Tripwire
Definition
A deliberately placed artefact or detection rule designed to fire only if an attacker returns or residual malware reactivates. Examples include canary files, honeytoken credentials, and SIEM rules scoped to previously compromised accounts.
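As an added illustration (not part of the original glossary entry), the following Python sketch evaluates constructed authentication and file-access events against the three kinds of tripwire named above: a honeytoken account that is never used legitimately, a canary file that is never opened legitimately, and a rule scoped to a previously compromised account for the duration of an extended monitoring window. All account names, paths and the window end date are assumptions made up for the example.

```python
"""Tripwire detection over constructed authentication/file-access events."""
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed tripwire inventory (assumed names; not from any real environment).
HONEYTOKEN_ACCOUNTS = {"svc-backup-legacy"}        # no legitimate use exists
CANARY_FILES = {"/srv/finance/passwords.xlsx"}       # no legitimate reader exists
COMPROMISED_ACCOUNTS = {"jdoe"}                      # re-enabled after eradication
MONITORING_WINDOW_END = datetime(2024, 7, 31, tzinfo=timezone.utc)  # assumed


def evaluate(event: dict) -> Optional[str]:
    """Return the name of the tripped rule, or None if the event is benign."""
    user = event.get("user")
    # Any attempt with a honeytoken credential fires, success or failure alike.
    if event["type"] == "auth" and user in HONEYTOKEN_ACCOUNTS:
        return "honeytoken_credential_used"
    # Any access to a canary file fires, whoever the actor is.
    if event["type"] == "file_access" and event.get("path") in CANARY_FILES:
        return "canary_file_accessed"
    # A successful logon to a previously compromised account fires only while
    # the extended monitoring window is still open.
    ts = datetime.fromisoformat(event["ts"])
    if (event["type"] == "auth" and user in COMPROMISED_ACCOUNTS
            and event.get("result") == "success" and ts <= MONITORING_WINDOW_END):
        return "compromised_account_logon_in_window"
    return None


def scan(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Run every JSON event line through the rules; return (rule, user) pairs."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        rule = evaluate(event)
        if rule:
            alerts.append((rule, event["user"]))
    return alerts


# Constructed sample events: one benign logon, one honeytoken attempt, one
# canary read, one in-window logon to the compromised account, one after the window.
SAMPLE_LOG = [
    '{"ts": "2024-07-10T08:00:00+00:00", "type": "auth", "user": "alice", "result": "success"}',
    '{"ts": "2024-07-10T08:05:00+00:00", "type": "auth", "user": "svc-backup-legacy", "result": "failure"}',
    '{"ts": "2024-07-11T02:30:00+00:00", "type": "file_access", "user": "bob", "path": "/srv/finance/passwords.xlsx"}',
    '{"ts": "2024-07-12T09:00:00+00:00", "type": "auth", "user": "jdoe", "result": "success"}',
    '{"ts": "2024-09-01T09:00:00+00:00", "type": "auth", "user": "jdoe", "result": "success"}',
]

if __name__ == "__main__":
    for rule, user in scan(SAMPLE_LOG):
        print(f"ALERT {rule}: user={user}")
```

Because each tripwire has no legitimate use, every hit is high-confidence and warrants immediate triage rather than threshold-based correlation.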
Related terms
- Baseline comparison: Comparison of a recovered system's current state, including running processes, network connections, scheduled tasks, and file hashes, against a known-good reference state...
- Extended monitoring window: A defined period of heightened detection sensitivity following recovery, during which security operations maintain increased logging, alert thresholds, and analyst attention. Ends...
- Honeytoken: A synthetic credential, document, or data record placed in a monitored location. Any attempt to use or access the honeytoken is an...
- Recovery validation: The verification process that confirms a restored system is clean, correctly configured, and free from residual attacker access. Distinct from eradication, which...
- Recurrence: Re-establishment of attacker access or re-execution of the same attack vector after the prior incident has been eradicated. Recurrence triggers the incident...
Explained in
- Validating Recovery and Monitoring for Recurrence: A deliberately placed artefact or detection rule designed to fire only if an attacker returns or residual malware reactivates. Examples include canary files, h...