Yeah, I mean like a lot of things in security, it’s better than nothing. But you would have to be very undisciplined or uninformed to get caught by this.
There’s even an argument that all you’ve done is tipped your hand to the adversary that deception is at play in this scenario and allowed them to adjust their approach accordingly.
Not even suggesting that would be a horrible thing to happen; even in that scenario you most likely can at least slow them down. But if you never know you’re being targeted in the first place, it doesn’t matter too much when that clock starts.
The ideal scenario I think you should actually be aiming for here is to craft a situation where you know about them but they don’t know that you know. That’s a window of time where you very clearly have an upper hand.
That isn’t actually that hard to create. For example, one technique I have at that really early stage is to return a 403 auth error on a web service and set a cookie that looks very natural to its environment but is also very obvious as to how you could change it in order to no longer get a 403 response.
The moment I get a request with that new cookie value I instantly know I have something I should be paying attention to and I know it’s a real person not a bot. The adversary however has no idea yet what’s going on, they just think they hit a gold mine.
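A sketch of the bait-cookie check described in the comment above, as an added example that is not the commenter's own code. The cookie names `sid` and `role`, the HMAC-signed session id (used to tell a visitor who was actually handed the bait apart from scanners guessing cookie names) and the 200 decoy response are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

SECRET = secrets.token_bytes(32)         # assumption: per-process key, persist it in real use
BAIT_NAME, BAIT_VALUE = "role", "guest"  # hypothetical bait cookie, pick one natural to your app


def _sign(sid: str) -> str:
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()[:32]


def issue_cookies() -> list:
    """Set-Cookie values sent along with the initial 403."""
    sid = secrets.token_hex(8)
    return [f"sid={sid}.{_sign(sid)}; Path=/; HttpOnly",
            f"{BAIT_NAME}={BAIT_VALUE}; Path=/"]


def classify(cookie_header: str) -> str:
    """Return 'new', 'noise', 'untouched' or 'tampered' for one request."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return "noise"
    sid, _, mac = (jar["sid"].value if "sid" in jar else "").partition(".")
    # Only a client that received our signed sid can have been shown the bait.
    ours = bool(sid) and hmac.compare_digest(mac.encode(), _sign(sid).encode())
    role = jar[BAIT_NAME].value if BAIT_NAME in jar else None
    if not ours:
        return "new" if role is None else "noise"  # scanners guessing cookie names
    return "untouched" if role in (None, BAIT_VALUE) else "tampered"


def handle(cookie_header: str, client: str, alerts: list):
    """Return (status, set_cookie_values); record an alert on an edited bait."""
    verdict = classify(cookie_header)
    if verdict == "tampered":
        alerts.append({"client": client, "cookie": cookie_header})
        return 200, []  # assumption: serve a decoy page so nothing looks different
    if verdict == "untouched":
        return 403, []
    return 403, issue_cookies()
```

Wire `handle` into whatever framework serves the endpoint and route `alerts` to your detection pipeline; the "tampered" verdict is the signal that someone read the cookie and edited it by hand.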