ITSPmagazine Podcasts

Making Honeypots Useful Again: Identity Security, Deception, and the Art of Detection | A Conversation with Sean Metcalf | Redefining CyberSecurity with Sean Martin


Listen Later

GUEST

Sean Metcalf, Identity Security Architect at TrustedSec | On LinkedIn: https://www.linkedin.com/in/seanmmetcalf/

HOST

Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

EPISODE NOTES

Sean Metcalf, a frequent speaker at conferences like Black Hat, DEF CON, and RSAC, brings a sharp focus to identity security—especially within Microsoft environments like Active Directory and Entra ID. In this episode, he walks through the practical and tactical role of honeypots and deception in detecting intrusions early and with higher fidelity.

While traditional detection tools often aim for broad coverage, honeypots flip the script by offering precise signal amidst the noise. Metcalf discusses how defenders can take advantage of the attacker’s need to enumerate systems and accounts after gaining access. That need becomes an opportunity to embed traps—accounts or assets that should never be touched unless someone is doing something suspicious.

One core recommendation: repurpose old service accounts with long-lived passwords and believable naming conventions. These make excellent bait for Kerberoasting attempts, especially when paired with service principal names (SPNs) that mimic actual applications. Metcalf outlines how even subtle design choices—like naming conventions that fit organizational patterns—can make a honeypot more convincing and effective.

He also draws a distinction between honeypots and deception technologies. While honeypots often consist of a few well-placed traps, deception platforms offer full-scale phantom environments. Regardless of approach, the goal remains the same: attackers shouldn’t be able to move around your environment without tripping over something that alerts the defender.

Importantly, Metcalf emphasizes that alerts triggered by honeypots are high-value. Since no legitimate user should interact with them, they provide early warning with low false positives. He also addresses the internal politics of deploying these traps, from coordinating with IT operations to ensuring SOC teams have the right procedures in place to respond effectively.

Whether you’re running a high-end deception platform or just deploying free tokens and traps, the message is clear: identity is the new perimeter, and a few strategic tripwires could mean the difference between breach detection and breach denial.

SPONSORS

LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

ThreatLocker: https://itspm.ag/threatlocker-r974

RESOURCES

Inspiring Post: https://www.linkedin.com/posts/activity-7353806074694541313-xzQl/

Article: The Art of the Honeypot Account: Making the Unusual Look Normal: https://www.hub.trimarcsecurity.com/post/the-art-of-the-honeypot-account-making-the-unusual-look-normal

Article: Trimarc Research: Detecting Kerberoasting Activity: https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity

Article: Detecting Password Spraying with Security Event Auditing: https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-password-spraying-with-security-event-auditing

ADDITIONAL INFORMATION

✨ More Redefining CyberSecurity Podcast: 

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/

Interested in sponsoring this show with a podcast ad placement? Learn more:

👉 https://itspm.ag/podadplc

...more
View all episodesView all episodes
Download on the App Store

ITSPmagazine PodcastsBy ITSPmagazine, Sean Martin, Marco Ciappelli

  • 5
  • 5
  • 5
  • 5
  • 5

5

31 ratings


More shows like ITSPmagazine Podcasts

View all
The Joe Rogan Experience by Joe Rogan

The Joe Rogan Experience

225,542 Listeners

Cybersecurity Today by Jim Love

Cybersecurity Today

163 Listeners

The Azure Security Podcast by Michael Howard, Sarah Young, Gladys Rodriguez and Mark Simos

The Azure Security Podcast

24 Listeners

Audio Signals Podcast by ITSPmagazine, Marco Ciappelli, Sean Martin

Audio Signals Podcast

2 Listeners

Redefining CyberSecurity by Sean Martin, ITSPmagazine

Redefining CyberSecurity

3 Listeners

Stories From Space by ITSPmagazine, Matthew S Williams

Stories From Space

4 Listeners

Redefining Society and Technology Podcast by Marco Ciappelli, ITSPmagazine

Redefining Society and Technology Podcast

0 Listeners

Leading Edge Discovery Podcast by Charlie Camarda Ph.D, ITSPmagazine

Leading Edge Discovery Podcast

3 Listeners

The Mentor Project Podcast by The Mentor Project, ITSPmagazine

The Mentor Project Podcast

0 Listeners

The Tucker Carlson Show by Tucker Carlson Network

The Tucker Carlson Show

15,381 Listeners