2. The correlation correlator - One of the great (yet underutilized) features of the modern SIEM is the correlation engine: a good correlation implementation allows for alerting on behaviour over time or across a scope of systems. A honeypot system allows easy prioritization of correlated alerts from many systems across the enterprise by cross-checking against the honeypot system - if the same source host in the alert you are analyzing has also connected to a honeypot system, then there is good reason to consider the alert valid.
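The cross-check described above, as an added example that is not code from the article: SIEM alerts are raised to high priority when the same source host also touched a honeypot within a time window. The alert and honeypot records below are constructed sample data, and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). A honeypot has no
# legitimate clients, so any connection to it is itself a signal.
SIEM_ALERTS = [
    {"ts": "2024-03-01T09:05:00", "src": "10.0.5.17", "sig": "SMB brute force"},
    {"ts": "2024-03-01T09:20:00", "src": "10.0.8.42", "sig": "Port scan"},
    {"ts": "2024-03-01T11:00:00", "src": "10.0.5.17", "sig": "Suspicious RDP"},
]
HONEYPOT_CONNS = [
    {"ts": "2024-03-01T08:58:00", "src": "10.0.5.17", "pot": "hp-fileshare-01"},
    {"ts": "2024-03-01T10:59:00", "src": "10.0.5.17", "pot": "hp-fileshare-01"},
    # Old contact from the scanner host: outside the 24h window, so it
    # does not raise the later port-scan alert.
    {"ts": "2024-02-27T02:00:00", "src": "10.0.8.42", "pot": "hp-rdp-02"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def prioritize(alerts, honeypot_conns, window=timedelta(hours=24)):
    """Tag each alert 'high' if its source host connected to any honeypot
    within `window` of the alert time; otherwise 'normal'. The honeypots
    involved are listed so an analyst can see why the alert was raised."""
    by_src = {}
    for c in honeypot_conns:
        by_src.setdefault(c["src"], []).append(c)
    out = []
    for a in alerts:
        t = parse_ts(a["ts"])
        hits = [c for c in by_src.get(a["src"], [])
                if abs(parse_ts(c["ts"]) - t) <= window]
        out.append({**a,
                    "priority": "high" if hits else "normal",
                    "honeypot_hits": sorted({c["pot"] for c in hits})})
    return out


if __name__ == "__main__":
    for r in prioritize(SIEM_ALERTS, HONEYPOT_CONNS):
        print(r["priority"], r["src"], r["sig"], r["honeypot_hits"])
```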
3. The virtual weather vane - virtual infrastructure is everywhere these days and deploying one additional machine template amongst many is an effortless task. Virtualization also provides a valuable tool to the honeypotter - rapid rollback to a snapshot of prior machine state.
Placing an extra, minimally configured VM (with remote logging enabled and resource usage kept to the absolute minimum) onto each hypervisor, one that only accepts connections from other machines on the same hypervisor, can provide a simple way of gaining more visibility into events that never leave the server.
With many security controls still needing to be deployed in-line on physical networks, activity inside the hypervisor that never leaves the virtual switch can go unnoticed for some time. A honeypot system that merely reports what happens to it, and is then rolled back to a default state every hour or so, can provide easy early warning of attempts by intruders to migrate from system to system within the same hypervisor.
4. The imaginary administrator - Spearphishing requires information about who to target for maximum effect at malware delivery. To a spearphisher, obtaining the contact details of someone with elevated network access (and additional information with which to social engineer them into clicking links) is the prime goal in any campaign.
Creating a non-existent person on the internet is easy these days - perhaps in the recesses of your public website you can make mention of a fictional administrator of your two-factor authentication system, provide contact details for them, and set up an email inbox - then take a close look at everything coming in to that account and cross-reference with who else in the organization receives email with the same content, originating host, etc.
Doing this effectively is an art in itself, but many organizations that are high-profile targets for spear phishing use methods such as this to rapidly identify when and where their employees are being targeted.