Data loss prevention defenses to date have focused on identifying technical tell-tale signs (byproducts) of stealthy operation by adversaries, such as modification of kernel data structures and code, anomalous network or process activity, and so on. Because of the complexity of today's systems, attackers have numerous opportunities to remotely control a targeted device, often on a sustained basis and occasionally with the unwitting assistance of legitimate users.
Given the emphasis placed on protecting the perimeter of networks through air-gaps, physical access control, and high-assurance cross-domain guards, attackers who reach the relatively weaker inside of an enterprise's network can do tremendous damage, particularly if they remain undetected for long periods, as is often the case with insider threats. Thus, some enterprises deploy honeypots (traps) in an attempt to detect such threats. However, honeypots have two fundamental limitations: a low lure factor, so they rarely draw in more sophisticated threats, and a lack of realism or believability as an environment worth targeting.