Currently we have honey credentials deployed with a customer which is under attack. Over the weekend we got multiple attempts to access servers with the honey account, which really helps us understand which workstations are involved. The only thing that I was wondering about is: are the credentials unique for every insight agent (asset), or are they the same on each asset?
The reason that I ask is that if they are compromised on workstation A, then the attacker could be trying them from workstation B to avoid being detected on patient zero.
Does anyone know this?