Offensive Countermeasures: The Art of Active Defense (PDF)

Identifying the source of an attack and tracing it back to the perpetrator.

To help plan your deployment strategy, contact your internal security architecture team to map out where your assets are located. For comprehensive frameworks on this topic, look to industry-standard resources such as the matrix or the classic Offensive Countermeasures: The Art of Active Defense literature.

The "Art of Active Defense" exists in a gray area. Before implementing OCM, organizations must consider:

Set your firewall to automatically drop traffic from any internal IP that attempts to connect to a known "honey-port" (an unused port that no legitimate client has a reason to contact).
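As an added example (not code from the page or from the Offensive Countermeasures book), the following Python script applies the honey-port rule above to constructed firewall log lines: it finds internal (RFC 1918) sources that contacted a honey-port and renders the matching drop rules without applying them. The HONEY_PORTS set, the log line format and the sample lines are all assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical honey-ports: unused ports no legitimate internal client should contact.
HONEY_PORTS = {2222, 3390, 8081}

# "Internal" per the page's rule: the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ALLOW src=10.0.5.23 dst=10.0.1.10 dport=443
2024-03-01T10:00:02Z ALLOW src=10.0.5.23 dst=10.0.1.10 dport=2222
2024-03-01T10:00:02Z ALLOW src=10.0.5.23 dst=10.0.1.10 dport=3390
2024-03-01T10:00:05Z ALLOW src=10.0.7.9 dst=10.0.1.10 dport=80
2024-03-01T10:00:09Z ALLOW src=203.0.113.4 dst=10.0.1.10 dport=8081
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_honeyport_hits(log_text, honey_ports=HONEY_PORTS, min_hits=1):
    """Return {src_ip: sorted honey-ports touched} for internal sources that
    contacted at least `min_hits` distinct honey-ports. Lines that do not parse,
    non-honey-port traffic and external sources are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) not in honey_ports:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        if is_internal(src):
            hits[str(src)].add(int(m.group("dport")))
    return {ip: sorted(ports) for ip, ports in hits.items() if len(ports) >= min_hits}


def drop_rules(offenders):
    """Render one iptables DROP rule per offending IP (text only; nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders, key=ipaddress.ip_address)]


if __name__ == "__main__":
    for rule in drop_rules(find_honeyport_hits(SAMPLE_LOG)):
        print(rule)
```

Raising `min_hits` to 2 or 3 reduces false positives from a single stray connection; in the sample only 10.0.5.23 touched two honey-ports, and the external 203.0.113.4 is deliberately skipped because the rule targets internal hosts.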

Tarpits are software configurations that purposefully slow down network connections. When an attacker scans a tarpit IP address, the connection lingers indefinitely, tying up their automated scanning tools.

MITRE Engage (which superseded MITRE Shield) is a framework designed to help organizations plan and execute denial, deception, and adversary engagement operations. It maps defensive actions directly to the attacker techniques found in the matrix.

Defensive Objective   Tactical Action    Example Implementation
Detect                Honeytokens        Plant fake admin credentials in LSASS memory.
Elicit                Decoy Systems      Present a fake financial database to watch attacker tools.
Disrupt               Network Tarpits

In the U.S., accessing a computer without authorization is illegal. Defenders must ensure their countermeasures do not "touch" the attacker's system in a way that violates the law.
