Patent attributes
Disclosed herein are methods, systems, and processes for tracking honeytokens. A malicious attack from an attacker is received at a honeypot and a determination is made that an attack event associated with the malicious attack has compromised deceptive credential information maintained by the honeypot. A unique credential pair that corresponds to the deceptive credential information sought by the attack event is generated and a honeytoken tracker state table is modified to include the unique credential pair and attack event metadata in association with the attack event. The unique credential pair is then transmitted to the attacker and the honeytoken tracker state table is synchronized with a honeypot management system. Another malicious attack is detected, the honeytoken tracker state table is accessed, and the malicious attacker is correlated to the attacker. A honeypot personality state table maintained by the honeypot management system is accessed and a present personality for the honeypot that is substantially similar to a past personality of the honeypot that existed during the malicious attack based on information in the honeypot personality state table is generated.
