Logo of Acalvio, a leading company in cyber deception technology

Identity threats are involved in 80% of all cyberattacks, according to the CrowdStrike 2023 Global Threat Report. These are serious threats that compromise corporate and personal information and put organizations at grave risk. Sophisticated attackers like APTs and ransomware actors typically start their campaign with an attack on identities. Attackers can exploit identities on endpoints, applications, and identity stores.

An identity threat is difficult to detect with traditional cybersecurity approaches.

Why are Honeytoken Accounts and Honeytokens Important?

Existing security controls are not sufficient to protect enterprises from identity compromise. Attackers target identities of privileged users (such as Helpdesk Admins, and Domain Admin accounts), as well as machine or service accounts. Service accounts represent a significant attack surface as they cannot be easily secured using existing prevention-based security mechanisms. These credentials cannot be protected using MFA techniques, giving the attacker opportunities for Lateral Movement and Privilege Escalation.

Deception technology is a novel way of detecting identity threats with high fidelity. Acalvio ShadowPlex honeytoken accounts and honeytokens are purpose-built deceptions that offer a new layer in the Defense-in-Depth offering for Identity Protection – for all credential and account types.

ShadowPlex containment for active directory security emphasizing that attackers cannot disable this containment
Use of Crowdstrike honeytoken accounts and honeytokens in cybersecurity for identity protection

About Honeytoken Accounts and Honeytokens

Honeytoken accounts are deceptive user accounts, service accounts, and application identities created in Active Directory (AD). They are specifically designed to lure attackers away from critical resources. Honeytokens are deceptive credentials and data that are embedded in legitimate assets such as Falcon-managed endpoints and cloud workloads. Together, they are extremely effective at detecting identity threats.

CrowdStrike Falcon® Identity Protection has in-built support for monitoring honeytoken accounts and a policy-based identity threat containment and response mechanism. Any access or alterations of honeytoken accounts trigger a dedicated high-fidelity detection, giving SOC analysts visibility into the detailed insights and adversary attack path.

Benefits of Honeytoken accounts and Honeytokens for Identity Protection

In a recent publication by CrowdStrike on Identity Security Innovations, the new Honeytokens capability is highlighted as a key capability for Identity Protection.

As covered in the blog, Identity-driven attacks are extremely hard to detect with traditional approaches. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, it’s often very difficult to differentiate between the user’s typical behavior and that of the hacker using traditional security measures and tools.

Advanced Identity attack techniques are stealthy and do not leave any evidence on the AD logs or on existing security controls. They use well-established authentication protocols that are difficult to distinguish through AD login interception or authentication protocol interception approaches.

Deception has been widely recognized by leading AD researchers and AD experts as a powerful mechanism for the detection of identity threats. (ref: Active Directory Security).

Acalvio Honeytoken Accounts and Honeytokens are designed to detect even zero-day threats and are the perfect solutions to deploy in zero-trust environments for Identity Protection.

Operationalizing Honeytoken Accounts and Honeytokens

For effective utilization of Honeytoken Accounts and Honeytokens, there are several factors to consider during the creation and deployment phase. Manually defining these would be cumbersome and challenging to make them attractive and effective.

Acalvio’s proven expertise in Advanced Deception Technology helps CrowdStrike Identity customers to operationalize this capability by automating the design, definition, and deployment of effective Honeytoken Accounts and Honeytokens.

Acalvio's advanced AI solution to quickly operationalize Honeytoken accounts
Effective honeytokens and honeytoken accounts

Acalvio Helps Crowdstrike Identity Protection Customers Operationalize Honeytoken Accounts & Honeytokens

  • Domain selection for deploying Honeytoken Accounts & Honeytokens
  • Automated Al-driven recommendation of Honeytoken Accounts
  • Appropriate count of Honeytoken Accounts per Domain
  • Honeytoken Account Types & Variety
  • Honeytoken Account Attributes
  • Automated creation & Deployment of Honeytokens
  • Wide variety of Honeytokens
  • Designed to be hidden from legitimate users
  • Visible to attackers via tools & scripts
  • Blended based on endpoint characteristics

Seamless Integration: Acalvio ShadowPlex and CrowdStrike Falcon® Identity Protection

Acalvio ShadowPlex is pre-integrated with CrowdStrike Falcon® that provides immediate value:

  • Acalvio’s integration with CrowdStrike Identity Protection is powered by the Acalvio SaaS Service
  • No software installation on the enterprise network
  • Scalable architecture protects multiple Active Directory Domains & thousands of endpoints
  • Single console solution – managed using the CrowdStrike Falcon® console
  • Administrators can control the variety and count of Honeytoken Accounts & Honeytokens.
Integration of Acalvio ShadowPlex and CrowdStrike Falcon® for enhanced monitoring of honeytoken accounts and honeytokens


What are honeytoken accounts and honeytokens?

Honeytoken accounts are deceptive accounts (representing human and service accounts, and application identities) created in the Active Directory (AD), that are specifically designed to blend into the domain.
Honeytokens are deceptive credentials and data that are embedded in legitimate assets such as OS caches, application configuration files, Windows registry entries, Falcon-managed endpoints, and cloud workloads. Any usage or manipulation of these deception artifacts is a very reliable indicator of an identity threat.

Why do I need Honeytoken cybersecurity with CrowdStrike Falcon® Identity Protection?

Acalvio ShadowPlex Honeytoken accounts and Honeytokens for CrowdStrike Falcon® Identity Protection are based on Deception Technology and provide a new layer in the Defense-in-Depth offering for identity protection. They are a class of Deception Technology techniques that are proven to be extremely powerful and efficient in detecting a variety of identity threats.

Acalvio ShadowPlex leverages the Falcon® Identity Protection Honey Account monitoring and containment policy to provide a scalable and effective deception-based identity threat detection solution.

What makes honeytokens and honeytoken accounts by Acalvio unique?

Honeytoken accounts and Honeytokens are unique, attractive and are carefully designed. They are invisible to normal users, but visible through the lens of attacker tools.

ShadowPlex gives honeytoken accounts properties that are like the properties of existing accounts in Active Directory. In other words, when a honeytoken account is created in Active Directory, its properties would enable it to blend with the existing accounts in Active Directory. At the same time, ShadowPlex also gives a honeytoken account properties that make it look attractive to an adversary.

Manually creating honeytoken accounts and honeytokens is a laborious process, and it is extremely challenging to make them attractive to attackers.

How are Acalvio ShadowPlex and CrowdStrike Falcon® integrated?

The Honeytoken fulfillment capability from Acalvio is completely automated, pre-integrated into the Falcon® platform, and does not require any additional Acalvio software to be installed. Acalvio provides a single console solution to CrowdStrike Falcon® customers.

Next Steps

Explore our patented technologies to enable Active Defense and Identity Security in your enterprise.