US10447733B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10447733-B2 |
| Application number | US-201414473836-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 29, 2014 |
| Priority date | Jun 11, 2014 |
| Publication date | Oct 15, 2019 |
| Grant date | Oct 15, 2019 |
Official abstract text for this publication.
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing deception networks. One of the systems includes a threat information server configured to monitor and control security threats, a management process orchestration server configured to receive one or more identified security threats from the threat information server and develop a response process applicable to each identified security threat, a network switching controller in communication with one or more network switching devices, a target computing device connected to one of the network switching devices, and an indicator analytics processor configured to generate threat intelligence based on activity observed on the target device and provide the observed threat intelligence to the threat information server. The threat information server can receive threat intelligence information, identify key indicators, and generate identified security threats. The network switching controller can implement network topology changes in response to received instructions.
Opening claim text (preview).
What is claimed is:

1. A method, comprising: receiving threat intelligence information or updated threat intelligence information associated with one or more security threats; contextualizing and storing the threat intelligence information as one or more threat indicators corresponding to a security threat, including matching internal threat intelligence information identified from internal security threats to external threat intelligence information identified from external security threats; identifying an occurrence of the security threat by detecting one or more of the threat indicators corresponding to the security threat; identifying a predetermined course of action to be performed in response to the identified security threat; performing the predetermined course of action, wherein the performing comprises: identifying an endpoint under threat; performing a snapshot of a current session of the identified endpoint; based at least in part on the snapshot, recreating the current session of the identified endpoint in a honeypot environment of a target computing device; and redirecting network traffic intended for the endpoint to the honeypot environment of the target computing device; generating internal threat intelligence information based on activity observed on the target computing device; and using the external threat intelligence information identified from external security threats to contextualize the observed internal threat intelligence information.

2. The method of claim 1, wherein detecting one or more of the threat indicators includes receiving information from one or more network data sources.

3. The method of claim 1, wherein identifying the predetermined course of action includes accessing information that associates the identified security threat with the predetermined course of action.

4. The method of claim 1, wherein redirecting network traffic includes providing instructions to a software-defined networking controller to change a network topology.

5. The method of claim 1, further comprising: intercepting network traffic between the honeypot environment and an attacker; and analyzing the network traffic to identify one or more actionable threat indicators.

6. The method of claim 5, wherein intercepting network traffic between the honeypot environment and the attacker includes using deep packet inspection to identify information associated with an attack, as the attack is being performed.

7. A computer-readable device encoded with a computer program comprising instructions that, when executed, operate to cause a computer to perform operations comprising: receiving threat intelligence information or updated threat intelligence information associated with one or more security threats; contextualizing and storing the threat intelligence information as one or more threat indicators corresponding to a security threat, including matching internal threat intelligence information identified from internal security threats to external threat intelligence information identified from external security threats; identifying an occurrence of the security threat by detecting one or more of the threat indicators corresponding to the security threat; identifying a predetermined course of action to be performed in response to the identified security threat; performing the predetermined course of action, wherein the performing comprises: identifying an endpoint under threat; performing a snapshot of a current session of the identified endpoint; based at least in part on the snapshot, recreating the current session of the identified endpoint in a honeypot environment of a target computing device; and redirecting network traffic intended for the endpoint to the honeypot environment of the target computing device; generating internal threat intelligence information based on activity observed on the target computing device; and using the external threat intelligence information identified from external security threats to contextualize the observed internal threat intelligence information.

8. The computer-readable device of claim 7, wherein identifying the predetermined course of action includes accessing information that associates the identified security threat with the predetermined course of action.

9. The computer-readable device of claim 7, wherein redirecting network traffic includes providing instructions to a software-defined networking controller to change a network topology.

10. The computer-readable device of claim 7, further comprising: intercepting network traffic between the honeypot environment and an attacker; and analyzing the network traffic to identify one or more actionable threat indicators.

11. The computer-readable device of claim 10, wherein intercepting network traffic between the honeypot environment and the attacker includes using deep packet inspection to identify information associated with an attack, as the attack is being performed.

12. A deception network system comprising: a threat intelligence server configured to monitor and control security threats, the threat intelligence server being configured to: receive threat intelligence information from one or more intelligence feeds; contextualize and store the threat intelligence information as one or more threat indicators corresponding to a security threat, including matching internal threat intelligence information identified from internal security threats to external threat intelligence information identified from external security threats; and identify key indicators of the one or more threat indicators; a management and process orchestration server configured to: receive applicable threat intelligence information from the threat intelligence server including the identified key indicators; and generate one or more identified security threats associated with the key indicators; a networking controller in communication with one or more network switching devices, the networking controller being configured to implement network topology changes on the network switching devices in response to instructions received from the management and process orchestration server; a target computing device connected to one of the network switching devices, the target computing device including a honeypot environment configured to recreate, on the target computing device, a session of an endpoint under threat, wherein the management and process orchestration server is further configured to execute a response process for each identified security threat, including providing instructions to the networking controller to redirect network traffic intended for the endpoint under threat to the target computing device; and an indicator analytics server configured to: generate internal threat intelligence information based on activity observed on the target computing device; and provide the observed internal threat intelligence information to the threat intelligence server; wherein the threat intelligence server uses the external threat intelligence information identified from external security threats to contextualize the observed internal threat intelligence information.

13. The system of claim 12, wherein the one or more intelligence feeds include information associated with one or more security threats.

14. The system of claim 13, wherein the threat intelligence server is operable to identify key indicators associated with the one or more security threats.

15. The system of claim 13, wherein the threat intelligence server implements a process for consolidating and/or normalizing information associat
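The sequence of claim 1 (contextualize internal observations against an external feed, look up the predetermined course of action, snapshot the endpoint's session, recreate it for the honeypot, and emit a redirect instruction for the networking controller) modelled in Python as an added illustration; this is not code from the patent or its assignee, and the feed entries, flow logs, addresses and the flow-rule shape are constructed placeholders.

```python
import re

# Constructed external intelligence feed: indicator value -> threat name.
EXTERNAL_FEED = {
    "198.51.100.7": "constructed-c2-beacon",
    "bad.example.test": "constructed-c2-beacon",
}

# Predetermined courses of action (claim 3: threat -> response).
PLAYBOOKS = {"constructed-c2-beacon": "snapshot_and_redirect"}

# Constructed internal flow logs (claim 2: a network data source).
LOGS = [
    "10.0.0.5 -> 203.0.113.9 tcp/443",
    "10.0.0.8 -> 198.51.100.7 tcp/8443",
    "10.0.0.5 -> 10.0.0.1 udp/53",
]

LOG_RE = re.compile(r"(\S+) -> (\S+) (\S+)")


def contextualize(logs):
    """Match internal observations to external indicators; each hit is an
    identified occurrence of the threat, tied to the endpoint that produced it."""
    hits = []
    for line in logs:
        src, dst, _proto = LOG_RE.match(line).groups()
        if dst in EXTERNAL_FEED:
            hits.append({"endpoint": src, "indicator": dst,
                         "threat": EXTERNAL_FEED[dst]})
    return hits


def snapshot(endpoint, logs):
    """Capture the endpoint's current session: here, its live connections."""
    return {"endpoint": endpoint,
            "connections": [l for l in logs if l.startswith(endpoint + " ")]}


def respond(hit, logs, honeypot_ip="10.9.9.9"):
    """Perform the predetermined course of action. Returns the session
    recreated for the honeypot and the topology change handed to the
    networking controller (a hypothetical rewrite-destination flow rule)."""
    if PLAYBOOKS.get(hit["threat"]) != "snapshot_and_redirect":
        return None  # no predetermined response for this threat
    snap = snapshot(hit["endpoint"], logs)
    honeypot_session = dict(snap, host=honeypot_ip)  # recreate on target device
    flow_rule = {"match": {"ipv4_dst": hit["endpoint"]},
                 "action": {"set_ipv4_dst": honeypot_ip}}
    return {"honeypot_session": honeypot_session, "flow_rule": flow_rule}


def run(logs=LOGS):
    """Full loop over the constructed logs: one response per identified threat."""
    return [respond(hit, logs) for hit in contextualize(logs)]
```

Activity later observed on the honeypot would be fed back through `contextualize` as internal intelligence, which is the loop the claims close with.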
CPC classifications:
- Event detection, e.g. attack signature detection
- Using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- For managing network security; network security policies in general (filtering policies H04L63/0227)