Modern Deception Catches Lateral Movement at Near-Zero False Positives. Here Is How to Deploy It
Cybersecurity
Honey credentials, fake admin accounts in AD, and decoy fileshares produce some of the highest-fidelity alerts in any SOC. Plant them in the right places and they will catch attackers your other tools miss.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 24, 2024 · 6 min read
We deployed a deception layer for a media company in late 2024. Six weeks later it caught a red team operator pivoting from a developer's compromised laptop into the AD environment. He hit a honey credential we had planted in a clipboard manager dump and tried to use it against a domain controller. The detection fired, the SOC isolated the laptop, and the engagement debrief revealed the red team had been inside for 9 days before tripping our trap. None of the EDR or SIEM detections had caught the lateral movement to that point.
Why deception works when other detections do not
EDR catches malicious behavior on endpoints. SIEM catches anomalies in logs. Both have false positive problems because legitimate users do unusual things constantly. Deception flips the model. The asset has no legitimate use. Anyone who touches it is by definition not supposed to be there. False positive rate approaches zero.
The trade-off is coverage. Deception only catches attackers who interact with the decoy. If they pick a different path, you miss them. So you plant decoys where attackers must go: privilege escalation paths, credential stores, file shares with names that look valuable.
What to plant
Five categories of decoys produce the highest signal-to-noise:
- Honey AD accounts. Disabled service accounts with privileged-sounding names (svc_backup_admin, sql_replication, exch_setup). Any auth attempt against these is malicious.
- Honey credentials in memory. Tools like Canarytokens or DCEPT inject fake credentials into LSASS. Attackers running Mimikatz dump them and try to use them. Detection fires on use.
- Decoy file shares. Named like Finance_Reports_2025, M&A_Targets, Executive_Comp. Any access from an unauthorized user triggers an alert.
- Honeytoken documents. Word/Excel files with embedded canary tokens that beacon home when opened. Plant in user home directories and shares.
- Honey API keys. Fake AWS access keys, fake Slack tokens, fake DB connection strings. Drop in source code, .env files, README. Anyone using them is an attacker.
Where to plant matters more than what
Random placement is wasted effort. Plant where attackers go:
- Domain controllers and ADFS servers. Any successful auth as a honey account here is a domain admin probing.
- Developer laptops and code repositories. Honey API keys and DB credentials get harvested fast in initial access.
- File servers, SharePoint sites with valuable-sounding names. Lateral movement to data exfil goes through here.
- Privileged access workstations. Attackers escalating to PAW networks will probe before pivoting.
- Cloud admin consoles and CI/CD systems. Honey IAM credentials catch supply chain attackers.
Tools that work
You do not need a six-figure deception platform to start. We have shipped meaningful programs with:
- Thinkst Canary tokens (free tier covers most of what you need to start)
- Native AD honey accounts (cost: zero, requires AD admin and a SIEM rule)
- Sysmon and Microsoft Defender for Identity rules tuned to honey accounts (free if you already license them)
- Acalvio, Attivo (now SentinelOne), Illusive Networks for full platform deployment in larger environments
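The "native AD honey accounts plus a SIEM rule" option above needs one thing to be right: because the planted accounts are disabled, they never produce a successful logon, so the rule has to fire on the failure events (Kerberos 4768, NTLM 4776, failed logon 4625) rather than on 4624 alone. The following is an added example of that rule as plain Python run over constructed sample events; it is not code from the original post, and the honey account names, event field layout and IP addresses are assumptions.

```python
from collections import Counter

# Assumed names: the honey accounts planted in AD (disabled, never used legitimately).
HONEY_ACCOUNTS = {"svc_backup_admin", "sql_replication", "exch_setup"}

# Security event IDs that record an authentication attempt. Disabled honey accounts
# can never produce a success, so the rule must match the failure events: 4768
# (Kerberos TGT request, fails with code 0x12), 4776 (NTLM validation, fails with
# 0xC0000072) and 4625 (failed logon). 4624 is kept so a re-enabled account is caught.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4776}

def normalise_user(name):
    """Lower-case and strip a UPN suffix or NetBIOS domain prefix for exact matching."""
    return name.split("@")[0].split("\\")[-1].lower()

def honey_account_alerts(events):
    """Return one alert per authentication event that targets a honey account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        user = normalise_user(ev.get("TargetUserName", ""))
        if user not in HONEY_ACCOUNTS:
            continue
        source = ev.get("IpAddress") or ev.get("Workstation") or "unknown"
        alerts.append({
            "account": user,
            "source": source.replace("::ffff:", ""),  # 4768 logs IPv4-mapped IPv6
            "event_id": ev["EventID"],
            "outcome": "success" if ev["EventID"] == 4624 else "failure",
        })
    return alerts

def sources_by_alert_count(alerts):
    """Hosts that touched several honey accounts are the pivot points to isolate first."""
    return dict(Counter(a["source"] for a in alerts))

# Constructed sample events in the shape a SIEM exports Windows Security events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.1.5.23"},
    {"EventID": 4768, "TargetUserName": "svc_backup_admin",
     "IpAddress": "::ffff:10.20.30.40", "Status": "0x12"},
    {"EventID": 4625, "TargetUserName": "CORP\\SQL_REPLICATION",
     "IpAddress": "10.20.30.40", "SubStatus": "0xC0000072"},
    {"EventID": 4776, "TargetUserName": "exch_setup", "Workstation": "DEV-LAPTOP-07"},
    {"EventID": 4688, "TargetUserName": "svc_backup_admin", "CommandLine": "whoami"},
]
```

The 4688 process-creation event is deliberately ignored: matching honey names in every log would drown the rule in noise from the tooling that manages the accounts, while the three authentication events all come from the same laptop, which is the host to isolate.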
Measure the impact on dwell time
Before deception, our typical mean time to detect lateral movement was 6-14 days based on industry data. With a mature deception layer in place, the MTTD for lateral movement that we measured at one healthcare client dropped to under 2 hours for in-scope attack paths. The catch is 'in-scope': deception only catches the attacker if they hit the decoy. Coverage planning is critical.
Deception is the only detection technology with near-zero false positives by design. If your SOC drowns in alerts, this is the antidote: high-confidence detections that always matter.
Start small. Plant five honey AD accounts and ten honey credential files this week. Tune the alerts. After 30 days you will have either caught something interesting or proven the placement is wrong. Either outcome is valuable. The program scales from there based on what you learn.