Does your organization actively monitor deception technology (e.g., honeypots, honeyfiles, decoy accounts) for any usage or interaction?
Explanation
Deception technology creates fake assets that legitimate users should never interact with, so any activity on these decoys is a strong indicator of malicious behavior. Monitoring the decoys provides early warning of potential intrusions, lateral movement attempts, or credential theft without generating the false positives that plague traditional detection methods.
Evidence could include screenshots of deception technology dashboards showing monitoring configurations, alert logs from deception systems, documentation of response procedures when decoys are triggered, or reports showing historical monitoring of deception assets with timestamps and resolution actions.
Implementation Example
Continuously monitor deception technology, including user accounts, for any usage
ID: DE.CM-03.282
Context
- Function
  - DE: DETECT
- Category
  - DE.CM: Continuous Monitoring
- Sub-Category
  - Personnel activity and technology usage are monitored to find potentially adverse events
Related questions
- Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?
- Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?
- Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?
- Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?
- Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?
- Does your organization monitor physical access control logs for unusual patterns and failed access attempts?

