Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

OSINT for Defenders: Adventures in Honeytokens and Leaked Data

  • Thursday, May 03, 2018 at 3:30 PM EDT (2018-05-03 19:30:00 UTC)
  • Micah Hoffman, Justin Henderson

You can now attend the webcast using your mobile device!



Detecting attackers early in the attack process can be extremely challenging if not impossible. Yet strategic logging and tactical placement of publicly available information can take a know attack strategy and turn it into a weakness. Since we know the places where OSINT and recon tools pull data from (social media, code repositories, paste sites, PGP key repos), couldn't we place known-false content and then set alerts for when that data is used against our systems?

We can and we will! Come join Justin Henderson and Micah Hoffman in their joint Blue Team/OSINT webcast. We will examine common locations attackers harvest data from and how planting honeytokens and then monitoring for their use allows us to automate responses to potential attackers and gain early detection capabilities of targeted attacks.

Speaker Bios

Micah Hoffman

Micah Hoffman has been active in the information technology field since 1998, working with federal government, commercial, and internal customers to discover and quantify cybersecurity weaknesses within their organizations. As a highly active member of the cybersecurity and OSINT communities, Micah uses his real-world Open-Source Intelligence (OSINT), penetration testing, and incident response experience to provide customized solutions to his customers and comprehensive instruction to his students.

Over the years, Micah has conducted cyber-related tasks like penetration testing, OSINT investigations, APT hunting, and risk assessments for government, internal, and commercial customers. Micah's SANS coursework, cybersecurity expertise, and inherent love of teaching eventually pulled him toward an instructional role, and he's been a SANS Certified Instructor since 2013. He's the author of the SANS course SEC487: Open Source Intelligence Gathering and Analysis, and also teaches both SEC542: Web App Penetration Testing and Ethical Hacking and SEC567: Social Engineering for Penetration Testers.

Justin Henderson

Justin is a passionate security architect and researcher with over decade of experience working in the Healthcare industry as well as consulting. He has had multiple opportunities to work on government contracts specializing in network monitoring systems and intrusion analysis. Justin was the 13th GSE to become both a red and blue SANS Cyber Guardian and holds over around 60 industry certifications.

Justin is a SANS instructor and the author of SEC555, the industry's first vendor neutral SIEM analytics course.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.