Traditional security isn’t always enough to keep attackers at bay. When it comes to sneaking into networks, detection will often only come after malicious traffic reaches systems such as next-generation firewalls and intrusion detection and prevention systems. Meanwhile, threat actors have free range. But if you can trick the attacker attempting to trick you, it’s a different story.

The first response after detection is often to remove the compromised systems and disable the breached user accounts. The idea is to cut down on further problems and limit any existing risk. Sadly, this approach leaves you with only the artifacts and logs that the attackers decided to leave behind.

Engaging with the attacker will allow you to get more insight into their goals, techniques, tactics and attack paths. You can then use this to strengthen your existing defenses and prevent this specific actor from using the same techniques again.

Intelligent Adversary Engagement

You can choose from multiple tools and frameworks when setting up a strategic adversary engagement. One of these is MITRE Engage, a framework created just to be used for discussing and planning responses to an attacker. That includes engagement, deception and denial. Let’s look at a few notable techniques used to engage with threat actors.


Honeypots mimic real systems with the goal to attract and detect malicious actors in your infrastructure. Think of them as the digital version of bait cars. Honeypots allow system admins and other cybersecurity personnel to detect techniques and tactics used to compromise systems.

Note the difference between high- and low-interaction honeypots. Low-interaction honeypots will help you detect malicious actors in your network. However, they won’t give much insight into their goals and tactics. High-interaction honeypots will allow you to learn more about the attack. This way, you’re simulating the real systems in a more in-depth manner.

A wide range of honeypots are freely available. Which one is right for your needs depends on your infrastructure and goals.


Honeytokens have similar goals as honeypots, but you can use them in different ways. Instead of simulating systems and services, they can be files, credentials, e-mail addresses and URLs that are used to attract the attention of attackers. They alert the security team when someone uses or opens them.

An example of a honeytoken would be a file called Employee_passwords.xlxs. You could place this on any system or file share. When the attacker opens the file, the honeytoken will alert the admin, indicating unwanted access or a data breach.

Honeytokens are easier to set up than honeypots because they don’t require extra infrastructure to run. The tradeoff is that the alerting signals are more limited in the information they provide about the attacker.

Controlled Malware

Attackers will often use malware to create a foothold into networks. They can deliver it via a wide range of channels. For example, an attacker could directly send malware by e-mail or deploy it directly after gaining access to the infrastructure.

The attacker’s purpose in deploying malware can vary. Usage can range from file encryption as part of an extortion campaign to data exfiltration of sensitive business information via covert channels. Once you’ve caught it, the good guys can execute the malware in a controlled setting to study its behavior. The analysis can help you understand the techniques and goals of the attacker.

Using MITRE Engage and Other Frameworks

Some people see adding an active defense strategy into your existing infrastructure as only suitable for the more security-mature businesses and agencies. This should not be the case anymore with the low integration threshold of today. There are a lot of open-source frameworks out there to help you set up and integrate tools to support this kind of work.

In addition, MITRE Engage will guide you through setting up an adversary engagement operation and help you to strategize, plan, execute and analyze the result.

Set up honeytokens by filling in a form at and dropping the token on your company’s network share. Also, a huge list of open-source honeypots has been created on Github.

Most of these active defense tools tie directly into existing security information and event management solutions like QRadar from IBM or simpler messaging channels like e-mail. A lot of honeypots will support channels like Slack, Syslog and e-mail for alerting directly to your security operations center or personnel.

What’s Next?

In short, planning an intelligent adversary engagement will help your business be more aware of attackers’ goals, techniques, tactics and attack paths. It will also allow you to strengthen the current security integration with data from real-world scenarios. Use MITRE Engage to plan engagements supported by open-source honeypots, honeytokens and malware analysis frameworks.

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read