With insider attacks becoming more common and costing organizations more every year, it has never been more crucial to be able to predict when an insider attack may happen. Network Anomaly Detection Systems (NADS) have the ability to identify unusual behavior making them useful in predicting cyberattacks, but often suffer from high false positive rates. Honeypots used in conjunction with NADS can help with learning attack behaviors and enable better prediction. However both honeypots and legacy NADS are generally deployed at the gateway to a network.In this paper, we introduce a novel framework called Honeyboost, deployed in the LAN, rather than at the perimeter, focusing on internal-LAN traffic to predict, for example, a malicious insider attack. Honeyboost incorporates an NADS, as well as a honeypot, within an internal network. The anomaly detection technique incorporated into Honeyboost is Lookout, a new method built on extreme value theory that makes it possible to achieve highly desirable low false positive rates. Using data from the LAN Security Monitoring Project, Honeyboost identifies most anomalous nodes before they access the honeypot, thus aiding early detection and prediction.Honeyboost is an unsupervised method comprising of two approaches: horizontal and vertical. The horizontal approach constructs a time series from the communications, via ARP, TCP or UDP, of each node, with node-level features encapsulating the node’s behavior over time. The vertical approach finds anomalies in each protocol (ARP, TCP, UDP) space. Using a window-based model, typical in online scenarios, the horizontal and vertical approaches are combined to identify anomalies and gain useful insights. Experimental results indicate the efficacy of our framework in identifying suspicious activities of nodes.