Having the ability to detect and respond to user authentication attempts is a key feature of InsightIDR, Rapid7’s threat detection and incident response solution. Users can take this ability one step further by deploying deception technology, like honey users, which come built into the product. A honey user is a dummy user not associated with a real person within your organization. Because the honey user is not a real user, it should never be used by anyone for any valid authentication. Attackers frequently attempt to authenticate to as many user accounts as possible during the reconnaissance phase of an attack. Therefore, the idea behind the honey user is that if you see any activity on the honey account, it is an indicator of potential attacker activity. In InsightIDR, such activity generates a Honey User Authentication incident.
How to Use Honey Users in InsightIDR
1. Set Up Your Honey User Account
First, create a new user in Active Directory with a believable name and every appearance of being a normal employee in your organization. To make the deception more believable, you may wish to create several such accounts. Note each honey user's name so that it can be entered into the InsightIDR settings. There are various strategies one can take when selecting a name. A few of note:
- Company owners, board members, and other VIPs
- Default credentials for various technologies
- Common pentesting account names
Next, in InsightIDR, navigate to Settings --> Honey Users and add all of the honey users using the search bar. Most of the time, [First & Last Name] will be the appropriate search query rather than the Active Directory username. Selecting the desired name(s) marks the user as a honey user.
NOTE: The LDAP event source is how honey users are made available in the InsightIDR configuration. In order for the honey users to appear when you search for them, the collector must have made an LDAP pull since you created the honey users. In other words, you may need to wait a day or so after creating the honey users in Active Directory before you can configure them in InsightIDR.
2. Test Your Honey User Account
Once configured, any attempt to authenticate with a honey user account will generate an alert. Ensure that InsightIDR is collecting the audit trail from the system you test against, so that it actually sees the log entries containing the honey user attempts. For example, if you're attempting to log on to your domain with the honey user account(s), make sure InsightIDR is already ingesting your domain controller security logs.
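As an added example (not code from the original post, and not InsightIDR's own detection logic), the check below shows what a Honey User Authentication incident boils down to: any authentication event, successful or failed, whose target account is a configured honey user. It runs over constructed domain controller log lines in a simplified key=value format; the account names, event format and IP addresses are all assumptions.

```python
import re

# Honey user accounts as configured in InsightIDR (constructed names, not real accounts).
HONEY_USERS = {"jane.boardmember", "svc_backup", "pentest"}

# Windows Security event IDs that record an authentication attempt, success or failure.
AUTH_EVENT_IDS = {
    4624: "logon success", 4625: "logon failure",
    4768: "Kerberos TGT request", 4771: "Kerberos pre-auth failure",
}

# Constructed sample lines in a simplified key=value export of domain controller events.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.5
EventID=4625 TargetUserName=CORP\\svc_backup TargetDomainName=CORP IpAddress=10.0.0.77
EventID=4768 TargetUserName=jane.boardmember@corp.example TargetDomainName=CORP.EXAMPLE IpAddress=10.0.0.77
EventID=4624 TargetUserName=Jane.Boardmember TargetDomainName=CORP IpAddress=10.0.0.77
EventID=4672 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.0.77
EventID=4625 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.0.9
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def normalize_account(name: str) -> str:
    """Drop a DOMAIN\\ prefix or @realm suffix and lower-case, so every spelling of an account matches."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()

def parse_event(line: str) -> dict:
    fields = dict(FIELD_RE.findall(line))
    fields["EventID"] = int(fields.get("EventID", 0))
    return fields

def honey_user_alerts(lines, honey_users=HONEY_USERS) -> list:
    """Return one alert per authentication event naming a honey user; failures count too."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] not in AUTH_EVENT_IDS:
            continue  # e.g. 4672 (special privileges assigned) is not an authentication attempt
        account = normalize_account(ev.get("TargetUserName", ""))
        if account in honey_users:
            alerts.append({"account": account, "event": AUTH_EVENT_IDS[ev["EventID"]],
                           "source_ip": ev.get("IpAddress", "?")})
    return alerts
```

Run against the sample, this yields three alerts, all from 10.0.0.77, which is exactly the pattern the honey user is meant to surface: one source touching accounts that no legitimate user should ever touch.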
InsightIDR Honey Users: Deception at Its Best
If you've been interested in deploying deception traps such as honey users throughout your organization, InsightIDR can help. The included deception tech is easy to set up and manage, and event alerts come back instantaneously. If you're a current customer, log into your InsightIDR account and give honey users and other deception traps a try. Then, comment below to tell us the most interesting alert you've found.
Not yet an InsightIDR user?
If you’re still reeling from a poor experience with SIEM, InsightIDR has abstracted out the biggest, common pain points we hear from strained security teams. No more buying and managing hardware, writing and tuning detection rules, and navigating a UX that brings more nostalgia than answers. Best of all, InsightIDR is a cinch to deploy—all that’s required from you is a few clicks of a button to be off the ground running.