CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!


What are honey pots? Hacker explains why honey pots are so effective at catching security breaches

Hacker Adriel Desautels explains the effectiveness of honeypots in combating malicious threat actors. He conducts real-world penetration tests with his team at Netragard to protect organizations of all sizes.

Video Transcript

And this kills me: one of the most basic defenses is the most effective, and that's honeypots. I mean, think in terms of the networks that have been breached that have been famous. I mean, I don't want to pick on one that they pick on all the time, but there are a few out there that have been really famous, and if they'd had just a simple honeypot, even HoneyPy, deployed right behind the point of entry, when those attackers began to make their way through the network they could have triggered that.

And for the IT staff, or the listeners, that may not understand: what is HoneyPy? How would that have stopped, well, how would that have alerted you to an attacker in your infrastructure?

All right, so imagine you have a computer system. This is what HoneyPy is, in theory. Imagine you have a computer system that sits on an infrastructure and it does nothing; it serves no business purpose; under no circumstance should anybody ever try to connect to it. But if you were breaching the infrastructure and you saw the system, perhaps it might look interesting to you: oh, it's an old version of Windows, or a version of Linux, whatever it might be. Now what HoneyPy will do, and what most, if not, I think, all honeypots will do, usually based on configuration, is the moment a connection is initiated to these systems they'll say, hey, somebody is connecting to me. And because they serve no purpose, because nobody should ever connect to them, it's never a false positive. It could be because you have a piece of malware trying to propagate in the infrastructure, it could be because you have an employee doing something rogue, it could be because you have an IT admin running a process and forgot about a specific system, but in all cases, when you get a connection to a honeypot it's a positive.

We were actually running, just for tests a while back, honeypots on several different infrastructures just to see, you know, the rates of false positives and so on and so forth, and we found that they had an incredibly low volume of noise. So it was very rare that we would get an alert, and we found that when they did get touched it was always something interesting. It might not necessarily be a breach, it could be a misconfiguration, could be something else, but it was always interesting.

So if you understand how attackers, right, i.e. through realistic testing, if you understand how attackers are going to move through an infrastructure, you can deploy honeypots in sort of a strategic manner along what I call, or we call, the path to compromise. And then as the attacker moves along that path you're gonna light up like a Christmas tree, and all you have to do is respond to the first incident, dig into it, and say, hey, this isn't normal, and you can prevent, you know, substantial damage. And HoneyPy is free, so the ROI on that is pretty significant.
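As an added illustration of the mechanism described in the transcript (this is example code written for this page, not the video's material and not the HoneyPy project's own code), the following Python sketch is a decoy TCP service that does no real work: it presents a banner, reads whatever the peer sends, and records every accepted connection as an alert, because nothing legitimate should ever reach it. The service name, the fake SSH banner, the `probe` helper and its payload are all constructed for the example.

```python
import datetime
import json
import socket
import threading


class Honeypot:
    """One decoy service. It serves no business purpose, so every accepted
    connection is recorded as an alert rather than filtered as noise."""

    def __init__(self, name, host="127.0.0.1", port=0,
                 banner=b"SSH-2.0-OpenSSH_7.4\r\n"):
        # Hypothetical banner. Port 0 lets the OS pick a free port so the
        # example runs anywhere; a real decoy binds the service's well-known port.
        self.name = name
        self.banner = banner
        self.alerts = []
        self._cond = threading.Condition()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(16)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.host, self.port = self._sock.getsockname()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, peer),
                             daemon=True).start()

    def _handle(self, conn, peer):
        # Talk just enough to look like a service, then record what arrived.
        data = b""
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(self.banner)
                data = conn.recv(256)
            except (socket.timeout, OSError):
                pass
        alert = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "honeypot": self.name,
            "listener": f"{self.host}:{self.port}",
            "source": f"{peer[0]}:{peer[1]}",
            "first_bytes": data[:64].decode("utf-8", "replace"),
            # Always worth a look, not always a breach: malware spreading,
            # a rogue user, a forgotten admin job or a misconfiguration.
            "verdict": "investigate",
        }
        with self._cond:
            self.alerts.append(alert)
            self._cond.notify_all()

    def wait_for_alerts(self, count, timeout=5.0):
        """Block until at least `count` alerts exist; return a copy of them."""
        with self._cond:
            self._cond.wait_for(lambda: len(self.alerts) >= count, timeout)
            return list(self.alerts)


def probe(host, port, payload=b"root:toor\r\n"):
    """Stand-in for an attacker or scanner touching the decoy
    (constructed traffic for the example, not a real exploit)."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot("fake-ssh").start()
    print(f"decoy listening on {hp.host}:{hp.port}")
    probe(hp.host, hp.port)
    for alert in hp.wait_for_alerts(1):
        print(json.dumps(alert))
    hp.stop()
```

In a deployment the alert record would go to whatever the SOC already watches (syslog, a SIEM, a chat channel), and several instances would be bound to the ports an intruder would look for (SSH, SMB, RDP, database ports) on hosts placed along the path an attacker is expected to take. The low noise the speaker describes comes from the placement, not the code: the decoy must be excluded from vulnerability scanners, monitoring checks and inventory scripts, otherwise those become the one source of non-attacker alerts.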