2. The correlation correlator - One of the great (yet underutilized) features of the modern SIEM is the correlation engine: a good correlation implementation allows alerting on behaviour over time or across a scope of systems. A honeypot makes it easy to prioritize correlated alerts from many systems across the enterprise by cross-checking them against the honeypot's own logs: if the source host in the alert you are analyzing has also connected to a honeypot, there is good reason to consider the alert valid, because no legitimate workflow should ever touch that system.
3. The virtual weather vane - Virtual infrastructure is everywhere these days, and deploying one additional machine template amongst many is an effortless task. Virtualization also gives the honeypotter a valuable tool: rapid rollback to a snapshot of a prior machine state.
Place an extra, minimally configured VM (set up for the absolute minimum of resource usage, with remote logging as its only real configuration) onto each hypervisor and allow it to accept connections only from other machines on the same hypervisor. This provides a simple way of gaining visibility into events that never leave the server.
With many security controls still needing to be deployed in-line on physical networks, activity inside the hypervisor that never leaves the virtual switch can go unnoticed for some time. A honeypot that merely reports what happens to it, and is then rolled back to its default state every hour or so, provides easy early warning of attempts by intruders to migrate from system to system within the same hypervisor.
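The cross-check described in item 2, fed by the kind of remote honeypot log that item 3 produces, as an added illustration (not code from the original article): it parses constructed syslog-style honeypot connection lines, each tagged with the hypervisor the honeypot sits on, and then re-ranks a constructed batch of SIEM correlation alerts so that any alert whose source host also touched a honeypot is raised to HIGH. The log format, field names, addresses and alert descriptions are all assumptions made for the example.

```python
"""Prioritise SIEM alerts by cross-checking their source host against
honeypot connection logs.  Added illustration; the log format, field names
and sample data below are constructed assumptions, not any product's output."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed honeypot log lines (syslog-style, shipped off-box to a collector).
# Each line names the honeypot, the source host and the hypervisor (hv=) it sits on,
# so intra-hypervisor movement that never crosses a physical switch still shows up.
HONEYPOT_LOG = """\
May 22 03:14:07 hp-esx01 honeypot: connect src=10.1.20.15 dport=445 hv=esx01
May 22 03:14:09 hp-esx01 honeypot: connect src=10.1.20.15 dport=22 hv=esx01
May 22 04:02:51 hp-esx02 honeypot: connect src=10.1.30.8 dport=3389 hv=esx02
this line is garbage and must be ignored
"""

# Constructed SIEM correlation alerts: (alert id, source host, description).
SIEM_ALERTS = [
    ("A-100", "10.1.20.15", "5 failed logons across 3 hosts in 10 min"),
    ("A-101", "10.1.40.77", "5 failed logons across 3 hosts in 10 min"),
    ("A-102", "10.1.30.8", "new service installed on file server"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) honeypot: connect "
    r"src=(?P<src>\S+) dport=(?P<dport>\d+) hv=(?P<hv>\S+)$"
)


@dataclass
class HoneypotContact:
    """Everything a single source host did to any honeypot."""
    hits: int = 0
    ports: set = field(default_factory=set)
    hypervisors: set = field(default_factory=set)


def parse_honeypot_log(text):
    """Return {source_ip: HoneypotContact} built from every line that parses."""
    contacts = defaultdict(HoneypotContact)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than guessed at
        c = contacts[m["src"]]
        c.hits += 1
        c.ports.add(int(m["dport"]))
        c.hypervisors.add(m["hv"])
    return dict(contacts)


def prioritise_alerts(alerts, contacts):
    """Tag an alert HIGH when its source host also touched a honeypot, else NORMAL.

    HIGH alerts are moved to the front; relative order is otherwise preserved."""
    out = []
    for alert_id, src, desc in alerts:
        c = contacts.get(src)
        if c:
            reason = (f"{c.hits} honeypot contact(s) on {sorted(c.hypervisors)} "
                      f"ports {sorted(c.ports)}")
            out.append((alert_id, "HIGH", src, desc, reason))
        else:
            out.append((alert_id, "NORMAL", src, desc, "no honeypot contact"))
    return sorted(out, key=lambda row: row[1] != "HIGH")


if __name__ == "__main__":
    for row in prioritise_alerts(SIEM_ALERTS, parse_honeypot_log(HONEYPOT_LOG)):
        print(*row, sep=" | ")
```

The ranking deliberately keeps the SIEM's own alert untouched and only adds a reason string: the analyst still sees what the correlation engine fired on, plus the honeypot evidence that justifies working it first.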
4. The imaginary administrator - Spearphishing requires information about whom to target for maximum effect in malware delivery. To a spearphisher, obtaining the contact details of someone with elevated network access (plus additional information with which to social engineer them into clicking links) is the prime goal of any campaign.
Creating a non-existent person on the internet is easy these days. Perhaps in the recesses of your public website you can mention a fictional administrator of your two-factor authentication system, provide contact details for them, and set up an email inbox. Then take a close look at everything coming into that account and cross-reference it with who else in the organization receives email with the same content, originating host, and so on.
Doing this effectively is an art in itself, but many organizations that are high-profile targets for spear phishing use methods such as this to rapidly identify when and where their employees are being targeted.
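The cross-reference step from item 4 as an added example (not code from the original article): mail delivered to a decoy administrator mailbox is used as ground truth, and every message to a real employee that shares either the originating host or a normalised body fingerprint with a decoy message is flagged. The decoy address, the mail-gateway record layout and all sample messages are constructed assumptions.

```python
"""Cross-reference mail sent to a decoy ("imaginary administrator") mailbox
against mail received by real staff.  Added illustration with constructed data;
the record layout and the decoy address are assumptions, not from the article."""
import hashlib
from collections import defaultdict

# Assumed decoy address, published only in an obscure corner of the public website.
DECOY = "mfa-admin@example.com"


def body_fingerprint(body):
    """Collapse whitespace and case before hashing so near-identical lures match."""
    norm = " ".join(body.lower().split())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


# Constructed mail-gateway records: recipient, sending host (from the outermost
# Received: header), subject and body.  Hosts are documentation-range addresses.
MAIL_LOG = [
    {"to": DECOY, "src_host": "203.0.113.9", "subject": "Token sync required",
     "body": "Please re-enrol your token at hxxp://example.test/sync"},
    {"to": "alice@example.com", "src_host": "203.0.113.9", "subject": "Token sync required",
     "body": "Please  re-enrol your TOKEN at hxxp://example.test/sync"},
    {"to": "bob@example.com", "src_host": "198.51.100.4", "subject": "Token sync required",
     "body": "Please re-enrol your token at hxxp://example.test/sync"},
    {"to": "carol@example.com", "src_host": "192.0.2.77", "subject": "Lunch menu",
     "body": "This week's menu is attached."},
]


def find_targeted_staff(records, decoy=DECOY):
    """Return {real recipient: set of reasons} for mail matching anything the decoy got.

    Two independent signals are checked: the same originating host as a decoy
    message, and the same (normalised) lure content as a decoy message."""
    decoy_hosts, decoy_bodies = set(), set()
    for r in records:
        if r["to"] == decoy:
            decoy_hosts.add(r["src_host"])
            decoy_bodies.add(body_fingerprint(r["body"]))

    hits = defaultdict(set)
    for r in records:
        if r["to"] == decoy:
            continue  # the decoy's own mail is evidence, not a victim
        if r["src_host"] in decoy_hosts:
            hits[r["to"]].add("same originating host")
        if body_fingerprint(r["body"]) in decoy_bodies:
            hits[r["to"]].add("same lure content")
    return dict(hits)


if __name__ == "__main__":
    for recipient, reasons in sorted(find_targeted_staff(MAIL_LOG).items()):
        print(f"{recipient}: {', '.join(sorted(reasons))}")
```

Matching on a normalised body rather than the raw text catches the common case where the lure is sent from a second host with trivial edits; matching on host catches the case where the content has been varied per recipient but the sending infrastructure has not.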