Traditional security isn’t always enough to keep attackers at bay. When it comes to sneaking into networks, detection often only comes after malicious traffic reaches systems such as next-generation firewalls and intrusion detection and prevention systems. Until then, threat actors have free rein. But if you can trick the attacker who is attempting to trick you, it’s a different story.

The first response after detection is often to remove the compromised systems and disable the breached user accounts. The idea is to cut down on further problems and limit any existing risk. Sadly, this approach leaves you with only the artifacts and logs that the attackers decided to leave behind.

Engaging with the attacker will allow you to get more insight into their goals, techniques, tactics and attack paths. You can then use this to strengthen your existing defenses and prevent this specific actor from using the same techniques again.

Intelligent Adversary Engagement

You can choose from multiple tools and frameworks when setting up a strategic adversary engagement. One of these is MITRE Engage, a framework built specifically for discussing and planning responses to an attacker, covering engagement, deception and denial. Let’s look at a few notable techniques used to engage with threat actors.

Honeypots

Honeypots mimic real systems with the goal to attract and detect malicious actors in your infrastructure. Think of them as the digital version of bait cars. Honeypots allow system admins and other cybersecurity personnel to detect techniques and tactics used to compromise systems.

Note the difference between high- and low-interaction honeypots. Low-interaction honeypots will help you detect malicious actors in your network, but they won’t give much insight into the attackers’ goals and tactics. High-interaction honeypots simulate the real systems in more depth, so they let you learn more about the attack itself.

A wide range of honeypots are freely available. Which one is right for your needs depends on your infrastructure and goals.
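As an added illustration of the low-interaction idea described above (example code, not from the article or any honeypot project): a listener that serves a decoy FTP banner, never runs anything, and turns every connection into an alert record with the source address and the first bytes sent. The banner text and the probe in `demo()` are constructed.

```python
"""Low-interaction honeypot: serves a decoy FTP banner and records every connection
as an alert event. Added example (not from the page or any product); loopback only."""
import socket
import threading
from datetime import datetime, timezone

FAKE_BANNER = b"220 files.corp.example FTP server ready\r\n"  # constructed decoy identity

class LowInteractionHoneypot:
    def __init__(self, host="127.0.0.1", port=0):  # port 0: the OS picks a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []  # one alert record per connection

    def serve_one(self):
        """Accept one connection, send the banner, keep the first bytes received."""
        conn, (src_ip, src_port) = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(FAKE_BANNER)
            try:
                data = conn.recv(256)
            except socket.timeout:  # a scanner that only grabbed the banner
                data = b""
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "honeypot_port": self.port,
            "first_bytes": data.decode("ascii", "replace"),
        }
        self.events.append(event)  # in practice: forward to SIEM/syslog/e-mail
        return event

def demo(probe=b"USER admin\r\n"):
    """Constructed probe against a loopback honeypot; returns (banner, event)."""
    hp = LowInteractionHoneypot()
    worker = threading.Thread(target=hp.serve_one, daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=5) as client:
        banner = client.recv(len(FAKE_BANNER))
        client.sendall(probe)
    worker.join(5)
    hp.sock.close()
    return banner, hp.events[0]
```

Because nothing legitimate should ever connect to the decoy port, every event is worth an alert; the recorded first bytes are what tell you whether it was a scanner or a hands-on login attempt.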

Honeytokens

Honeytokens have similar goals to honeypots, but you can use them in different ways. Instead of simulating systems and services, they can be files, credentials, e-mail addresses and URLs placed to attract the attention of attackers. They alert the security team when someone uses or opens them.

An example of a honeytoken would be a file called Employee_passwords.xlsx. You could place this on any system or file share. When the attacker opens the file, the honeytoken will alert the admin, indicating unwanted access or a data breach.

Honeytokens are easier to set up than honeypots because they don’t require extra infrastructure to run. The tradeoff is that the alerting signals are more limited in the information they provide about the attacker.
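The credential form of a honeytoken, as an added example that is not part of the article: each decoy secret is minted with a random value that cannot occur in legitimate traffic and is recorded together with where it was planted, so a log scan that finds the value can say which decoy was touched and from where. The registry class, the `AKHT` prefix and the log lines are constructed for illustration.

```python
"""Credential honeytokens: mint unique fake secrets, record where each was planted,
then scan logs for any use. Added example (not from the page or any product)."""
import re
import secrets
from dataclasses import dataclass

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass(frozen=True)
class Honeytoken:
    value: str       # the fake credential exactly as planted
    placement: str   # where it was dropped, so an alert names the decoy touched

class HoneytokenRegistry:
    def __init__(self):
        self._tokens = {}  # value -> Honeytoken

    def mint(self, placement, prefix="AKHT"):
        # A random 96-bit value appears nowhere in legitimate traffic, so any hit
        # in a log is genuine decoy use rather than a false positive.
        token = Honeytoken(f"{prefix}{secrets.token_hex(12)}", placement)
        self._tokens[token.value] = token
        return token

    def scan(self, log_lines):
        """One alert per log line that contains a registered token value."""
        if not self._tokens:
            return []
        pattern = re.compile("|".join(map(re.escape, self._tokens)))
        alerts = []
        for line in log_lines:
            hit = pattern.search(line)
            if hit:
                src = IPV4.search(line)
                alerts.append({
                    "placement": self._tokens[hit.group(0)].placement,
                    "src_ip": src.group(0) if src else None,
                    "evidence": line.strip(),
                })
        return alerts

def demo():
    """Plant a decoy API key, then scan constructed log lines for its use."""
    reg = HoneytokenRegistry()
    key = reg.mint("Employee_passwords.xlsx on the HR file share")
    log = [  # constructed sample log: one legitimate login, one decoy-key use
        "2024-05-02T10:14:03Z sshd[2211]: Accepted publickey for jdoe from 10.0.4.7",
        f"2024-05-02T10:15:47Z api-gw: auth failed key={key.value} src=10.0.9.31",
    ]
    return reg.scan(log)
```

The scan is the cheap part; the value of the token comes from planting it where only an intruder would look and from keeping the placement record so the alert is actionable.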

Controlled Malware

Attackers will often use malware to create a foothold in networks. They can deliver it via a wide range of channels. For example, an attacker could send malware directly by e-mail or deploy it after gaining access to the infrastructure.

The attacker’s purpose in deploying malware can vary. Usage can range from file encryption as part of an extortion campaign to data exfiltration of sensitive business information via covert channels. Once you’ve captured a sample, defenders can execute the malware in a controlled, isolated setting to study its behavior. The analysis can help you understand the techniques and goals of the attacker.

Using MITRE Engage and Other Frameworks

Some people see adding an active defense strategy to your existing infrastructure as suitable only for the more security-mature businesses and agencies. That no longer needs to be the case, because today’s integration threshold is low. There are a lot of open-source frameworks out there to help you set up and integrate tools to support this kind of work.

In addition, MITRE Engage will guide you through setting up an adversary engagement operation and help you to strategize, plan, execute and analyze the result.

Set up honeytokens by filling in a form at and dropping the token on your company’s network share. Also, a huge list of open-source honeypots has been created on GitHub.

Most of these active defense tools tie directly into existing security information and event management (SIEM) solutions like QRadar from IBM, or into simpler messaging channels like e-mail. Many honeypots support channels like Slack, Syslog and e-mail for alerting directly to your security operations center or personnel.

What’s Next?

In short, planning an intelligent adversary engagement will help your business be more aware of attackers’ goals, techniques, tactics and attack paths. It will also allow you to strengthen your current defenses with data from real-world scenarios. Use MITRE Engage to plan engagements supported by open-source honeypots, honeytokens and malware analysis frameworks.
