uh, uh, not as feasible. Uh, but certainly in the smaller environments, the, these are things that can be done, uh, pretty easily, especially around a honeypot account.
[00:17:15] Sean Martin: And so on, on the note of scale or scope, um, is it important or necessary or, or not to have multiple. Honey Pot accounts.
[00:17:29] Sean Metcalf: On the goal, so. You could definitely set up multiple honeypot accounts. You could have one that's set up with a Kerberos service principal name that doesn't point to a valid server. Uh, you could have another one, uh, which is basically just an account that's in, say, domain admins. And in the, uh, in a, in a field on that account, like the description or the info or the notes field, you could actually put in a fake password for that account and then monitor for a bad password attempt on that account.
[00:18:00] Uh, 'cause that's something, it's, it looks too juicy to not try it. And so, um, when we've done security assessments, we've identified an account that looked really like it was probably a honeypot account. Uh, 'cause we have ways to, to look and really. Identify artifacts in Active Directory. And so we were, we typically are able to identify a honeypot account.
Um, so we saw something that looked like it was a honeypot account, so we talked to the, to the customer about it and said, Hey, if this is a honeypot account, then everything's fine. If it's not, uh, you have had someone that's put a password in a, in a notes field or one of the, one of the fields in, um, Active Directory for this account.
And so it's not a good idea to have that there. If this is something other than a honey account,
[00:18:48] Sean Martin: Another. Other signals that, uh, I don't know, pen test teams and therefore, uh, bad actors are pen testing for, for different reasons.
[00:18:59] Sean Metcalf: right?[00:19:00]
[00:19:00] Sean Martin: Thing things they would do to or look for at a spot and they bought accounts. So the examples you gave or to set 'em up in a certain way, so. If they look juicy and you want, you want them to touch 'em.
Right. Um, but are there things that you do like that, that could trigger or signal, Hey, I'm in a place that, that has, uh, yeah, these honey pots set up.
[00:19:22] Sean Metcalf: Well, certainly if there's an account that's fairly new and it has a, uh, a password in one of the, one of those notes fields, one of those, uh, like info or, uh. A description field in Active Directory, that to me would stand out. And I would probably avoid that if I were a pen tester or, or active attacker on the network.
Um, if I saw something that was 15 years old, um, that might be something that's more interesting. If I saw something that was 10 years old and it looked like a valid service account, it looked like it was, it was connecting to, or was set up for something else, it, it looked like it was something that was real.[00:20:00]
That's where really what we're trying to do, we're trying to give it the same look and feel as the other accounts. So if all the service accounts are named SVC and then like Exchange or SVC LDAP or something like that, uh, and there was an account that had a different name and was newer, that might stand out as something that maybe I don't wanna touch, maybe I wanna stay away from that.
[00:20:24] Sean Martin: And would, would bad actors touch accounts that are not admin? I mean, I'm wondering if there's a value in, in setting up an account that isn't admin level, but still might be juicy. Is there an
[00:20:40] Sean Metcalf: I, I think that you could, so the, the answer is yes and no, unfortunately. Uh. Uh, admins are, are admins at different levels. So you have admins of Active Directory, you have admins of workstations, you have admins of servers, uh, you have admins of SharePoint, Exchange, et cetera. So you could [00:21:00] layer in different honeypot accounts at different parts of different areas of, of the actual environment and, and how things are configured within that.
Uh, you could layer that there. Um, but those are typically going to be admins. Ultimately, attackers want access to data and they want to be able to persist in the environment. So where that, that data is, is where they're gonna go. That's why attackers have pivoted a lot to the cloud, because that's where the data is.
