Intrusion detection works best when you can discover the attacker while they are still in the system. Finding out after the fact does little to protect your systems and your data.

Ideally, you would want to set an alarm that an attacker would trigger while limiting the damage to your environment. We can use these behavioral patterns to our advantage by engaging in defensive cyber deception.

You might already be familiar with the concept of honeypots, false systems, or networks meant to lure and ensnare hackers. There is a subclass of honeypots, called honeytokens, that require almost none of the overhead, are simple to deploy, are used by many industries, and lure attackers to trigger alerts while they are trying to gain further access.

Takeaways:
- Analysis of recent breaches for common attack behaviors
- A history of cyber deception and the evolution of honeypots in defensive strategies.
- Understanding how honeytokens work
- Maximizing the impact of honeytokens