Uh, it's in SharePoint Online. It's in Exchange Mailboxes, uh, it's in, uh, OneDrive for Business. Uh. Shares and, and, and user environments. So that's really where the attackers are going. So if we can use a combination of honeypot accounts to help us identify when someone is interacting with an account or trying to connect to something that, that doesn't really exist, we could actually use honey tokens in some of these file shares, some of these systems so that we can identify if someone is poking around in the areas that they shouldn't.[00:22:00]
[00:22:00] Sean Martin: So you, you mentioned the cloud and, and, and I'm, I'm thinking of systems like, like Zapier for example, that that connects with a lot of services via the cloud that, um, and forgive me for my ignorance, but. Those, those are accounts connected through tokens. Um, how does it, how does that look in the context of a honeypot?
Is there a way to, I guess if somebody's using Zapier, is there a way to see if somebody's coming in through one of the connected accounts, um, using Honeypot technologies around identities or, or, I dunno.
[00:22:38] Sean Metcalf: There, there may be. I'm not as familiar with Zapier from, from an administrative perspective. I understand that it, it, it provides a lot of automation. Um, there are some things that you can do within, say the Microsoft environment, uh, like Entra ID. You could have something set up that is an ad admin account, uh, that has rights, uh, but.
Uh, [00:23:00] it's a little bit different because the enumeration is different for Entra ID versus Active Directory. In Active Directory, by default, everyone can see pretty much everything. Um, with, uh, with Entra ID, there's different levels of what can be seen by the attacker. So it's that that part has to be adjusted for and, and, and, uh, uh, taken account.
[00:23:27] Sean Martin: So in terms of, trying to think what else we can, we can touch on here. 'cause setting up policies around this, um. Do Is this kind of like public knowledge? 'cause I know you, a lot of organizations bring pen testers in. They have, they're in bug bounties. Uh, they want, they wanna disclose, not disclose, but I don't know, is there, is there a best practice around who knows that there are honey pots or, or is it a [00:24:00] special
[00:24:00] Sean Metcalf: I, I would.
[00:24:01] Sean Martin: of the team that knows, or
[00:24:02] Sean Metcalf: I mean, you're, if, if you're going to have a honeypot account in, uh, say domain admins, uh, then certainly your Active Directory admins need to know about this. They need to know what it is, and that you just leave it alone. It's, it's a, it's an alerting account basically. Um, and, and if you were layering this in other places, like in your Exchange admins group, then the Exchange admins group has to know that that's an alerting account.
Um. I've used the account named Joe Fox before as, as a, an alerting account. And so, uh, when I created that, I had to let people know that this is, this is an alert, an account that will alert us if there's something going on. So just leave it the way it is, um, and. One of the great things is when you have a conversation from, uh, the security side with operations about these things, they can also say, Hey, by the way, there's this one thing about that account that's different from the others.
We should enable that or set that there as well, so it looks the same as the [00:25:00] others. So if you build that partnership between security and operations, uh, jointly we can work together and actually have things that are, that are better able to, uh, identify. Malicious activity because of, uh, that help of, Hey, this thing looks a little odd.
If we tweak this, then this will make it look better. Ultimately, uh, we need to make sure that there's proper standard operating procedures, SOPs, that are, uh, at the SOC level, so that when they see an alert associated with that account, they know what that means. Uh, that one should be triaged, that one should be raised higher and have, uh, be tagged as a, a higher fidelity type alert.
[00:25:42] Sean Martin: And you mentioned insider, uh, threats earlier, and I'm wondering, um, does the response, I presume it does, but does the response have to look different? Uh, if it's from an internal user, a known. Known user touching things versus [00:26:00] um, yeah, obviously if they're authe authenticated in one, maybe, maybe authenticating to another honeypot account is not detectable across cross account.
But I dunno, is there, from an insider perspective, do, do they need to treat that differently from a response
[00:26:15] Sean Metcalf: I, I think the triage approach to it is the same. Basically identifying and figuring out who is actually doing this, this activity. Um, I call that kind of an internal external user. The external user, the, the attacker that is leveraging this account. That they have been able to get a foothold on their computer and they're leveraging that account to, to perform activity, to perform actions.
So very much it, it will look like the user's doing it, but they may have already left and gone home, uh, and just locked their workstation. So, um, the triage perspective has to be done, uh, because there's a difference between that person has locked their workstation and gone home versus. They are there staying late and looking around for things, which is typical internal, [00:27:00] uh, uh, activity because they, they stay late, they get in early, they, they poke around and things.
They're looking at things that they normally wouldn't be able to or shouldn't be looking at. Uh. One of the biggest challenges that any environment has are shares that are open for more people, uh, than they should be. More, more than what's necessary. So it's very difficult to lock down a share to just the right number of people.
It's just the right. Types of accounts, a grouping of accounts so that they have access to it, but nobody else does. So a lot of times we end up with shares on, uh, in the network that are more permissive than they should be. So an internal, uh. User, uh, or even that at that external, uh, threat actor starts poking around and looking for things that, that are gonna be interesting to them.
Because again, uh, the in insider threat is looking for data as well as the external, uh, threat actors looking for data.[00:28:00]
[00:28:00] Sean Martin: Got it. So, I don't know, it's a fascinating topic for me, the whole deception and the trigger technologies we're talking about here. And I'd be interested in people listening and watching, their thoughts on this. I don't know that it's widely used.
I don't know if you have any insight into that as a mechanism for alerting. Do you think it's widely adopted as a,
[00:28:28] Sean Metcalf: not as, not as often as it could be for sure.
[00:28:32] Sean Martin: That's probably true for anything, I guess, but. All right. Well, Sean, anything else you want to touch on that we didn't
[00:28:39] Sean Metcalf: No, I think we explored this pretty comprehensively there. There's certainly a lot to it, and there's a lot of other technologies that are out there, but basically I want to focus on what's free or, you know, cheap, easy to use. Really it comes down to Active Directory, being able to leverage those accounts that you can create.
And of course that article, The Art of the Honeypot, is one article. I also have Detecting Kerberoasting, which is another one, which talks about how to use a honeypot account in order to detect that standard operating procedure for attackers. They are going to attempt to Kerberoast, because they can take that ticket that they get, that service ticket, when they query those accounts; they're going to take that offline and attempt to brute force the password for it.
So the longer, the older the password, the easier it is for them to basically crack that password that they're getting from that ticket. The other thing that I have published is information about how to detect when password spraying happens. So password spraying is basically when an attacker takes a list of passwords and starts with the first one, and attempts to authenticate as every user in the environment with that first password.
And then they identify if that was successful on anyone. Then they move on to the second one and they go through every user, try to authenticate with that, and they might have some sleep time in between those where basically there's a pause. So they might try the first one and then go through all the users, and then pause for five or ten minutes, and then go through the next one and pause.
That way they don't trip any bad account logon restrictions, where basically the account would be locked out for a certain amount of time. And this enables the attacker to be able to get passwords for valid users in the environment without really tripping that issue where they get blocked from authenticating as that user.
But there are event logs that happen with that, whether it's NTLM authentication, which is your standard bad logon attempt, or when they're attempting to use Kerberos, which will actually be under a Kerberos-associated event ID. So I've published some information on that as well.
[00:30:56] Sean Martin: Well, if you can, I think I have The Art of the Honeypot for sure. And it looks like the Detecting Kerberoasting article, I have the link for that. If you want to share any others you've published, they'll be referenced here. That'd be,
[00:31:08] Sean Metcalf: Absolutely. I'll share that with you.
[00:31:11] Sean Martin: Yep. Awesome. Well, Sean, thanks so much for joining me today and giving me some insights and hopefully some tips and tricks for folks who want to leverage this technology, or this method, I should say, to help them find insider and external intruders, if you will.
And everybody listening and watching, thanks for joining me here on this episode. Hope to see everybody on the next one. Sean, I'll miss you in Vegas at DEF CON. But for everybody else who's going to be in Vegas next week, please find me and say hi, and we'll see everybody rolling around.
[00:31:47] Sean Metcalf: Great. Thanks, Sean.
[00:31:48] Sean Martin: again.